As spring gives way to summer, a wave of cybercrime crackdowns has taken root, with law enforcement and private security companies directing a surge of takedowns, seizures, indictments and arrests.

Prolific infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns over the past six weeks.

“It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz told CyberScoop. 

“I can’t think of such a flurry and rapid succession — and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

The scale of infrastructure disrupted by law enforcement and cybersecurity companies in the past few weeks is vast, spanning tens of thousands of malicious IP addresses and domains, and command-and-control systems and accounts used by cybercriminals to advertise and initiate their illicit activities.

The targets hampered or rendered nonoperational by recent law enforcement actions include:

Some, but not all, of the takedowns were part of Operation Endgame — a broad, ongoing international law enforcement effort to dismantle and prosecute cybercriminal organizations. Other actions were taken in coordination with Operation PowerOFF and Operation Secure.

Collectively, these actions target the ecosystem that supports the most impactful cyberattacks, Selena Larson, senior threat intelligence analyst at Proofpoint, told CyberScoop.

“Any disruption is a win,” she said. “I always get so happy to see any disruption. So I have been just so stoked the last couple of weeks.”

Security experts said they are heartened by how private industry, the FBI, Interpol, Europol and dozens of countries are pooling resources, sharing intelligence and collaborating to thwart cybercrime. 

International law enforcement agencies and the private sector often glean insights from one takedown that uncover stepping stones to another, Lefkowitz said. “All it can take is one breadcrumb to inform a subpoena or a perspective on who to focus on within a network,” he added.

Authorities also continue to embrace cybercriminals’ information operations playbook by naming and shaming alleged conspirators, creating and publishing memes, videos and countdown clocks to instill fear and ramp up pressure across the criminal underground.

“When you look at how you disrupt trust-based networks, particularly in scenarios where they’ve never actually met each other face to face, that psychological warfare can be extraordinarily powerful,” Lefkowitz said. “It’s really an indication that the global law enforcement community is adopting more creative and forward-leaning mechanisms to react to the realities of the threat landscape that we’re operating in.”

Kristopher Russo, principal threat researcher at Palo Alto Networks’ Unit 42, said it also shows how authorities are becoming more adept at working together to pierce the veil of anonymity cybercriminals try to hide behind.

“Every malware site seizure not only directly impacts illegal services, but exposes a trove of data on how these networks operate and who is using them,” Russo said. “The anonymity of the internet and shady websites will not shield bad actors from the consequences of their actions.”

While the flurry of recent takedowns led to some arrests, the majority of people involved in these criminal enterprises remain at large. 

Local police in Vietnam, Sri Lanka and Nauru arrested a combined 32 suspects for their alleged involvement in infostealer operations in Asia.

Authorities issued international arrest warrants for 20 suspects as part of Operation Endgame, in addition to 16 people who were charged for their alleged involvement in DanaBot, which is controlled by a Russia-based cybercrime organization. The United States does not have an extradition treaty with Russia.

Achieving a lasting impact is a perpetual challenge in the fight against cybercrime, particularly given how diffuse, diverse and resilient the ecosystem is, Lefkowitz said. 

“You can certainly impose costs,” he said, “and imposing costs takes a number of different forms and fashions,” such as putting alleged criminals in handcuffs, seizing infrastructure or funds, imposing sanctions or degrading trust among key players. 

“The best possible outcome is bad actors in handcuffs,” Lefkowitz said. “Absent that, the actions that they’re taking are certainly powerful and profound, and certainly should not be minimized.”

Brett Leatherman, assistant director and lead official of the FBI Cyber Division, acknowledged that results of technical operations aren’t always permanent.

“We may not eradicate the threat,” he said during a media briefing after authorities toppled Lumma Stealer. “That’s yet to be seen in any technical operation, but any period of downtime to the actors brings relief to victims, and that’s what we’re looking to do here.”

Cybercriminals who remain free after disruptive takedowns often regroup and reconstitute their operations or join other syndicates. 

Yet, the lingering effects — second- and third-order impacts — of counter-cybercrime operations aren’t trivial. 

“It’s not just the disruption to infrastructure, a full-on takedown, that has impacted the landscape. This causes ripples across the underground economy and across the entire ecosystem,” Larson said.

“The reputation hit is huge,” she said. “It imposes cost on them in many, many different ways.”

The post Cybercrime crackdown disrupts malware, infostealers, marketplaces across the globe appeared first on CyberScoop.
