The criminal mastermind responsible for one of the world's largest cyber-crime rings remains at large, despite a major assault on his Citadel botnet network by Microsoft and the FBI.

Microsoft staff and forensics experts examine evidence related to the Citadel malware that was collected from a data center in Atlantic City, New Jersey, in this June 5, 2013 photo. (Credit: Microsoft)

Known only as 'Aquabox' and believed to operate out of eastern Europe, the mastermind behind one of the world's largest botnet networks remains at large despite a major disruption to his network of infected PCs.

However, Aquabox will feel the impact of the latest collaboration between Microsoft and the FBI, which has knocked offline at least 1,000 of the 1,400 malicious computer networks known as botnets.

Botnets are networks of zombie computers (or bots) which are infected by malicious software and controlled by a central "command and control" server. Citadel, which is a derivative of the Zeus banking Trojan, allows those in charge to monitor the keystrokes on infected PCs, meaning online banking login details can be easily recorded.

While Aquabox was ultimately in charge of Citadel, he sold the malicious software to dozens of cyber-criminals who in turn rented out their own botnets for a fee, allowing customers to steal huge amounts of money.

According to Microsoft, the Citadel botnet was operational in 80 countries around the world and is believed to have helped the cyber-crime ring steal over $500 million (£325m) over the last 18 months. The FBI believes Aquabox works with at least 81 so-called 'botherders' who could be located anywhere in the world.

The investigation began in early 2012, and it is believed over five million PCs in the US, Western Europe, Australia, Hong Kong and India were infected. Its creators managed to spread the Citadel software by bundling it with pirated copies of older Windows software, using fraudulently obtained product keys for the Windows XP version of the popular operating system.

Microsoft filed a civil lawsuit against the unidentified Aquabox in the US District Court in Charlotte, North Carolina and obtained a court order to shut down the botnets. This is Microsoft's seventh botnet takedown effort but its first in collaboration with the FBI.

As well as the FBI, the investigation collaborated with law enforcement agencies from the UK and many other countries including: Australia, Brazil, Ecuador, Germany, Holland, Hong Kong, Iceland, India, Indonesia and Spain.

Chasing John Doe

Identified as 'John Doe No. 1' in the civil lawsuit filed by Microsoft, the mastermind behind the Citadel botnets emerged in early 2012 selling a variation of what was already out there in the shape of the Zeus botnet - though "greatly expanding its functionality."

How a botnet works (Credit: Reuters)

Unlike Zeus, however, Citadel was controlled by a single developer, with Aquabox using underground malware forums to sell his software in kit form at $2,400 a time, though the FBI believes Aquabox also received a percentage of the money stolen by these 'botherders'.

The software has been designed so as not to attack PCs or financial institutions in Ukraine or Russia, leading investigators to believe Aquabox lives in one of these countries.

The FBI told Reuters it is working closely with Europol and other overseas authorities to try to capture the unknown criminals. The FBI has obtained search warrants as part of what it characterized as a "fairly advanced" criminal probe.

"We are upping the game in our level of commitment in going after botnet creators and distributors," FBI Assistant Executive Director Richard McFeely said in an interview.

"This is a more concerted effort to engage our foreign partners to assist us in identifying, locating and - if we can - get US criminal process on these botnet creators and distributors."