Facebook said police in Greece made two arrests last week in connection with a little-known spamming botnet called Lecpetex, which used hacked computers to mine the Litecoin virtual currency.
As many as 50,000 Facebook accounts were affected, and as many as 250,000 computers worldwide, primarily in Greece, Poland, Norway, India, Portugal and the U.S., according to a blog post on Tuesday from Facebook's Threat Infrastructure team.
The social networking site described the difficulties in shutting down the botnet, whose creators taunted Facebook through messages left on servers that were part of its network.
Those behind Lecpetex launched at least 20 spam campaigns between December 2013 and last month, affecting Facebook and other online services. Some of the victims received private messages containing a ".zip" attachment containing a Java JAR file or Visual Basic script.
Those files, if executed, would then retrieve other malware modules stored on remote sites. The modules were either DarkComet, a widely used remote access tool that can harvest login credentials, or variants of software that mines the virtual currency Litecoin, the team wrote.
By frequently refreshing and changing the malicious attachments, Lecpetex defeated Facebook's filters designed to stop such malware from being distributed. The malware would also automatically update itself to evade antivirus products.
"The operators put significant effort into evading our attachment scanning services by creating many variations of the malformed zip files that would open properly in Windows, but would cause various scanning techniques to fail," the team wrote.
Facebook said it reached out to other infrastructure providers and law enforcement when it realized security software wasn't alone going to foil Lecpetex.
"Ultimately, remediating a threat like Lecpetex requires a combination of technical analysis capabilities, industry collaboration, agility in deploying new countermeasures and law enforcement cooperation," it wrote.
The creators of Lecpetex eventually caught on to Facebook's efforts. In May, they started leaving notes on command-and-control servers they knew Facebook was investigating, playfully saying they weren't involved in fraud.
"These changes suggested to us that the authors were feeling the impact of our efforts," Facebook wrote.
Greece's Cybercrime Subdivision was notified on April 30. By July 3, Greece told Facebook two suspects were in custody, and that they had been creating a Bitcoin "mixing" service to help launder their proceeds. Mixing services aim to make Bitcoin transfers harder to follow.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk