A coordinated international law enforcement operation has taken down the Emotet botnet, one of the most prolific distributors of malware over the past decade.

This week police seized computer servers running the operation following a near two-year investigation mapping the criminal group’s infrastructure.

The joint operation involved authorities from Germany, the US, the UK, France, Lithuania, Canada, the Netherlands and Ukraine.

Europol, which coordinated the operation with Eurojust, said the infrastructure used by Emotet involved “several hundreds of servers located across the world”.

The agency said it was now redirecting infected machines to infrastructure controlled by law enforcement.

Researchers first discovered Emotet in 2014 in the form of a banking trojan. Since then its versatility has made it popular among cybercriminals, leading Europol to describe it as the “world’s most dangerous malware”.

The Emotet group spread malware via emails containing malicious Word attachments. Once opened, it would install the malware on the victim’s computer where it could steal passwords and information or launch further attacks.

During the pandemic, these malicious Word documents often purported to contain information on Covid-19 as the Emotet gang played on people’s fears.

“The take-down of Emotet is a milestone in the fight against cybercrime,” said Adolf Streda, malware analyst at anti-virus firm Avast.

“Emotet has been like a Swiss army knife, with functionalities to steal people’s passwords, steal money from their bank accounts, and also adding victim’s machines to botnets, to launch further phishing campaigns.”

Taking down Emotet marks a major victory for law enforcement. The sprawling nature of cybercrime across borders often makes it difficult to stop crime groups that have a global reach with the click of a button.

Those in the cybersecurity industry welcomed the news.

“Taking down Emotet is the equivalent of taking down an AWS or Azure major data centre,” said Chris Morales, head of security analytics at cybersecurity firm Vectra. “The immediate impact would be felt, but eventually organisations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organisations leveraging that infrastructure.”

Hugo van den Toorn, manager for offensive security at Outpost24, said: “Unfortunately, many people wrongfully think law enforcement does very little against hacking. It is great to see that these often-clandestine operations can have such a tangible effect.

“From taking down dark web marketplaces such as Hansa Market to disrupting attacker infrastructure. These operations are incomprehensively large, crossing many international borders and jurisdictions. But also requiring pinpoint accuracy in both digital and physical actions by international and local law enforcement teams.  This is a great story from the front-lines on successful international law enforcement.”

Jordan LaRose, Managing Consultant at F-Secure, said:

“One of the most difficult aspects of incident response, and combating malware at large, is taking action against attackers who are able to act anonymously and largely without penalty due to the diplomatic implications of retaliation against them. This is never truer than with a botnet like Emotet that has infrastructure distributed among countries all over the world.

“While it is likely that other attackers will rise to fill the void left by Emotet, this investigation should serve as a warning to all other malware groups that distributed attack strategies won’t protect them forever”.


Read more: Infostealers most common type of covid-themed malware