The FBI has stepped up its search for members of a multimillion-dollar cybercrime group more than two years after the bureau and its European allies announced they had taken down the group's computer systems, according to newly unsealed court documents reviewed by CNN.
A hacking tool associated with the group -- whose operations were previously traced to eastern Ukraine -- has stalked the internet for nearly a decade, costing victims hundreds of millions of dollars, and leading to a disruptive ransomware attack on a US school in 2017.
After the hacking tool, known as Emotet, reemerged online late last year, the FBI executed a search warrant in January for information that an agent on the case thought might uncover new details about the hackers' identities or whereabouts. The warrant asked for digital records tied to the hackers that the FBI believed were held by US web-hosting firm GoDaddy.
But the search came up empty, according to court documents unsealed this week in US federal court. Seamus Hughes, an independent researcher and founder of Court Watch, shared the documents with CNN.
The court records show how difficult it can be to shut down cybercriminal gangs, often based in Eastern Europe and Russia, that operate like well-oiled multinational corporations and fleece Americans out of millions of dollars. Unless they're arrested, the hackers can sometimes recover from law enforcement seizures of their computer infrastructure and rebuild their fraudulent empires.
The records were unsealed in the US District Court for the Middle District of North Carolina, where the FBI is investigating Emotet operatives after their malware was used in a ransomware attack on a North Carolina school district in 2017.
A spokesperson for the FBI declined to answer questions about the new court records or the status of the Emotet investigation. GoDaddy declined to comment on why the search warrant came up empty.
Emotet (both the name of the malicious code and the hackers' army of infected computers) has cost US state and local governments $1 million per hacking incident, according to federal data.
It is exactly the type of cybercriminal enterprise that the US government has sought to aggressively dismantle in recent years through a campaign of arrests, computer seizures and offensives from US military hackers. The accelerated Western law enforcement actions have come as the Russian government has balked at cooperating with investigators and the war in Ukraine has uprooted cybercriminals in that country.
Investigative leads from the war in Ukraine
In January 2021, the FBI alongside Dutch, British and other European law enforcement agencies announced that they had infiltrated Emotet's servers and cut off the hackers' access to victim computers. Ukrainian police also seized computers allegedly used by the hackers.
But hackers associated with the group have continued to rebuild their infrastructure, and they blasted out another campaign of spam emails in March, according to researchers. Experts who track the group told CNN they haven't observed Emotet activity in months, raising questions about where they might surface next -- or if their operations had suffered a mortal blow and law enforcement agencies were closing in on the hackers.
The FBI and European allies said last month that they had dismantled Qakbot, another network of infected computers that is similar to Emotet. A senior FBI official told CNN at the time that the investigation into Qakbot and related activity is ongoing.
The new court documents also show how the chaos unleashed by the war in Ukraine has provided investigative leads, and challenges, for the FBI in its hunt for cybercriminals.
At the onset of Russia's full-scale invasion of Ukraine in February 2022, a Ukrainian cybersecurity researcher leaked a trove of private chats from Conti, another cybercriminal gang that has alleged ties to Russian intelligence. The Ukrainian told CNN that he leaked the data to get revenge on the Russian cybercriminals after they swore allegiance to the Kremlin, and "to prove that they are motherf**kers."
The new court documents are perhaps the first time the FBI has publicly corroborated the Conti leaks. Those leaks were authentic, the FBI agent said in an affidavit filed in in the Emotet case, and showed that at least one of the Emotet hackers was administering the group's malicious code both before the January 2021 law enforcement bust and in the years since.
"Sophisticated adversaries go to great lengths to stay anonymous and build layers of resiliency in their operations," said Michael DeBolt, a former US representative to Interpol who is now chief intelligence officer at security firm Intel 471. "For law enforcement, investigating and eventually prosecuting prolific cybercriminals requires a great deal of patience and perseverance."