Takedown of IPStorm Botnet Nets Malicious Infrastructure, Shielding Thousands of Devices

The FBI recently dismantled the IPStorm botnet and its infrastructure following the botnet owner’s plea agreement in September. The U.S. Department of Justice announced the disassembly of the IPStorm botnet infrastructure, which had compromised thousands of devices across Linux, Mac, and Android in Asia, Europe, North America, and South America.

First detected by researchers in June 2019, the botnet initially targeted Windows systems. It drew the attention of specialists for its use of the IPFS protocol to communicate with infected systems and transmit commands. Notably, the number of infected systems increased from about 3,000 in May 2019 to over 13,500 by 2020.

The U.S. Department of Justice reported that the botnet owner pleaded guilty on September 18 to three counts of hacking, each carrying a maximum sentence of 10 years in prison. According to the Department, the defendant had been developing and distributing malicious software from June 2019 until December 2022, infecting thousands of internet-connected devices worldwide.

The primary objective of the botnet was to turn infected devices into proxy servers, with access to them sold through the owner’s websites. Clients paid hundreds of dollars monthly for control over the infected devices. The criminal admitted to authorities that he had earned at least $550,000 from his scheme and agreed to surrender all the cryptocurrency earned from the botnet. The Department of Justice disabled the IPStorm infrastructure but did not remove the malware from infected devices, a decision that has previously sparked controversy in other botnet dismantling operations by the FBI.

The investigation was conducted by the FBI in Puerto Rico, the Dominican Republic, and Spain, in collaboration with local law enforcement agencies. Additionally, Anomali Threat Research and Bitdefender assisted in uncovering the case. This investigation serves as another testament to the successful collaboration between law enforcement and the private cybersecurity sector in combating illegal activities and holding the perpetrators accountable.