French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency from more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers.

Antivirus firm Avast, which helped France’s National Gendarmerie cybercrime center, announced the operation on Wednesday.

Avast said it found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without “making the victims execute any extra code,” as the company explained in its lengthy report.

This takedown is a good example of how law enforcement agencies are starting to push the boundaries to not only stop malware, but directly help victims remove it from their systems.

“[This is] something [police] have long wanted to do, but have been hesitant to do,” Matthew Olney, a security researcher at Cisco Talos, said in response to the news on Twitter.


Cybersecurity firms such as Avast, as well as Trend Micro, had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases it was also used to push ransomware and password-stealing malware, according to Avast.

A Twitter account that went by the name “black joker” claimed to be behind the malware in April, responding to tweets posted by Trend Micro.


A tweet by the alleged author of the Retadup malware. (Image: Avast)

As Martijn Grooten, the editor of trade magazine Virus Bulletin, explained to Motherboard, taking down malware like Retadup and disinfecting victims requires police officers to have a full understanding of the malware to make sure their disinfection doesn’t negatively affect the infected computers.

In this case, the cops had the help of Avast researchers, who had studied the malware and tested the disinfection mechanism on a local machine.

As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.
