The botnet used the Bitcoin blockchain to evade cybersecurity officials and remain online, Google alleged.
Known as “Glupteba,” the botnet has infected more than 1 million machines worldwide, Google said in a civil complaint filed Tuesday against Dmitry Staroviko and Alexander Filippov, as well as 15 unknown individuals. Google alleged the defendants utilized this botnet to mine cryptocurrencies on victims’ computers, steal victims’ account information to sell to third parties, purchase goods and services using credit cards with insufficient funds and sell access to compromised machines to third parties.
Moreover, the botnet itself leveraged blockchain technology in a unique manner as an effort to secure it against traditional tools meant to disrupt these types of malicious activities. It effectively turned bitcoin’s decentralization into an asset that made it “much harder to shut down,” Google executives wrote in a blog post.
The botnet weaponized bitcoin’s blockchain, according to Chainalysis, which said it helped Google’s investigation. By embedding command-and-control server addresses in the blockchain, and then having the botnet turn to that data whenever an infected server was shuttered, it stays a step ahead of the cybersecurity whack-a-mole.
“This is the first known case of a botnet using this approach,” representatives for Chainalusis said in an email.
Google’s complaint went into more detail, saying that the “Glupteba Enterprise,” the entity controlled by the defendants, would use this method to direct the malware to new servers.
Google said that while it has already taken some action to disrupt the botnet, the fact that it uses the Bitcoin blockchain means the operators can resurrect the network at any time.
“The Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure,” the complaint said.
Google filed fraud and racketeering allegations against the defendants in its suit.