Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world's most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive.
The strike, coordinated with the European authorities, was aimed at malware called GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.
"By the time the victims learned that their computers had been infected, it was far too late," Leslie R. Caldwell, the assistant attorney general in charge of the criminal division, said Monday.
Together, the Justice Department estimates, the two malicious programs have infected between 500,000 and a million computers and cost people more than $100 million in direct and indirect losses.
Authorities had been investigating the two viruses separately, but along the way, they realized that GameOver Zeus was the main vehicle by which CryptoLocker was spread, the Justice Department said.
They also determined that the operations were run by the same man, whom the Justice Department identified as Evgeniy M. Bogachev, of Anapa, Russia. Investigators were hunting for him even before they knew his name. Inside the F.B.I., he has long been one of the government's most sought-after individual cybercriminals, through his screen name, Lucky12345.
While both pieces of software are distributed through spam emails, they accomplish different things, each highly damaging.
Once inside a computer, GameOver Zeus quietly tracks each keystroke. When the software detects someone logging into a bank account, it records the password. Armed with that information, hackers log in and drain the account. Often they stole more than $1 million from businesses, prosecutors said, with at least one theft exceeding $6 million.
CryptoLocker spreads through emails that look like they are from legitimate businesses, including fake tracking notices from FedEx and U.P.S. Once inside a network, such as a company's computer system, the virus can spread from one computer to the next. As it spreads, the software locks up computer files behind unbreakable encryption, then demands hundreds of dollars in exchange for the code that unlocks it.
Investigators say many people and organizations, including the police department in Swansea, Mass., have paid to recover their files. Those who refused saw their files permanently erased. Such so-called ransomware is a growing security threat.
Investigators have targeted large malicious software networks, known as botnets, before. In 2011, the F.B.I. hijacked a command-and-control server that ran the similarly harmful Coreflood network. It then sent a shutdown command to every infected computer, effectively killing the virus in one stroke.
This weekend's takedown, which was months in the making, was far more difficult. While CryptoLocker used a command-and-control server, GameOver Zeus did not. Instead, it relied on a decentralized structure, and it did not have a simple shutdown command.
In meetings late last year, F.B.I. agents and private security experts devised a plan to outsmart the hackers. The best chance the F.B.I. had to wrest control of the network, it was decided, was by seizing all the servers that transmitted the malicious code and rerouting their traffic to a safe, government-controlled computer.
In theory, every time an infected computer asked for instructions to carry out its malicious mission, it would instead find itself harmlessly talking to the United States government.
But the GameOver Zeus servers were spread across the world. If the agents missed one infected server, the hackers could use it to restart the network and continue spreading the code.
"You don't want to have any loose ends," said Shawn Henry, a former top F.B.I. cyber investigator and president of CrowdStrike Services, one of several security firms that worked with government on the case. "You want it to be swift. You want it to be complete."
More from the NYT:
Early last Friday, authorities in Canada, France, Germany, Luxembourg, Ukraine and the United Kingdom physically took over the servers that served as the backbone for GameOver Zeus and CryptoLocker, Ms. Caldwell said. All Internet traffic was then rerouted, under a court order, to the government's safe computer.
All weekend, the agents waited and watched for signs of success. Investigators worked from command centers at F.B.I. headquarters in Washington, Europol headquarters at The Hague in the Netherlands and at the National Cyber-Forensics & Training Alliance in Pittsburgh.
One by one, computers across the world contacted the government's safe computer, signifying that America, not the hackers, was in control of the network. With each electronic ping, the government collected the Internet addresses of the infected systems, providing a map of the worldwide infection.
By Sunday, officials said they were confident they had dismantled the network and collected enough data to help security firms and technology companies clean infected computers.
"More than 300,000 victim computers were freed from the botnet," Ms. Caldwell said. "We expect that number to increase as additional computers are powered on and connect to the Internet this week."
CryptoLocker similarly came under United States control, Ms. Caldwell said.
On Monday, the government unsealed court documents charging Mr. Bogachev with bank, computer and wire fraud. The F.B.I. placed Mr. Bogachev on its list of most-wanted cybercriminals.
Mr. Bogachev remains free and the United States has asked Russian authorities to turn him over. Those discussions are continuing, the Justice Department said.