1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Botnet broken

March 3, 2010

Spanish authorities say they have apprehended three men who helped operate one of the largest criminal computer networks in the world. The Mariposa botnet stole data from millions of computers.

A bundle of network cables
The group's malicious software turned computers into a data-stealing army called a botnetImage: AP

The men allegedly used a computer virus to gain access to data from 13 million PCs in almost every country in the world. All aged between 25 and 31, the men were only identified by their online aliases. The suspected ringleader, known as "Netkairo" or "hamlet1917" was arrested in February along with two accomplices, "Ostiator" and "Johnyloleante." One had data from more than 800,000 users on his computer when arrested.

The group made each infected computer part of its botnet - a virtual army of computers that could execute their commands. Their network was known as Mariposa, the Spanish word for butterfly. The ringleaders then sold the information, which included passwords, usernames, and credit card information, to other hackers, criminal syndicates, and individual criminals.

Their reach spread to 190 countries. Their victims were users in homes, schools, half of the world's 1,000 largest companies and more than 40 financial institutions.

Shrewd, but 'not that smart'

The virus first spread through a security hole in Microsoft Internet Explorer, said Defence Intelligence head Chris Davis, whose computer security firm helped break the ring. Later it proliferated through links sent using Microsoft's instant messaging program, and through memory sticks that were used in infected computers.

The arrests came after Spanish police, the FBI and several computer security companies managed to dismantle the network in December.

"The guys involved with this botnet were not that smart," Javier Merzan, a spokesman for Panda Security, one of the companies that broke the network, told Deutsche Welle. "[After] we blocked the botnet, [one suspect] was trying to set it live again from his home computer. We were able to track the IP address and the police department here was able to know exactly where he was."

Editor: Michael Lawton

Skip next section Explore more