
Disrupting cyberthreats since 2008

For more than a decade, the Microsoft Digital Crimes Unit (DCU) has persistently disrupted cybercrime and nation-state threats targeting people, organizations, and critical infrastructure. Explore major disruptions—and the ongoing cases and operations behind them. 


May 2026

Fox Tempest

Ransomware Cybercrime tools and services Malware

Fox Tempest is a sophisticated cybercrime operation that abused malicious code signing and trusted development infrastructure to enable the deployment of malicious code—including ransomware—at scale. By exploiting trust in signed artifacts, the actors increased the likelihood that their payloads would evade detection and execute across enterprise and critical environments worldwide.

Recognizing the risk posed by this activity, Microsoft’s Digital Crimes Unit (DCU), in coordination with global partners, pursued a civil legal and technical disruption. Through court-authorized action, Microsoft seized online infrastructure supporting the operation and took steps to limit the actor’s ability to abuse Microsoft’s artifact signing services. DCU also shared extensive information regarding this threat with law enforcement globally. These actions disrupted the service’s infrastructure and reduced the actor’s ability to leverage trusted signing mechanisms at scale.

February 2026

Tycoon 2FA

Cybercrime tools and services Fraud

Cybercriminals operating Tycoon 2FA ran one of the world’s largest phishing‑as‑a‑service operations, enabling impersonation attacks that bypassed multi-factor authentication and turned stolen identities into access for fraud, data theft, and ransomware. The service fueled tens of millions of malicious emails each month, impacting an estimated 96,000 victims since 2023—including over 55,000 Microsoft customers—with healthcare and education organizations hit hardest, causing disruptions, delayed care, and financial losses. In a coordinated public‑private action, the DCU, Europol, and global law enforcement seized 330 domains tied to Tycoon 2FA’s core infrastructure, cutting off a major pipeline for identity‑based abuse. Industry partners expanded telemetry and victim insights, while cross‑border coordination accelerated takedowns, underscoring how sustained, ecosystem‑wide disruption—especially as cybercrime scales through AI—can measurably reduce harm and raise the cost of cybercrime. 

January 2026

RedVDS

Cybercrime tools and services Fraud AI abuse

RedVDS operated as a Cybercrime-as-a-Service (CaaS) platform, providing cybercriminals with cheap, disposable, and unlicensed Windows-based virtual desktops that enabled large-scale phishing, business email compromise (BEC), account takeover, and fraud, augmented with generative AI tools to identify targets and create impersonation content. Since March 2025, RedVDS-enabled activity drove approx. $70 million in reported fraud losses in the US alone, impacting individuals and organizations in sectors like healthcare, real estate, and financial services, including a pharmaceutical company that lost $7.3 million in a single BEC incident. In response, the DCU—working with law enforcement in the US, UK, Germany, and Europol, and supported by private-sector partners—executed coordinated legal and technical actions to seize RedVDS infrastructure, take its marketplaces and customer portals down, and dismantle its core operating model, disrupting a key enabler of global cyber-enabled fraud at scale.

September 2025

RaccoonO365

Cybercrime tools and services Fraud AI abuse

RaccoonO365 was a fast‑growing phishing‑as‑a‑service operation that sold ready‑made kits spoofing Microsoft branding, sign‑in pages, and emails—enabling criminals to steal at least 5,000 Microsoft 365 credentials across 94 countries since July 2024. As the service evolved, its operators launched a new AI‑powered offering to further scale phishing campaigns. The DCU identified RaccoonO365 as a high‑velocity threat and, working with Health‑ISAC due to risks to the healthcare sector, obtained a court order from the US District Court for the Southern District of NY to seize 338 malicious domains while coordinating with Cloudflare to dismantle evasive infrastructure. These actions severed the connection between attackers and victims, disrupted the monetization of stolen credentials, and raised costs for the phishing economy. In December 2025, investigations with global partners led to arrests in Nigeria linked to RaccoonO365, reinforcing the impact of public‑private disruption efforts.

May 2025

Lumma Stealer

Malware Ransomware Cybercrime tools and services

Lumma Stealer is a Malware‑as‑a‑Service (MaaS) tool used by hundreds of cybercriminals to steal credentials, financial data, and cryptocurrency wallets, enabling ransomware, fraud, and other attacks. From March–May 2025, 394,000+ Windows devices were infected, impacting consumers, schools, and organizations across finance, logistics, and other sectors, with losses ranging from emptied bank accounts to service disruption. In a coordinated response, the DCU—working with the US Dept. of Justice, Europol EC3, Japan’s JC3, and private‑sector partners like Cloudflare, ESET, Lumen, and key domain registries—seized ~2,300 malicious domains, dismantled Lumma’s infrastructure and marketplaces, and redirected 1,300+ domains to Microsoft sinkholes, significantly degrading the malware’s ecosystem and criminal revenue. The DCU’s disruption of Lumma remains ongoing, with the threat now integrated into Microsoft’s Statutory Automated Disruption program to sustain pressure and prevent reconstitution.

December 2024

FizzDogg

AI abuse Cybercrime tools and services

FizzDogg, also tracked as Storm-2139, was an abuse operation that exploited stolen Azure OpenAI API keys to generate and distribute offensive content, including non-consensual intimate images of celebrities and other sexually explicit materials, violating Microsoft’s Terms of Use and undermining trust in AI services. The DCU identified the group as an “AI-abuse-as-a-service” provider that used credential theft and layered infrastructure to bypass safety safeguards. To neutralize this threat, the DCU led a coordinated legal and technical disruption, securing a court order to seize the domains used to sell unauthorized AI access and automate the abuse. By dismantling this system, the DCU severed the group’s revenue streams and curtailed its ability to weaponize generative AI. This intervention protected the integrity of AI services and demonstrated Microsoft’s commitment to enforcing the responsible use of AI while raising costs for actors attempting to exploit emerging technologies.

November 2024

Fake ONNX

Cybercrime tools and services Fraud

Fake ONNX, also tracked as Caffeine, was a Phishing-as-a-Service (PaaS) operation that sold “do-it-yourself” kits enabling adversary-in-the-middle attacks to bypass multifactor authentication and drive large-scale account takeovers. Victims across sectors—especially financial services—suffered stolen credentials and downstream harm, including financial fraud, data theft, and ransomware, with some losing substantial sums of money that could be difficult to recover. To disrupt the cybercrime supply chain, the DCU, alongside LF Projects (Linux Foundation), secured a court order to seize 240 fraudulent domains tied to the operation’s storefronts and infrastructure, cutting off access to the kits and raising the cost of abuse. Accountability followed: in February 2026, Egypt’s Economic Court sentenced Abanoub Nady and other members of the cybercrime group to two to three years’ imprisonment and fines of approximately USD $30,000.

September 2024

Star Blizzard

nation-state

Star Blizzard is a Russian state-affiliated actor that targets government officials and NGOs through sophisticated spear-phishing to undermine democratic processes. The DCU identified the group as a primary threat to global civil society and spearheaded a legal intervention to dismantle its operations. Joined by the NGO-ISAC, the DCU secured a federal court order to seize 66 domains while coordinating with the US Department of Justice to neutralize over 100 malicious sites. This disruption shielded thousands of targets and increased operational costs for the actor. By disabling this infrastructure, the DCU reinforced international norms and provided vital protection for organizations critical to democratic stability.

September 2023

Storm-1152

Fraud AI abuse Cybercrime tools and services

Storm-1152, based in Vietnam, was a major Cybercrime-as-a-Service (CaaS) operation selling fraudulent Microsoft accounts and tools to bypass identity and CAPTCHA safeguards. The actor used automation and AI-assisted techniques to scale account creation, adapt to defensive controls, and evade detection—reducing the cost and effort for criminals to conduct phishing, spam, ransomware, extortion, and DDoS campaigns. Storm-1152 created ~750 million fraudulent Microsoft accounts, generating millions in illicit revenue while imposing fraud, security, and operational costs across the digital ecosystem. Threat actors such as Octo Tempest (Scattered Spider) relied on Storm-1152-supplied accounts to support social engineering and financial extortion campaigns. To disrupt these activities, the DCU—working with Arkose Labs and cross-functional Microsoft teams—combined AI detection and legal action to seize Storm-1152’s infrastructure, reducing fraudulent sign-ups by ~60% and degrading its operations.

April 2023

Cracked Cobalt Strike

Cybercrime tools and services Ransomware Malware

Cobalt Strike is a commercially available penetration-testing tool originally built for security professionals to simulate cyberattacks and identify network vulnerabilities. Unfortunately, unauthorized, “cracked” versions of the tool have become a preferred way for ransomware groups and nation-state actors to deploy malware. The DCU identified the widespread abuse of this software as a critical factor in high-impact intrusions across the globe. To blunt this threat, the DCU spearheaded a first-of-its-kind legal action with Fortra and Health-ISAC, obtaining a court order to disrupt the malicious infrastructure hosting cracked legacy versions of Cobalt Strike. Recognizing the need to continue pressure on the ecosystem, DCU continuously identifies and disrupts newly stood-up infrastructure as it emerges through its Statutory Automated Disruption (SAD) and Court Monitor programs.

May 2022

Smoke Sandstorm

nation-state

Smoke Sandstorm, also tracked as Bohrium, is an Iran-based threat actor that conducted strategic espionage and disruptive operations against the government, transportation, and technology sectors. The group utilized spear-phishing and custom malware to harvest credentials and maintain persistence within critical networks. Microsoft identified these activities as a significant risk to regional stability, resulting in the DCU taking legal action to neutralize the threat. By securing a federal court order, the DCU seized the malicious domains used for command-and-control while a Court Monitor program allowed the DCU to rapidly dismantle new infrastructure as it emerged. This sustained intervention severed the actor’s access to sensitive data and significantly hindered its ability to conduct reconnaissance, protecting organizations across the Middle East from state-sponsored interference.

April 2022

ZLoader

Malware Ransomware Cybercrime tools and services

A global cybercrime group operating the ZLoader Malware-as-a-Service (MaaS) botnet leveraged advanced evasion techniques, including a domain generation algorithm (DGA), to steal credentials, disable security tools, and deliver follow-on ransomware such as Ryuk, which repeatedly targeted healthcare organizations. The threat actor hit businesses, hospitals, schools, and consumers, enabling account takeovers, financial theft, and extortion—putting patient safety and critical services at risk. To disrupt it, the DCU obtained a US federal court order seizing 65 command-and-control and 319 additional DGA domains, redirecting them to Microsoft sinkholes and blocking future registrations. The action combined legal and technical measures with partners including ESET, Black Lotus Labs, Unit 42, FS-ISAC, Health-ISAC, Avast, and Microsoft security teams, plus referrals to law enforcement and ISP coordination—demonstrating an ecosystem-wide approach to disrupting organized cybercrime.

December 2021

Nylon Typhoon

nation-state Ransomware Cybercrime tools and services

Nylon Typhoon, also tracked as Nickel, is a China-based threat actor that conducted sophisticated espionage against government agencies, diplomatic entities, and NGOs across 29 countries. The group exploited unpatched vulnerabilities to deploy custom malware, allowing for long-term persistence and the exfiltration of sensitive data. Microsoft identified these activities as a strategic threat to international organizations, resulting in the DCU initiating a landmark legal action to disrupt the actor’s global reach. By securing a court order, the DCU seized control of the group’s malicious infrastructure, redirecting traffic from compromised sites to secure servers. A Court Monitor oversaw the case until June 2025, allowing the DCU to swiftly dismantle new infrastructure used by the actor. This proactive intervention effectively severed the actor’s command-and-control capabilities, protecting high-value targets and slowing state-sponsored espionage.

March 2021

Emotet

Malware

Emotet was first observed by Microsoft in July 2014 as a globally distributed banking and financial trojan and malware-distribution botnet. The DCU identified Emotet as a foundational threat to the global economy due to its ability to sell “access” to compromised corporate and government networks. The DCU played a key private-sector partner role in Europol’s coordinated disruption of Emotet by providing critical threat intelligence and technical analysis that enabled law enforcement to identify and seize the botnet’s command-and-control infrastructure. While the operation was led by international law enforcement, the DCU’s support helped make the coordinated takedown effective at scale and reduced Emotet’s use as a primary gateway for ransomware and other cybercrime.

October 2020

Trickbot

Malware Ransomware Cybercrime tools and services

Trickbot was a sophisticated, globally dispersed botnet that evolved from a financial trojan into a dominant ransomware distributor and a primary threat to election integrity. Microsoft identified Trickbot as a systemic risk due to its ability to disable security software and provide backdoors for attacks like Ryuk. To dismantle this cybercrime engine, the DCU, working with public- and private-sector partners such as FS-ISAC, ESET, NTT, Symantec, and law enforcement, coordinated a disruption, including securing a federal court order to disable the botnet’s infrastructure. By also working with global telecommunications providers, the DCU severed the links between the operators and their network of millions of devices, including compromised routers. This strategic intervention prevented the potential deployment of ransomware against critical voting infrastructure and demonstrated the DCU’s unique ability to protect democratic processes through large-scale technical and legal leadership.

July 2020

COVID-19 Bonus Phishing

Fraud

COVID-19 Bonus was a business email compromise (BEC) campaign that rapidly adapted to global events, using pandemic-themed lures to target victims worldwide. First identified by the DCU in December 2019, the campaign evolved to exploit COVID-19-related financial anxieties, with phishing emails falsely promising a “COVID-19 Bonus” to induce engagement. Instead of stealing credentials directly, the actors leveraged “consent phishing,” tricking users into granting a malicious web application access to their Microsoft 365 accounts—enabling unauthorized access to emails, contacts, and sensitive business data. Recognizing the scale and adaptability of the operation, DCU pursued a civil action in the US, obtaining a court order to seize key domains used in the attackers’ infrastructure. This action disabled the core delivery mechanism for the phishing campaign, preventing further compromise and disrupting follow-on BEC fraud schemes that relied on access to victim accounts.

March 2020

Necurs

Malware Ransomware Cybercrime tools and services

Necurs was a prolific botnet that infected over nine million computers, serving as a primary global delivery engine for banking trojans and ransomware. The DCU identified Necurs as a foundational threat to the digital ecosystem due to its massive spam output and ability to rent infected devices to other criminals. To neutralize this operation, the DCU orchestrated a coordinated strike across 35 countries. By reverse-engineering the botnet’s algorithm, the DCU predicted and blocked over six million future domains while securing a court order to seize its US infrastructure. This intervention effectively severed the botnet’s command-and-control, protecting millions of users and demonstrating the DCU’s expertise in dismantling the world’s most resilient criminal networks.

December 2019

Emerald Sleet

nation-state

Emerald Sleet, also tracked as Thallium, is a North Korea-based state actor that targeted government officials, human rights organizations, and nuclear-proliferation experts to conduct long-term espionage. The DCU identified the group’s use of fraudulent domains mimicking Microsoft services to harvest credentials and maintain persistent access to sensitive networks. To disrupt this threat, the DCU initiated a strategic civil action in the US District Court for the Eastern District of Virginia, securing a court order to seize 50 malicious domains used for command-and-control. This disruption, supported by a persistent Court Monitor, allows the DCU to swiftly neutralize new infrastructure as it emerges. By severing these communication lines, the DCU protects high-value targets and significantly hinders the actor’s ability to conduct unauthorized surveillance and data exfiltration.

March 2019

Mint Sandstorm

nation-state

Mint Sandstorm, also tracked as Phosphorus, is an Iran-based threat actor that targeted prominent individuals in business and government, including activists and journalists, to conduct long-term espionage. Microsoft Threat Intelligence identified the group’s use of highly tailored spear-phishing and custom malware to compromise sensitive accounts and maintain persistent access. To neutralize this threat, the DCU initiated a strategic legal action in the US District Court for the District of Columbia, securing a court order to seize the malicious domains used for credential harvesting and command-and-control. This disruption, supported by an ongoing Court Monitor, enables the DCU to rapidly dismantle new infrastructure as it is identified. By severing these operational links, the DCU protects high-value targets and significantly raises the cost for the actor to maintain its surveillance capabilities.

November 2017

Gamarue

Malware Cybercrime tools and services

Gamarue, also tracked as Andromeda, was a prolific botnet and “crime kit” that facilitated the distribution of over 80 malware families, including ransomware and banking trojans. Microsoft Threat Intelligence identified Gamarue as a major threat to global security due to its ability to disable system defenses and evade automated analysis. To dismantle this infrastructure, the DCU spearheaded a global investigation in coordination with Europol, the FBI, Germany’s Federal Office for Information Security (BSI), and ESET. Following a landmark legal filing, the DCU secured a court order to seize and sinkhole 1,500 malicious domains used for command-and-control. This massive disruption severed the link between millions of infected devices and their operators, effectively neutralizing a foundational engine of cybercrime. Through this leadership, the DCU protected millions of users and crippled a key monetization model for global threat actors.

November 2017

Avalanche

Fraud Malware

Avalanche was a criminal syndicate and infrastructure used for large-scale phishing, online banking fraud, ransomware, and money mule operations. The Avalanche network—composed of owned, rented, and compromised systems—enabled cybercriminals to host and rapidly distribute multiple malware families, targeting victims worldwide, including more than 40 major financial institutions. Victims faced the theft of sensitive personal and financial data such as account credentials and banking information, while compromised machines were further abused to propagate malware, launch denial-of-service attacks, and support downstream criminal activity. Through coordinated disruption efforts led by the DCU, in close partnership with Fraunhofer, the Shadowserver Foundation, the FBI, Germany’s Federal Office for Information Security, and Europol’s European Cybercrime Centre, this criminal infrastructure was dismantled—cutting off a key enabler of fraud, malware distribution, and money laundering.

October 2017

Brass Typhoon

nation-state

Brass Typhoon, also tracked as Barium, is a China-based nation‑state threat actor that targeted the global gaming and internet-content industries to exfiltrate high-value intellectual property and sensitive data. Microsoft Threat Intelligence identified the group’s use of a specialized malware toolkit designed for stealthy credential theft and persistent network exploitation. To neutralize this threat, the DCU initiated a strategic legal action in the US District Court for the District of Columbia, securing a court order to seize the malicious domains used for command-and-control. A Court Monitor oversaw the case until November 2018, allowing the DCU to swiftly dismantle new infrastructure used by the actor. This proactive intervention protected countless organizations from unauthorized surveillance and sophisticated state-sponsored espionage.

August 2016

Forest Blizzard

nation-state

Forest Blizzard, also tracked as Strontium, is a Russian state-affiliated actor that leveraged zero-day exploits and spear-phishing to target government agencies, think tanks, and sporting organizations worldwide. Microsoft Threat Intelligence identified the group as a persistent threat to democratic institutions and international stability, particularly during its campaigns to disrupt the 2020 Tokyo Olympics and target Ukrainian infrastructure. To neutralize these operations, the DCU spearheaded multiple strategic legal actions, securing court orders to seize the actor’s command-and-control domains. Supported by a long-term Court Monitor until March 2025, the DCU was able to rapidly dismantle new malicious infrastructure as it emerged. This sustained intervention severed the actor’s access to sensitive networks, protected high-value targets from state-sponsored espionage, and demonstrated the DCU’s global leadership in defending the digital ecosystem.

December 2015

Dorkbot

Malware

Dorkbot was a rapidly evolving “botnet-in-a-box” malware operation spread through removable media and messaging services, enabling cybercriminals to steal personal and financial information and deliver malware at scale. By 2015, Microsoft had identified ~100,000 new infections per month, with millions of devices globally compromised, creating significant risk to consumers and enterprises and generating billions of daily communications between infected machines and criminal infrastructure. In response, the DCU, working with global partners including the FBI, Europol, INTERPOL, national CERTs, and ISPs, provided intelligence that enabled the physical seizure of command-and-control servers and redirected malicious traffic to Microsoft-managed sinkholes, where advanced analytics and cloud-scale AI-driven data processing delivered near-real-time insight, supported victim notification and remediation, and fed threat intelligence back into Microsoft’s platforms to help prevent reinfection.

February 2015

Ramnit

Malware Fraud

Ramnit was a stealthy botnet designed to harvest banking credentials, passwords, and personal files, giving cybercriminals remote control over millions of devices while evading traditional defenses via rapidly shifting command-and-control (C2) infrastructure. At its peak, Ramnit infected approximately 3.2 million computers worldwide, contributing to broader economic harm from botnets that accounted for 34% of observed cyberattacks in 2014 and enabled large-scale fraud and identity theft affecting consumers, enterprises, and financial institutions. In a coordinated disruption led by Europol’s European Cybercrime Centre, the DCU worked with Symantec, AnubisNetworks, national law enforcement agencies across Europe, and ISPs to shut down C2 servers and redirect 300 malicious domains, using cloud-scale analytics and near-real-time data processing to analyze hundreds of thousands of daily botnet communications, support victim remediation, and materially degrade Ramnit’s ability to operate. 

April 2015

Simda

Malware Fraud

Simda was a sophisticated botnet used by cybercriminals to gain remote access to infected computers, steal personal and banking credentials, and distribute malware through a pay-per-install criminal model that regenerated variants to evade detection. The operation infected over 770,000 computers in over 190 countries, with 90,000 new infections detected in the US in the first two months of 2015, exposing individuals, financial institutions, and internet networks to fraud, data theft, and traffic interception. In a coordinated global disruption, INTERPOL, the FBI, and other law enforcement partners worked with the DCU, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute to seize and dismantle servers in multiple countries, using large-scale data analytics and heat-mapping techniques to identify infrastructure and victim impact, while redirecting traffic, supporting remediation through free cleaning tools, and significantly degrading Simda’s ability to operate. 

July 2014

Caphaw

Malware Fraud

Caphaw was a financially motivated banking botnet designed to steal online banking credentials and enable fraudulent transactions by targeting banks and their customers, particularly across Europe. The malware spread at scale through social and communication platforms such as Facebook, YouTube, and Skype, as well as via removable drives and drive-by downloads, allowing cybercriminals to rapidly compromise consumer and enterprise devices and expose victims to account takeover, identity theft, and significant financial losses. To disrupt the threat, the DCU worked closely with UK law enforcement and financial industry partners, leveraging intelligence-sharing collaborations such as the FS-ISAC to provide near-real-time visibility into malware infections affecting tens of millions of unique IP addresses and using cloud-based analytics on Microsoft Azure to support infrastructure takedowns, accelerate remediation, and strengthen protection for financial institutions and customers. 

June 2014

GameOver Zeus

Malware Fraud

GameOver Zeus was a highly destructive financial malware operation, built as a peer-to-peer botnet—a design that eliminated centralized command-and-control servers—to steal banking credentials and deliver ransomware. The malware infected more than one million computers worldwide and was linked to over $100 million in financial losses, impacting individuals, businesses, financial institutions, and critical services as stolen credentials were monetized and ransomware attacks escalated. In 2014, a coordinated disruption known as Operation Tovar brought together the DCU, the FBI, Europol, Interpol, national law enforcement agencies, and private-sector partners, including industry security firms and ISPs, using large-scale data analytics and sinkholing techniques to seize domain infrastructure, sever botnet communications, redirect infected machines, and provide remediation support—significantly degrading GameOver Zeus’s ability to operate, propagate, and generate criminal revenue.

June 2014

Bladabindi & Jenxcus

Malware Fraud Cybercrime tools and services

Bladabindi (NJRat) and Jenxcus (NJw0rm) were highly prevalent families of malware that enabled remote access, credential theft, surveillance, and other malware distribution, allowing cybercriminals to maintain control over infected machines. Microsoft observed more than 7.4 million detections in a single year, with infections affecting millions of customers worldwide, exposing victims to data theft, fraud, and disruption. To disrupt the threat, the DCU filed a civil action in US federal court, securing authority over 23 abused dynamic DNS domains used to control the malware, and—working with ISPs, global CERTs, A10 Networks, and industry partners—redirected malicious traffic to Microsoft-managed sinkholes. Using cloud-scale analytics on Microsoft Azure and advanced malware analysis, Microsoft identified infected systems, shared intelligence through its Cyber Threat Intelligence Program, enabled remediation, and significantly degraded the criminals’ ability to execute their operations.

December 2013

ZeroAccess

Malware Fraud

ZeroAccess, also tracked as Sirefef, was a peer-to-peer botnet used for large-scale fraud, including click fraud and malware distribution. The malware compromised millions of computers globally, imposing significant remediation costs on consumers, enterprises, and the broader digital ecosystem as infected devices were exploited for criminal gain. In a coordinated disruption, the DCU filed a civil action in US federal court and worked closely with Europol’s European Cybercrime Centre (EC3) and national law enforcement agencies, including Germany’s BKA and cybercrime units across Europe, to identify and cut off fraudulent infrastructure, monitor criminal attempts to reconstitute the botnet, and rapidly trace newly deployed IP addresses—ultimately prompting the operators to abandon the botnet entirely, underscoring the effectiveness of sustained public-private partnerships in degrading and dismantling complex cybercrime operations. 

June 2013

Citadel

Malware Fraud

Citadel was a sophisticated Zeus-derived banking Trojan used to steal online banking credentials and identities at scale, including by logging keystrokes and conducting man-in-the-middle attacks—injecting pop-ups and monitoring web traffic to trick victims into entering sensitive financial information on legitimate sites. It compromised ~5 million PCs and was tied to more than $500M in theft, impacting consumers, businesses, and dozens of major financial institutions. To disrupt the operation, the DCU—working with the FBI and financial services and technology partners—used a US civil court order to seize and disable key command-and-control infrastructure supporting ~1,400 botnets, raising the cost and risk for the criminals and enabling broader remediation and follow-on investigations. 

June 2013

Bamital

Malware Fraud

Bamital was a large-scale botnet designed to hijack internet search results, redirecting users to malicious sites for malware delivery, spyware installation, and click fraud, undermining trust in search and advertising ecosystems. The malware infected more than 8 million computers worldwide, exposing victims to identity theft and financial harm, while defrauding the online advertising industry. To disrupt the threat, the DCU partnered with Symantec, filed a civil lawsuit, and—under court authorization and with support from the US Marshals Service—seized botnet infrastructure across multiple US hosting facilities, severing command-and-control links. As part of the operation, Microsoft and Symantec redirected victim traffic to a remediation site, shared intelligence with ISPs and CERTs, and used the takedown data to strengthen broader protections—demonstrating how coordinated public-private action can dismantle criminal infrastructure and protect millions of users.

September 2012

Nitol

Malware Cybercrime tools and services

Nitol was a botnet discovered through Microsoft research on insecure technology supply chains. It used over 70,000 subdomains hosted on the 3322.org dynamic DNS service to distribute more than 500 different malware strains. The malware infected millions of computers globally, often arriving on compromised software before the machines reached consumers, exposing victims to credential theft and fraud while undermining trust in PCs. To disrupt the threat, the DCU filed a civil action that led to a landmark settlement with the 3322.org operator. Working with the operator and the China Computer Emergency Response Team (CN-CERT), Microsoft blocked the abused subdomains, redirected their traffic to managed sinkholes, and supported victims. In just 16 days, the action blocked over 609 million connections from more than 7.6 million unique IP addresses, and intelligence was shared with CERTs in over 40 countries, ISPs, and partners such as Shadowserver, demonstrating the power of data-driven public-private coordination to dismantle cybercrime infrastructure.
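The Bladabindi/Jenxcus and Nitol entries above both rest on the same mechanism: abused dynamic DNS names are pointed at a sinkhole, and the connections that arrive there are turned into counts of connections and unique victim IPs, lists of hosts that keep beaconing, and notification batches for the networks that own them. The following Python is an added example of that aggregation and is not DCU code; the tab-separated log format (timestamp, source IP, domain, protocol), the domain names, and the sample records are all constructed for illustration, and grouping victims by /24 stands in for the ISP or CERT lookup a real operation would use.

```python
"""Aggregate constructed sinkhole telemetry into disruption-style statistics.

Added example, not Microsoft DCU code. The record format is hypothetical:
ISO-8601 timestamp <TAB> source IP <TAB> domain queried <TAB> protocol.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample records (not real telemetry). One line is deliberately
# malformed to show that bad input is dropped and counted, not crashed on.
SAMPLE_LOG = """\
2012-09-10T00:01:02Z\t203.0.113.7\tabc.example-ddns.test\tdns
2012-09-10T00:01:09Z\t203.0.113.7\tabc.example-ddns.test\tdns
2012-09-10T00:03:44Z\t198.51.100.23\txyz.example-ddns.test\thttp
2012-09-10T01:12:00Z\t203.0.113.7\txyz.example-ddns.test\tdns
2012-09-11T02:30:15Z\t203.0.113.7\tabc.example-ddns.test\tdns
2012-09-11T03:00:00Z\t192.0.2.200\tabc.example-ddns.test\tdns
2012-09-11T03:00:01Z\tnot-an-ip\tabc.example-ddns.test\tdns
2012-09-12T04:00:00Z\t198.51.100.23\tabc.example-ddns.test\thttp
"""


def parse_records(text):
    """Parse sinkhole lines into (timestamp, ip, domain) tuples.

    Malformed lines are skipped and counted so the drop rate stays visible.
    """
    records, dropped = [], 0
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            dropped += 1
            continue
        ts, ip, domain, _proto = parts
        try:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            addr = ipaddress.ip_address(ip)
        except ValueError:
            dropped += 1
            continue
        records.append((when, addr, domain.lower().rstrip(".")))
    return records, dropped


def summarize(records):
    """Connection and unique-IP counts, overall and per sinkholed domain."""
    per_domain = defaultdict(lambda: {"connections": 0, "ips": set()})
    all_ips = set()
    for _when, addr, domain in records:
        per_domain[domain]["connections"] += 1
        per_domain[domain]["ips"].add(addr)
        all_ips.add(addr)
    return {
        "total_connections": len(records),
        "unique_ips": len(all_ips),
        "domains": {
            d: {"connections": v["connections"], "unique_ips": len(v["ips"])}
            for d, v in per_domain.items()
        },
    }


def persistent_victims(records, min_days=2):
    """IPs seen beaconing on at least `min_days` distinct days.

    These hosts were not cleaned after the first sinkhole hit and are the
    first candidates for victim notification.
    """
    days_seen = defaultdict(set)
    for when, addr, _domain in records:
        days_seen[addr].add(when.date())
    return sorted(str(a) for a, days in days_seen.items() if len(days) >= min_days)


def notification_batches(ips, prefix_len=24):
    """Group victim IPs by network prefix.

    Assumption for the example: one /24 per network owner, standing in for
    the ASN or ISP lookup a real notification pipeline would perform.
    """
    batches = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        batches[str(net)].append(str(ip))
    return {net: sorted(v) for net, v in sorted(batches.items())}


if __name__ == "__main__":
    recs, dropped = parse_records(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, dropped {dropped} malformed")
    print(summarize(recs))
    victims = persistent_victims(recs)
    print("still beaconing on 2+ days:", victims)
    print("notification batches:", notification_batches(victims))
```

Run on the constructed log, the summary reports 7 connections from 3 unique IPs across two domains, two hosts that beaconed on more than one day, and one notification batch per /24. On real sinkhole volume the same shape of computation is what produces figures such as the Nitol connection and unique-IP totals quoted above, with the per-domain split showing which seized names still carry live victims.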

March 2012

ZEUS aka ZBOT

Malware Fraud

Zeus, also tracked as Zbot, was one of the most prolific financial malware families, operating as a credential-stealing Trojan that infected computers through phishing and drive-by downloads to capture keystrokes, intercept web sessions, and steal online banking credentials. The malware compromised millions of consumer and enterprise devices globally and was responsible for hundreds of millions of dollars in financial losses, impacting individuals, banks, small businesses, and public institutions by enabling fraud, identity theft, and downstream criminal activity. To disrupt the threat, the DCU worked with law enforcement, financial institutions, FS-ISAC, ISPs, and global CERTs to pursue civil legal action, seize and disable Zeus infrastructure, redirect malicious traffic, and share actionable threat intelligence—supporting victim notification and support while significantly raising the cost of operating the Zeus ecosystem through coordinated public-private collaboration. 

September 2011

Kelihos

Malware Cybercrime tools and services

Kelihos was a spam-focused botnet that distributed malicious email, stole credentials, and spread malware via fast-flux infrastructure designed to evade takedowns. At its peak, Kelihos infected hundreds of thousands of computers worldwide, enabling fraud, phishing, and malware while imposing remediation costs and degrading trust in email services. In response, the DCU pursued a series of coordinated civil legal actions, securing court orders to seize and sinkhole Kelihos domains, name and pursue operators and enablers, and later reach a settlement with infrastructure providers whose services were abused by the botnet. Working alongside law enforcement, ISPs, global CERTs, and industry partners, Microsoft repeatedly weakened Kelihos’s infrastructure, supported cleanup and victim notification, and increased the operational cost and legal risk for the criminals—demonstrating how sustained, multi-phase public-private disruption can materially degrade even highly adaptive malware campaigns. 

March 2011

Rustock

Malware Fraud

Rustock was a spam-sending botnet, using stealthy rootkit techniques to infect computers and covertly distribute unsolicited email advertising counterfeit goods, scams, and malware. At its peak, Rustock was responsible for over 30 billion spam emails per day, accounting for up to 30–40% of global spam volume, with DCU researchers observing that a single infected machine could send 7,500 spam emails in just 45 minutes—over 240,000 per day, imposing massive costs on consumers, enterprises, and internet networks. In 2011, the DCU led a landmark disruption alongside the US Department of Justice, FBI, and US Marshals Service, using civil court orders to seize servers across multiple hosting facilities, cut off botnet communications, preserve evidence, and later refer the case for criminal investigation; the effort ultimately forced the botnet offline, demonstrating the power of sustained legal, technical, and public-private collaboration to dismantle industrial-scale cybercrime operations.  

February 2010

Conficker

Malware

Conficker was a fast-spreading computer worm exploiting unpatched Windows vulnerabilities and weak passwords to propagate, disable security services, and download malware. At its peak, Conficker infected an estimated 9–15 million computers worldwide, impacting consumers, businesses, governments, and critical infrastructure, causing remediation costs, disruption, and persistent security risk. To counter the threat, the DCU helped launch an unprecedented public-private coalition known as the Conficker Working Group, bringing together Microsoft, security researchers, domain registrars, ISPs, and global CERTs. Because the worm computed a fresh list of candidate update domains each day, the group combined legal action, technical analysis, coordinated pre-registration and sinkholing of those domains, and continuous intelligence sharing to block malicious domains, prevent the operators from pushing updates, and protect victims. The effort became a foundational model for collective cybercrime disruption and demonstrated how sustained collaboration can blunt even the most adaptive global malware threats.

February 2010

Waledac

Malware

Waledac was a spam-centric botnet, a successor to Storm, that distributed malicious email, harvested credentials, and downloaded malware via encrypted peer-to-peer command-and-control. Waledac infected hundreds of thousands of computers worldwide, sending billions of spam messages and enabling phishing, fraud, and malware that imposed remediation costs on users, businesses, and networks. In 2010, the DCU led its first coordinated disruption through civil legal action, working with ISPs, domain registrars, global CERTs, and industry security partners to seize and disable malicious domains, redirect traffic to Microsoft-managed sinkholes, and block botnet communications. The operation not only dismantled Waledac’s infrastructure but also enabled victim notification and cleanup, feeding intelligence back into Microsoft protections and demonstrating how sustained legal, technical, and public-private collaboration can undo the damage caused by complex, globally distributed botnets.