Avalanche criminal network taken down in massive international operation

Avalanche was used for phishing campaigns, spreading malware, creating botnets, launching DDoS attacks and for money laundering operations.

A long-running botnet infrastructure network for criminal cyber activities was taken down in an international operation involving many law enforcement agencies from around the world. The United States Department of Homeland Security (DHS), the US Federal Bureau of Investigation (FBI), the Lüneburg Police from Germany, the UK National Crime Agency (NCA), The Shadowserver Foundation, Europol, Eurojust, and law enforcement agencies from 30 countries worked together to make the takedown of Avalanche possible.


"The volume of fraudulent activity made possible by Avalanche was incredible," said Mike Hulett, from the NCA’s National Cyber Crime Unit. "But the scale of the global law enforcement response was unprecedented as 20 strains of malware and 800,000 domains were targeted on one day. This shows how serious we are about tackling cyber crime. The internet isn’t a safe haven for criminals."

The Avalanche network was used for phishing campaigns, spreading malware, creating botnets, launching distributed denial of service (DDoS) attacks and for money laundering operations. Avalanche was a cloud-based content delivery and management platform. The network was used to run money mule schemes as well. The malware on infected machines could be used to steal user credentials, banking information and credit card details. The compromised machines could be remotely accessed by criminals. The network could also infect machines with malware that encrypts user data until the victims pay a fee to the attackers. Compromised machines could be used to spread malware to other machines.

The network was active in over 30 jurisdictions worldwide, with 37 locations raided, 39 servers seized, and 5 arrests made. Victims of the Avalanche network were spread over 180 countries, and over 40 major financial organisations were targets.


This was the largest ever operation to use sinkholing to demolish botnet infrastructure. Over 800,000 domains used by the network were either seized, sinkholed or blocked. The Europol command post was established in The Hague to ensure a smooth operation. "Avalanche shows that we can only be successful in combating cybercrime when we work closely together, across sectors and across borders," said Julian King, European Commissioner for the Security Union. "Cybersecurity and law enforcement authorities need to work hand in hand with the private sector to tackle continuously evolving criminal methods. The EU helps by ensuring that the right legal frameworks are in place to enable such cooperation on a daily basis."

The Avalanche network had been operational since 2009, and the German police had been investigating the criminals since 2012. The operation is the end result of over four years of investigation. The Shadowserver Foundation has been supporting the efforts of the law enforcement agencies for eighteen months. Over twenty different malware families were active on the Avalanche network, including Bebloh, Citadel, NewGOZ, Bugat, pandabanker, TeslaCrypt and Marcher. Avalanche was used as a fast flux botnet to support a number of other botnets including TeslaCrypt, Corebot, GetTiny and Matsnu. Antivirus partners to the operation helped by providing assistance to the victims.

While the efforts of the law enforcement agencies have protected users from exploitation by the particular group in control of Avalanche, the malware on users' machines can still be exploited by other hackers. Users are advised to scan their computers with reputable and updated antivirus software. As security precautions, users are advised to keep their operating systems and antivirus solutions updated, not click through links in fishy emails, and frequently change passwords.

Further reading

Technical alert by US DHS and FBI: Alert (TA16-336A)

Update by UK NCA: UK helps dismantle Avalanche global cyber network sending 1m fraudulent emails a week

US Department of Justice Statement: Joint Statement on Dismantling of International Cyber Criminal Infrastructure Known as Avalanche

Europol Press Release: 'Avalanche' network disabled in International cyber operation 

The Shadowserver Foundation blog post: Avalanche – Law Enforcement Take Down
