Fighting cybercrime in a more targeted way with “Melissa”

Daphne Frik

14 November 2023

On October 3, the “Melissa” covenant was signed by the Public Prosecution Service (OM), the police, the National Cyber Security Center (NCSC), Cyberveilig Nederland, and ten private parties. In this partnership, the groups join forces to fight cybercrime in a more targeted way, to increase the chances of catching cybercriminals, and to reduce the chance of impact for victims.

On 29 August, the Dutch police announced that Qakbot, one of the world’s largest botnets, had been taken down in an international police operation.

Qakbot, also known as Qbot or Pinkslipbot, made it possible for cybercriminals to carry out ransomware attacks by installing malware on computers. It did so by sending out phishing emails: once the victims clicked on the link in the email, the cybercriminals were able to infiltrate their systems.

The operation, titled ‘Operation Duck Hunt,’ was run by authorities in the US, the Netherlands, Germany, France, the United Kingdom, Romania, and Latvia. The US, which coordinated the operation, was able to seize 8.6 million USD in cryptocurrency. In the Netherlands, 22 servers were taken down. In total, 7.6 billion stolen credentials of computer users, such as email addresses and login details, have been secured, the Dutch police said in its press release.

Structural partnership

In the operation, the Dutch prosecutors and the High Tech Crime Unit of the Dutch Police worked with Fox-IT, Northwave, the National Cyber Security Center, and NFIR. The collaboration of these public and private parties was the first in a structural partnership.

On 3 October, the ‘Melissa’ covenant was signed by the Public Prosecution Service (OM), the police, the National Cyber Security Center (NCSC), Cyberveilig Nederland, and ten private parties. In the partnership, these parties will exchange information with each other on a structural basis and share and discuss current developments more frequently. While the collaboration already started in 2021, the Melissa agreement has now set out the partnership’s legal, organizational, and technical agreements.

Previous operations

Previously, the parties worked together on the Deadbolt and the Genesis Market operations. Deadbolt was a ransomware strain that targeted small businesses and individuals by demanding Bitcoin ransoms after encrypting devices. After the ransom was paid, Deadbolt would create a Bitcoin transaction containing a decryption key and send that to the victim.

In October 2022, the Dutch police received a notification from cybersecurity firm Responders.NU about a method to obtain decryption keys. With that method, the police obtained over 150 decryption keys during a targeted operation: almost 90% of the keys of victims who had filed complaints.

Operation Cookiemonster, which took place in April 2023 and was led by the FBI and Europol, resulted in the takedown of the criminal trading website Genesis Market. This website sold millions of user profiles that contained not just login details but also fingerprints, making it possible for buyers to commit identity fraud. In the Netherlands, 17 people were arrested.

Fighting crime in a more targeted way

Often, organizations underestimate the impact of ransomware attacks or think that their data would not be of interest to criminals, the Melissa parties note in their press release. “Yet, the opposite is true: without proper digital security, everyone is vulnerable. It is therefore very important for our society that we join forces to fight this serious form of crime in a more targeted way, increase the chances of catching cybercriminals, and reduce the chance of impact for victims.”