Do Son 
Sixteen individuals have been formally charged in the United States in connection with the DanaBot malware case—one of the most resilient and widely proliferated infostealer platforms since its emergence in 2018. According to the FBI, the second iteration of the malware was employed not only for data theft but also for cyberespionage. Remarkably, many of the accused inadvertently exposed themselves by infecting their own machines with the malware, thereby leaving behind a digital trail.
DanaBot was first identified in May 2018, marketed under a Malware-as-a-Service (MaaS) model. It specialized in credential theft and banking fraud. Case documents reveal that access to the platform cost affiliated cybercriminals between $3,000 and $4,000 per month. By 2022, the number of active users had reached at least 40.
U.S. authorities estimate that the virus infected more than 300,000 devices globally and caused damages exceeding $50 million. The primary orchestrators of the scheme are named as “JimmBee” and “Onix.” Notably, “Onix” is identified in court filings as an IT engineer who appeared on social media under the alias “Maffiozi.”
Investigators confirmed the existence of two major versions of DanaBot. The first, active until June 2020, was designed for financial crime. The second, launched in January 2021, was repurposed for targeted espionage, compromising systems within government institutions, diplomatic missions, and NGOs across the United States, United Kingdom, Germany, and Belarus.
The indictment alleges that a specially modified variant of the malware was used to intercept diplomatic communications, financial transactions of embassy staff, and information concerning international relations. In certain cases, the malware uploaded files to command servers containing summaries of conversations between U.S. diplomats.
In 2022, the FBI succeeded in seizing DanaBot’s command-and-control servers, as well as the storage repositories housing exfiltrated data. Among the recovered materials were inadvertently uploaded personal files belonging to the cybercriminals themselves—some due to accidental infections, others as part of testing or debugging efforts.
According to a statement from the U.S. Department of Justice, the operation included the seizure of infrastructure within U.S. borders, encompassing dozens of virtual machines. Affected organizations and individuals are now being notified, and the government, in cooperation with technology companies, is assisting in remediation efforts.
The public unveiling of the DanaBot indictments notably followed Microsoft’s announcement of a successful intervention against another malware strain—Lumma Stealer. Like DanaBot, Lumma Stealer operated under a subscription model, priced between $250 and $1,000 per month. Microsoft has also initiated a civil lawsuit seeking control over more than 2,300 domains previously used by threat actors to manage the malware.
Donate