Ted December 9, 2021 12:30 PM

According to Cyberwire this is a “Technical Head Slap and a Legal Nose Pull.”

Why, I Oughta…!!!

Glupteba is a botnet being used to steal credentials and other data for crypto-jacking on infected hosts. The lawsuit is the first against a blockchain-enabled botnet. The action is being filed in the Southern District of NY.

“Google disrupts Glupteba” (min 7:10 to 9:45)

Ted December 9, 2021 3:11 PM

This is a mess.

From the lawsuit:

49) Thus, whenever a C2 server is taken offline, Glupteba malware is programmed to locate a replacement C2 server by querying the public blockchain…

50) […] Thus, the Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure.

Do they have to find the two named defendants (or Does 1-15) for a jury trial?

How does this even go to trial?

Clive Robinson December 9, 2021 3:26 PM

@ Ted,

Remember this is a big US Silicon Valley Corp.

Remember what a US court decided a big US tech Corp from Seattle could do with regards a different botnet?

US courts apparently have no issue with granting large US Corps the equivalent of not just “police powers” but those that are “extrajurisdictional” and certainly illegal in more than one or two places.

Ted December 9, 2021 3:46 PM


Remember what a US court decided a big US tech Corp from Seattle could do with regards a different botnet?

Oh interesting.

However I don’t understand what this new Google lawsuit will be able to do.

From a Google TAG post:

Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious interference of business relationships, and unjust enrichment.

While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations.

Someone found the one effective use for blockchain.

Etienne December 9, 2021 5:13 PM

I consider it economic warfare at the minimum, and the US should use its military power to thwart these attacks.

These people need to be droned, or assassinated by proxy.

Clive Robinson December 9, 2021 7:16 PM

@ Ted, SpaceLifeForm,

I really hope Brian Krebs’ recent tweets on this indicate a forthcoming article.

There is a certain irony to this.

The “meet in the middle” anonymous unblockable “Command and Control” for botnets etc idea originated on this blog years ago.

I posted the idea but talked about using “Google’s search engine and random blogs”, simply because no organisation I know of outside a very few telcos and banks would dare block access to Google’s search engine.

Did the two Russians read it and think “that’s a good idea” or did they come up with it independently?

I suspect that due to the time span since I posted the idea and the fact they’ve used a system that most sensible organisations should block –but probably don’t– suggests the latter.

SpaceLifeForm December 9, 2021 7:44 PM

@ Ted, Clive, ALL

I suspect the Lanham Act is part of the lawsuit because the perps were using gogle [dot] com.

Single OH, not double.

Ted December 9, 2021 9:16 PM

@Clive, SpaceLifeForm

I posted the idea but talked about using “Googles search engine and random blogs”

Clive it would not surprise me if your ideas were picked up and put into play. Funnily though, you are pretty darn creative and knowledgeable. So if an idea was in the realm of even obscure possibility I’d put my money on the fact that you’d thought of it 🙂

Ted December 9, 2021 9:38 PM

@SpaceLifeForm, Clive, ALL

I suspect Lanham Act is part of the lawsuit, is because the perps were using gogle [dot] com.

I’m glad you mentioned that because I didn’t know what the Lanham Act was. It’s federal trademark law right?

The complaint has a section specifically outlining the violations of the Lanham Act.

One of them was:

178) Defendants’ […] offering of software that purported to assist in downloading of videos from YouTube, have been false, deceptive, and misleading.

I guess they tricked people into using a fake YouTube video downloader that infected their computers with the Glupteba malware and made them part of the botnet.

I don’t know all the infection vectors they used, but it’s wild that it ended up on 1 million devices.

MrC December 9, 2021 9:38 PM

@ Ted:

Do they have to find the two named defendants (or Does 1-15) for a jury trial?

They have to serve the two named defendants with the complaint. This is more difficult than it sounds.

There is a treaty governing service of process abroad — the Hague Convention on Service of Process — and both the U.S. and Russia are signatories. Here’s where it gets ugly. The Convention provides that each state must create a “central authority” to receive requests for service from foreign parties, and it must do so free of charge. In typical U.S. fashion, the U.S. has delegated part of this process to a private contractor who charges a $95 fee. Russia (correctly!) views this as a violation of the treaty and has responded by flatly refusing to accept service requests from the U.S. until the U.S. comes back into compliance. So it is presently impossible to serve a Russian defendant in a U.S. civil case pursuant to the terms of the Convention. Which is a big problem, since service pursuant to the Convention is the only legal means of service in such cases. What’s a U.S. litigant suing a Russian supposed to do then? Well, U.S. courts appear to be converging on the position that you may make a motion for service by alternative means, supported with factual evidence that the Russians are still rejecting service requests, and the Court then will order some other method of service to be used. It’s somewhat dubious that U.S. courts have the authority to do this absent an (extremely hypocritical) executive decree that Russia is in violation of the treaty. In any event, Russian courts would almost certainly refuse to enforce any resulting judgment.

(For more details, see

As for the Doe defendants, the plaintiff needs to figure out who they are during discovery, make a motion to amend the case caption, and then serve them. You might ask the Court for special early discovery limited to figuring out who the Does are. If you can’t figure out who the Does are, you need to drop them.

How does this even go to trial?

It doesn’t. Given the near certainty they’d be arrested the moment they set foot in the U.S., there’s no way in hell the defendants will be showing up. So they’re going to default, and then Google is going to see how far they can get the judge to go with a default judgment.

My guess is that Google is either seeking a pretty broad injunction that would authorize some otherwise legally dubious steps to further disrupt the botnet, or they’re planning to seize control of the C&C infrastructure under the theory they’re seizing assets to pay the default judgment. Either way, I think this boils down to looking for legal cover for “hacking back.”

Ted December 9, 2021 11:08 PM


Re: Google’s legal path against Glupteba

Oh my lord. Where did you go to law school? That’s awesome. Those were all just the sort of questions I had. I was wishing I had a phone-(or text)-a-lawyer friend.

Thanks so much for your response.

I was kind of wondering the same thing. That is, if the only way to get a handle on this blockchain botnet (or its operators) is ‘hacking back.’ I thought one article says the Justice Dept declined to comment on these proceedings, but I hope lots more comes out.

One addtl article said:

Together with Facebook, Google and Microsoft are currently part of a trifecta of US tech companies that have been actively suing and using the courts to disrupt malware operations. Microsoft has filed 24 lawsuits so far, and Facebook is not far behind.

I’m curious how all these lawsuits are approaching these problems, and what results they are having. Very interesting.

Ps: What the heck kind of name is Glupteba?

Freezing_in_Brazil December 10, 2021 6:46 AM

@ Ted

Ps: What the heck kind of name is Glupteba?

Croatian word meaning ‘stupid’. Or so it seems.

Clive Robinson December 10, 2021 8:26 AM

Hey did Freezing just pull a funny at the expense of some rooskie’s?

+11 for style.

Now remember “duck, cover and run” is good to get you out of the rain…

Winter December 10, 2021 8:48 AM

@ Freezing_in_Brazil
“Croatian word meaning ‘stupid’”

Google Translate tells me that “Glup teba” means “Stupid you” in Croatian.

Yipee December 10, 2021 12:43 PM

What exactly does “hacking back” look like in this context? Does Google plan to use a blockchain based attempt too?

SpaceLifeForm December 10, 2021 4:38 PM

@ Clive

Now remember “duck, cover and run” is good to get you out of the rain…

Depends upon the depth of the puddles.

Sometimes, it is better to tread slowly, carefully selecting your path.

The interesting puddles are those that form out of thin air.

Freezing_in_Brazil December 11, 2021 6:17 AM

@ Clive, Ted, Winter, All

Hey did Freezing just pull a funny at the expense of some rooskie’s?

Hehe, I wouldn’t dare, my friend. They say, 'fools rush in where angels fear to tread'. I’m trying not to be the fool. 🙂

Clive Robinson December 11, 2021 7:27 AM

@ Freezing_in_Brazil, ALL,

In all my years I’ve learned a little thing, that no matter how hard we try life always,

1, Makes fools of us all.
2, Has the last laugh.

So I figure you can not win, you can not draw… so with a cheerful smile and careless laugh just “cease it by the tail” and “go hell for leather” and enjoy life whilst you have the time.
