A global law enforcement operation has delivered a major blow to one of the cybercrime world’s most persistent threats—the DanaBot botnet. With over 300,000 infected devices and an estimated $50 million in damages, DanaBot’s operation is now under heavy scrutiny as authorities bring criminal charges against 16 key suspects.
Launched as part of Operation Endgame, this takedown campaign has already made waves across the cybersecurity landscape. Europol, alongside private sector allies and international partners, dismantled the infrastructure powering DanaBot and other revived malware strains. The operation took down more than 300 servers and seized control of 650 domains, aiming to disrupt the ransomware supply chain at its core.
As part of this effort, authorities also confiscated $24 million in cryptocurrency, with $4 million linked directly to the DanaBot investigation.
Malware-as-a-Service Empire Faces Its Reckoning
According to the U.S. Department of Justice, DanaBot functioned as a malware-as-a-service platform, initially launched in 2018 to steal banking credentials and personal data. What began as a banking trojan quickly evolved into a powerful malware loader, distributing ransomware and other malicious tools for hire. Its reach expanded from Eastern Europe and Australia to victims across North America.
At the center of the criminal conspiracy are two Russian nationals—Aleksandr Stepanov, 39, known as “JimmBee,” and Artem Kalinkin, 34, aka “Onix.” Both are residents of Novosibirsk, Russia, and are now wanted by U.S. authorities. Kalinkin, notably, has ties to Gazprom, the Russian state energy giant, where he reportedly worked as an IT engineer.
Kalinkin is facing up to 72 years in prison if extradited and convicted, while Stepanov could serve up to five years. The stark difference in sentencing reflects their varying roles in the botnet’s design and management.
Ironically, investigators were able to identify several members of the botnet’s operation after they accidentally infected their own devices with DanaBot—leaving behind digital footprints that led law enforcement right to their doors.
Espionage and Cybercrime: A Blurred Line
Security researchers have long tracked DanaBot’s evolution. Analysts at Proofpoint noted the malware was widely distributed via malicious emails until mid-2020, after which it shifted tactics. By mid-2024, it reemerged using malvertising and SEO poisoning to lure victims.
CrowdStrike, which tracks the responsible hacking group as Scully Spider, suggested the Russian government turned a blind eye to the group’s activities. Some sub-botnets tied to DanaBot were allegedly repurposed for espionage, targeting Western military and law enforcement personnel. Others were reportedly used to assist Russia’s military operations in Ukraine.
The botnet’s scale is alarming. Lumen Technologies’ Black Lotus Labs reported DanaBot maintained roughly 150 active command-and-control servers daily, making it one of the most widespread malware delivery platforms in the world.
Tomáš Procházka, a researcher at cybersecurity firm ESET, noted that while the infrastructure has been severely damaged, it is uncertain whether DanaBot will resurface. What is certain, however, is that the arrests and exposure of its operators have rattled the underground cybercrime scene.