DanaBot Malware Infrastructure Disrupted: U.S. DoJ Charges 16 Individuals in Global Cybercrime Crackdown

The DoJ revealed the takedown of the online infrastructure powering DanaBot—a prolific malware platform used in large-scale financial fraud, espionage, and ransomware campaigns

The U.S. Department of Justice (DoJ) has announced a major victory in the ongoing global fight against cybercrime. On Thursday, the DoJ revealed the takedown of the online infrastructure powering DanaBot—a prolific malware platform used in large-scale financial fraud, espionage, and ransomware campaigns. The operation includes charges against 16 individuals associated with a Russia-based cybercrime organization responsible for creating and distributing DanaBot.

Background on DanaBot

DanaBot (also known as DanaTools) is a Delphi-based modular malware that has been active since May 2018. Originally designed as a banking trojan, it has evolved into a powerful malware-as-a-service (MaaS) platform. Threat actors rent access to DanaBot for $500 to several thousand dollars per month, depending on capabilities and campaign scope.

DanaBot can:

  • Steal sensitive user data (including banking credentials and cryptocurrency wallets)

  • Log keystrokes and record screen activity

  • Provide full remote access to infected systems

  • Hijack sessions and manipulate user activity

With victims in over 40 countries, DanaBot infected more than 300,000 systems worldwide and caused over $50 million in damages, according to the DoJ.

Arrests and Charges

The U.S. unsealed indictments against 16 individuals, including two lead actors:

  • Aleksandr Stepanov (aka JimmBee, 39)

  • Artem Kalinkin (aka Onix, 34)

Both are Russian nationals from Novosibirsk and remain at large. They face a wide range of charges, including:

  • Conspiracy to commit wire and bank fraud

  • Unauthorized access to protected computers

  • Aggravated identity theft

  • Wiretapping and use of intercepted communications

Notably, some of the suspects inadvertently infected their own systems with DanaBot during development or testing, exposing their real identities and logging sensitive personal data to the very servers they operated.

Infrastructure and Espionage Capabilities

DanaBot’s infrastructure was designed with layered communications, involving two to three tiers of servers to obscure the final command-and-control (C2) servers. On average, the malware maintained:

  • 150 active tier-1 C2 servers per day

  • 1,000 daily victims globally

The malware was also used in espionage-focused campaigns. Noteworthy findings include:

  • Sub-botnet 5 launched DDoS attacks on Ukrainian government websites in March 2022

  • Sub-botnets 24 and 25 were tailored for espionage, particularly targeting military, diplomatic, and government institutions

  • A second version of DanaBot was customized in 2021 to monitor government and defense sectors in North America and Europe

While the DoJ could not conclusively prove the malware was used exclusively for espionage, some infrastructure showed very low traffic, suggesting targeted intelligence gathering.

Delivery and Evasion Tactics

Though initially distributed via malicious email attachments and hyperlinks, DanaBot later adopted more sophisticated delivery mechanisms, including:

  • SEO poisoning

  • Malvertising

  • Loader partnerships with other malware distributors like Matanbuchus

The group behind DanaBot maintained a robust operational model, offering customer support, modular updates, and frequent version releases (with the latest being version 4006, compiled in March 2025).

Operation Endgame Collaboration

This disruption was part of Operation Endgame, a joint law enforcement initiative focused on taking down infrastructure used in malware deployment and ransomware attacks. The DanaBot takedown included the seizure of dozens of virtual servers, many of which were hosted in the United States.

Private-sector contributions from firms such as Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler were vital in identifying and dismantling the malware’s infrastructure.

Industry Impact and Forward Outlook

Cybersecurity experts have welcomed the disruption. Proofpoint, which first identified DanaBot in 2018, stated the takedown will significantly affect the criminal landscape.

"These operations force cybercriminals to adapt, burn resources, and reevaluate their methods," said Selena Larson, threat researcher at Proofpoint. "They also sow distrust within the cybercrime community and may even prompt some to abandon malicious activities altogether."

Conclusion

The dismantling of DanaBot’s infrastructure and the criminal charges filed by the U.S. Department of Justice represent a significant step in the global fight against organized cybercrime. By leveraging international cooperation and private sector intelligence, authorities continue to strike at the heart of complex malware ecosystems, protecting both public institutions and private citizens from sophisticated digital threats.