French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency from more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers.

Antivirus firm Avast, which helped France&#x2019;s National Gendarmerie cybercrime center, [announced](https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/) the operation on Wednesday.

Avast said that they found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without &#x201c;making the victims execute any extra code,&#x201d; as the company explained in its lengthy report.

This takedown is a good example of how law enforcement agencies are starting to push the boundaries to not only stop malware, but directly help victims remove it from their systems.

&#x201c;\[This is\] something \[police\] have long wanted to do, but have been hesitant to do,&#x201d; Matthew Olney, a security researcher at Cisco Talos, [said](https://twitter.com/kpyke/status/1166774056076623872) responding to the news on Twitter.

**Have a tip about a hack or a security incident? You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com**

Cybersecurity firms such as Avast, as well as [Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/), had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases it was also used to push ransomware and password-stealing malware, according to Avast.

A Twitter account that went by the name &#x201c;black joker&#x201d; claimed to be behind the malware in April, responding tweets posted by Trend Micro.

Its my baby <3 https://t.co/E2dy6Dmpna— black joker (@radblackjoker) April 27, 2018



black joker on Twitter

As Martijn Grooten, the editor of trade magazine Virus Bulletin, explained to Motherboard, taking down malware like Retadup and disinfecting victims requires police officers to have full understanding of the malware to make sure their disinfection doesn&#x2019;t negatively affect the infected computers.

In this case, the cops had the help of Avast researchers, who had studied the malware and tested the disinfection mechanism on a local machine.

As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.

**_Subscribe to our new cybersecurity podcast,_** [**_CYBER_**](https://itunes.apple.com/gb/podcast/cyber/id1441708044?mt=2)**_._**

Hacking

Tech

Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers

botnet

malware

Worm

cybercrime

hackers

ransomware

cryptocurrency

monero

FRANCE

Retadup

ADAH

Video

Apps

Podcasts

Newsletters

Culture

News

Munchies

Rec Room

Drugs

Entertainment

Environment

Extremism

Horoscopes

Identity

Investigations

investigations

Justice

JUSTICE

Money

Music

Photography

Travel

VICE Magazine

VICE Voices

The Unfiltered History Tour

The Gender Spectrum Collection

About 

Jobs

Partner

Content Funding on VICE

Security Policy

Privacy & Terms

Accessibility Statement

VICE

VICE on TV

Refinery29

vice

Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers

ONE EMAIL. ONE STORY. EVERY WEEK. SIGN UP FOR THE VICE NEWSLETTER.