EMOTET and NetWalker Actors Busted on the Same Day

By Bill Toulas / January 28, 2021

It’s been a dark Wednesday for cybercriminals, as two of the world’s most notorious and dangerous groups were busted in two separate and unrelated law enforcement operations. The first one to fall was EMOTET, the botnet that has been plaguing the internet world since 2014, running three separate botnets under the context of a “malware as a service” platform. On the other case, the NetWalker ransomware group’s operations were disrupted, money seized, and arrests made.

The EMOTET operation was coordinated by Europol and happened in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine. The authorities found and seized several hundreds of servers in these countries, so if the operation was focused on just a few locations, the botnet will continue with only minimal disruption. Two arrests were made in Ukraine.

Having taken control of the EMOTET infrastructure, the authorities are sending a “cleaning payload” to the infected machines, set to remove the botnet on March 25, 2021. The reason for the slight delay is to allow the admins of the infected systems to figure out if they have any subsequent infections and secondary payloads deployed through the EMOTET malware.

The importance of this operation is reflected by this comment by Chris Morales, head of security analytics at Vectra:

Taking down Emotet is the equivalent of taking down an AWS or Azure major datacenter. The immediate impact would be felt, but eventually, organizations leveraging that infrastructure would look to move services elsewhere, including potentially internally managed. This could take some time depending on the capabilities and funding of the organizations leveraging that infrastructure. The good news is I see signs of law enforcement learning how to better coordinate global efforts to respond to what are international threats.

The NetWalker ransomware group, which recently hit ‘K-Electric,’ the University of Utah, and also ‘Cygilant,’ was also severely disrupted as a Canadian citizen (Sebastien Vachon-Desjardins of Gatineau, who is considered a key person in its operation) was arrested and charged.

The U.S. Department of Justice seized approximately $454,500 in crypto that was collected from ransom payments. The unsealed indictment considers the seized amount to be only a fraction of the total made by the group, which is estimated to be over $27.6 million.


Additionally, the dark web site of the group that was used for instructing victims on how to pay the ransom was sized by the authorities, and a relevant banner is displayed to the visitors. As it became known now, the server’s location was in Bulgaria and was unearthed by the Bulgarian National Investigation Service.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: