Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Ten Arrested for Infecting 11 Million Computers with Yahos Worm and Stealing $850 Million

By ThreatMetrix

U.S. and international law enforcement agencies charged ten John Does in connection with a global crime ring that infected 11 million computers. No, the guys were not all named John Doe. Law enforcement uses John and Jane Doe as placeholder names where the suspects' true identities must be withheld in a legal action. You already knew that? Well, not everybody watches Law & Order, NCIS, CSI and Hawaii Five-O. They do?

Anyway, according to, the FBI announced that the suspects operated the “Butterfly” botnet, which spread multiple variants of the Yahos worm (not to be confused with any past or present Yahoo CEOs). The banking malware stole credit card, bank account and other personal information leading to more than $850 million in losses.

The FBI said the worm targeted Facebook users from 2010 to October of 2012 and was often spread through instant messaging. (Facebook helped law enforcement in the investigation.)

Arrests were made in the United States, United Kingdom, New Zealand, Peru, Croatia, Macedonia, and Bosnia and Herzegovina as part of a joint operation by the FBI, U.S. Department of Justice and international authorities. However, it’s unclear which jurisdiction will prosecute the suspects.

In April 2011, security researchers found that the worm targeting Facebook and MySpace users was a modified form of an older piece of malware named “SdBot,” which, like Yahos, was spread through instant messaging.

Using Facebook’s IM service, Yahos would send fake messages containing links to photos to Facebook members’ friends lists. The messages urged the recipients to go to a website with malicious binaries.
