
A hacker participates in an offline hacking competition named Hackathon 2022, in Kolkata on July 29, 2022. The event, the first of its kind in the eastern Indian state of West Bengal, was organised by Kolkata Police where 412 hackers competed with each other to complete the tasks, reported the organisers. (Photo by Sankhadeep Banerjee/NurPhoto via Getty Images)
Los Angeles, California – In what officials are calling one of the most damaging cybercrime operations in recent years, the U.S. Department of Justice on Thursday unsealed indictments against 16 individuals allegedly behind a sophisticated global malware scheme that infected over 300,000 computers and caused at least $50 million in financial damage.
At the center of the case is the DanaBot malware — a robust and adaptable program deployed by a Russia-based cybercrime group that, for years, covertly harvested data, stole bank credentials, hijacked online sessions, and opened the door to other malicious attacks, including ransomware. The accused ringleaders, Aleksandr Stepanov and Artem Kalinkin, remain at large in Russia.
According to prosecutors, DanaBot was not just another piece of malware. It was an industrial-scale criminal enterprise. Functioning on a malware-as-a-service model, its developers leased out access to their botnet — a vast network of compromised computers — to criminal affiliates worldwide. For a few thousand dollars a month, clients could remotely spy on victims, steal their data, or even record their keystrokes and screen activity.
It wasn’t just banks and individuals who were targeted. DanaBot went after military personnel, diplomats, and government systems in North America and Europe. The scale and scope of the threat are alarming.
The malware spread primarily through phishing emails, often disguised as legitimate attachments or links. Once installed, it gave criminals full access to infected machines, siphoning off sensitive information and in many cases acting as a gateway for further attacks. Prosecutors say hackers tailored a second version of DanaBot specifically to target high-value government and military networks — a chilling escalation from financial crime to potential national security breach.
The indictment also revealed how deeply embedded DanaBot had become in global cybercrime infrastructure. Working with international law enforcement agencies and private cybersecurity firms, the U.S. government has seized command-and-control servers and launched efforts to notify affected users. Companies like Google, PayPal, CrowdStrike, and Amazon contributed to the takedown.
While indictments have been filed, the lead suspects remain out of reach for now, operating from within Russia. Still, officials say this marks a massive step in dismantling a major piece of the cybercrime puzz