On May 22, 2025, U.S. and European law enforcement disrupted the infrastructure of DanaBot, a sophisticated banking trojan that infected computers and stole financial and personal information. Intel 471 contributed intelligence to this operation, which has also divulged the real-world identities of two people allegedly linked to the malware, including its developer, JimmBee, and a sales representative, O*nix. Both have been active participants in Russian-language cybercrime circles. DanaBot was one of the most prevalent banking malware families distributed between 2018 and 2020. It was sold as a monthly subscription, a common type of underground offering known as malware-as-a-service (MaaS), contributing to an online landscape marked by data theft operations with tremendous scale.
DanaBot’s distribution has declined considerably since those years but it is still a threat as a data theft tool, an initial access foothold, a precursor to ransomware and a distributed denial-of-service (DDoS) attack tool. Following Russia’s full-scale invasion of Ukraine, DanaBot was used in March 2022 to launch DDoS attacks against Ukraine’s Ministry of Defense. In 2023, Microsoft detected a DanaBot infection campaign where it was being used as an initial access tool, gathering credentials from infected systems that were then passed onto Storm-0216, a group that distributed the Cactus ransomware. In 2024, DanaBot was observed distributing IcedID aka Bokbot — another key malware linked to ransomware — as well as Matanbuchus, which is “loader” malware used to load other malware onto infected machines. In December 2024, Intel 471 documented a large-scale DanaBot campaign aimed at compromising administrative hotel and property owner accounts for the Booking hospitality platform. Once compromised, threat actors targeted guests with upcoming bookings and socially engineered them into revealing payment card details. DanaBot was also spotted very recently, between April and May 2025, this time targeting four Mexican banks. Aside from financially motivated cybercrime customers, U.S. prosecutors allege there was also a second, “espionage” version of DanaBot that targeted militaries, governments, non-governmental organizations and diplomatic communications.
Despite declining volumes of DanaBot in malware payload statistics, JimmBee has continued to develop the malware, introducing tiered subscription plans in July 2023 and releasing at least nine updates over a nearly two-year period through May 2025. Malware developers often opt to retool and improve their offerings to stay competitive. There are signs the actor may have been transforming DanaBot to increasingly cater to the initial access broker (IAB) market and ransomware operators rather than solely the malware market. It is also possible the actor may have been keeping DanaBot more closely held so as not to overly expose it and retain some degree of stealth. However, this law enforcement action is expected to impact the viability of the malware. This post draws on Intel 471’s extensive Adversary Intelligence, which tracks threat actors and their operations, and Malware Intelligence, which covers malware families, attack campaigns and adversary infrastructure. It will cover what law enforcement has done, DanaBot’s background, why it is a threat and an assessment of the viability of DanaBot.
Takedown summary
On May 22, 2025, the U.S. Department of Justice (DOJ) announced a multifaceted operation against the developers and operators of the DanaBot malware. Defense Criminal Investigative Service (DCIS) agents effected seizures and takedowns of DanaBot command-and-control (C2) servers, including dozens of virtual servers hosted in the U.S. The operation also involved Germany’s Bundeskriminalamt (BKA), the Netherlands National Police and the Australian Federal Police (AFP). Authorities are now working to notify those with infected machines and remediate DanaBot infections through organizations including the Shadowserver Foundation.
Sixteen defendants were federally charged, the details of which are described in a grand jury indictment filed in U.S. federal court in the Central District of California on Sept. 20, 2022. Among the defendants are Aleksandr Stepanov, 39, aka JimmBee and Artem Aleksandrovich Kalinkin, 34, aka Onix, both of Novosibirsk, Russia. An additional criminal complaint from the same court dating from March 1, 2022, was also released related to Kalinkin. Stepanov was charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping and use of an intercepted communication.
Other parties named in the indictment include:
- Danil Khalitov aka Flawless, Dancho.
- Aleksey Efremov aka Ahost.
- Kamil Szturgulewski aka RaZZputin, bank666, kgb666.
- Ibrahim Idowu aka daveedo, audrops, sostransfer, Ronald 22, Ronshop.
- Artem Shubin aka Krad.
- Aleksey Khudyakov aka Bshayne, Moddixpb, BarboSpidor.
Also named are these individuals, whose real-world identities are unknown:
- The actor _pin_ aka Pin_plus, Pin.
- The actor Format.
- The actor Goldcoin.
- The actor Matrix8.
- The actor Chopin.
- The actor Benzz.
- The actor Linup.
Overview, associated campaigns
DanaBot is a sophisticated banking trojan written in the Delphi programming language and first identified by Proofpoint in May 2018. However, it may have origins going back much further. The actor JimmBee wrote in a post on the Vpodpolie forum Jan. 15, 2010, saying he had a private trojan with moderate functionality that worked on Windows XP and Vista. Over the years, DanaBot evolved into a robust MaaS platform, undergoing multiple significant updates and offering a range of functionalities. These included an advanced stealer and post-grabber mechanisms targeting multiple browsers, hypertext markup language (HTML) injects similar to the Zeus banking malware, hidden virtual network computing (HVNC), clipboard sniffing and keylogging, among others.
On the Exploit underground forum, DanaBot was offered starting at US $500 per month with the following options:

Customers who purchased DanaBot’s MaaS originally received builds embedded with unique affiliate identifications aka affids hard-coded into the binaries. These affiliations represented the threat actors DanaBot operators served and facilitated the tracking of malware campaigns by cybersecurity researchers. Our telemetry shows at least 38 operators leveraged the botnet under this scheme. In late 2022, however, the developers retired per-affiliate tagging, issuing all subsequent builds with the static affid value 9 and thereby removing that level of granularity. Campaign differentiation nevertheless remains possible by pivoting on the “module identifier” artifact present in every sample.

The above graph charts DanaBot activity from Feb. 19, 2025, to May 19, 2025, using the module identifier. The dataset relies solely on emulation data, avoiding the historical noise typical of public repositories such as VirusTotal. During the 90-day period, the botnet’s footprint steadily contracted, leaving a single active cluster tied to module ID 30D13364F8AD1C05C03B807C385AD6EE. The earliest event attributed to this identifier dates back to Nov. 15, 2024.
Leveraging the full 2025 emulation dataset, the accompanying graph below depicts the daily count of unique module identifiers.

The graph shows two clear spikes in activity: the first in early January, immediately after the Booking-themed campaigns pivoted to DanaBot deployment, and a second in late February when daily detections again reached 11 distinct module identifiers. Thereafter, usage tapered steadily until only a single module ID — 30D13364F8AD1C05C03B807C385AD6EE — remained active as of May 19, 2025. Given its sustained presence, we assess this module could be tied directly to the DanaBot project owners or developers.
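As an added illustration, not part of the original post or of Intel 471’s tooling, the following Python script performs the two analyses described above on a small constructed set of emulation events: the daily count of distinct module identifiers (to locate spikes) and the set of module-ID clusters still active at a cutoff date (to locate the last surviving cluster). The three module IDs are the ones named in this post; the dates and event counts are constructed, and the 14-day “quiet window” used to decide whether a cluster is still active is an assumed threshold, not a figure from the post.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of emulation events as (ISO date, module identifier) pairs.
# The three module IDs are the ones named in the post; the dates and counts are
# invented for illustration and are not Intel 471 telemetry.
SAMPLE_EVENTS = [
    ("2024-11-15", "30D13364F8AD1C05C03B807C385AD6EE"),
    ("2025-02-19", "30D13364F8AD1C05C03B807C385AD6EE"),
    ("2025-02-19", "62505A022E0501D3D296E3E623F09FCC"),
    ("2025-02-19", "B3FD2A33E9F5012ECCF234B6548006EB"),
    ("2025-04-30", "B3FD2A33E9F5012ECCF234B6548006EB"),
    ("2025-04-30", "30D13364F8AD1C05C03B807C385AD6EE"),
    ("2025-05-19", "30D13364F8AD1C05C03B807C385AD6EE"),
]


def daily_unique_modules(events):
    """Return a date-sorted list of (day, number of distinct module IDs seen that day)."""
    per_day = defaultdict(set)
    for day, module_id in events:
        per_day[day].add(module_id)
    return [(day, len(ids)) for day, ids in sorted(per_day.items())]


def peak_days(events):
    """Days on which the count of distinct module IDs reached its maximum."""
    counts = daily_unique_modules(events)
    if not counts:
        return []
    top = max(n for _, n in counts)
    return [day for day, n in counts if n == top]


def module_lifespans(events):
    """Map each module ID to its (first_seen, last_seen) ISO dates.

    ISO-8601 dates sort lexicographically, so string min/max is safe here."""
    spans = {}
    for day, module_id in events:
        first, last = spans.get(module_id, (day, day))
        spans[module_id] = (min(first, day), max(last, day))
    return spans


def surviving_clusters(events, as_of, quiet_days=14):
    """Module IDs still considered active: last seen within quiet_days of as_of.

    A cluster silent for longer than quiet_days (assumed threshold) is treated as retired."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=quiet_days)
    return sorted(
        module_id
        for module_id, (_, last) in module_lifespans(events).items()
        if date.fromisoformat(last) >= cutoff
    )


if __name__ == "__main__":
    for day, n in daily_unique_modules(SAMPLE_EVENTS):
        print(f"{day}: {n} distinct module ID(s)")
    print("peak day(s):", peak_days(SAMPLE_EVENTS))
    print("still active as of 2025-05-19:", surviving_clusters(SAMPLE_EVENTS, "2025-05-19"))
```

On real telemetry the events would come from the emulation pipeline rather than a hard-coded list, and the quiet window should be tuned to the observed cadence of a family’s check-ins; the point of the script is that a static build-time artifact such as the module ID can stand in for the retired per-affiliate affid when clustering campaigns over time.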
Over the years, multiple cybersecurity researchers and vendors have documented DanaBot campaigns, with some of the most notable contributions including the following:

Cyberespionage tool
The U.S. alleges there was a second, “espionage” version of DanaBot which was created by Stepanov and unindicted co-conspirators. This version, the U.S. government claims, targeted military, government, diplomatic and non-governmental organizations. The malware stole diplomatic communications, credentials, financial transactions by diplomatic staff, day-to-day diplomatic correspondence and summaries of a country’s interactions with the U.S. The espionage version of DanaBot used separate servers and a separate communications architecture from the cybercrime version and sent harvested data to Russia. In an example of the type of data the espionage version stole, the U.S. alleged an unindicted co-conspirator created a document containing email addresses of diplomatic representatives from “many governments, several of whose computers had been infected with the DanaBot malware Espionage Variant.” It infected machines in the U.S., Belarus, the U.K., Germany and Russia.
This overlap between cybercriminal use of malware and possible nation-state use has been noted before, particularly related to Russia. Russia allows professional cybercrime gangs to operate within its borders as long as they do not cause domestic incidents, so these groups and actors usually direct their intrusions outside of Russia’s borders and also exclude CIS countries. In exchange, cybercriminals within Russia are expected to aid the state and intelligence agencies upon request, a quid pro quo that has been documented over many years (Evgeniy Bogachev, the Yahoo email breach, Trickbot, Conti). The foundation for these relationships is institutionalized corruption, where the state — which has the power to conduct raids, audits and other forms of harassment — can coerce cybercriminal actors into paying protection money, participating in state-directed cyber operations such as espionage or data theft and supporting state narratives through hacktivist or misinformation campaigns.
Fluctuating volumes
DanaBot has experienced notable fluctuations throughout its operational lifecycle. Its peak period, often referred to as its “golden age,” spanned from May 2018 to June 2020. During this time, DanaBot was consistently recognized as one of the leading banking malware families within the cybercrime threat landscape. However, after June 2020, its activity declined sharply with no clear explanation for the drop.
A few months later, in October 2020, researchers at Proofpoint identified the first sample of DanaBot version 4 and published a detailed analysis in January 2021 highlighting the new enhancements introduced. Although these updates were rolled out, there was no immediate uptick in activity. A modest resurgence occurred in July 2021, but this quickly diminished by mid-November of that same year. Since then, DanaBot has been operating at relatively low levels with occasional spikes in activity, including brief resurgences observed during certain malware campaigns.
In December 2024, we documented the last large-scale DanaBot campaign, during which threat actors leveraged Booking.com-themed phishing lures. This operation persisted into January 2025. For an overview of these types of malware attacks, see Intel 471’s blog “How cybercriminals exploit the hospitality industry.”
We have observed several additional noteworthy activities since the start of this year. One such instance occurred in early February 2025 when multiple samples of the Lumma information stealer ultimately facilitated the deployment of a specific DanaBot banking trojan variant. This DanaBot sample, identified by the SHA-256 signature d650a5ccf08f4ab7bf02e68c1619aec104b37253890eb28231a690f04bdbc2ca, was configured with the module ID 62505A022E0501D3D296E3E623F09FCC. In total, 249 instances of the same sample were collected, each linked to one of 15 unique Lumma identifiers.

Another notable campaign was observed between mid-April and mid-May 2025, in which DanaBot operators deployed web-injects targeting four Mexican banks (see: chart below). The campaign was carried out by the DanaBot operator identified by the module ID B3FD2A33E9F5012ECCF234B6548006EB. The web-inject files collected through emulation referenced the domain https://dlxfreights[.]site from which additional JavaScript code was fetched and injected into the websites targeted by the DanaBot operator.
Despite fluctuations in operational intensity, DanaBot’s developer JimmBee periodically resurfaced on the Exploit forum to announce key updates to the loader. Notably, on March 7, 2022, the actor introduced an “extended kit” that expanded DanaBot’s capabilities to include support for Linux and VMware ESXi hypervisors, along with a JavaScript and Microsoft Visual Basic Script (VBScript) “generator.” This enhancement marked a strategic shift toward serving network intruders and ransomware operators, signaling broader ambitions for DanaBot beyond banking malware use cases. Subsequently, on July 10, 2023, the actor unveiled another update that introduced tiered service plans for the MaaS platform, further formalizing DanaBot’s commercial structure. In total, between July 2023 and May 2025, JimmBee released at least nine updates to the loader. The most recent update, posted May 2, 2025, included improvements to the PostGrabber component and secure sockets layer (SSL) libraries, and previewed plans to release a new version of DanaBot’s custom cryptor.
Overall, DanaBot has maintained a positive reputation for reliability, consistently receiving positive feedback from other threat actors regarding both its functionality and the quality of customer support.
Threat actors behind DanaBot
Aleksandr Stepanov aka JimmBee
According to the DOJ announcement, the operator previously known only by his underground aliases — JimmBee, Zadrot, MojerDims, mainvillain and main.villain — has now been identified as Stepanov.
Stepanov first appeared on the DamageLab cybercrime forum in October 2010 seeking a developer with deep exploitation expertise to build and maintain exploit packs. Over the subsequent decade, he built and managed DanaBot, contracting coders to extend its feature set and marketing the malware on the vetted Exploit forum to prospective customers, investors and partners. His core team included several recognized underground figures: O*nix, who managed sales, and diveragent, an early reseller of DanaBot who later departed the project. In addition to running the MaaS platform, Stepanov allegedly sold DanaBot log files containing stolen credentials. If convicted, Stepanov faces a statutory maximum sentence of five years in federal prison.

JimmBee’s team
The DOJ also announced the real-world identity of O*nix aka Onix, EoGeneo, MaffiozI as Kalinkin. Kalinkin joined the Exploit forum Oct. 5, 2013, but kept a low profile until early 2017. By September 2018, he had become JimmBee’s public-facing partner, handling customer support and reselling licenses.
Throughout the years, O*nix continued to maintain an active presence on Exploit, periodically commenting on DanaBot threads and a variety of other topics. His most recent post, dated May 16, 2025, appeared in a thread titled “Targeted installs using calls,” which the actor _pin_ started. In that message, O*nix vouched for _pin_, noting they had “worked together in various directions” and had again collaborated successfully — language that strongly implies recent involvement in phone-based delivery of malware installs. This suggests O*nix’s recent activity could be related to access brokering operations that facilitate intrusions into corporate environments. If convicted, Kalinkin faces a statutory maximum sentence of 72 years in federal prison.
The actor diveragent aka BlackBirddd, kotovskiy, mzhela, mZHel, vpofhej1, Sanya, Saika served as a reseller for the DanaBot MaaS until his departure from the project in September 2019. The actor subsequently remained active in the cybercrime scene, most visibly on Exploit where he has routinely advertised credential logs harvested from the AZORult and Vidar stealers since March 2019. His presence on the forum, however, has tapered off: postings became sporadic after 2020 and were limited to only a handful of appearances in 2024, indicating a marked reduction in underground activity.
DanaBot affiliates
In June 2019, we reported on the long-standing underground actor _pin_ aka pin, C@RDpin, gangster, Jew, Marchello, pin_plus, whose underground activity dates back to August 2007. This actor is identified as Fnu Lnu in the federal indictment. In May 2019, the actor allegedly operated DanaBot against Australian targets under affiliate identifiers affid-5 and affid-6 before pivoting to the Silent Night banking trojan in November 2019. Recent forum posts show the actor is still focused on the Australian financial sector. On May 18, 2025, _pin_ solicited malware install services explicitly “for AU traffic,” and two weeks earlier opened a thread seeking partners for “targeted installs using calls.” The thread drew an endorsement from O*nix, suggesting a continuing relationship between the two, although the exact nature of their collaboration remains undefined.
JimmBee’s partners
In mid-2023, JimmBee partnered with the actor afron, who previously operated a MaaS for several years. The actor allegedly managed a Gozi ISFB-based malware variant and was likely behind the BatLoader malware loader. The actor JimmBee also maintained a partnership with the actor BelialDemon, the author of the Matanbuchus malware loader.
Other JimmBee activity
- Code-signing certificates: The actor purchased code-signing certificates from the actors daiver, Firefox and RastaFarEye.
- Malware crypting services: The actor acquired malware crypting services from the actors Tehnik aka Техник, o1oo1, EncShellCode, ImComplexed and memory_lost. The actor JimmBee also publicly recommended memory_lost’s malware crypting service and advertised it to DanaBot customers.
- Bulletproof hosting (BPH): The actor used BPH services the actors ccweb and IronHost provided.
Assessment
The takedown of DanaBot’s remaining infrastructure occurred nearly a year after six other peer botnets were dismantled and less than 24 hours after the seizure of the Lumma stealer. This operation highlights that even older tools operated by well-resourced actors remain a top priority for law enforcement. By mid-2024, DanaBot’s influence was already declining, as more than a decade of its presence had allowed modern antivirus and endpoint detection and response (EDR) platforms to fingerprint its code exhaustively. Additionally, like most mature crimeware, it was nearing the end of its operational life.
Nevertheless, the importance of this takedown cannot be overlooked. The indictment goes beyond simply naming the long-standing underground personas JimmBee and O*nix. It publicly identifies at least six additional DanaBot affiliates by name, underscoring the breadth of the investigation and the growing personal exposure facing participants in MaaS schemes. By unmasking these actors and linking their online handles to real-world identities, investigators have sent a powerful deterrent signal — even a decade of rigorous operational security (OPSEC) cannot guarantee anonymity. Additionally, by unmasking the actors, investigators have rendered collaboration with them a reputational and legal liability. Prospective partners must now weigh the likelihood that any association could draw similar scrutiny and unravel their own anonymity. In an ecosystem where secrecy is currency, that prospect is often costlier than a temporary technical setback.