Koobface gang turns off command servers, as Russian police explain lack of action

Graham Cluley
Graham Cluley
@

 @grahamcluley.com
 @[email protected]

Facebook logo and Koobface suspectsThe publication of a detailed investigation into alleged members of the Koobface malware gang appears to have had an instant impact.

The C&C (command and control) servers at the heart of Koobface have stopped responding, and the individuals uncovered by the report have been busy deleting their profiles on social networks, where they had left digital clues as to their identities.

Although social networking accounts have been wiped, security researchers and law enforcement agencies have archives of the vast amount of material already published by Koobface gang members, including photographs, movies, and locations as they checked into sites such as FourSquare.

That data can be used in a variety of ways. For instance, FourSquare logins can be displayed on Google Earth, allowing researchers to replay how individuals have moved from place to place at certain times.

Sign up to our free newsletter.
Security news, advice, and tips.

Locations tracked on FourSquare, displayed on Google Earth

Ryan McGeehan, a member of Facebook’s security team, was quoted in the press, expressing his delight that releasing information about the five men’s alleged activities had already had an impact:

“The thing that we are most excited about is that the botnet is down. Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it’s permanent but it was certainly effective.”

Meanwhile, Russia’s anti-cybercrime unit has claimed that there’s a very good reason that it hasn’t investigated the Koobface gang – it hasn’t been asked to.

According to a report from Reuters, the Interior Ministry’s K Directorate says that it has received no official request to look into the activities of the Koobface gang, alleged to be based in St Petersburg.

“An official request needs to be filed to the K Directorate first, and when it’s filed, we will certainly investigate and work on it,” said Larisa Zhukova, a representative at the cyber unit, told Reuters. “The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far.”

All that we see from this is that it can be very difficult to co-ordinate investigations into cybercriminal activity when there are multiple countries involved. One thing is clear, however, the people identified in the report are clearing up the various breadcrumbs they have left lying around the net.

Read: The Koobface malware gang – exposed!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.