Sophos Cloud Optix
A Europol cyber-bust has downed the “Avalanche” cybercrime network, a major group believed to be behind a long line of damaging phishing attacks since 2009.
The numbers emerging from the multi-agency global operation are impressive: 37 premises raided in numerous countries, 39 servers physically seized, another 221 taken offline and the final sink-holing of 800,000 rogue domains used to host malware attacks.
Surprisingly, only five suspects were arrested in countries that haven’t yet been identified.
The charge sheet against Avalanche reads like a potted history of cybercrime over the last seven years.
This was a speciality business running botnets used to target consumers with phishing emails, especially for online banks, in which it was an early innovator.
To keep this afloat, the group built a cybercrime platform capable of “fast-fluxing” or generating new cybercrime domains faster than law enforcement could take them down.
In its time, it pushed at least 20 families of malware, including the infamous as Zeus, Citadel and Vawtrak banking types. More recently, the ransomware operation took off and it spread nasties such as Cerber and TeslaCrypt.
How much money it has made for its masterminds will probably never be known but the sums must run to tens or even hundreds of millions. Its activity has been blamed for the loss of €6m ($6.4m) from German banks alone.
That it’s gone is the good news, but how long that took and what cost, should give pause for thought at the scale of what police are taking on.
Fernando Ruiz, the head of Europol’s Cybercrime Center, told The Associated Press: “We have arrested the top, the head of the snake. We are sure that this will have a very huge impact.”
We hope that’s true but the operation generated other interesting figures such as the fact that beating it took police time in 40 countries over a four-year period from 2012.
In addition to Europol, other agencies involved included the US DOJ, the FBI, Eurojust, the German Public Prosecutor’s Office Verden, the Lüneburg Police, and the US Attorney’s Office for the Western District of Pennsylvania.
That’s before you even get to consider a raft of cybersecurity vendors and researchers that aided the action.
It’s impressive but it’s clear that gathering evidence and hunting down perpetrators is long and difficult work that functions on occasional sometimes spectacular successes.
It’s the latest in a line of botnet busts, including that against Simda in 2015 and the famous action against the rapacious Gameover Zeus network a year earlier.
Going back further in time were a number of key botnet take-downs starting with Zotob in 2005 and Waledec in 2010, both aided by Microsoft’s Digital Crimes Unit (DCU).
But that history underlines how removing one network paves the way for rival criminals to move into the vacuum left behind. For the police, it’s like a never-ending digital whack-a-mole.
Cybercrime often seems to be a criminal enterprise whose perpetrators live just beyond the reach of the law. The rising number of arrests proves that accountability exists after all. But progress – even with exemplary international co-operation – remains painfully slow.
What? Not even a mention of The Shadowserver Foundation?
They played a role in this operation too, and they aren’t running on tax dollars.
The only groups we mentioned by name were selected law enforcement agencies. We thanked everyone else with the words “a raft of cybersecurity vendors and researchers”.
As far as The Shadowserver Foundation is concerned, we’re happy for you to name them specifically here.