Press Release

16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

For Immediate Release
U.S. Attorney's Office, Central District of California

LOS ANGELES – A federal grand jury indictment and criminal complaint unsealed today charge 16 defendants who allegedly developed and deployed the DanaBot malware, which a Russia-based cybercrime organization controlled and deployed and which infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damage.

The defendants include Aleksandr Stepanov, 39, a.k.a. “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” both of Novosibirsk, Russia. Stepanov was charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication.

Kalinkin was charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer. Both defendants are believed to be in Russia and are not in custody.

According to the indictment and complaint, DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks. Victim computers infected with DanaBot malware became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected computers in a coordinated manner. The owners and operators of the victim computers are typically unaware of the infection.

The DanaBot malware allegedly operated on a malware-as-a-service model, with the administrators leasing access to the botnet and support tools to client coconspirators for a fee that was typically several thousand dollars a month. The DanaBot malware was multi-featured and had extensive capabilities to exploit victim computers. It could be used to steal data from victim computers and to hijack banking sessions, as well as to steal device information, user browsing histories, stored account credentials, and virtual currency wallet information.

DanaBot also had the capability to provide full remote access to victim computers, to record keystrokes, and record videos showing the activity of users on victim computers. DanaBot has further been used as an initial means of infection for other forms of malware, including ransomware. The DanaBot malware has infected over 300,000 computers around the world, and caused damage estimated to exceed $50 million.

DanaBot administrators operated a second version of the botnet that was used to target victim computers in military, diplomatic, government, and related entities. This version of the botnet recorded all interactions with the computer and sent stolen data to a different server than the fraud-oriented version of DanaBot. This variant was allegedly used to target diplomats, law enforcement personnel, and members of the military in North America and Europe.

“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States Attorney Bill Essayli for the Central District of California. “The charges and actions announced today demonstrate our commitment to eradicating the largest threats to global cybersecurity and pursuing the most malicious cyber actors, wherever they are located.”

“The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office. “The DanaBot malware was a clear threat to the Department of Defense and our partners. DCIS will vigorously defend our infrastructure, personnel, and intellectual property.”

"Today's announcement represents a significant step forward in the FBI's ongoing efforts to disrupt and dismantle the cyber-criminal ecosystem that wreaks havoc on global digital security," said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. "We are grateful for the coordinated efforts of our domestic and international law enforcement partners in holding cyber criminals accountable, no matter where they operate."

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

If convicted, Kalinkin would face a statutory maximum sentence of 72 years in federal prison, and Stepanov would face a statutory maximum sentence of five years in federal prison.

As part of today’s operation, Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command and control servers, including dozens of virtual servers hosted in the United States. The U.S. government is now working with partners including the Shadowserver Foundation to notify DanaBot victims and help remediate infections.

These law enforcement actions were taken in conjunction with Operation Endgame, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling and prosecuting cybercriminal organizations around the world.

Amazon, Crowdstrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team CYMRU, and ZScaler provided valuable assistance.

The investigation into DanaBot was led by the FBI’s Anchorage Field Office and the Defense Criminal Investigative Service, working closely with Germany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police. The Justice Department’s Office of International Affairs provided significant assistance.

Assistant United States Attorney Aaron Frumkin of the Cyber and Intellectual Property Crimes Section is prosecuting these cases. Assistant United States Attorney James E. Dochterman of the Asset Forfeiture and Recovery Section is handling the forfeiture case.

Contact

Ciaran McEvoy
Public Information Officer
ciaran.mcevoy@usdoj.gov
(213) 894-4465

Updated May 22, 2025

Topic
Cybercrime
Press Release Number: 25-151