Introduction

Effective collaboration is essential when confronting today’s sophisticated cyber adversaries, particularly those operating with state tolerance or direction. At CrowdStrike, we routinely work alongside law enforcement agencies and industry partners to identify, monitor, and mitigate cyber threats. Recently, we provided technical assistance to the U.S. Department of Justice (DOJ) as part of a coordinated effort to disrupt the activities of individuals involved in developing, administering, and operating the DanaBot malware, which CrowdStrike tracks as SCULLY SPIDER.

Today, the DOJ unsealed an indictment against Russian nationals accused of developing, administering, and operating DanaBot. The indictment offers insight into how a modern eCrime malware-as-a-service (MaaS) operation is run, and into how this one has served both criminal and state interests.

The U.S. Defense Criminal Investigative Service (DCIS) seized the botnet’s U.S.-based server infrastructure, removing the operators’ ability to issue commands to compromised systems. Those command-and-control (C2) servers can no longer be used to direct, update, or otherwise manipulate the network of infected machines. Hosts that were already infected remain compromised until they are remediated, but the operators no longer have a channel through which to task them.

This takedown represents more than the disruption of a criminal enterprise: it strikes at a cyber capability that has appeared to align with Russian government interests. In this blog, we examine how DanaBot exemplifies the blurred lines between Russian eCrime and state-sponsored cyber operations, and why such takedowns are crucial in countering the broader Russian cyber threat.

The Russian Government-eCrime Nexus

SCULLY SPIDER is a Russia-based eCrime adversary known for developing and operating DanaBot as a MaaS. Following DanaBot’s debut in May 2018, it quickly gained popularity due to its modular functionality supporting credit card theft, wire fraud, and exfiltration of cryptocurrency-related files. What distinguishes DanaBot from typical eCrime operations, however, is the Russian government’s tolerance of its activities. Although Russian authorities have ample capability to investigate and prosecute criminals operating within their borders, there is no public evidence that they have taken legal action against SCULLY SPIDER, a pattern suggesting that these cybercriminals serve as proxy forces applying pressure on Western nations while preserving plausible deniability for the Russian state.

Direct Support for Russian Military Operations

Evidence of DanaBot’s alignment with Russian state interests emerged shortly after Russia’s full-scale invasion of Ukraine. On March 2, 2022, DanaBot’s sub-botnet 5 received tasking to download a Delphi-based executable used to conduct HTTP-based distributed denial-of-service (DDoS) attacks against the Ukrainian Ministry of Defence (MOD) webmail server. On March 7, 2022, the same sub-botnet was used to facilitate an HTTP-based DDoS attack against the National Security and Defense Council (NSDC) of Ukraine. The timing and targeting of these attacks suggest direct support of Russian military objectives and demonstrate how eCrime infrastructure can be rapidly repurposed for state-aligned disruptive operations.

Espionage Activities Revealed

Perhaps most significantly, the DOJ indictment reveals that two DanaBot sub-botnets, 24 and 25, were used specifically for espionage. Though it is unclear how the collected data was used, we assess that this direct use of criminal infrastructure for intelligence gathering provides evidence that SCULLY SPIDER operators were acting on behalf of Russian government interests. Such dual use of criminal infrastructure for state espionage is a cornerstone of Russia’s hybrid cyber strategy, allowing the government to keep its distance from operations while benefiting from their outcomes.

Continuous Adaptation to Serve Multiple Masters

DanaBot initially targeted victims in Ukraine, Poland, Italy, Germany, Austria, and Australia before expanding its targeting in October 2018 to include U.S.- and Canada-based financial institutions. The malware’s popularity grew due to its early modular development supporting Zeus-based web injects, information stealer capabilities, keystroke logging, screen recording, and hidden virtual network computing (HVNC) functionality. Between 2018 and 2021, DanaBot maintained its popularity as it gradually transitioned from a banking trojan into a distribution platform for other malware families.

Since 2022, SCULLY SPIDER has restructured its product offering each year to adapt to changes in the eCrime ecosystem, chiefly by adjusting the pricing of its services. The adversary has also continued to refactor the DanaBot codebase with an emphasis on defense evasion, best illustrated by multiple updates to the malware’s proprietary binary C2 protocol since July 2022. These adaptations have been key to the adversary’s sustained success in serving both criminal clients and state interests.

Supply Chain Attacks and Beyond

On October 22, 2021, a high-profile supply chain attack involving a compromised NPM package, ua-parser-js, distributed DanaBot (sub-botnet 40) alongside the XMRig cryptocurrency miner.[1] CrowdStrike Falcon® platform telemetry related to the incident showed DanaBot in a wide range of sectors, including transportation, media, technology, and financial services.[2] Two weeks later, on November 4, 2021, the same adversary leveraged another compromised NPM package, coa, to distribute DanaBot. At that time, the affected package had 8.9 million weekly downloads, demonstrating the potential scale of impact from these operations.

Conclusion

The takedown of DanaBot represents a significant blow not just to an eCrime operation but to a cyber capability that has appeared to align with Russian government interests. The case of SCULLY SPIDER highlights why certain Russian eCrime groups must be viewed through a political lens, as extensions of state power rather than mere criminal enterprises. The Russian government’s tolerance of these actors, the direct use of DanaBot in attacks supporting Russia’s invasion of Ukraine, and the revelation of espionage-focused sub-botnets all suggest a calculated strategy of leveraging criminal proxies for state objectives. This takedown demonstrates the critical importance of public-private partnerships not only in disrupting financially motivated cybercrime but in countering the broader Russian cyber threat that blends criminal and state-sponsored activity. As we continue to face such hybrid threats, identifying and disrupting these dual-purpose cyber capabilities remains essential to protecting our digital ecosystem from both criminal exploitation and geopolitical weaponization.

Additional Resources

1. Compromised NPM Package Used in Supply Chain Attack: CrowdStrike Falcon Customers Protected: https://www.crowdstrike.com/en-us/blog/crowdstrike-customers-protected-from-compromised-npm-package-in-supply-chain-attack/
2. Situational Awareness: Cyber Threats Heightened by COVID-19 and How to Protect Against Them: https://www.crowdstrike.com/en-us/blog/covid-19-cyber-threats/
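A practical follow-up to the ua-parser-js and coa incidents described under Supply Chain Attacks and Beyond: a check that a project's npm lockfile does not pin a version of either package that was published with a malicious payload. This is an added example and is not code from the original CrowdStrike post. It reads a package-lock.json (lockfile versions 1, 2, and 3) and reports any installed package whose exact version is on a denylist, including copies nested under other dependencies. The denylist versions and the two sample lockfiles are included only to make the example run; confirm the version lists against the published advisories for the two packages before relying on this check.

```javascript
// Added example, not CrowdStrike code: find denylisted package versions in an
// npm lockfile. Lockfile versions 2 and 3 carry a flat "packages" map keyed by
// install path; version 1 nests transitive dependencies under "dependencies".

// Denylist for the example. Confirm these lists against the advisories for the
// two packages before relying on them.
const DENYLIST = {
  "ua-parser-js": ["0.7.29", "0.8.0", "1.0.0"],
  coa: ["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.0.1", "3.1.3"],
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b". The root project entry
// has the key "" and yields null so it is skipped.
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Flatten a lockfileVersion 1 "dependencies" tree into (name, version, path).
function walkV1(deps, parentPath, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const installPath = `${parentPath}node_modules/${name}`;
    out.push({ name, version: info.version, path: installPath });
    walkV1(info.dependencies, `${installPath}/`, out);
  }
}

// Return every installed package whose (name, version) pair is on the denylist.
function findDenylistedPackages(lockfileText, denylist = DENYLIST) {
  const lock = JSON.parse(lockfileText);
  const installed = [];
  if (lock.packages) {
    for (const [installPath, info] of Object.entries(lock.packages)) {
      const name = nameFromPath(installPath);
      if (name !== null) installed.push({ name, version: info.version, path: installPath });
    }
  } else {
    walkV1(lock.dependencies, "", installed);
  }
  return installed.filter((p) => (denylist[p.name] || []).includes(p.version));
}

// Constructed sample lockfiles (not from a real project). The bad ua-parser-js
// copy is only reachable as a nested transitive dependency, which is why the
// lockfile, not package.json, is the file to inspect.
const SAMPLE_LOCKFILE_V3 = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-lib": { version: "4.2.0" },
    "node_modules/some-lib/node_modules/ua-parser-js": { version: "0.7.29" },
    "node_modules/@scope/widget": { version: "2.0.0" },
    "node_modules/coa": { version: "2.0.2" },
  },
});

const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    svgo: { version: "1.3.2", dependencies: { coa: { version: "2.0.3" } } },
  },
});

for (const text of [SAMPLE_LOCKFILE_V3, SAMPLE_LOCKFILE_V1]) {
  for (const hit of findDenylistedPackages(text)) {
    console.log(`denylisted: ${hit.name}@${hit.version} at ${hit.path}`);
  }
}
```

The check deliberately matches exact installed versions from the lockfile rather than the semver ranges in package.json: a range such as ^0.7.0 says nothing about which version was actually resolved, and a compromised release can be pulled in as a nested transitive dependency several levels below anything the project declares directly. Run it against the lockfile committed to the repository as well as the one produced in CI, since the two can diverge.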