The group, known as Avalanche, has been working in Europe and North America for some time and law enforcement officials say the gang was operating more than 800,000 malicious domains as part of its phishing campaigns. The crew was using more than 20 different malware families and had compromised hundreds of thousands of machines in the six years it’s known to have been active. Given their need for secrecy and the constantly shifting nature of their operations, there’s no real way to measure the size of cybercrime groups, but officials estimate that Avalanche is one of the larger groups ever to be taken down.

“Avalanche has been a highly significant operation involving international law enforcement, prosecutors and industry resources to tackle the global nature of cybercrime. The complex trans-national nature of cyber investigations requires international cooperation between public and private organisations at an unprecedented level to successfully impact on top-level cybercriminals. Avalanche has shown that through this cooperation we can collectively make the internet a safer place for our businesses and citizens,” Rob Wainwright, director of Europol, one of the main agencies involved in the takedown, said.

The sheer size of the Avalanche operation is pretty staggering. Here are some of the numbers associated with the takedown:

• 5 people arrested
• 37 premises searched
• 39 servers seized
• Victims in 180 countries
• 221 servers taken offline
• 800,000 domains seized, sinkholed, or blocked

Aside from the scope of its operation, the Avalanche group also is notable for its use of a double fast-flux infrastructure, which it used to hide its servers and domains from investigators for years. Botnets and malware operations have been using fast flux DNS techniques for several years now as a way of hiding the actual location of their servers. The Avalanche crew was using a modified version of this tactic that involved hundreds or thousands of servers quickly registering and dropping out of a DNS record server list for a specific DNS zone. The idea is to keep investigators and security researchers guessing by quickly changing the IP address associated with a given domain.

In the case of Avalanche, the tactic worked quite well and for a very long time. Most cybercrime groups don’t have anywhere near the longevity of this one. Groups often fall to internal disagreements or make sloppy mistakes that bring them to the attention of law enforcement long before they can establish the kind of infrastructure and scope that Avalanche had. In this case, law enforcement caught on to the group several years ago thanks to a huge ransomware attack attributed to the Avalanche operators.

But even after becoming aware of the group’s operations, it took law enforcement years of investigative work and cooperation among agencies in 30 countries to take down Avalanche. That long-term work and perspective is what’s often been missing in cybercrime investigations, so it’s encouraging to see an operation like this succeed.