This week, we were pleased to see the end to a nearly year-long legal battle against the Glupteba botnet – a highly sophisticated botnet that used cryptocurrency blockchains to protect its command structure and compromised millions of Windows devices. The court’s ruling against the operators of this botnet sets an important legal precedent and sends a warning to cybercriminals and those who enable or protect them.
Last December, Google’s Threat Analysis Group (TAG) shared the actions it took to disrupt the operations of the Glupteba botnet. Our legal team also filed a case in the Southern District of New York to hold the botnet operators accountable. We made the explicit decision to name the criminal actors behind Glupteba as defendants in the suit, to expose them and their various shell companies. This is not a common tactic, but we felt it was important to try and disrupt their ability to operate covertly online. We did this knowing it could lead to drawn-out litigation. The risk was that these actors – who are based in Russia – could attempt to abuse the U.S. court system by litigating from abroad with no intention of complying with the court’s orders and could try to use the legal process to get information about Google’s defense mechanisms. They attempted to do exactly that.
But the court saw through these attempts. On Tuesday, the court agreed with Google and granted our motion for sanctions, entering default judgment against the defendants to hold them responsible for attempting to mislead the court. In an extraordinary move, the court also issued monetary sanctions against both the Russian-based defendants and their US-based lawyer – requiring the criminal actors behind Glupteba to pay Google’s legal fees. This step is particularly important because it shows that there will be real, monetary consequences for engaging in this type of criminal activity.
“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” said Federal Judge Denise Cote in her decision Tuesday.
We’re pleased with the outcome of this case and believe it will have significant ramifications for online crime. While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them. And the steps TAG took last year to disrupt their operations have already had significant impact. Over the past year, TAG has observed a 78% reduction in the number of infected hosts.
But there’s a lot more work to be done. Legal cases that expose the criminal elements behind these types of operations are just one tool that Google uses to protect our services and the people and businesses who use them. We’ll continue to put security at the core of everything we do through legal action, sophisticated threat intelligence from TAG, work with law enforcement, and partnerships with government cybersecurity agencies.