More than 90 Arrested in Blackshades RAT Takedown

The FBI, Justice Department and law enforcement in 19 countries announced the takedown of the Blackshades operation, responsible for dissemination of the Blackshades RAT.

More than 90 arrests have been made in connection with development and sales of a remote access Trojan used worldwide to steal data and spy on victims, including Syrian dissidents.

The FBI and the Manhattan U.S. Attorney’s office yesterday announced the takedown of the Blackshades operation responsible for the inexpensive and invasive RAT which Citizen Lab of Canada exposed in 2012 as a tool allegedly used by the Syrian government to spy on activists in that country. The RAT was also used by 20-year-old Jared Abrahams to spy on Miss Teen USA Cassidy Wolf in an extortion scheme; Abrahams was sentenced in March to 18 months in federal prison.

“As today’s case makes clear, we now live in a world where, for just $40, a cybercriminal halfway across the globe can – with just a click of a mouse – unleash a RAT that can spread a computer plague not only on someone’s property, but also on their privacy and most personal spaces,” U.S. Attorney Preet Bharara said.

Blackshades was available on criminal forums for as little as $40, giving criminals the ability to remotely turn victims’ computers into surveillance devices. According to the Justice Department, once the victim was lured into downloading the RAT via drive-by downloads or spam, the malware could exfiltrate files, drop a keylogger that would steal credentials, and give the hackers access to the compromised machine’s webcam.

The FBI said the RAT was sold and distributed to thousands in more than 100 companies and is responsible for more than 500,000 infections. The RAT also had the capability of spreading itself to other machines by spoofing malicious links to social network contacts or over IM platforms.

“It required no sophisticated hacking experience or expensive equipment,” Assistant Director-in-Charge of the FBI George Venizelos said.

Officials said criminals could remotely manage compromised computers via a backdoor installed by the RAT; a management interface provided the attacker with system information, including whether a webcam was accessible.

“The user could, among other things, remotely activate the victim’s web camera. In this way, the user could spy on anyone within view of the victim’s webcam inside the victim’s home or in any other private spaces where the victim’s computer was used,” the Justice Department said in a statement.

The RAT could also force victim computers to join a botnet and be used in distributed denial-of-service attacks, the Justice Department said.

The FBI said it became aware of Blackshades during its takedown of a carding operation known as Operation Cardshop. Through this operation, the FBI said it was able to identify those in charge of Blackshades, Swede Alex Yucel, 24, and American Michael Hogue, 23 of Arizona. The FBI yesterday unsealed an indictment against Yucel, while Hogue was arrested in 2012 and pled guilty to charges related to the Operation Cardshop takedown; both are alleged co-developers of the Blackshades malware. Yucel is awaiting extradition to the U.S. after his arrest in Moldova, the FBI said.

“The charges unsealed today showcase the top to bottom approach the FBI takes to its cases. We tackled this malware starting with those that put it in the hands of the users - the creators and those who helped make it readily available - the administrators,” the FBI’s Venizelos said. “We will continue to work with our law enforcement partners to bring to justice anyone who used Blackshades maliciously.”

Also arrested in the last two days were Brendan Johnston, 23 of California, who is alleged to have helped market and sell Blackshades malware; Kyle Fedorek, 26 of New York, who allegedly used the RAT to steal from hundreds of victims; and Marlen Rappa, 41 of New Jersey, who allegedly used the RAT to spy on victims and steal online account credentials and data.

The Justice Department said the takedown included the cooperation of law enforcement in 19 countries and involved more than 300 searches; the investigation is ongoing.


  • Dr. Hilliard Haliard on

    I wish they didn't put webcams on the front, back and side of every new computing device. Those pieces of opaque tape I use to cover them up are starting to look unsightly and annoying.
    • Brian on

      :) black shoe polish or paint works as well! Can even color coordinate with the case....
  • Kevin Crabb on

    STOP if you are an EBay user, don't change your password till you have keyboard encryption from StrikeForce or CW 7. This EBay News is what I'm talking about, the KeyLoggers are getting worse. People have to educate themselves and protect themselves with keyboard encryption and tape their WebCam before it's too late. Lock down your keyboards NOW! For more information message back.
  • Peabody on

    Not too long ago a man would be hanged for stealing a horse. These guys steal everything and get a slap on the wrist. Then they're back doing it again. Federal prison is too good for these guys. It's time to hang them.
  • Mariloowhoo on

    Years ago, when I first heard about hackers being able to 'reverse' the webcams, I put a sticker over it. Now it's an American flag, but it's been a lot of other ones too. Keep the dang thing covered!
  • Jorge Bidarra on

    For 3 days at least, I have been trying to update the database Kaspersky without success. When the execution reaches 2% of the verification, execution stops, accusing problems in accessing the proxy. The Kaspersky version installed on my laptop is official. How to fix it?
    • Brian Donohue on

      Jorge, We can't really help you with that. However, if you are on twitter, you can reach out to @Kaspersky. You can also get support at Or you can do it the old fashioned way and contact support directly: Hope this helps.
    • Bill on

      Try reloading activation code, it worked for me.
  • James Bull on

    Keep up the good work!
  • Roberta Mucci on

    Yes, please help me --- What does Lock down your Keyboard mean? and, JUST HOW IS IT DONE? Thank you.
    • Brian Donohue on

      When he says "lock down your keyboards," he is advising you to install a security product that protects against keyloggers. A keylogger is a type of malware that monitors your keystrokes in order to steal credentials and other information. There are a variety of different sorts of applications and products that provide this sort of protection.
    • Karma on

      You can also just use an onscreen virtual keyboard, where you click letters with your mouse. But the safest way to browse is to download and burn a live linux cd/dvd, like Linux Mint. Just boot from that dvd. Because the dvd is unchangeable, it can't get infected by malware. For faster performance, you can also make a bootable usb flash drive. Instructions are on the site. Or if you want a different OS, go to and you'll see there are lots of other free and secure OS's to choose from. One thing to keep in mind when using a live DVD/usb: it won't remember any system updates you make while using it (or anything else), so, to stay up-to-date, it's best to download and burn a new one whenever a new version is released.
      • Karma on

        Let me correct one thing: a live OS can get infected by malware, but the malware only survives for that session; rebooting makes it vanish. So, assuming you don't fall prey to social engineering attacks, and you turn Java off in your browser, and you are using a live Linux or BSD DVD, then it's virtually impossible to get malware on your system unless there is someone manually targeting your IP address directly. And even then, just reboot and it's gone.
