FBI Shuts Down $14 Million Malware Ring

U.S. federal authorities have taken down a malware operation that has been responsible for infecting millions of computers worldwide. 

"Working primarily from Estonia and Russia, the defendants effectively hijacked four million computers in a hundred countries -- including half a million computers in the United States," wrote the U.S. Attorney's office, in an FBI press release. "Those half-million U.S. computers include those used by individuals, as well as computers housed in businesses and government entities such as NASA."

The two-year investigation, named "Operation Ghost Click," centered on seven Eastern European suspects who are alleged to have stolen more than $14 million via malware on both Macs and PCs. The malware, called a "DNS Changer," redirects users who attempt to visit a legitimate Web site to fraudulent IP addresses. The affected sites include Netflix, the IRS Web page and iTunes, among 15,000 other domains.

In a joint effort with security firms, including Trend Micro, the FBI raided two datacenters located in Chicago and New York City on Tuesday, shut down the main command and control (C&C) node and took control of the rogue DNS servers. At the same time, Estonian police took into custody six individuals suspected of perpetrating the ring.

According to Trend Micro, the individuals now in custody ran their operation under the guise of a tech company known as Rove Digital.

"Rove Digital is a seemingly legitimate IT company based in Tartu with an office where people work every morning," wrote Feike Hacquebord, senior threat researcher at Trend Micro, in a blog post. "In reality, the Tartu office is steering millions of compromised hosts all over the world and making millions in ill-gained profits from the bots every year."

Each of those accused has been charged with five counts of computer and wire fraud, with one individual, Vladimir Tsastsin, additionally charged with 22 counts of money laundering. If found guilty of all charges, each defendant could receive 85 years in prison, with Tsastsin receiving an additional 10 years for each money laundering count.

The FBI has replaced the illegal DNS servers with legitimate ones. The FBI is advising those affected to consult a computer professional to remove the DNS Changer malware.
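Because this malware works by pointing a host at rogue resolvers, a basic defender check is to compare the resolver addresses a host is configured with against the ranges an organisation expects. The following is an added example, not code from the article or from any of the parties it names; the allowlist ranges, the resolv.conf-style sample and the 203.0.113.0/24 "rogue" address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of a resolver configuration in /etc/resolv.conf style.
# 203.0.113.0/24 is reserved for documentation (RFC 5737) and stands in here
# for a rogue resolver address; it is a placeholder, not a real indicator.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.7
nameserver 10.0.0.53
"""

# Assumed allowlist of resolver ranges hosts are expected to use: the
# organisation's internal resolvers plus one approved public range.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("1.1.1.0/24"),  # placeholder for an approved public resolver
]


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            pass  # malformed entry: skip it rather than abort the check
    return servers


def unexpected_resolvers(resolv_conf: str, allowed=EXPECTED_RESOLVERS) -> list:
    """Return resolver addresses (as strings) not covered by any allowed network."""
    return [str(ip) for ip in parse_nameservers(resolv_conf)
            if not any(ip in net for net in allowed)]


if __name__ == "__main__":
    for ip in unexpected_resolvers(SAMPLE_RESOLV_CONF):
        print(f"resolver {ip} is outside the expected ranges; check the host for DNS tampering")
```

On a real host the same check would read the live resolver configuration instead of the embedded sample, and on Windows the equivalent data comes from the network adapters' DNS server settings.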

About the Author

Chris Paoli is the site producer for and