Feds Charge 16 Russians Allegedly Tied to Botnets Used in Ransomware, Cyberattacks, and Spying

WIRED, 22 May 2025

May 22, 2025, 3:56 PM

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.
The US Department of Justice today announced criminal charges against 16 individuals whom law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ's announcement of the charges describes the group as 'Russia-based,' and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.
Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also describes a second variant of the malware that it says was used in espionage against military, government, and NGO targets. 'Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,' US Attorney Bill Essayli wrote in a statement.
Since 2018, DanaBot has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners, with modular features built for credit card and cryptocurrency theft. Because its creators allegedly sold it in an 'affiliate' model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm CrowdStrike.
At one point in 2021, according to CrowdStrike, DanaBot was used in a software supply chain attack that hid the malware in a JavaScript coding tool called NPM with millions of weekly downloads. CrowdStrike found victims of that compromised tool across the financial services, transportation, technology, and media industries.
That scale and the wide variety of its criminal uses made DanaBot 'a juggernaut of the e-crime landscape,' according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.
More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.
Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.
All of that makes DanaBot a particularly clear example of how cybercriminal malware has been adopted by Russian state hackers, Proofpoint's Larson alleges. 'There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,' says Larson. The case of DanaBot, she says, 'is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.'
Despite the operators of DanaBot remaining at large, the takedown of a large-scale tool used in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at CrowdStrike.
'Every time you disrupt a multi-year operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,' Meyers says. 'But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.'
This is a developing story. Check back for updates.


Related Articles

Ukraine war latest: Ukraine strikes targets in Russia, including gunpowder plant

Yahoo, 4 hours ago

Key developments on June 11:
• Ukrainian drones strike targets in Russia, including gunpowder plant, General Staff says
• Zelensky urges 'stronger' EU sanctions on Russia, lower oil price cap
• Ukraine repatriates bodies of 1,212 fallen soldiers
• Ukraine's SBU releases fresh video of Operation Spiderweb, teases 'new surprises'
• NATO summit statement omits Ukraine's entry bid, $40 billion pledge, Bloomberg reports

Ukrainian drones struck multiple military targets in Russia, including the Tambov Gunpowder Plant, overnight on June 11, the General Staff of Ukraine's Armed Forces reported. The plant, one of Russia's main manufacturers of gunpowder and explosives for small arms, artillery, and rocket systems, caught fire following the drone strike, according to the General Staff. Local residents reported hearing explosions and shared videos showing a large blaze near the facility, according to the Russian independent media outlet Astra.

The General Staff described the attack as part of a broader operation to degrade Russia's ability to produce explosive materials and ammunition used in the full-scale war against Ukraine. The Tambov facility has been targeted several times since November 2023, and U.S. sanctions were imposed on it that same year. Tambov Oblast, located southeast of Moscow, lies hundreds of kilometers from Ukraine and shares no direct border with it.

Russian state news agency TASS confirmed a drone attack but did not mention the strike on the powder plant. Tambov Oblast Governor Maxim Egorov said that emergency services had extinguished the fire and that there were no casualties, though he did not specify the location of the fire.

In addition to the strike on Tambov, Ukrainian drones hit the ammunition depot of Russia's 106th Airborne Division in Kursk Oblast and the depot at Buturlinovka airfield in Voronezh Oblast, the General Staff said. The extent of the damage is still being assessed, the General Staff said.

"The Defense Forces continue to take all measures to undermine the military and economic potential of the Russian occupiers and force Russia to stop its armed aggression against Ukraine," the statement reads. Ukraine has ramped up long-range drone strikes in recent weeks, targeting Russian air bases and arms production facilities in an effort to disrupt Moscow's war machine ahead of an anticipated Russian summer offensive.

President Volodymyr Zelensky on June 11 called on the European Union to impose tougher sanctions against Russia, arguing that stronger financial pressure is necessary to curb Moscow's war effort. Speaking at the Ukraine-Southeast Europe Summit in Odesa, Zelensky said the upcoming 18th EU sanctions package "could be stronger," especially in targeting Russian oil tankers and the financial sector. He urged the EU to further reduce the price cap on Russian oil exports.

"A ceiling of $45 per barrel of oil is better than $60, that's clear, that's true. But real peace will come with a ceiling of $30," he said. "That's the level that will really change the mindset in Moscow."

After the 17th package of sanctions against Russia took effect on May 20, Ukraine's allies announced the following day that another round of restrictions was already in the works. European Commission President Ursula von der Leyen announced on June 10 that the EU is considering lowering the oil price cap from $60 to $45 per barrel — a measure that will be discussed at the upcoming G7 summit in Canada on June 15–17. The Kremlin's budget is increasingly strained by soaring military expenditures, with Russia's Finance Ministry relying heavily on energy revenues to fund the war against Ukraine.

The push for tighter sanctions comes as Russia continues to reject ceasefire proposals and presses forward with military operations. Zelensky warned that Odesa remains one of Russia's "main targets," with plans to push beyond it toward the borders with Romania and Moldova. "Russia wants to destroy it, as it has done with countless cities and villages in the occupied territories," he said. "Russian military plans point to this region — Odesa — and then to the border with Moldova and Romania." Odesa is a major port city in southern Ukraine, located on the northwestern coast of the Black Sea.

The president warned of possible destabilization efforts in the broader region, comparing the Kremlin's strategy to its previous interference in the Balkans. "We saw this before in the Balkans, where Russia intensified interethnic friction, carried out sabotage, and even attempted coups," Zelensky said.

The Odesa summit was attended by several southeastern European leaders, including Serbian President Aleksandar Vucic and Romania's newly elected President Nicusor Dan. Vucic's trip marked his first official visit to Ukraine since the start of Russia's full-scale invasion.

Ukraine has brought back the bodies of 1,212 fallen service members, the Ukrainian Coordination Headquarters for the Treatment of Prisoners of War (POW) said on June 11. The announcement follows Russian-Ukrainian Istanbul talks on June 2, which focused on exchanges of POWs and fallen soldiers. The repatriation was carried out through a coordinated effort involving the Security Service of Ukraine (SBU), the Armed Forces, the Interior Ministry, the Ombudsman's Office, the State Emergency Service, and other national security and defense institutions. The International Committee of the Red Cross also supported the operation.

The remains of soldiers were returned from multiple front-line regions, including Kharkiv, Donetsk, Luhansk, Zaporizhzhia, Kherson, and Sumy oblasts. Officials emphasized that investigative and forensic teams from the Interior Ministry and the Health Ministry are working to identify the bodies in the shortest possible time.

Vladimir Medinsky, aide to Russian President Vladimir Putin, claimed Russia transferred the bodies of 1,212 Ukrainian soldiers in accordance with the agreements in Istanbul, while Ukraine released the remains of 27 Russian service members. The Ukrainian side did not disclose how many Russian bodies were handed over in return.

At the Istanbul meeting on June 2, Russian and Ukrainian delegations agreed on a new exchange of POWs but failed to reach a ceasefire agreement. The Turkey-hosted talks were the second round since mid-May and resulted in an agreement to exchange severely wounded and young prisoners, with President Volodymyr Zelensky saying up to 1,200 individuals could be returned on each side. Russia also pledged to transfer up to 6,000 bodies of Ukrainian soldiers.

Following the Istanbul talks, Ukraine and Russia have already conducted two prisoner exchanges on June 9 and 10. While exact figures were not immediately disclosed, Ukraine confirmed the return of severely wounded and chronically ill prisoners, including those captured during the 2022 siege of Mariupol and held for more than three years. In Istanbul, Ukraine also submitted a peace proposal that called for a full ceasefire, an "all-for-all" POW exchange, the return of abducted children, and the use of frozen Russian assets to rebuild Ukraine. Russia has yet to formally respond.

The Security Service of Ukraine (SBU) released on June 11 a new video detailing the sequence of its mass drone strike against Russia's strategic aviation earlier this month. The Operation Spiderweb, carried out on June 1, involved 117 drones that were hidden in trucks across Russia and deployed against four air bases, some thousands of kilometers from the Ukrainian border. The strike deep in the rear damaged 41 aircraft, including Tu-95, Tu-22M3, and Tu-160 bombers, rare A-50 spy planes, and An-12 and Il-78 transport aircraft, causing damage of over $7 billion, the SBU said.

Trucks, seen in the footage driving in an undisclosed location, first transported first-person-view (FPV) drones and wooden cabins to Russia, the SBU said. Already on Russian territory, the vehicles were loaded with cabins, which, in turn, carried the drones.

The preparations were taking place in the Russian city of Chelyabinsk, not far from a Federal Security Service (FSB) office, according to the SBU. The loaded trucks then drove to multiple locations in the cities of Ivanovo, Ryazan, and in the Murmansk, Irkutsk, and Amur oblasts. The cabins opened remotely at the time of the attack, allowing the drones to strike Russian planes at the Belaya, Olenya, Dyagilevo, and Ivanovo air bases. The operation was also meant to strike at the Russian air base in Ukrainka in Amur Oblast, but this part of the attack failed.

In the strike, Ukraine deployed drones specially designed by SBU specialists for attacks deep in the rear. Their unique features allowed them to be remotely controlled in real time thousands of kilometers behind the border, an SBU source told the Kyiv Independent. The drones' design also helped them "bypass Russian defenses and effectively strike the strategic aviation," the source said.

SBU chief Vasyl Maliuk, who personally oversaw the operation, stressed that Ukrainian drones targeted "absolutely legitimate targets – military airfields and aircraft that attack our peaceful cities." "The SBU is hitting and will hit (Russia) where it considers itself unreachable!" Maliuk said in a statement. "We are working on new surprises, no less painful than the Operation Spiderweb."

The attack was lauded by Ukrainian leaders and Western partners, with NATO Admiral Pierre Vandier calling it a reinvention of "the Trojan Horse" method with "technical and industrial creativity." Various satellite imagery released after the attack showed around a dozen destroyed planes. NATO estimates that between 10 and 13 Russian planes were completely destroyed, and more were damaged. In turn, President Volodymyr Zelensky claimed that roughly half of the 41 targeted planes have been damaged beyond repair. Russia acknowledged damage to its aircraft but claimed all of them will be "restored."

A one-page draft of a joint declaration for the upcoming NATO summit omits Ukraine's membership aspirations and last year's pledge of over $40 billion in support, Bloomberg reported on June 11 after reviewing the draft. This news signals that, for the first time since 2022, Russia's war against Ukraine will not be the chief focus of the annual NATO meeting, which is taking place on June 24-25 in The Hague.

The unusually brief document recognizes Russia as a threat to NATO but not as an aggressor in Ukraine. It also does not mention China, Bloomberg reported. The communique of the 2024 summit in Washington named Beijing as a "decisive enabler" of Russia's war against Ukraine. Last year's gathering also included a declaration that Ukraine's path to NATO is "irreversible" and promised more than $40 billion in additional military aid. This year, the document will solely focus on defense spending, as U.S. President Donald Trump pushes NATO partners to hike the military expenditure benchmark from 2% to 5% of GDP. The final version of the statement can still change, Bloomberg reported.

The brevity of the communique and the summit itself, as well as the decreased focus on Ukraine, stems from the effort to avoid conflict between Trump and European allies. In a sharp break from former U.S. President Joe Biden, the Trump administration has not approved any new military aid packages to Ukraine and signaled its intent to reduce assistance for Kyiv in the next year's budget. The U.S. president initially vowed to broker a peace deal between Kyiv and Moscow but became increasingly less engaged in the process as the negotiations stalled and Russia only intensified its attacks against Ukraine.

According to Bloomberg, NATO allies will pledge to allocate at least 3.5% of GDP to defense needs and 1.5% to protecting infrastructure and civil preparedness by 2032. Member states will also consider counting their contributions to Ukraine as part of the new defense spending targets, the news outlet reported. The summit was preceded by rumors that President Volodymyr Zelensky would not be invited to participate for the first time due to U.S. opposition. Later, the speculations were dispelled after the Dutch media reported that NATO Secretary General Mark Rutte had invited the Ukrainian leader to attend.

Ukraine War Latest is put together by the Kyiv Independent news desk team, who keep you informed 24 hours a day, seven days a week.

Chinese Spyware, Only $6.99

Wall Street Journal, 5 hours ago

A dilemma of dealing with Chinese companies in a free society like America is their mandated allegiance to the Chinese Communist Party. That's the subject of a state lawsuit filed Wednesday that says the e-shopping platform Temu and related app Pinduoduo are putting the data of American citizens at risk. In the complaint filed in state court in Nebraska, Attorney General Mike Hilgers says Temu installs malware that gives the app access to 'sensitive information.' This includes the microphone, messages, photos and 'information sufficient to track their movements.' The malware is also designed to operate secretly and 'avoid detection,' the lawsuit alleges.

Group tracking Russian abductions of Ukrainian children prepares to shut down following Trump admin funding cut

Yahoo, 7 hours ago

The preeminent body tracking alleged Russian war crimes in the war with Ukraine, including the abduction of Ukrainian children, has transferred its data to Ukraine's government and the US State Department as it prepares to shut down in the coming weeks after the Trump administration terminated its funding.

'Right now, we are running on fumes, we have about two weeks of money left, mostly through individual donations from our website. As of July 1, we lay off all of our staff across Ukraine and other teams and our work tracking the kids officially ends. We are waiting for our Dunkirk moment, for someone to come rescue us so that we can go attempt to help rescue the kids,' Nathaniel Raymond, the Executive Director of the Humanitarian Research Lab at the Yale School of Public Health, told CNN.

The Ukraine Conflict Observatory, an effort led by Yale's Humanitarian Research Lab, has collected more than three years of data following Russia's invasion of Ukraine with the backing of State Department funding. The effort was launched in May 2022 'to capture, analyze, and make widely available evidence of Russia-perpetrated war crimes and other atrocities in Ukraine.'

The database currently includes the information and identities of over 30,000 Ukrainian children who were allegedly abducted by Russia across 100 locations, explained a source familiar with the data. The initiative's closure will leave a major blind spot because no other body has so closely tracked the abduction of Ukrainian children. The lab's work has supported six International Criminal Court indictments against Russia, including two related to the abduction of children, Raymond said.

Earlier this year, the effort's funding was cut off as part of Department of Government Efficiency cuts, which resulted in researchers at Yale losing access to the database. But the funding was reinstated for a short time by Secretary of State Marco Rubio to ensure that the data was transferred to the European Union's law enforcement agency, Europol, so that it could be used as evidence in future war crimes cases. The transfer to Europol is expected to happen within hours or days now that the data and evidence of the alleged war crimes – including attacks on energy infrastructure, filtration sites, and attacks on civilian infrastructure – has been finalized for the time being by researchers at Yale and shared with the State Department, the source said. CNN has asked the State Department for comment.

The scramble to keep the program alive has unleashed new efforts by a wide variety of individuals who are looking for private funding that could keep the effort alive. Members of Congress defended the observatory's work and its necessity earlier this year and they are planning to urge the administration not to cut the funding once again, congressional aides said. Congressional offices have learned that the State Department notified Congress late last year of their intent to disperse about $8 million in funding for the program, congressional aides said. They are trying to find out if that money has been reprogrammed or could still be allocated to the effort, they added.

Meanwhile, Ukraine and Russia began prisoner swaps this week, with Ukrainian soldiers who have spent nearly the entire duration of the war in captivity among those returning home. But efforts to secure an end to the war appear out of reach for the time being. And without future data from the initiative – which is sourced from satellite imagery and biometric data – efforts to secure the release of Ukrainian children captured in the future could be severely hampered.

'This data is absolutely crucial to Ukraine's efforts to return their children home,' House lawmakers wrote in a letter to Secretary of State Marco Rubio and Treasury Secretary Scott Bessent in March.
CNN's Jennifer Hansler contributed to this report.
