November 14, 2022 By Mike Elgan 3 min read

On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet.

Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI.

It was one of the most remarkable operations in the history of cyber crime, and it led to lasting changes in how professionals think about and defend against malicious cyberattacks.

Operation Ghost Click

The story began in 2007 when an unethical Estonia-based spam advertising company called Rove Digital started to use a new trojan malware called DNSChanger, which went on to infect more than four million computers in over 100 countries. Some half a million systems were infected in the United States alone. The drive-by malware was falsely presented to users as a codec required to watch videos but was, in fact, the DNSChanger trojan. DNSChanger infected systems at the boot sector level, making it hard to remove.

The malware changed computers’ DNS entries to point to Rove Digital’s own rogue name servers, where advertising was injected onto web pages and personal information was stolen. In some cases, DNSChanger also had the self-defense mechanism of blocking operating systems and anti-virus software from updating.

The perpetrators reportedly got $14 million from their scheme.

What happened next was astonishing. The FBI launched a two-year operation called Operation Ghost Click, coordinating the FBI, NASA’s Office of Inspector General (OIG), the Estonian Police and Border Guard Board, the National High Tech Crime Unit of the Dutch National Police Agency, cybersecurity and technology specialists from Georgia Tech University, Internet Systems Consortium, Mandiant, National Cyber-Forensics and Training Alliance, Neustar, Spamhaus, Team Cymru, Trend Micro, the University of Alabama at Birmingham and members of an ad hoc group of subject matter experts known as the DNSChanger Working Group (DCWG).

Preventing “internet doomsday”

After the investigation, on November 8, 2011, six Estonians were arrested, extradited to the United States and charged with participation in an Internet fraud ring. A seventh alleged conspirator, who is Russian, remained at large but was also charged with a wide range of crimes and placed on the FBI’s Cyber Most Wanted list. Their servers were seized and replaced with two new servers.

But the FBI did not remove the DNSChanger malware, which would disrupt the internet access of the many victims. Instead, they headed a widespread initiative, working with ISPs and others, to enable victims to safely remove the malware from their computer systems.

The FBI set up an office for victim assistance, with a hotline to call and a wide range of resources for understanding and remediating the effects of the DNSChanger malware.

Authorities also froze the criminals’ bank accounts and seized hard drives from more than 100 rogue servers in New York and Chicago data centers suspected of being part of the group’s command and control infrastructure.

Estimates suggest that the initiative was successful in an overwhelming number of instances, with just 41,800 systems still affected when the FBI pulled the plug on their servers.

That day, called “Internet Doomsday,” was Monday, July 9, 2012. But due to the combined efforts of Operation Ghost Click, doomsday was averted. No catastrophe took place.

In the end, the entire operation was one of the most successful law enforcement operations in the history of cyber crime.

How Operation Ghost Click changed cybersecurity

The entire operation was a success and changed how law enforcement approaches cyber crimes. Specifically, the operation taught them:

  • The power of law enforcement cooperation. Cyber crime tends to be international. Working with international police, sharing resources and coordinating efforts can prevent some criminals from finding safe havens abroad. Of course, this idea only goes so far, especially when rogue states protect cyber criminals. But to the greatest extent possible, cooperation is key.
  • The power of partnering with cybersecurity specialists at universities and security firms. Law enforcement agencies like the FBI have cybersecurity experts. But by bringing top experts wherever they are, including among the cyber crime victims (NASA, for example, was a major DNSChanger victim, and also partnered in the law enforcement operation), the cyber criminals can be truly outsmarted.
  • The value in creating ad hoc working groups (in this case, the DCWG). It’s a great idea to cobble together expert volunteers to deeply study specific, particularly dangerous malware, then share their findings with law enforcement.
  • Taking a broad view of cyber crime law enforcement. The FBI’s mission is to investigate crimes, not to commission DNS servers or maintain and publicize cybersecurity protection resources. But the entire operation was characterized by creative thinking and unusual actions, such as the decision to take over and replace DNS servers run by the criminals and keep them running until most victims could remove the malware.

A decade ago, the whole Operation Ghost Click, DNSChanger and “internet doomsday” event shocked and fascinated the internet and cybersecurity communities. Today it represents a textbook case on how to investigate, prosecute and, most importantly, protect the public from international cyber crime.

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today