[ARTICLE] Dismantling of the Avalanche botnet (March 2017)

Five people arrested, 221 servers offline, 37 searches. This spectacular tally is the result of a long investigation carried out by Europol to dismantle one of the most important botnets, Avalanche. According to Europol, this is the largest botnet dismantling operation ever carried out. The Avalanche network had infected millions of computers in 180 countries, including France. The infected machines were mainly Windows PCs and Android smartphones.

Little bots, little bots, always little bots

The Avalanche network has been in existence since 2009. It was used to run nearly twenty different malware families, including ransomware (TeslaCrypt) and banking Trojans (Pandabanker, Tiny Banker). This network is linked to many malware families such as Bolek, Citadel, CoreBot, Marcher, Nymaim, Ranbyus, TeslaCrypt, Tiny Banker, UrlZone or Vawtrak. The latter were used to create fraudulent transfers. These sums were then laundered by the purchase of products, through a “highly organized” network of mules. In the early years, the network grew to a peak of about half a million infected computers. Avalanche had become a distribution network for malware, spam and other phishing attempts. In 2010, a report by the Anti-Phishing Working Group had already described Avalanche as “the most prolific phishing gang in the world”, noting that the Avalanche botnet was responsible for two thirds of all phishing attacks recorded in the second half of 2009.

This botnet targeted more than 40 major financial institutions, online services and job sites. Avalanche is also associated with the Zeus financial fraud botnet, and at the end of 2009 the network was already using more than 950 separate domains for its phishing campaigns. It had reached more than 800,000 domains by the time of its dismantling this week. At the height of its activity, one million emails with malicious attachments were sent each week. One of Avalanche’s technical characteristics was its camouflage infrastructure. The command and control (C&C) servers were protected not only by a maze of proxies, but also by a “double fast flux” DNS addressing system, in which the thousands of name servers and IP addresses that the zombie machines had to reach were changed every five minutes.
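The rotating name-server and IP addressing described above (commonly called double fast flux) leaves a recognizable trace in passive DNS data. The following is an added example, not taken from the article or from the investigation: it scores constructed observations polled every five minutes, and the domains, addresses and thresholds are all illustrative assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS observations (not real data), polled every 300 s:
# (unix_time, domain, record_type, value, ttl_seconds)
def build_sample():
    obs = []
    for i in range(6):
        t = i * 300
        for k in range(3):  # A and NS answers both rotate on every poll
            obs.append((t, "flux.example", "A", f"198.51.100.{10 * i + k}", 300))
        for k in range(2):
            obs.append((t, "flux.example", "NS", f"ns{2 * i + k}.flux.example", 300))
        # A records rotate but name servers stay fixed (also typical of CDNs)
        obs.append((t, "cdn.example", "A", f"203.0.113.{i}", 60))
        obs.append((t, "cdn.example", "NS", "ns1.cdn.example", 86400))
        # Ordinary domain: nothing changes between polls
        obs.append((t, "static.example", "A", "192.0.2.1", 3600))
        obs.append((t, "static.example", "NS", "ns1.static.example", 86400))
    return obs

SAMPLE = build_sample()

def churn(observations, domain, rtype):
    """Return (distinct values, polls where the answer set changed, max TTL)."""
    by_poll = defaultdict(set)
    max_ttl = 0
    for t, name, rt, value, ttl in observations:
        if name == domain and rt == rtype:
            by_poll[t].add(value)
            max_ttl = max(max_ttl, ttl)
    polls = [by_poll[t] for t in sorted(by_poll)]
    changes = sum(1 for prev, cur in zip(polls, polls[1:]) if prev != cur)
    distinct = len(set().union(*polls))
    return distinct, changes, max_ttl

def classify(observations, domain, min_distinct=5, min_changes=3, max_ttl=600):
    """Thresholds are illustrative assumptions, not values from the article."""
    def fluxing(rtype):
        distinct, changes, ttl = churn(observations, domain, rtype)
        return distinct >= min_distinct and changes >= min_changes and ttl <= max_ttl
    a_flux, ns_flux = fluxing("A"), fluxing("NS")
    if a_flux and ns_flux:
        return "double-flux"       # both layers rotate: strong indicator
    if a_flux:
        return "a-rotation-only"   # ambiguous: single flux or a legitimate CDN
    return "stable"
```

Rotation of A records alone is common for legitimate load balancing, so the NS-layer churn is the signal that separates the double-flux case here.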

A major dismantling: 830,000 domains seized!

Extensive cooperation was then established between the German and English law enforcement agencies, Europol, Eurojust, the FBI and the Pennsylvania Prosecutor’s Office. This agreement led to a four-year investigation that culminated in a major operation, held on November 30, 2016, which shut down the Avalanche network. Five people were arrested following an investigation that involved investigators and prosecutors in more than 30 countries. 37 locations were searched and 39 servers were seized. In its statement, Eurojust states that this is the largest use ever recorded of “sinkholing” (literally a funnel) against a malware control infrastructure. In all, more than 830,000 domains were seized, redirected or completely blocked. To carry out this operation, a special command post was set up in The Hague, where Europol has its headquarters.

An operation similar to that of Onymous

On November 6, 2014, in the Mission district of San Francisco, an FBI team raided the home of Blake Benthall, a 26-year-old computer scientist and former employee of SpaceX, the American company responsible for sending rockets into space. This man was suspected by the FBI of running Silk Road 2, one of the largest hidden sites specializing in the sale of drugs and fake identity documents. This FBI intervention, called Operation Onymous, was the result of a long investigation into the Dark Web aimed at unmasking the creators of the Silk Road 2 site. Silk Road had become one of the “most sought-after, vast and sophisticated criminal markets”. Buyers could acquire forged documents, drugs or methods to hack into a Gmail account in exchange for Bitcoins. The site was closed by the FBI on October 2, 2013. Its creator, Ross William Ulbricht, was arrested after the site was closed. A few weeks later, version 2 appeared. Created by Blake Benthall, Silk Road 2 had a monthly turnover of 8 million dollars and attracted more than 100,000 loyal customers worldwide. The FBI infiltrated the site as soon as it appeared. One of the undercover agents managed to join the small team created by the site manager, Blake Benthall, known as Defcon on the site.

Operation Onymous, coordinated by Europol (J-CAT cell in charge of the fight against cybercrime), Eurojust, the European Cybercrime Centre (EC3), the FBI, the services in charge of the fight against illegal immigration and the department in charge of internal security on the United States side, resulted in the closure of more than 400 camouflaged sites in the Dark Web, as well as the closure of Silk Road 2. A total of 17 arrests, including that of the leader of Silk Road 2, were made during this operation, which took place in 16 countries. Several servers were taken offline and entered. In France, two servers located in large hosting companies were seized and stopped. In addition to France, servers were seized in the United States, the Netherlands, Germany and Bulgaria.

Although Operation Onymous was a technological success, just hours after the closure of Silk Road 2 a new version had already taken over, called Silk Road 3 Reloaded. The same is true for Operation Avalanche. The operation took down the control infrastructure, not the malware itself, which remains one of the most persistent threats, as evidenced by the weekly emergence of new malware.


Even if the operation is a great success and will probably give some hackers pause for thought, the botnet phenomenon will not disappear. Recently, a new botnet known as Leet has emerged. It launches DDoS attacks of more than 650 Gbps over short periods of time. The speed with which botnets carry out increasingly powerful attacks against servers, combined with the release of the source code of some malware, has led to the emergence of a new concept: the “breakthrough paradigm”. Indeed, malware is becoming more and more complex, and therefore very difficult to contain. Without international cooperation between agencies responsible for combating cybercrime (ANSSI, BSI, Europol, etc.), malware will continue to increase given the revenues it generates for criminals. Botnets are also used to paralyze entire servers, as evidenced by the paralysis of the DNS infrastructure of the American provider Dyn last October.