Two men accused of operating the Warzone remote access trojan (RAT) were arrested, and servers across six countries hosting the popular malware seized, in an FBI-led operation.
Authorities also took down the Warzone website and three related domains, which officials claim the two men used to market malware and offer online support services sold through the site.
One of the accused, Daniel Meli, was arrested in Malta and the other, Prince Onyeoziri Odinakachi, in Nigeria, with both facing extradition to the U.S. where they have been indicted on multiple charges.
The Warzone RAT, also known as Ave Maria, was first observed in 2019 and is a tool commonly used by several threat groups. Features include the ability to browse victim file systems, take screenshots of compromised systems, record keystrokes, steal victim usernames and passwords and access victim web cameras.
Scattered Spider, the gang believed to be responsible for last year’s attacks on MGM Resorts International and Caesars Entertainment, has Warzone in its toolkit.
The U.S. Justice Department said the FBI discovered instances of the Warzone RAT being used to attack victim computers in Massachusetts and covertly purchased and analyzed the malware to confirm its malicious features, according to a statement made last week.
FBI special agents in Boston and Atlanta teamed up with overseas law enforcement agencies to disrupt the operation largely coordinated through Europol.
Agencies in Canada, Croatia, Finland, Germany, the Netherlands, and Romania helped secure the servers hosting the Warzone RAT infrastructure as part of the international operation.
Alleged Warzone Rats
Federal authorities in Atlanta and Boston unsealed indictments charging Meli with selling Warzone and Odinakachi with supporting cybercriminals seeking to use the malware for malicious purposes.
Both men were arrested in their respective countries on Feb. 7.
According to charging documents, Meli, 27, had been hawking malware products and services through hacking forums since at least 2012. He is accused of assisting cybercriminals seeking to use RATs for malicious purposes and selling related teaching tools, including an eBook.
It is alleged that prior to selling Warzone, Meli peddled another malware known as the Pegasus RAT, which he sold through an online criminal organization called Skynet-Corporation. He is also accused of providing online customer support to purchasers of both RATs.
“This alleged cybercriminal facilitated the takeover and infection of computers worldwide,” said U.S. Attorney Ryan Buchanan for the Northern District of Georgia.
Meli was indicted by a federal grand jury in the Northern District of Georgia on Dec. 12 for four offenses, including causing unauthorized damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offenses.
According to charging documents, Odinakachi provided online customer support to individuals who purchased and used the Warzone RAT malware between June 2019 and at least March 2023.
He was indicted by a federal grand jury in the District of Massachusetts on Jan. 30 for conspiracy to commit multiple computer intrusion offenses, including obtaining authorized access to protected computers to obtain information and causing unauthorized damage to protected computers.