Australian and European police shut down access to popular criminal hacking tool

The demise of the Imminent Monitor Remote Access Trojan is a major victory for law enforcement officials.
Europol, the EU's law enforcement agency, was in on the bust. (Europol)

Australian and European law enforcement officials say they have taken down a remote-access hacking tool that had been sold to 14,500 buyers in 124 countries.

The demise of the so-called Imminent Monitor Remote Access Trojan’s (IM-RAT), which officials said had been used to steal personal data from tens of thousands of victims, is a major victory for law enforcement officials in Australia and Europol, the European Union’s law enforcement agency.

The invasive RAT gave anyone willing to pay $25 full access to a victim’s machine to steal photographs, passwords, and video footage.

Months of investigative work culminated last month in the dismantling of IM-RAT’s infrastructure, and the arrest of 13 of its most prolific users. Where exactly the suspects were arrested was not immediately clear. None were arrested in Australia.


“The offenses enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far reaching privacy and safety consequences for those affected,” Chris Goldsmid, a spokesperson for the Australian Federal Police, said in a statement.

IM-RAT had been on the black market for at least seven years and been used in more than 115,000 different attacks on customers of cybersecurity company Palo Alto Networks, the company said Monday.

“With such prevalence, we had to wonder why the author of this malware has been allowed to continue to profit from this for almost seven years, unchecked,” said Unit 42, Palo Alto Networks’ threat intelligence division, which helped with the investigation.

Just as legitimate software developers do, IM-RAT’s custodians added new features to the trojan over time. In 2014, IM-RAT began supporting third-party plugins, one of which let operators turn a victim’s web camera on, according to Unit 42.

The identity of IM-RAT’s creator is not publicly known, but Unit 42 shared some clues based on its investigation. A domain registered by someone who developed and sold the malware lists a contact address in New South Wales, a state in Australia. The researchers also said they found a female name, which they redacted, that registered an Australian business associated with the domain.


The investigation into IM-RAT isn’t over. Europol officials say they will continue to pore over the 430-odd devices they seized for additional information.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts