
DanaBot Botnet Disrupted in Global Law Enforcement Raid

DanaBot Takedown Unmasks Russian Operators, Hits Servers

The notorious DanaBot botnet has been severely disrupted following a large-scale international law enforcement operation. As part of Operation Endgame, authorities from multiple countries partnered with cybersecurity firms to dismantle DanaBot’s infrastructure, seize millions in crypto, and unmask key threat actors.

Announced by Europol, the coordinated operation targeted DanaBot and other malware families that had resurfaced after prior crackdowns. The latest effort saw law enforcement take down 300 servers and 650 domains, while issuing 20 international arrest warrants.

The U.S. Department of Justice revealed that DanaBot had infected over 300,000 systems worldwide, enabling widespread fraud, credential theft, and ransomware deployment. The malware has caused at least $50 million in financial losses since its emergence.

Charges Unsealed Against DanaBot Operators

The DOJ unsealed charges against 16 individuals believed to be involved in DanaBot’s creation and distribution. Among them are Aleksandr Stepanov (aka JimmBee) and Artem Kalinkin (aka Onix), both residents of Novosibirsk, Russia. Kalinkin—identified as an IT engineer at Russian energy giant Gazprom—faces up to 72 years in prison if prosecuted in the United States, while Stepanov could face five years.

Authorities revealed that several suspects were exposed after accidentally infecting their own systems with DanaBot during development.

Launched in 2018, DanaBot began as a banking trojan targeting Europe and Australia before expanding to North America. The malware later evolved into a malware-as-a-service (MaaS) platform, supporting ransomware campaigns and other threats.

From Banking Trojan to Espionage Tool

DanaBot’s distribution tactics changed over the years—from phishing emails to malvertising and SEO poisoning. Even after its brief disappearance from the email threat landscape in 2020, the botnet remained active underground, resurfacing in mid-2024 with new capabilities.

Proofpoint, CrowdStrike, ESET, and Lumen Technologies’ Black Lotus Labs assisted in the investigation. According to CrowdStrike, DanaBot is operated by a threat actor tracked as Scully Spider, whose activities have reportedly been tolerated by the Russian government.

Evidence suggests that DanaBot sub-botnets were used for military support and espionage, including targeting diplomats, military personnel, and law enforcement officials in both North America and Europe.

The DOJ reported that $24 million in cryptocurrency was seized during Operation Endgame, including $4 million linked to DanaBot.

With up to 150 active command-and-control servers daily, DanaBot was among the largest MaaS platforms by infrastructure volume. Analysts at Team Cymru and Black Lotus Labs played a key role in tracking these servers and supporting law enforcement.

“The blow will surely be felt,” said Tomáš Procházka, a researcher at ESET, noting that law enforcement succeeded in unmasking several individuals central to DanaBot’s operations. However, experts warn that resilience in cybercrime networks means that recovery—though difficult—is still possible.

For now, the DanaBot botnet takedown marks a significant step forward in the global fight against malware-as-a-service operations that have enabled ransomware, espionage, and cyber fraud across critical sectors.
