Site navigation

Emotet Botnet Shut Down Following International Police Operation

Ross Kelly



Thousands of computers used in running the world’s most dangerous hacking networks have been seized by police.

The police operation, which is a result of a collaborative effort between authorities in the UK, United States, Germany and Netherlands, disrupted the Emotet botnet, one of the most significant of its kind in the past decade.

Europol, which helped coordinate the international operation, described Emotet as being “one of the most professional and long-lasting cybercrime services” available to hackers and criminals.

The botnet enabled hackers to prey on victims first by obtaining access to their devices – often via malicious email attachments – then by selling on access to the devices to other cybercriminals.

“The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale,” Europol said in a statement.

“Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities, such as data theft and extortion through ransomware.”

Emotet was first discovered in 2014 as a banking Trojan, but the malware has since grown to become one of the go-to solutions for cybercriminals.

This highly-efficient attack method was fully automated and employed a variety of different lures to trick unsuspecting users into opening attachments, Europol said.

Email campaigns launched using the Emotet botnet frequently masqueraded as invoices, shipping notices and, most recently, information relating to the coronavirus pandemic.

“All these emails contained malicious Word documents, either attached to the email itself or downloadable by clicking on a link within the email itself,” Europol explained.

“Once a user opened one of these documents, they could be prompted to “enable macros” so that the malicious code hidden in the Word file could run and install Emotet malware on a victim’s computer.”

Disrupting Emotet Infrastructure

According to investigators at Europol, the infrastructure used by Emotet involved “several hundreds of servers located across the world”.

Many of these, the agency added, had different functionalities so as to better-manage the computers of those infected and to accelerate the spread to new devices. The extensive infrastructure has also served cybercriminals well in recent years as it made the network more resilient against attempts to shut it down.

A host of law enforcement agencies worked closely on the operation to create what Europol said was an “effective operational strategy”.

This approach enabled law enforcement and judicial authorities to gain control of the infrastructure rapidly following the police operation – effectively taking the network down from the inside.

“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure,” Europol said. “This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”


Nigel Leary, Deputy Director of the National Cyber Crime Unit, said: “Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and RYUK, which have had significant economic impact on UK businesses.

“Working with partners we’ve been able to pinpoint and analyse data linking payment and registration details to criminals who used Emotet.”

Leary added: “This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically.

“Using our international reach, the NCA will continue to work with partners to identify and apprehend those responsible for propagating Emotet Malware and profiting from its criminality.”

Ross Kelly

Staff Writer

Latest News

%d bloggers like this: