Who unplugged the Mozi botnet?
![Image Report examines recent activities of Russian cybercriminals from [Sandworm]](https://incyber.org//wp-content/uploads/2024/04/incyber-news-cybersecurite-cybersecurity-attack-danger-2024-885x690.jpg)
Mystery kill switch ended botnet in summer of 2023.
On November 1, 2023, the Eset cybersecurity firm published an analysis of the kill switch that, in the summer of 2023, ended Mozi, one of the world’s largest botnets. Active since September 2019, it controlled around 1.5 billion bots, 90% of which were in China and India.
At the end of September 2023, Eset thus identified a Mozi update that deactivated the malware and some systems services, leading to its shutdown. The kill switch was rolled out in two phases, one on August 8, 2023, in India, and the other on August 16, 2023, in China. The source of the deactivation remains a mystery, yet Eset researchers discovered an administrator account had indeed signed the update.
Two hypotheses have formed. The first possibility is that Mozi’s developers unplugged the botnet themselves. The second is that law enforcement took control of an administrator account to install the kill switch.
In the summer of 2021, the Chinese cybersecurity publisher 360 NetLab reported aiding the arrest in China of Mozi’s developers, without providing further details. One of the arrested cybercriminals could be tied to the deactivation but the lack of transparency in Chinese cybersecurity information prevents any certainties.