DOCUMENTS AND RESOURCES RELATED TO THE DISRUPTION OF THE QAKBOT MALWARE AND BOTNET
Information for Victims
Beginning on August 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer. The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers; instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.
Hash value for the Qakbot Uninstall file (SHA-256):
As a result of this operation, the FBI and the Dutch National Police have identified numerous account credentials that were compromised by the Qakbot actors. The FBI has provided those credentials to the website Have I Been Pwned, which is a free resource for people to quickly assess whether their access credentials have been compromised in a data breach or other activity. The Dutch National Police have also set up a website that contains information about additional compromised credentials. You can check to see if your credentials were compromised at the following websites:
- Have I Been Pwned (https://haveibeenpwned.com/)
- Dutch National Police (https://politie.nl/checkyourhack)
This webpage will be updated as more resources become available. Victims are encouraged to report cybercrimes to their local FBI field office or to the Internet Crime Complaint Center (IC3) at ic3.gov.
Shadowserver has disseminated data about historical Qakbot infections to 201 National Computer Security Incident Response Teams and to affected network owners around the world.
Qakbot Historical Bot Infections Special Report (September 8, 2023), https://www.shadowserver.org/news/qakbot-historical-bot-infections-special-report/
The following documents contain additional information for victims and network defenders:
- The Shadowserver Foundation: Qakbot Botnet Disruption (August 29, 2023)
- Spamhaus: Qakbot Breached Email Accounts (August 29, 2023)