French ‘Cybergendarmes’ Bust Up Monero Botnet

Earlier this week, a team at France’s C3N “digital crime-fighting” office foiled a cryptocurrency mining botnet of some 850,000 infected machines in over 100 countries. The botnet primarily infected machines in Central and South America, and was primarily used to mine the heavily anonymized Monero (XMR) token. According to a report published by the BBC, the so-called “Retadup” botnet was also used in ransomware and data theft attacks.

The botnet was first identified in early 2019 by anti-virus company Avast, but the location of its command-and-control server was unknown until a team of French investigators, nicknamed the “cybergendarmes,” tracked it down to an undisclosed site near Paris. After seizing the botnet’s server, the C3N team created a “replica” server (a sinkhole) that directed botnet traffic to “unused” parts of the internet, so that the malware on infected machines received no further commands and went dormant. Authorities plan to keep the new “disinfected” server online for the foreseeable future, as some infected machines may not be regularly connected to the internet.

The scope of the botnet’s cryptocurrency mining activity isn’t known, but officials estimate that millions of dollars in Monero’s XMR tokens have been mined by infected computers. The Retadup botnet appears to have been in operation since 2016. The location of the botnet operators, as well as the location of their ill-gotten cryptocurrency, is still unknown.

Speaking with France Inter radio, C3N chief Jean-Dominique Nollet explained that the threat presented by the botnet went far beyond “crypto-jacking,” data theft, and ransomware. “People may not realise it,” he explained, “but 850,000 infected computers means massive [DDoS] firepower, enough to bring down all the [civilian] websites on the planet.”

On a related note, the Monero-mining botnet dismantled in France may not be the only one of its kind in operation. Data-analysis firm Carbon Black released a report earlier this month suggesting that a similar botnet has infected around 500,000 machines in Eastern Europe, Russia, and Asia. This so-called “Access Mining” botnet appears to have earned its operators around 8,900 XMR ($600,000) since 2018.