Authorities in nearly a dozen countries worked with private security companies to wrest control of the network of infected machines, known by the name of its master software, Gameover Zeus.
Court documents released on Monday said that between 500,000 and 1 million machines worldwide were infected with the malicious software, which was derived from the original "Zeus" trojan for stealing financial passwords that emerged in 2006.
In addition to stealing from the online accounts of businesses and consumers, the Gameover Zeus crew installed other malicious programs, including one called Cryptolocker that encrypted files and demanded payments for their release. Cryptolocker alone infected more than 234,000 machines and won $27 million in ransom payments, the Justice Department said.
The two programs together brought the gang more than $100 million, prosecutors said in court documents, including $198,000 in an unauthorized wire transfer from an unnamed Pennsylvania materials company and $750 in ransom from a police department in Massachusetts that had its investigative files encrypted. Other victims included PNC Bank, Capital One Bank and others, according to court documents.
"These schemes were highly sophisticated and immensely lucrative, and the cyber criminals did not make them easy to reach or disrupt," Leslie Caldwell, who heads the Justice Department's criminal division, told a news conference.
The Gameover Zeus "botnet" - short for robot network - is the largest so far disrupted that relied on a peer-to-peer distribution method, where thousands of computers could reinfect and update each other, said Dell expert Brett Stone-Gross, who assisted the FBI.
"We took control of the bots, so they would only talk with our infrastructure," Stone-Gross said.
A civil suit in Pennsylvania helped authorities get court orders to seize parts of the infected network, and on May 7, Ukrainian authorities seized and copied Gameover Zeus command servers in Kiev and Donetsk, officials said. U.S. and other agents worked from early Friday through the weekend to seize servers around the world, freeing some 300,000 victim computers from the botnet so far.
A criminal complaint unsealed today in Nebraska, meanwhile, accused Russian Evgeniy Mikhaylovich Bogachev and others of participating in the conspiracy.
U.S. officials said Bogachev was last known to be living in the Black Sea resort town of Anapa. In an FBI affidavit filed in the Nebraska case, an agent cited online chats in which aliases associated with Bogachev claimed authorship of the original Zeus trojan, which has infected more than 13 million computers and is blamed for hundreds of millions of dollars in losses.
"That's what he claimed. There were probably a number of people involved," said Dmitri Alperovitch, co-founder of security firm CrowdStrike, which also worked with the FBI. A person familiar with the case said that Bogachev's ICQ number, which is an assigned Internet chat query identifier, matched that of the known Zeus author.
Attempts to reach Bogachev were unsuccessful. FBI and Justice Department officials did not immediately respond to questions about Bogachev's alleged past role with Zeus, one of the most pernicious pieces of software ever developed. Zeus's code has since been publicly released, and many variants are still being used by gangs large and small.
"Zeus is probably the most prolific and effective piece of malware discovered since 2006," said Lance James, head of cyberintelligence at consultancy Deloite & Touche, which also helped authorities.
Russia does not extradite accused criminals to other countries, so Bogachev may never be arrested. He was named as part of a new policy on aggressively exposing even those the United States has little hope of catching. The recent crackdown includes the indictment of five members of China's People's Liberation Army for alleged economic espionage, which prompted denials and an angry response from Chinese authorities.
"This is the new normal," Robert Anderson, the top FBI official in charge of combating cyber crime said at a news conference announcing the Russian action.
When asked whether Russian authorities would turn Bogachev over to the U.S., Deputy Attorney General James Cole said "as far as Russia, we are in contact with them and we've been having discussions with them about moving forward and about trying to get custody of Mr. Bogachev," but declined to provide further detail of those talks.
The shutdown of Gameover Zeus may not last. Other botnets have resurfaced as criminals regained at least partial control of their networks. Officials at the United Kingdom's National Crime Agency said in an "urgent warning" that users might have only two weeks to clean their computers from traces of the infection. They directed users to https://www.getsafeonline.org/nca, which was intermittently available late Monday.
The U.S. Department of Homeland Security set up a website to help victims remove the malware, https://www.us-cert.gov/gameoverzeus.
The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine.
Intel Corp, Microsoft Corp, security software companies F-Secure, Symantec Corp, and Trend Micro ; and Carnegie Mellon University supported the operation.