
The Hidden Threat: How DanaBot Malware Facilitated Data Theft And Russian State-Sponsored Spying


Russian hackers developed the DanaBot malware. (Illustrative photo)

The email arrived in inboxes -- thousands possibly -- around the world on January 15, 2020, billed as the latest update from international observers monitoring the situation in eastern Ukraine.

The bullet-pointed summary, identical to those from the Organization for Security and Cooperation in Europe (OSCE), was followed by a note “Full Report In Attachment,” along with a password to access the attached report.

If you were unlucky enough to have opened the compressed attachment, you would have unwittingly launched malware that connected your computer to a global network of infected computers -- the technical term is a botnet -- called DanaBot.

The bot was Russian made. And, according to researchers and law enforcement agencies, it was used not only for crimes such as stealing credit card information, bank account numbers, and cryptocurrency wallets, but also for espionage by Russian intelligence agencies.

Last month, authorities in a dozen countries announced they had taken DanaBot offline.

The US Justice Department also unsealed a 3-year-old indictment charging 16 people, mainly Russians, for running or using the bot, which aimed to “steal data…such as bank accounts, email accounts, social media accounts, and cryptocurrency wallets.”

Less noticed, however, was what the accompanying affidavit by an FBI agent, and the indictment itself, described: a second variant of the bot, dubbed the “Espionage Variant,” which was allegedly “used to target military, diplomatic, government, and non-governmental organizations.”

“These activities were likely conducted to align with Russian government espionage objectives,” said Proofpoint, a California-based research company that was among the first to start documenting the bot’s activities more than seven years ago.

Russian Overlap

The overlap between Russian cybercriminals and Russian intelligence agencies has itself been extensively documented over the past 25 years -- not to mention prosecuted.

The three primary Russian security agencies -- the Federal Security Service, the Foreign Intelligence Service, and the Main Intelligence Directorate of the General Staff -- have major cyber capabilities, though not all engage in malicious actions like ransomware or so-called banking trojans, or work closely with hackers.

Ransomware is malicious computer code that, once launched by an unwitting recipient, locks down a computer or computer server. In order to unlock it, the recipient usually must send a ransom -- typically in difficult-to-trace cryptocurrencies like Bitcoin or Ethereum -- to the sender.

More than a decade ago, the main cyber unit for the Federal Security Service, known as the FSB, employed a former hacker as its deputy director.

The unit, known as Center 18, was implicated by US officials in hacking US political operatives during the 2016 presidential election. The Main Intelligence Directorate, better known as the GRU, conducted its own parallel hacking operation at the same time.

Center 18 later imploded in an embarrassing scandal that resulted in state treason charges being filed against its then director, and the hacker-deputy-director, and two others.

The same unit allegedly recruited another Russian hacker, Aleksei Belan, for help in stealing billions of Yahoo e-mail accounts, one of the biggest thefts of its kind in history.

A Russian group called Evil Corp. was responsible for one of the most problematic ransomware strains in history, called Dridex or Bugat. Its founder, Maksim Yakubets, was indicted by the US Justice Department in 2019 for the ransomware, which allegedly resulted in some $100 million in bank fraud.

Yakubets’ father-in-law is a former FSB special forces officer, who “leveraged his status and contacts to facilitate Evil Corp's developing relationships with officials of the Russian intelligence services,” the US Treasury Department said in 2024.

According to US charging documents, the DanaBot tool was allegedly developed by two Russian men from the Siberian city of Novosibirsk: Aleksandr Stepanov and Artyom Kalinkin.

For a monthly fee -- around $3,000 or $4,000 -- the bot was rented or leased out to other interested hackers who then used it to steal banking credentials or credit card information or even cryptocurrencies, according to researchers.

Researchers call that type of cybercrime model “Crime as a Service” or “Malware as a Service.”

Before it was shut down, DanaBot had infected 300,000 computers around the world, officials said.

But a second variant of DanaBot was also built, authorities said: an “Espionage Variant,” which experts said was unusual.

That variant was used -- in October 2019 and January 2020, according to researchers -- for espionage against government entities, military agencies, and even nongovernment organizations.

The messages impersonated the Organization for Security and Cooperation in Europe (OSCE), which is a Vienna-based trans-Atlantic organization that monitors elections, promotes democracy, and conducts peacekeeping monitoring, including in Ukraine. An unnamed Kazakh government entity was also impersonated.

“What distinguishes DanaBot from typical [cybercrime] operations, however, is the Russian government's tolerance of its activities,” said CrowdStrike, another cyber research company that tracked DanaBot activities.

“Despite having ample capability to investigate and prosecute these criminals operating within Russian borders, there is no public evidence authorities have taken legal action,” the company said.

“A pattern that suggests these cybercriminals serve as proxy forces applying pressure on Western nations while maintaining plausible deniability for the Russian state.”

In the FBI affidavit filed along with the indictment, an FBI agent said law enforcement officials were able to seize computer servers to observe how the malware traveled.

The agent also said the bot’s creators had infected their own computers, perhaps deliberately, to test or improve the malware. That, however, resulted in sensitive data being inadvertently stolen from the bot's creators, which helped identify them.

“One of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake,” the affidavit said.

Avoiding Russian Authorities

One former Russian hacker, who was not authorized to speak publicly, said the DanaBot arrangement -- a criminal variant and an espionage variant -- was typically used by Russian cybercriminals as a way to avoid problems from Russian security agencies.

Also, Russian hackers avoid targeting Russian companies or entities so as to avoid government scrutiny.

“This is expected. A variant to serve both financial motivations and keep the state happy,” the person told RFE/RL.

“When you are a successful criminal, and you don’t want to go to jail, you look for ways. Maybe even proactive outreach to a friend of a friend. And now you have a ‘krysha’” -- a Russian term meaning “roof,” or “protection.”

Despite the accumulated evidence of Russian security agencies using criminal actors, there’s nothing to indicate the security agencies have been dissuaded from the practice.

“They don’t care as long as it works,” the hacker said.

Mike Eckel

Mike Eckel is a senior international correspondent reporting on political and economic developments in Russia, Ukraine, and around the former Soviet Union, as well as news involving cybercrime and espionage. He's reported on the ground on Russia's invasion of Ukraine, the wars in Chechnya and Georgia, and the 2004 Beslan hostage crisis, as well as the annexation of Crimea in 2014.

RFE/RL has been declared an "undesirable organization" by the Russian government.

If you are in Russia or the Russia-controlled parts of Ukraine and hold a Russian passport or are a stateless person residing permanently in Russia or the Russia-controlled parts of Ukraine, please note that you could face fines or imprisonment for sharing, liking, commenting on, or saving our content, or for contacting us.
