Media Coverage

Shadowserver in the news

Police around the world learn to fight global-scale cybercrime

The Conversation, April 26, 2017

From 2009 to 2016, a cybercrime network called Avalanche grew into one of the world’s most sophisticated criminal syndicates. It resembled an international conglomerate, staffed by corporate executives, advertising salespeople and customer service representatives. Our study of Avalanche, and of the groundbreaking law enforcement effort that ultimately took it down in December 2016, gives us a look at how the cybercriminal underground will operate in the future, and how police around the world must cooperate to fight back.

Kelihos Botnet Had Around 60K Bots When It Was Taken Down (Fourth Time's a Charm)

Bleeping Computer, April 12, 2017

The Kelihos botnet is no more. Or at least that’s what authorities hope happens, after attempting to bring it down three times in the past, but to no avail. This time around, the takedown attempt has more chances of succeeding because authorities arrested Kelihos’ main maintainer, a Russian national known as Pyotr Levashov, or Peter Severa. This time around, US authorities, with help from the Shadowserver Foundation and CrowdStrike, hope this fourth takedown attempt works better.

How the FBI Took Down Russia's Spam King—And His Massive Botnet

Wired Magazine, April 11, 2017

As part of the operation, security researchers and the FBI teamed up to dismantle the Kelihos botnet itself, targeting three domains used to run the network—,, and—and redirecting traffic from infected computers to new servers controlled by authorities and the ShadowServer Foundation, a volunteer anti-cybercrime group, a process that’s known in cybersecurity circles as “sink-holing.”

MongoDB ransom attacks soar, body count hits 27,000 in hours

The Register, January 9, 2017

MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day. Criminals are accessing, copying and deleting data from unpatched or badly-configured databases. In the Antipodes, the Australian Communications and Media Authority has been reporting exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit.

It took 4 years to take down 'Avalanche', a huge online crime ring

Wired, December 2, 2016

ON THURSDAY, A group of international law enforcement agencies announced that it had completed an ambitious takedown of an extensive online criminal infrastructure called “Avalanche.” It’s one of the largest botnet takedowns ever, a four-year effort that turned up victims in 180 countries worldwide. Which is to say, nearly all of them. The scale of Avalanche is overwhelming, as was that of the effort to unwind it.

Audacious Android scam hacks a million Google accounts to boost app ratings

CSO Online, December 1, 2016

A new Android scam is hacking Google accounts just to help apps get discovered in Google Play’s crowded marketplace of two million apps. Google is working with ISPs, security firms and handset makers to fight Android malware, dubbed Gooligan, that has compromised a million Google Accounts to boost ratings on select apps in Google Play.

Legal raids in five countries seize botnet servers, sinkhole 800,000+ domains

Ars Technica, December 1, 2016

A botnet that has served up phishing attacks and at least 17 different malware families to victims for much of this decade has been taken down in a coordinated effort by an international group of law enforcement agencies and security firms. Law enforcement officials seized command and control servers and took control of more than 800,000 Internet domains used by the botnet, dubbed “Avalanche,” which has been in operation in some form since at least late 2009. The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a “Double Fast Flux” botnet.

Android 'Gooligan' Hackers Just Scored The Biggest Ever Theft Of Google Accounts

Forbes, November 30, 2016

A new variant of Android malware is responsible for what’s believed to be the biggest single theft of Google accounts on record. The so-called Gooligan strain has infected as many as 1.3 million Android phones since August, completely prising the devices open and stealing the tokens users are given to verify they are authorized to access accounts. Its main aim, though, is not to pilfer all that juicy data in Gmail or Docs, but to force users into downloading apps as part of a huge advertising fraud scheme, making as much as $320,000 a month.

Security Firm Detects 57M Attempts to Exploit 2-Year-Old Router Firmware Backdoor

Bleeping Computer, November 21, 2016

The case of the Netis router firmware backdoor shows you that even if a company puts out a patch to resolve security issues, the problem lingers on for years, as users fail to update their devices, or the patch itself fails to properly fix the issue. A more accurate statistics for the number of compromised Netis routers is provided by The Shadowserver Foundation, which claims to have identified over 15,000 hacked Netis routers, which is more than enough to build powerful DDoS botnets and bring down websites.

Hackers hacking hackers to knacker white hat cracker trackers

The Register, April 14, 2016

ACSC2016 Malware writers are selling each other out to white hats and hacking through each other’s infrastructure to frame rivals, Shadowserver’s Richard Perlotto says.