Law Enforcement Disruption of Malicious Cyber Actors Is Gaining Steam
According to Metacurity’s timeline of law enforcement disruptions of malicious cyber actors, the rate of these actions is picking up steam in 2024, with the take-down of LabHost marking the fifth known action so far, compared to eight total in all of 2023.
Yesterday's disruption of the phishing-as-a-service platform LabHost marks the fifth known US domestic or international law enforcement action during the first four months of 2024 to hamper the efforts of malicious cyber actors.
That pace works out to more than one significant takedown per month, and April is not yet over. According to Metacurity's timeline of government actions against malicious cyber actors, it compares with eight significant disruptions during all of 2023.
The real question surrounding these disruptions is whether they work to slow down the activities of the targeted cybercriminals, given the propensity of threat groups to pop up again in new iterations.
Bob Kolasky, SVP of critical infrastructure at Exiger and the founding director of CISA's National Risk Management Center, likened cybercriminals' illegal deeds to the nature of crime in the physical, kinetic world. "[Real-world] crime doesn't get eradicated," Kolasky told Metacurity earlier this year. "Crime gets reduced, and crime gets less profitable, hopefully. And that's what you're trying to do here."
Ciaran Martin, leader of the SANS CISO Network and founder of the UK's National Cyber Security Centre, thinks these kinds of take-downs should be considered worthy tactics but not necessarily big strategic actions. "There's this sort of debate within the cybersecurity expert community about whether these take-downs are whack-a-mole, and I suppose they are," he told Metacurity earlier this year.
"But on the other hand, aren't all interventions against crime and nation-state threats? Apart from the odd war that ends in the total surrender of one party, which is pretty rare these days, most interventions are tactical."
Timeline and summaries of law enforcement disruption of cybercriminal operations
The following is a timeline of the announced law enforcement disruptions of malicious cyber actors from January 2023 through April 18, 2024.
This timeline does not cover other government actions taken to crimp the ability of threat actors to operate, such as sanctions levied against cryptocurrency mixers, which launder money for financially motivated cybercriminals, or sanctions against Russian officials who facilitate government hacking initiatives. It also does not include seizures tied to cryptocurrency scam operators.
4/18/24 – Disruption of LabHost: Following a year-long operation, law enforcement from 19 countries severely disrupted one of the world's largest phishing-as-a-service platforms, LabHost.
2/20/24 – Take-down of LockBit: The UK's National Crime Agency (NCA), working in close cooperation with the US FBI and international partners, carried out an epically embarrassing take-down of "the world's most harmful cybercrime group," ransomware threat actor LockBit.
2/15/24 – Neutralization of the Moobot botnet used by GRU Military Unit 26165: Under a court-ordered authorization, the US Justice Department leveraged the Moobot malware already present on the devices to neutralize a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165 (also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit) used to conceal and otherwise enable a variety of crimes.
2/9/24 – Warzone RAT domain seizures: The Justice Department, as part of an international law enforcement effort, seized www.warzone.ws and three related internet domains that were used to sell the Warzone RAT, malware that cybercriminals used to secretly access and steal data from victims' computers.
1/31/24 – Disruption of Volt Typhoon botnet: Under a December 2023 court-authorized operation, the US Justice Department disrupted a botnet campaign involving hundreds of US-based small office/home office (SOHO) routers that were infected with KV Botnet malware and hijacked by People's Republic of China (PRC) state-sponsored hackers known as Volt Typhoon.
12/19/23 – ALPHV/BlackCat disruption: With the cooperation of German and Danish law enforcement, along with Europol, the US Justice Department disrupted the BlackCat ransomware group, also known as ALPHV or Noberus, and offered over 500 victims an FBI-developed decryption tool to recover their files.
10/8/23 – Seizure of DPRK domains used for fraud: The US Justice Department announced that under a court order, the United States seized 17 website domains used by Democratic People's Republic of Korea (DPRK) information technology (IT) workers in a scheme to defraud US and foreign businesses, evade sanctions and fund the development of the DPRK government's weapons program.
8/29/23 – Qakbot disruption: The US Justice Department, as part of a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, disrupted the botnet and malware known as Qakbot and took down its infrastructure, while also deleting the Qakbot malware from victim computers.
6/22/23 – Breached.vc domain seizure: The Federal Bureau of Investigation, the US Department of Health and Human Services Office of Inspector General, and the Department of Justice, along with international partners, seized the domain Breached.vc following the March arrest of its owner, Conor Fitzpatrick, also known as Pompompurin.
5/9/23 – Disruption of Turla's Snake malware: The US Justice Department completed a court-authorized operation, code-named MEDUSA, to disrupt a global peer-to-peer network of computers compromised by sophisticated malware called "Snake" that the government attributes to a unit within Center 16 of the Federal Security Service of the Russian Federation (FSB) known as Turla.
5/8/23 – Booter domains seized: As part of an ongoing initiative targeting computer attack "booter" services, the Justice Department, under a court order, seized 13 internet domains associated with DDoS-for-hire services, ten of which were reincarnations of services seized in a prior sweep in December 2022 that targeted 48 top booter services.
4/5/23 – Genesis Market Take-Down: As part of a coordinated international operation, the US Justice Department took down Genesis Market, a criminal online marketplace that advertised and sold packages of account access credentials stolen from malware-infected computers worldwide.
1/26/23 – Hive ransomware group dismantled: The US Justice Department dismantled the Hive ransomware group following a months-long campaign during which it penetrated Hive's computer networks, captured its decryption keys, and offered them to victims worldwide, sparing victims from paying $130 million in ransom demands.