News & Insights

Topic: Takedowns

Has The Sun Set On The Necurs Botnet?

March 15, 2020
Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and compared their observed demographics with data from the previous decade of spambot takedowns.

Alleged DarkScandals administrator arrested and vile sites seized

March 13, 2020
A joint operation by International Law Enforcement Agencies today arrested the alleged administrator of the DarkScandals child sexual exploitation website sites and protected victims by seizing the sites. The Shadowsever Foundation was happy to play a small role in the successful operation by providing technical support to our LE partners.

Dridex update: The wheels of international Law Enforcement keep on turning

December 5, 2019
The Dridex botnet was sinkholed in October 2015 and the infected victims remediated via Shadowserver's free daily network reports. In December 2019, the US DoJ, FBI and UK NCA unsealed criminal charges against other actors alleged to be behind the Dridex botnet’s activities, via an organization self described as “Evil Corp”. This included a record US $5M FBI Most Wanted cyber criminal reward being offered.

Goznym Indictments - action following on from successful Avalanche Operations

May 16, 2019
The US DoJ, FBI and international LE partners announce multiple indictments against the alleged operators and customers of the Goznym malware, controlled via the Avalanche platform. Sinkhole data continues to be available from The Shadowserver Foundation, as part of ongoing sinkholing over over 20 Avalanche malware strains.

Mirai Botnet #14: 1 Million German customers disrupted, Liberia taken off line and now the culprit has been convicted

January 12, 2019
The huge Mirai Botnet #14 IoT botnet attacks were successfully stopped and sinkholed by the German BKA and The Shadowserver Foundation, and the actor behind them was identified, arrested and prosecuted in both Germany (with the BKA) and the UK (with the NCA). Sentencing details were made public in the UK today.

Avalanche 1,2,3…

December 2, 2018
Year 3 of our ongoing Avalanche operations with international law enforcement continue to provide protection for over 2 million unique IP addresses per day against 20+ different strains of malware, including the Andromeda dropper from year two. This has required an unprecedented blocking/seizing of over 2.4 million malicious domain names to date. Sinkhole data continues to be available to subscribers via our free daily network reports.

3ve Takedown / Operation Eversion

November 27, 2018
Operation Eversion was the takedown of the highly sophisticated Boaxxe/Kovter botnet based "3ve" (pronounced "Eve") ad fraud network by the DoJ/FBI, Google, WhiteOps and other industry partners. Sinkhole data is available from Shadowserver.

VPNFilter - FBI Sinkholing

May 23, 2018
VPNFilter is a multi-stage modular malware platform designed to infect small office and home office (SOHO) routers and other network devices, believed to be connected to APT28. It was sinkholed under court order by the FBI, with infected device data being made available via Shadowserver's free daily network reports.

Avalanche year two, this time with Andromeda

December 4, 2017
On December 1st last year, the successful takedown of the long-running criminal Avalanche double fast flux platform was announced by a consortium of international public and private partners, including The Shadowserver Foundation. One year saw another milestone, with the addition of Andromeda-related domains being added to the set of Avalanche domains to be seized/blocked in a second round of LE action. This takes us to 842,000 malicious domains and another 2+ million unique infected victim IP addresses hitting the sinkholes per day and requiring remediation.

Kelihos.E Botnet - Law Enforcement Takedown

April 12, 2017
On Monday April 10th 2017, The US Department of Justice (DOJ) announced a successful operation to take down the Kelihos Botnet and arrest the suspected botnet operator.