Fireball arrests

Beijing police have arrested the makers of the Fireball adware family, presumed to have infected millions of devices around the globe.

Chinese news outlets reported this week of the arrest of 14 employees of Rafotech, a Chinese digital marketing company, which Check Point named in its report as the authors of the Fireball adware.

Check Point published its Fireball report on June 2. Chinese media says local police received an anonymous complaint against the company the next day, and after a short investigation, Beijing's Public Security Bureau Network Security Corps moved in for the arrests on June 15.

Nine tried to destroy data during the arrest

Of the 14 arrested suspects, three are Rafotech's management, the company's CEO, CTO, and CFO. Nine persons are also accused of attempting to destroy data from their computers. All suspects admitted their crimes.

According to police, the company was headquartered in Beijing's Haidian district and was founded in 2015 by three high school students who went on to develop various adware families (Youndoo, Trotux, Startpageing123, Luckysearch123, Hohosearch, Yessearches) collectively referred to as Fireball.

Police say they estimate Rafotech made over 80 million yuan ($11.8 million) from distributing their adware.

Fireball adware infected 5 million computers (not 250 million)

Fireball malware was distributed via bundled software, and its primary goal was to hijack browser's search engine and redirect users to fake search engines where the Fireball crew made money from each search query. Some of these fake search engines received so much traffic that a few managed to break into the Alexa Top 1,000.

Check Point estimated that Fireball infected over 250 million computers, but Microsoft debunked Check Point's numbers, claiming the adware infected only 5 million users. Most of the infected users resided in Brazil, Russia, India, and European countries.

More coverage of the arrests is available in Chinese media here: 1, 2, 3, 4, 5, 6, 7, 8. Hat tip to The Register, who first spotted the arrests.

Related Articles:

Firebird RAT creator and seller arrested in the U.S. and Australia

CISA orders agencies impacted by Microsoft hack to mitigate risks

Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack

Winnti's new UNAPIMON tool hides malware from security software

Finland confirms APT31 hackers behind 2021 parliament breach