A major law enforcement operation has dismantled the infrastructure behind the DanaBot malware-as-a-service (MaaS) operation. DanaBot is a banking Trojan and botnet that is typically distributed through spam emails. It steals online banking credentials, cryptocurrency wallet data, and credit card numbers, and gives its operators remote control over infected systems. More recently, DanaBot had shifted toward acting as a loader that delivers other malware, including ransomware.
The DanaBot malware was also used to support Russia's military activities in Ukraine: two sub-botnets were dedicated to espionage in the interests of the Russian government. In total, the malware infected more than 300,000 computers worldwide and enabled fraud and cyberattacks that caused an estimated $50 million in damages.
The DanaBot takedown was part of Operation Endgame, a global law enforcement action coordinated by Eurojust and Europol. This phase of the operation seized 300 servers, neutralized 650 domains, and resulted in arrest warrants for 20 individuals. Authorities seized more than EUR 3.5 million (about $3.97 million) during this action, bringing the total seized under Operation Endgame to around EUR 21.2 million (about $24.04 million).
In connection with this action, the U.S. Department of Justice charged 16 Russian nationals with developing, deploying, and administering DanaBot. Two of them are from Novosibirsk, Russia: 39-year-old Aleksandr Stepanov (also known as JimmBee), the alleged leader of the operation, and 34-year-old Artem Aleksandrovich Kalinkin (also known as Onix). Stepanov is alleged to have worked with co-conspirators to develop DanaBot, advertise it on Russian-language criminal forums, and sell subscriptions to the malware.
Kalinkin is charged with selling the malware and supporting the criminals who bought subscriptions, and, together with co-conspirators, with using the stolen data (which may include PII and PHI) to commit fraud and obtain money from financial institutions. Kalinkin faces a maximum of 72 years in federal prison, while Stepanov faces up to 5 years. Both remain at large and are believed to be in Russia. Some of the indicted individuals were identified because their own computers were accidentally infected with DanaBot: the malware stole sensitive information from their PCs and uploaded it to the command-and-control servers, which were seized during the operation and examined by law enforcement.