Skip to content

Cybersecurity After the DNSChanger Shutdown

NordVPN Hacked: Here's What You Need to Know ASAP

The world prepared for an “cybersecurity internet doomsday” on July 9, 2012: a complete collapse of the global internet.

But that never happened. And that non-event was the result of a prolonged and well-concerted effort by a great number of organizations, led by the FBI.

It was one of the most remarkable cybercrime operations ever, and it had a long-lasting impact on how experts viewed and defended against malicious cyberattacks.

Operation Ghost Click

The story began in 2007 when Rove Digital, an unethical spam advertising corporation with offices in Estonia, began to employ a new trojan malware program called DNSChanger. This program went on to infect more than four million machines across more than 100 nations. Only in the United States are about 500,000 systems infected. Drive-by malware, which was actually the DNSChanger trojan, was misrepresented to customers as a codec needed to view videos. Systems were infected by DNSChanger at the boot sector level, making removal challenging.

The malware changed PCs’ DNS entries to link to Rove Digital’s fake name servers, which were used to inject advertisements into websites and steal user data. DNSChanger occasionally included a self-defense feature that stopped OS systems and antivirus software from being updated.

According to reports, the con artists made $14 million from their operation.

The subsequent actions were astounding. The National High Tech Crime Unit of the Dutch National Police Agency, the Estonian Police and Border Guard Board, the FBI, NASA’s Office of Inspector General (OIG), Internet Systems Consortium, Mandiant, National Cyber-Forensics, and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, and the University of Alabama collaborated on the two-year operation known as Operation Ghost Click (DCWG).

Preventing “Internet Doomsday”

Following the investigation, six Estonians were arrested on November 8, 2011, extradited to the United States, and accused of involvement in an Internet fraud ring. A seventh alleged conspirator, a Russian national, is still at large but has been charged with many offenses and added to the FBI’s list of Cyber Most Wanted. Two new servers were installed in exchange for their two seized servers.

But the DNSChanger malware, which would stop the other victims from accessing the internet, was left in place by the FBI. Instead, they led a successful operation to help victims securely remove the malware from their computer systems while collaborating with ISPs and others.

The FBI built a victim help office with a hotline to call and a wealth of tools for understanding and resolving DNSChanger malware impacts.

In addition, authorities froze the offenders’ bank accounts and seized hard drives from more than 100 malware servers believed to be a part of the group’s command and control network in data centers in Chicago and New York.

Estimates indicate that the initiative was a resounding success in the majority of cases, with only 41,800 systems still affected when the FBI shut down its servers.

The “Internet Doomsday” happened on July 9, 2012, a Monday. But the end of the world was avoided thanks to Operation Ghost Click’s coordinated efforts. Nothing bad happened.

In the end, the entire operation was among the best law enforcement initiatives against cybercrime ever.

How Operation Ghost Click Changed Cybersecurity

The whole thing was successful and changed how law enforcement deals with cybercrimes. The operation specifically taught them:

  • The effectiveness of interagency law enforcement. Cybercrime usually appears on the international market. Some criminals can be stopped from finding safe havens abroad by collaborating with international police departments, pooling resources, and coordinating operations. However, this notion is limited, especially when rogue states shield cybercriminals. But cooperation is essential to the greatest extent possible.
  • The benefit of working with cybersecurity experts from universities and security companies. The FBI and other law enforcement organizations have cybersecurity specialists. However, cybercriminals can be effectively outsmarted by bringing top professionals wherever they are, including among the victims of cybercrime (NASA, for instance, was a significant DNSChanger victim and also partnered in the law enforcement operation).
  • The advantages of creating temporary working groups (in this case, the DCWG). It’s a great idea to assemble a team of knowledgeable volunteers to thoroughly research a particular kind of harmful malware and then inform law enforcement of their findings.
  • Using a comprehensive approach to preventing cybercrime. The FBI’s job is to look into crimes; it is not to maintain and advertise cybersecurity protection tools or hire DNS servers. However, the entire operation was distinguished by original thinking and daring deeds, such as the choice to take control of and replace the criminals’ DNS servers and maintain them in operation until the majority of victims were able to uninstall the malware.

The entire Operation Ghost Click, DNSChanger, and “internet doomsday” event stunned and fascinated the online and cybersecurity community a decade ago. It serves as a case study for today’s students on how to look into, prosecute, and—most importantly—protect the public from transnational cybercrime.

Want to know more about Cybersecurity? Visit our course now.


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com