Google’s Legal Campaign Strikes Hard Against Hackers and Scammers

Three years ago, Google security engineers uncovered a significant problem: a botnet named Glupteba that had infected over a million Windows computers, turning them into tools for mining cryptocurrency and spying on users. The malware was spreading through compromised Google accounts, fraudulent Google ads, and Google cloud tools, making it a substantial threat. Typically, in such situations, tech giants like Google coordinate with other companies and U.S. authorities to dismantle botnets. However, this time, Google’s legal team proposed an unorthodox solution: to sue the hackers behind Glupteba for damages, marking a return to a strategy that Google had not employed in years.

This lawsuit against two Russian men and a dozen unidentified individuals marked the beginning of a series of at least eight cases Google has filed against hackers and scammers. Google calls this approach "affirmative litigation," designed to deter would-be fraudsters and raise public awareness about cybercrime. Google’s security and legal teams believe this method has been effective. The company has won nearly all the cases it has pursued, collecting over $2 million in damages and shutting down hundreds of companies and websites involved in fraudulent activities. Although these financial awards are minor compared to Google’s vast resources, they can be devastating for the defendants.

Google’s litigation advance team, led by Chester Day, is focused on taking bad actors to court to protect users and deter future malicious activities. Google’s blog posts and other content related to these lawsuits have reached over 1 billion views, raising awareness and encouraging vigilance among consumers, which helps reduce the pool of potential victims. According to Harold Chun, director of Google’s security legal team, educating the public about how these crimes operate is one of the most effective ways to prevent them.

Other major tech companies have also pursued similar litigation strategies. Microsoft, for instance, has filed over two dozen lawsuits since 2008, primarily targeting botnets and hacking tools. Amazon has been particularly active, filing numerous cases related to counterfeit products, fake reviews, and other forms of fraud. Since 2019, Meta has initiated at least seven lawsuits involving counterfeiting or data theft, and Apple has sued the Israeli spyware developer NSO Group for hacking allegations.

While some legal experts question the overall effectiveness of this litigation strategy, suggesting that the volume of cases may not be sufficient to deter widespread abuse, others commend these companies for stepping in where government agencies might lack the resources to act. Kathleen Morris of UC Berkeley’s Institute of Governmental Studies praised the collaboration between the public and private sectors, emphasizing that regular enforcement helps create a society with less harm.

Google’s general counsel, Halimah DeLaine Prado, views the legal department not just as a gatekeeper but as a proactive force in protecting the company and its users. This proactive approach began in earnest in 2015, with Google’s lawsuit against Local Lighthouse, a California marketing company accused of making robocalls to trick small businesses into paying for improved search rankings. Since then, Google has filed similar lawsuits against other marketers, with most cases resulting in settlements.

Google has also targeted individuals submitting false copyright complaints or using its platforms for scams, such as one involving fake puppy sales. The most intriguing cases, however, involve lawsuits against hackers. The Glupteba case, for example, was particularly challenging because the malware was designed with a backup system using blockchain technology, allowing it to persist even after traditional takedown efforts. Despite the risks, Google’s attorneys decided to proceed with the lawsuit, which eventually led to favorable rulings for the company.

In the Glupteba case, the defendants, Dmitry Starovikov and Alexander Filippov, initially attempted to fight the lawsuit, but a U.S. district judge ruled against them, finding that they had misled the court. The ruling included sanctions and required the defendants to pay Google’s legal fees. Google’s actions effectively disrupted the Glupteba operation, significantly reducing the number of infected computers and cutting off the hackers’ misuse of Google’s services.

While some defendants in other hacking cases have not responded to Google’s lawsuits, leading to default judgments, the company still considers these outcomes successful. Google uses the rulings to persuade banks and cloud providers to sever ties with the defendants, making it harder for them to continue their activities. Even when hackers don’t pay damages, the legal actions complicate their operations and limit their opportunities.

Google’s litigation advance team continues to explore new cases, considering whether they could set important legal precedents or highlight emerging threats. As the process becomes more efficient, Google expects to file more lawsuits, possibly including cases outside the U.S. or representing specific users who have been harmed.

Other tech companies are also expanding their use of affirmative litigation. Waymo, Google’s sibling company, recently sued individuals who allegedly vandalized its self-driving taxis, and Microsoft is considering cases against those using generative AI for malicious purposes.

Despite the growing number of lawsuits, the question remains whether these actions significantly deter cybercriminals or if more companies will adopt similar strategies. Erin Bernstein, a lawyer who has encouraged companies to pursue affirmative litigation, believes this approach will continue to grow. However, Google’s DeLaine Prado hopes that, over time, the success of these efforts will reduce the need for such lawsuits, ultimately making this type of work obsolete.