Emotet malware botnet used to infiltrate millions of computers has been taken down

The National Crime Agency (NCA) has teamed up with law enforcement partners across the world to take down a malware botnet that was used by cybercriminals to infiltrate thousands of companies and millions of computers worldwide.

They worked for nearly two years to map the infrastructure of Emotet - a pervasive malware that not only infected computers, but also enabled other malware to gain access and cause significant damage to victim networks. Europol and Eurojust co-ordinated the operation, which saw the takedown actioned and searches of properties take place in Ukraine.


NCA investigators led the financial arm of the investigation which included tracking how the criminal network behind the malware was funded, where that funding went and who was profiteering.

Emotet was first discovered as a banking Trojan in 2014 and subsequently gained a reputation amongst the cyber crime community as a key tool to open the door for other malwares and ransomware.

Cybercriminals used Emotet as their first port of call. A botnet would send out emails to unsuspecting victims or companies with the malware either embedded in the email as a downloadable link,or included as a word doc attachment.

When people clicked into the attachments or links, they were prompted to enable content to view the document, but in doing so allowed the malware to install and take hold of their computers.

Emails would often relate to shipping notifications but would also use current events, such as Covid-19 in recent attacks, to entice recipients.Working with Emotet data, the NCA gained insight of the movement of illicit funds to pay for the infrastructure.


Analysis of accounts used by the group behind Emotet showed $10.5 Million being moved over a two-year period on just one Virtual Currency platform. NCA investigators were able to identify that almost $500,000 had been spent by the group over the same period to maintain its criminal infrastructure.

Further criminal servers identified by the NCA were also taken offline during the same operation, with at least 700 servers taken down globally with partners.

Analyst banner 1.png

HOME       |       EVENTS       |       FREE CPD       |       JOBS       |       NEWSLETTER       |       PARTNERS       |       SPONSORSHIP       |       CONTACT US