Global distribution of Avalanche severs. Source: Shadowserver.org / See Entire ImageAfter over four years of investigation, the international criminal infrastructure platform known as ‘Avalanche’ is reported to have been dismantled via a collaborative effort involving Public Prosecutor’s Office Verden and the Lüneburg Police (Germany) in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners. The takedown also required help from INTERPOL, the Shadowserver Foundation, Registrar of Last Resort, ICANN and domain name registries.

Additional information below from the official report:

— 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.

— The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone.

— Monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.

— What made the ‘Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, because of the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

— Malware campaigns that were distributed through this network include around 20 different malware families such as goznym, marcher, matsnu, urlzone, xswkit, and pandabanker. The money mule schemes operating over Avalanche involved highly organised networks of “mules” that purchased goods with stolen funds, enabling cyber-criminals to launder the money they acquired through the malware attacks or other illegal means.

— Infographic / Operation Avalanche:  Click here to see infographic illustrating the Avalanche operation. The detailed technical infographic also provided here.

Additional reports:

— Shadowserver: Avalanche Law Enforcement Take Down
— Krebs on Security: ‘Avalanche’ Global Fraud Ring Dismantled