Spamhaus

Qakbot breached email accounts

Introduction

On Tuesday, August 29, 2023, the FBI announced that a coordinated group of international authorities had taken control of the Qakbot malware infrastructure. In the process, they gained access to a vast amount of data about the botnet, including over 6 million suspected breached email accounts that it was using. As part of the clean-up effort, we are now reaching out to the abuse and administrative contacts for the mail servers these accounts belong to.

Data

Use the access key that Spamhaus sent you by email to access the list of affected email accounts below.

Frequently asked questions

What is Qakbot?

Created in early 2008, Qakbot (also known as Qbot) was used to deliver and install ransomware (and other malware), thereby creating a massive botnet of over 700,000 infected computers. This was used to launch ransomware attacks and other cyber crime activity against businesses worldwide, causing damages that run into the hundreds of millions of dollars. The botnet proved very popular among the major cybercrime gangs: according to the FBI, US$ 58 million in ransom payments were generated between October 2021 and April 2023 alone. The victims included healthcare organizations, financial services, government agencies, defense contractors, and food distribution companies, among others.

How were these email accounts involved?

On consumer and corporate PCs, Qakbot acted as a modular information and password stealer. It also contained a spam module that allowed Qakbot to spread laterally using email as a vector, via malicious links or attachments. It was sending tens of thousands of malware-laden emails every day through breached accounts, posing as legitimate email from known contacts in order to provoke user interaction. The data we provide here covers these breached accounts.

As the data has been recovered from the Qakbot infrastructure, we were not able to verify each entry individually. Some of the reported accounts may be old or may have already been fixed. Due to the nature of the threat, we feel that reporting the full set is nevertheless worth the effort.
Please note that the data we share covers roughly the last 12 months; the current situation may be different.

What should be done?

All passwords for the identified breached email accounts should be changed as soon as possible.

What should we as the ISP tell our customers?

Here is a handy template you can use:

Dear Email Administrator,

Spamhaus, who is working in conjunction with international law enforcement, has notified us regarding mailboxes that are hosted on a server that your user controls. These email addresses were identified as having been potentially compromised for use by the Qakbot botnet.

We ask that you immediately reset the passwords of these mailboxes to prevent any further abuse. This is the only action required to resolve this issue. The list of breached mailboxes identified is as follows:

example@example.com
example1@example.com
......

We greatly appreciate any action you take in securing these mailboxes and helping to ensure that they are not further abused by miscreants to do any harm to other users on the internet.

Regards,
Example Trust and Safety Department

What do the various fields in the data mean?

Both the JSON and the CSV formats contain the same fields. Here is a CSV example:

# ip, hostname, email
192.0.2.25,mail.example.com,user@example.com

IP: IP address of the mailserver the account belongs to
Hostname: Hostname of the mailserver the account belongs to
Email: Breached email address
A note on timing: this information is provided as-is from the malware infrastructure. We recommend a password reset if one has not been done recently, since the dataset may have been shared with other bad actors as well.
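As an added example (not Spamhaus code), the following Python script parses the CSV layout described above, rejects malformed rows, and groups the breached mailboxes per mail server so that each administrator's reset list can be pasted into the notification template. The sample rows are constructed for the example and do not come from the dataset.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in the page's CSV layout: a '#' comment header, then one
# "ip,hostname,email" record per line (includes a duplicate and a bad row).
SAMPLE_CSV = """# ip, hostname, email
192.0.2.25,mail.example.com,user@example.com
192.0.2.25,mail.example.com,second@example.com
198.51.100.7,mx.example.net,alice@example.net
not-an-ip,mx.example.net,bob@example.net
192.0.2.25,mail.example.com,User@Example.com
"""

def parse_records(text):
    """Return (records, rejected): comment lines are skipped; rows with the
    wrong column count, an invalid IP or a malformed address are rejected."""
    records, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != 3:
            rejected.append((lineno, "wrong column count"))
            continue
        ip, hostname, email = (field.strip() for field in row)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            rejected.append((lineno, "invalid ip"))
            continue
        if not hostname or email.count("@") != 1:
            rejected.append((lineno, "bad hostname or email"))
            continue
        records.append((ip, hostname.lower(), email.lower()))
    return records, rejected

def group_by_server(records):
    """Map each mail server (hostname, ip) to its sorted, de-duplicated list
    of breached mailboxes, i.e. the list the notification template asks for."""
    groups = defaultdict(set)
    for ip, hostname, email in records:
        groups[(hostname, ip)].add(email)
    return {key: sorted(emails) for key, emails in groups.items()}

if __name__ == "__main__":
    records, rejected = parse_records(SAMPLE_CSV)
    for (hostname, ip), emails in sorted(group_by_server(records).items()):
        print(f"{hostname} ({ip}): {len(emails)} mailbox(es) to reset")
        for email in emails:
            print(f"  {email}")
```

Rejected rows are returned with their line number so they can be checked by hand rather than silently dropped.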

Where can I find publications about Qakbot and the takedown?

Official publications:
FBI: FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown
US Attorney's Office: Qakbot Malware Disrupted in International Cyber Takedown and Documents and Resources Related to the Disruption of the Qakbot Malware and Botnet
Netherlands Public Prosecution Service: Grootste wereldwijde botnet Qakbot onschadelijk gemaakt (Largest worldwide botnet Qakbot neutralised)
UK National Crime Agency: Qakbot: cyber crime service taken out in international operation
Bundeskriminalamt: Gefährliches Schadsoftware-Netzwerk Qakbot zerschlagen (Dangerous malware network Qakbot dismantled)
Ministère de la Justice: Démantèlement de l’infrastructure du réseau malveillant Qakbot (Dismantling of the infrastructure of the Qakbot malicious network)

Qakbot related news reports:
CNN, Bleeping Computer, Techcrunch, PC Magazine

You contacted us at the wrong or out-of-date address, can this be changed?

Yes! Please tell us what addresses we should use instead by emailing remediation-team@spamhaus.org.

I have a question that is not answered here

You can contact The Spamhaus Project at remediation-team@spamhaus.org.