Six men believed to be behind a massive click-fraud scheme were arrested on Monday following a two-year, international police investigation, dubbed Operation Ghost Click, the FBI announced Wednesday.
The racket led to the infection of more than four million computers in 100 countries with malware.
The defendants, all of whom are Estonian nationals, were arrested in their native country. The U.S. attorney’s office is planning to seek their extradition to the United States. The seventh defendant, a Russian national, remains at large.
The gang is accused of infecting millions of computers around the world with so-called DNSChanger malware capable of manipulating the web advertising industry through a hacker method known as clickjacking, the FBI said in a news release. When a user of an infected computer clicked on a link displayed through a search engine query, the malware rerouted the victim machine to websites and online advertisements of the attackers’ choosing, earning them at least $14 million in fraudulent commissions unknowingly paid for by legitimate advertisers.
At least 500,000 compromised machines were located in the United States, including computers belonging to NASA and other government agencies, educational institutions, nonprofits, commercial businesses and individuals.
The defendants were each charged by Manhattan prosecutors with five counts of wire fraud and computer intrusion crimes. One defendant was also charged with 22 counts of money laundering.
“These defendants gave new meaning to the term, ‘false advertising,’” Preet Bharara, Manhattan U.S. attorney, said. “The international cyberthreat is perhaps the most significant challenge faced by law enforcement and national security agencies today, and this case is just perhaps the tip of the internet iceberg.”
The investigation was carried out by the FBI with the help of Estonian and Dutch police, a number of security firms, including Mandiant and Trend Micro, and other private-sector organizations.
In conjunction with the arrests, U.S. authorities seized the defendants’ computers, froze their bank accounts and disabled the command-and-control (C&C) infrastructure used to operate the ring.
The C&C infrastructure consisted of a network of rogue DNS servers located in New York and Chicago. Feike Hacquebord, senior threat researcher at Trend Micro, in a blog post Wednesday, called it the “biggest cybercriminal takedown in history.”
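The scheme described above worked by pointing infected machines at the gang's own rogue DNS servers, so the basic defender check is whether a host's configured resolvers are the ones the organisation expects. The following is an added example, not code from the article or from any of the organisations it names; the resolver addresses and the "rogue" netblocks in it are constructed placeholders, since the article publishes no indicators.

```python
import ipaddress

# Constructed placeholder netblocks standing in for the rogue resolver
# ranges (the article names none; these are RFC 5737 test addresses).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")
]
# Resolvers an organisation expects its hosts to use (assumed values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text,
    skipping comments, blank lines and unparsable addresses."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed entry; ignore rather than crash
    return servers


def classify_resolvers(servers):
    """Label each resolver as expected, known-rogue or unexpected.
    'unexpected' is still worth an alert: DNSChanger-style malware
    simply swaps the configured resolver for one it controls."""
    findings = []
    for ip in servers:
        if str(ip) in EXPECTED_RESOLVERS:
            verdict = "expected"
        elif any(ip in net for net in ROGUE_RESOLVER_RANGES):
            verdict = "known-rogue"
        else:
            verdict = "unexpected"
        findings.append((str(ip), verdict))
    return findings


# Constructed sample of a resolv.conf that has been tampered with.
SAMPLE_RESOLV_CONF = """# generated by dhcp
search corp.example
nameserver 10.0.0.53
nameserver 192.0.2.17   # injected by malware
nameserver 203.0.113.5
nameserver not-an-ip
"""


def check_sample():
    return classify_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF))
```

On a real fleet the same classification would be run against each host's live resolver settings (and the DHCP options that set them), with any "known-rogue" or "unexpected" result raised as an incident.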