Beijing police have arrested the makers of the Fireball adware family, presumed to have infected millions of devices around the globe.
Chinese news outlets reported this week of the arrest of 14 employees of Rafotech, a Chinese digital marketing company, which Check Point named in its report as the authors of the Fireball adware.
Check Point published its Fireball report on June 2. Chinese media says local police received an anonymous complaint against the company the next day, and after a short investigation, Beijing's Public Security Bureau Network Security Corps moved in for the arrests on June 15.
Of the 14 arrested suspects, three are Rafotech's management, the company's CEO, CTO, and CFO. Nine persons are also accused of attempting to destroy data from their computers. All suspects admitted their crimes.
According to police, the company was headquartered in Beijing's Haidian district and was founded in 2015 by three high school students who went on to develop various adware families (Youndoo, Trotux, Startpageing123, Luckysearch123, Hohosearch, Yessearches) collectively referred to as Fireball.
Police say they estimate Rafotech made over 80 million yuan ($11.8 million) from distributing their adware.
Fireball malware was distributed via bundled software, and its primary goal was to hijack browser's search engine and redirect users to fake search engines where the Fireball crew made money from each search query. Some of these fake search engines received so much traffic that a few managed to break into the Alexa Top 1,000.
Check Point estimated that Fireball infected over 250 million computers, but Microsoft debunked Check Point's numbers, claiming the adware infected only 5 million users. Most of the infected users resided in Brazil, Russia, India, and European countries.