U.S. authorities on Thursday charged 16 defendants in a massive global operation to disrupt the Russia-based cybercrime group behind the DanaBot malware.
DanaBot infected more than 300,000 computers around the world, facilitating fraud and ransomware and resulting in more than $50 million in damage, according to federal prosecutors. The U.S. coordinated with multiple foreign governments and private cybersecurity firms to dismantle the botnet operators’ infrastructure.
The Department of Justice charged Aleksandr Stepanov, 39, a.k.a. “JimmBee,” with conspiracy, conspiracy to commit wire and bank fraud, and additional counts. Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix,” was charged with conspiracy to gain unauthorized access to a computer to obtain information and to defraud, among additional counts.
DanaBot, which operates as malware-as-a-service, was first identified in 2018 by Proofpoint, which discovered the malware. DanaBot became a favorite payload of the threat group tracked as TA547 and was later adopted by several other threat actors, including TA571 and TA564.
DanaBot nearly disappeared from view in mid-2020 before returning to prominence in December 2023.
DanaBot recently surfaced in a cyberattack campaign against transportation and logistics firms. In another recent operation, hackers delivered DanaBot while impersonating travel booking firms and using a technique called ClickFix, a social-engineering lure that tricks the victim into copying and running a command themselves rather than opening an attachment.
DanaBot spread through spam email messages that contained malicious attachments or hyperlinks, according to court documents. Infected computers became part of a botnet, and the operators could then remotely control those computers without their owners’ knowledge.
The hackers used a second version of the botnet to spy on military, diplomatic and government targets in North America and Europe.
The DanaBot disruption was part of a larger effort called Operation Endgame. Germany, the Netherlands and Australia worked with the U.S. on the investigation, with support from cyber researchers and others at Amazon, CrowdStrike, ESET, Google and other firms.
“Cybercriminal disruptions and law enforcement actions not only impair malware functionality and use, but also impose costs on threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem and potentially make criminals think about finding a different career,” Selena Larson, staff threat researcher at Proofpoint, which also provided key support, said in a statement.