The French Center for Combating Digital Crime (C3N), with the help of Avast researchers, dismantled a vast botnet of 850,000 machines during a large-scale operation.

The French police force, the Gendarmerie, announced on Wednesday, August 28th, 2019 that it had neutralized a network of 850,000 computers infected with the computer virus named Retadup. The malware was present without the knowledge of the legitimate owners of these computers and allowed hackers to take discreet control of them.


Retadup is no stranger: Trend Micro, the Japanese publisher of cybersecurity solutions, wrote an article in 2017 about this "Information Stealer Found Hitting Israeli Hospitals". It is malware that, once installed on a computer, spreads, notably through removable media, and has features that allow it to infect its host with other malware.

Over time, Retadup, first detected in Israel, including in hospitals, and then in several countries in South America, served as a bridgehead for data theft or cryptocurrency mining. According to the French Gendarmerie, it also seems to have been used to block computer systems.

French Police Removed RETADUP Malware from 850,000 PCs


It all started in March 2019, when Avast, a company specializing in computer security, warned the Gendarmerie's cybersecurity unit, the Center for Combating Digital Crime (C3N), of the presence on French territory of the server used to control this network. In a long explanation posted on its site, the company also said it had discovered a flaw in the way this central server communicated with the infected computers.

The Gendarmerie raided the server's host to make a "quiet copy" of this server without being spotted by the hackers. Then the gendarmes replaced it with another copy equipped with control and analysis tools which, exploiting the identified vulnerability, ordered the 850,000 copies of the virus to self-destruct.

The majority of the infected machines were located in Central and South America. Without their owners being aware of it, their computers were used to mine the Monero cryptocurrency. The Gendarmerie requested and obtained the help of the FBI, because part of the control server infrastructure was located in the United States. The Gendarmerie, which presents this operation as a "world first", says it is pursuing further investigations to try to identify the developers of the malicious program.