Law enforcement takedowns of malware infrastructure have had limited success in reducing cybercriminal activity [1] [2], according to Recorded Future’s 2023 Adversary Infrastructure Report [1] [2]. This report analyzes three specific takedown operations and highlights the need for additional measures to combat cybercrime.


The report examines three takedown operations: the Emotet takedown led by Europol and Eurojust in 2021 [2], the Cobalt Strike takedown in March 2023 [1] [2], and the QakBot takedown led by the FBI in August 2023 [2]. While the Cobalt Strike and QakBot takedowns initially had a significant impact [2], malicious activity quickly resumed [2]. Emotet disappeared and reappeared multiple times between 2021 and 2023 [2].

The report emphasizes that takedowns alone are not a comprehensive solution for cybercrime [1] [2]. It suggests that law enforcement agencies should continue regular takedowns while exploring other options [2]. Additionally, the report highlights the evolving tactics of cybercriminals, such as Russian state-sponsored actors incorporating legitimate internet services into their operations and China-affiliated actors utilizing compromised IoT systems [2].

In 2023, a total of 36,022 malicious servers were detected, more than double the number in 2022 [2]. Cobalt Strike remained the most widely used offensive security tool, and QakBot and Emotet ranked among the top four botnets [2]. The report also identifies the top five remote access Trojans (RATs) and highlights RedLine Stealer and Raccoon Stealer as dominant infostealers in the past year [2].


The findings of the report indicate that law enforcement takedowns of malware infrastructure have limited long-term impact on cybercriminal activity. While these operations may temporarily disrupt malicious operations, cybercriminals quickly adapt and resume their activities. It is clear that takedowns alone are not enough to combat cybercrime effectively.

The report suggests that law enforcement agencies should continue their efforts to conduct regular takedowns, but also explore additional strategies and measures to address the evolving tactics of cybercriminals. This includes staying updated on emerging threats and collaborating with other stakeholders in the cybersecurity community.

As the number of malicious servers continues to rise and offensive security tools remain prevalent, it is crucial for law enforcement agencies to adapt and enhance their approaches to combat cybercrime. The report serves as a reminder that a multi-faceted and proactive approach is necessary to effectively mitigate cyber threats and protect individuals, organizations, and critical infrastructure from malicious actors.