Justice, FBI bust 2 million-computer Coreflood botnet

Agents use new tactic to disable malware on long-running operation; 13 people charged

The Justice Department and the FBI, using a new tactic, seized control of and disabled a botnet that had infected more than 2 million computers worldwide as part of an international fraud scheme, according to agency officials.

The U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unnamed defendants, charging them with engaging in wire fraud, bank fraud and illegal interception of electronic communications, Justice and FBI officials said in a joint statement.

Also, the U.S. District Court for the District of Connecticut seized 29 domain names and five command and control servers used to remotely control infected computers. The agencies also issued a temporary restraining order to replace the illegal servers with substitutes to prevent the botnet from running and to disable the malware on infected computers.

The botnet, called Coreflood, exploits computers that run Windows operating systems. It uses keystroke capture to steal private and financial information, including information on corporate networks, for the purpose of stealing funds and conducting other criminal activities. Coreflood is believed to have originated in Russia and been in operation for a decade.

Related coverage:

U.S. Marshals, Microsoft take down massive spam network

500G of data captured by single botnet

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation's information infrastructure,” said Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, in the joint statement. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

In a press release, the Connecticut attorney’s office described the effort as the “most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet.” A report in Threatpost said it is the first known instance of authorities disabling malware on infected hosts.

Identified owners of infected computers will be able to opt out of the temporary restraining order should they wish to continue running Coreflood for some reason, and authorities will not access information on the infected computers. Hundreds of thousands of computers in the United States are infected with the malware, according to the release.

In 2008, GCN reported that Coreflood had captured data from more than 225,000 online accounts, including bank, credit card, e-mail, online retail, stock trading, payment processing, mortgage and finance company accounts.

Coreflood is not the only large-scale botnet. Last month, federal law enforcement agencies and Microsoft announced that they had disabled a 1 million-computer botnet named Rustock that was responsible for sending out billions of spam messages a day.

About the Author

Kathleen Hickey is a freelance writer for GCN.


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected