Declaration of Shane Huntley

Google LLC v. Dmitry Starovikov; Alexander Filippov; and Does 1-15

Date of Court Filing: December 8, 2021
Court Name: United States District Court
Court Jurisdiction: Southern District of New York
Case Number: 1:21-cv-10260-DLC

Document Summary

The declaration of Shane Huntley, director of Google’s Threat Analysis Group (TAG), is the central technical and investigative filing in Google LLC’s Glupteba botnet case in the Southern District of New York. The document explains how Glupteba evolved from a long-observed malware family into a sophisticated criminal enterprise that infected roughly one million devices worldwide and compromised large numbers of Google and social media accounts. Huntley outlines Glupteba’s infection methods, including fake software download sites and deceptive “YouTube downloader” pages, and then describes the malware’s modular capabilities: Chrome cookie and credential theft, SSH attacks, local network exploitation using EternalBlue-style propagation, router exploitation, proxy deployment, cryptomining, and delivery of additional malicious tools. He also explains that Glupteba relies on numerous domains, IP addresses, and content-delivery mechanisms, and that Google’s investigators reverse-engineered the malware through manual analysis of dozens of modules.

What makes this declaration especially notable is its explanation of Glupteba’s blockchain-backed resilience and its monetization ecosystem. Huntley describes how the botnet used Bitcoin blockchain transactions and encrypted wallet data as a backup command-and-control mechanism when its primary C2 servers were disrupted. He then traces several criminal business lines tied to the enterprise, including sales of stolen Google accounts through dont.farm, Google Ads credit-card fraud through Extracard.net, disruptive ad injection through Push.farm and related properties, proxy monetization through AWMProxy and the ABM/Trafsip infrastructure, and cryptojacking. The declaration further identifies supporting corporate entities and individuals, including Dmitry Starovikov and Alexander Filippov, and details the harm to Gmail, YouTube, Google Ads, Google Docs, and other Google services. This is not just a malware declaration; it is an enterprise-mapping document that ties botnet technology, stolen-account fraud, proxy abuse, ad fraud, cryptocurrency abuse, and blockchain-based command and control into one coordinated picture of a cybercrime operation. It is highly valuable for anyone researching the Glupteba botnet, Google TAG investigations, blockchain-based malware persistence, account hijacking, proxy botnets, and civil cyber-disruption litigation.