The German authorities in cooperation with the United States and Europol dismantled the Avalanche botnet.
Five people were arrested, 37 searches were carried out, 39 servers were seized, 221 servers were taken offline and more than 800,000 domains were blocked, with the help of numerous cyber security experts. It is the biggest international operation of its kind in history.
After four years of investigation, the final phase occurred on Wednesday 30 November 2016, under the leadership of the German authorities, in cooperation with their American counterparts and Europol.
Avalanche appears to have been in use since 2009 to spread malicious software and launch phishing campaigns. The botnet reportedly sent more than a million emails each week containing malicious links or attachments that infected users' computers with ransomware such as Osiris. The international investigation started in Germany after a massive ransomware infection.
Research has shown that Avalanche's main role was to steal online bank data. The botnet was also used to recruit "money mules" responsible for laundering money by making purchases.
In Germany alone, the damage from attacks on online banking systems is estimated at 6 million euros. According to Europol, hundreds of millions of euros should be added to that figure for malware spread in more than 180 countries. But according to the criminal police office, it is very difficult to give an estimate given the number of malicious strains distributed: about 20 families, including GozNym, Matsnu, URLZone, Panda Banker and XswKit.
The analysis of more than 130 terabytes of data made it possible to determine the structure of this botnet, which regularly controlled more than 500,000 machines.
It was discovered that the Avalanche botnet used the "double fast-flux" technique to avoid detection. In general terms, it makes the main server much harder to locate by using zombie computers as "reverse proxies": a single domain name is mapped to many IP addresses (the infected machines), and those mappings change rapidly, so traffic to the domain never points directly at the real back-end server.
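The defensive counterpart to fast-flux is looking for its footprint in DNS resolver logs: a name that keeps answering with fresh IP addresses spread across unrelated networks, with short TTLs, and (in the double-flux case) whose name servers rotate too. The following is an added example, not code from the article or from any of the investigating agencies. It assumes a simple constructed log format of `<epoch> <qname> <rrtype> <rdata> <ttl>` per line; the domains, addresses and thresholds are made up for illustration, and real CDN traffic would need allow-listing and tuning of the thresholds before this heuristic is used in production.

```python
"""Heuristic fast-flux / double-flux detector over DNS resolver logs.

Added example with constructed sample data; log format, domain names,
IP addresses and thresholds are assumptions for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample log: "<epoch> <qname> <rrtype> <rdata> <ttl>".
# One stable domain, one fluxing domain, plus a malformed line to show
# that the parser skips garbage instead of crashing.
SAMPLE_LOG = """\
1480500000 updates.example-static.test A 203.0.113.10 86400
1480500600 updates.example-static.test A 203.0.113.10 86400
1480501200 updates.example-static.test NS ns1.example-static.test 86400
1480500000 pay-secure.example-flux.test A 198.51.100.7 120
1480500300 pay-secure.example-flux.test A 192.0.2.44 120
1480500600 pay-secure.example-flux.test A 203.0.113.91 90
1480500900 pay-secure.example-flux.test A 198.51.100.200 60
1480501200 pay-secure.example-flux.test A 192.0.2.130 120
1480500000 pay-secure.example-flux.test NS ns-a.example-flux.test 120
1480500600 pay-secure.example-flux.test NS ns-b.example-flux.test 120
1480501200 pay-secure.example-flux.test NS ns-c.example-flux.test 90
1480501500 broken.test A notanip 60
"""

# Assumed thresholds (tune per environment; CDNs also rotate addresses).
MIN_DISTINCT_IPS = 4      # many distinct A records for one name
MIN_DISTINCT_PREFIXES = 2 # spread over unrelated /16 networks, not one pool
MAX_AVG_TTL = 300         # short TTLs force clients to re-resolve often
MIN_DISTINCT_NS = 3       # rotating name servers indicate double flux


@dataclass
class DomainStats:
    """Aggregated observations for one query name."""
    ips: set = field(default_factory=set)
    ttls: list = field(default_factory=list)
    nameservers: set = field(default_factory=set)

    @property
    def distinct_ips(self) -> int:
        return len(self.ips)

    @property
    def distinct_prefixes(self) -> int:
        # Collapse addresses into /16 networks to measure how scattered they are.
        return len({ip_network(f"{ip}/16", strict=False) for ip in self.ips})

    @property
    def avg_ttl(self) -> float:
        return sum(self.ttls) / len(self.ttls) if self.ttls else float("inf")


def parse_log(text: str) -> list:
    """Return (qname, rrtype, rdata, ttl) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _epoch, qname, rrtype, rdata, ttl = parts
        try:
            ttl_int = int(ttl)
            if rrtype == "A":
                ip_address(rdata)  # validates the address; raises ValueError if bad
        except ValueError:
            continue
        records.append((qname.lower(), rrtype, rdata, ttl_int))
    return records


def summarize(records: list) -> dict:
    """Group records per domain and collect A/NS observations."""
    stats: dict = {}
    for qname, rrtype, rdata, ttl in records:
        s = stats.setdefault(qname, DomainStats())
        if rrtype == "A":
            s.ips.add(rdata)
            s.ttls.append(ttl)
        elif rrtype == "NS":
            s.nameservers.add(rdata.lower())
    return stats


def classify(s: DomainStats) -> str:
    """Label a domain as 'stable', 'single-flux' or 'double-flux'."""
    fluxing = (
        s.distinct_ips >= MIN_DISTINCT_IPS
        and s.distinct_prefixes >= MIN_DISTINCT_PREFIXES
        and s.avg_ttl <= MAX_AVG_TTL
    )
    if not fluxing:
        return "stable"
    if len(s.nameservers) >= MIN_DISTINCT_NS:
        return "double-flux"
    return "single-flux"


def detect(log_text: str) -> dict:
    """Map every domain seen in the log to its classification."""
    return {name: classify(s) for name, s in summarize(parse_log(log_text)).items()}


if __name__ == "__main__":
    for domain, label in detect(SAMPLE_LOG).items():
        print(f"{label:12s} {domain}")
```

The prefix check is what keeps the heuristic from firing on an ordinary round-robin pool inside one network; a fluxing domain's addresses are spread across many consumer ISPs, which is exactly what the compromised-proxy model produces.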