FBI Leads Agencies to Shut Down Qakbot, Seizes Millions in Bitcoin

In late August, the FBI, in collaboration with law enforcement agencies from around the world, announced a proactive disruption of the Qakbot botnet. According to the DOJ press release, “The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of approximately $8.6 million in cryptocurrency in illicit profits.”

Using traditional investigative techniques as well as blockchain tracing, the FBI and its partners were able to identify, track, and seize over $8,600,000 worth of bitcoin. 

Qakbot background

Qakbot, aka Qbot and Pinkslipbot, is a sophisticated malware variant and botnet used since 2008 to further cyber-criminal activity, including ransomware and exfiltration of victim data, and was primarily spread through email phishing campaigns. In a nutshell, various affiliate criminal groups use the botnet to infect victim computers and then demand extortion “ransom payments” in order to delete the botnet from the victims’ computers. 

According to FBI Cyber Division Section Chief Bryan Smith, many of the most prominent ransomware groups, including Conti, ProLock, Egregor, REvil, Black Basta and others, all used Qakbot to extort ransomware victims. “Like other malware variants, Qakbot evolved into an initial access broker for other cyber criminals. I cannot emphasize enough how initial access brokers are key to the cyber criminal ecosystem and how the true impact from a botnet comes from how it is used.”

The FBI has been investigating the Qakbot malware and botnet in its various forms since 2011. The investigation revealed its infrastructure and that victims’ computers were located across the globe. The exact numbers varied over time, but in 2023, there were approximately 700,000 Qakbot victims across the globe with over 200,000 infections in the United States. Total infections over the life of Qakbot are estimated to be in the millions.

Section Chief Bryan Smith, whose program oversaw the cryptocurrency investigation, estimated that in total, the deployment of the Qakbot botnet resulted in hundreds of millions of dollars worth of losses for victims around the world. The affiliates in turn pay a fee, generally 10-20 percent of the ransom payment to the Qakbot administrators. 

As detailed in the seizure warrant affidavit, agents were able to trace ransomware proceeds from affiliates to Qakbot administrators and then seize the proceeds from the administrators. For example, the affidavit describes 44+ bitcoin extortion payments flowing from ransomware group Black Basta to Qakbot administrators. Investigators were able to obtain internal chats from the Qakbot team showing that the 44.066491 payment into “Subject Address 1” was a proportional payment flowing from Black Basta.

‍

‍

Similarly, the affidavit described “Subject Address 2” as a 10 percent fee related to a ransomware affiliate’s ransomware extortion award.

‍

‍

Section Chief Smith elaborated on the use of blockchain tracing and using tools to follow the money:

“In the case of crypto currency, there are some difficulties due to the anonymous nature of the transactions and the speed by which value can be moved, but there are also investigative benefits to having an open blockchain that provides a permanent digital footprint that we can analyze and connect to other activity. The FBI realized back in 2013 that cryptocurrency was not going away. So we started our first virtual currency team to trace cryptocurrency, build capability and awareness across the FBI, and provide training to our employees and partners. That work expanded over the years and we have seen cryptocurrency evolve from a niche market used by cyber criminals and money laundering facilitators to having some role in virtually every violation the FBI is responsible for.”

‍
‍The takedown

On August 25, 2023, the FBI and international partners conducted law enforcement actions against Qakbot infrastructure worldwide that included:

• Redirection of botnet traffic to an FBI controlled server
• Removal of the Qakbot malware from infected victims and dismantling of its global infrastructure
• Seizure or freezing of approximately $8.6 million of cryptocurrency, which represents the proceeds of ill-gotten gains
• Initiation of the Department of State Rewards for Justice program for information about the Qakbot group

The FBI and its partners were able to do so through collaboration and using forward leaning investigative techniques. For example, Section Chief Smith explained, “First, we penetrated the Qakbot network and were able to map it out in its entirety. Through legal authority, we then assumed control of Qakbot command and control servers and redirected traffic to a server under the control of the FBI. Through further authorization from US Courts, we then facilitated the removal of the Qakbot malware from victim machines by updating the Qakbot malware with a removal tool.” 

This proactive approach to a multi-agency, multi-faceted disruption was the result of persistence and collaboration. The FBI and DOJ worked with multiple foreign partners, along with Europol and Eurojust to identify and dismantle the infrastructure.  Some of the foreign partners included Germany, the Netherlands, France, Romania, Latvia, and the United Kingdom and multiple offices within the FBI, including Los Angeles, Milwaukee, and New Haven.

Why it matters

The FBI and its partners take a multi-pronged approach towards cybercrime strategies. The FBI and its partners aim to completely neutralize cybercrime actors by dismantling the malware delivery system, its overall infrastructure, and its communications network and seizing all proceeds of the crimes. 

To assist victims, the FBI leveraged private sector capabilities from “Have I Been Pwned.” The public can go to haveibeenpwned.com and enter their email address to determine if they may have been a victim of Qakbot.

Additionally, the FBI also partnered with CISA, Microsoft Digital Crimes Unit, the National Cyber Forensics and Training Alliance, Shadowserver, and ZScaler to aid in victim notification and remediation. 

Organizations should consider engaging with CISA (or their own country’s equivalent) and their Internet Service Provider and inquire about the availability of free victim notification alerts and associated services. 

Finally, victims should be reminded that Qakbot facilitated access to compromised networks. Often, additional malware and tools were then used by criminal actors to steal data, deploy ransomware, or carry out fraudulent schemes. So while the FBI removed Qakbot from victim machines, there may still be other malware residing on the system.