‘Avalanche’ network dismantled in international cyber operation

1 December 2016

After more than four years of investigations, German police and prosecutors in close cooperation with the US authorities, the FBI, Europol, Eurojust and global partners including INTERPOL, have dismantled an international criminal infrastructure platform known as ‘Avalanche’.


In a day of coordinated action (30 November) involving 30 countries, more than 800,000 domains were seized, sinkholed or blocked. In addition, five individuals were arrested, 37 premises were searched and 39 servers were seized, with a further 221 servers put offline through abuse notifications sent to hosting providers. Victims of malware infections were identified in more than 180 countries.

The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns, causing an estimated EUR 6 million in damages through concentrated cyberattacks on online banking systems in Germany alone.

At least 500,000 computers worldwide were infected and controlled by the Avalanche system on a daily basis, with the total monetary losses linked to network estimated to be in the hundreds of millions of euros.

Ahead of the joint action, German authorities analysed more than 130 TB of captured data and identified the server structure of the botnet.

The successful takedown of this server infrastructure was supported by INTERPOL, the Shadows Server Foundation, Registrar of Last Resort, ICANN and domain registries, with a number of antivirus partners also providing support for victim remediation.

Criminal groups have been conducting malware, phishing and spam activities using the Avalanche infrastructure since 2009, with more than one million emails with damaging attachments or links sent to unsuspecting victims every week.

Investigations began in 2012 in Germany, after an encryption ransomware, infected a substantial number of computer systems, blocking users’ access. Millions of private and business computer systems were also infected with malware, enabling the criminals operating the network to harvest bank and email passwords.

Criminals were then able to perform bank transfers from the victims’ accounts, re-directing the proceeds through a double fast flux infrastructure specifically created to secure the illicit proceeds.

The Avalanche network was estimated to involve as many as 500,000 infected computers worldwide on a daily basis.

What made the ’Avalanche’ infrastructure special was the use of the so-called double fast flux technique. The complex setup of the Avalanche network was popular amongst cybercriminals, with the double fast flux technique offering enhanced resilience to takedowns and law enforcement action.

Around 20 different malware families such as goznym, marcher, matsnu, urlzone, xswkit and pandabanker were distributed through the network. The money mule schemes operating over Avalanche involved highly organised networks of “mules” who purchased goods with stolen funds, enabling cyber-criminals to launder the money they acquired through the malware attacks or other illegal means.

Computer users should note that this law enforcement action will NOT clean malware off any infected computers – it will merely deny the Avalanche users’ ability to communicate with infected machines.

Victims can use the following webpages created for assistance in removing the malware:

  • http://www.bsi-fuer-buerger.de/botnetz  and http://www.bsi-fuer-buerger.de/avalanche (German);
  • https://www.bsi-fuer-buerger.de/EN/botnetz and https://www.bsi.bund.de/EN/avalanche (English);
  • https://us-cert.gov/avalanche;
  • http://www.nationalcrimeagency.gov.uk/news/962-avalanche-takedown;
  • https://www.getsafeonline.org/news/avalanche/;
  • http://www.actionfraud.police.uk/news-police-takedown-computer-network-used-to-infect-millions-of-devices-dec16;
  • http://www.cyberaware.gov.uk/blog.