Slovakian cybersecurity firm ESET and the Dutch police uncovered a major crypto theft linked to the notorious Ebury botnet last week. The botnet has compromised over 400,000 servers in the past 15 years, making it a major threat to the sector.
ESET explained in a May 14 report that the Ebury botnet incident was first uncovered during a 2021 investigation by the Dutch National High Tech Crime Unit (NHTCU).
The operatives found that the cybercriminals had been involved in a series of crypto thefts, specifically targeting Ethereum and Bitcoin nodes. According to the Dutch police, Botnet operators steal assets from unsuspecting users’ wallets when they enter their credentials on the infected servers.
The Ebury botnet, active since at least 2009, is used to deploy additional malware, monetize the botnet (such as modules for web traffic redirection), proxy traffic for spam, perform adversary-in-the-middle (AitM) attacks, and host supporting malicious infrastructure.
AitM attacks involve intercepting and potentially altering the communication between two parties without their knowledge.
Between February 2022 and May 2023, the Ebury botnet compromised over 200 AitM attack targets across 75 networks in 34 countries. It stole cryptos, credentials, and credit card details, accumulating large sums of money over time.
The access enables them to steal funds directly from these wallets or use compromised systems to mine cryptocurrencies, siphoning off resources from unwitting victims. The botnet’s ability to stay undetected for long periods allows it to continue its operations, accumulating large amounts of cryptocurrency over time.
The Ebury botnet’s ability to compromise many servers has created the go-to malware needed to facilitate