The FBI and the Justice Department say they have disabled a "botnet" of more than two million computers infected with malicious code that Eastern European cyber criminals may have used to drain millions of dollars from bank accounts around the world.
The victims include a Tennessee defense contractor that had $241,000 stolen from a bank account, a Michigan real estate company that lost more than $115,000, a South Carolina law firm had $78,000 taken from accounts and a North Carolina investment firm that lost $151,000 from fraudulent wire transfers, according to court documents.
U.S. authorities continue to combat the network of remotely controlled computers called the "Coreflood" botnet, which has secretly recorded computer users' keystrokes to compromise vast amounts of banking and financial data.
Botnets are armies of so-called "zombie" computers, often ordinary people's machines, that have been hijacked by hackers and ordered to vacuum up private information from bank accounts, credit card data, email services and social media sites.
Coreflood is believed to have been operating since 2002 and has resulted in an unknown number of U.S. bank accounts being broken into with losses that could be in the hundreds of millions of dollars, according to FBI officials.
The Justice Department and FBI filed a civil complaint against 13 "John Doe" defendants, charging them with wire fraud, bank fraud and illegal interception of electronic communications. Investigators will seek to identify the "John Does" as the investigation continues.
The FBI and Justice Department also have executed search warrants to seize Internet domain names believed tied to be the control servers for the Coreflood program.
'Full Extent of the Financial Loss ... Is Not Known'
The botnet has stolen vast amounts of funds from bank accounts in the United States, FBI officials said, and could have stolen hundreds of millions of dollars worldwide.
"The full extent of the financial loss caused by the Coreflood botnet is not known, due in part to the large number of infected computers and the quantity of stolen data," read a civil complaint filed in U.S. Federal District Court in Connecticut.
"As of in or about February 2010, there were approximately 2,336,542 infected computers that were, or had been, part of the Coreflood botnet," the complaint said. "Approximately 1,853,005 of the infected computers appear to have been located in the United States, with the remainder located in countries around the world."
Investigators received a temporary restraining order from the district court allowing them to seize control of the infected computer servers to try to further dismantle and disable the Coreflood botnet.
In its request to the court, the Justice Department wrote, "This is the first case in which United States law enforcement authorities have requested authorization to control a seized botnet using a substitute command and control server. A similar approach was taken by Dutch law enforcement authorities against the 'Bredolab' botnet, in which 'good' software developed by Dutch authorities was downloaded and executed on infected computers around the world as a means of victim notification."