The Australian Federal Police (AFP) launched an investigation into the case, codenamed Cepheus, in 2017 after it received information about a “suspicious RAT” from cybersecurity firm Palo Alto Networks and the U.S. FBI.
The man created the malicious code, a remote access trojan (RAT), when he was 15 years old, and maintained its infrastructure from 2013 to 2019. In November 2019, Europol announced that it had dismantled the global organized cybercrime ring behind the Imminent Monitor RAT.
The Imminent Monitor RAT is a hacking tool that allows threat actors to remotely control victims’ computers. The malware can be delivered in multiple ways, including emails and text messages, and could be used to carry out various malicious actions such as:
- recording keystrokes,
- stealing data and passwords from browsers,
- spying on victims via their webcams,
- downloading and executing files,
- disabling anti-virus and anti-malware software,
- terminating running processes,
- and performing dozens of other actions.
The international operation conducted by law enforcement agencies targeted both the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT).
According to the authorities, the popular hacking tool was used across 124 countries, where it was bought by more than 14 500 hackers who, following the operation, are no longer able to use it.
The police seized the infrastructure used by the organization behind the Imminent Monitor RAT, along with over 430 devices used by the gang and its customers.
Imminent Monitor RAT was very popular because it was easy to use and very cheap: it was offered for as little as $25 with lifetime access. According to the Australian police, the RAT cost about AUD$35 (US$25) and was allegedly advertised on a cybercrime forum. The authorities believe the man earned between $300,000 and $400,000 from selling the malware.
Law enforcement speculates that hackers used the hacking tool to steal personal details, passwords, private photographs, video footage, and data from tens of thousands of victims.
“An Australian man, 24, who sparked a global law enforcement operation for allegedly creating and selling spyware purchased by domestic violence perpetrators and other criminals, has been charged by the AFP,” reads a press release published by the Australian Federal Police (AFP). “It will be alleged the Frankston man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.”
The man has been charged with:
- One count of producing data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
- Two counts of supplying data with intent to commit a computer offence, contrary to section 478.4(1) of the Criminal Code Act 1995 (Cth);
- One count of aiding, abetting, counselling or procuring the commission of an offence, namely the unauthorised modification of data to cause impairment, contrary to sub-sections 11.2(1) and 477.2(1) of the Criminal Code Act 1995 (Cth); and
- Two counts of dealing in the proceeds of crime to the value of $100,000 or more, contrary to section 400.4(1) of the Criminal Code Act 1995 (Cth).
The following signs can indicate that a device is infected with a RAT:
- Your internet connection is unusually slow;
- Unknown processes are running in your system (visible in the Process tab in Task Manager);
- Your files are modified or deleted without your permission;
- Unknown programs are installed on your device (visible in the Add or Remove Programs tab in the Control Panel).
To reduce the risk of infection:
- Ensure that your security software and operating system are up to date;
- Ensure that your device’s firewall is active;
- Only download apps and software from sources you can trust;
- Cover your webcam when not in use;
- Regularly back up your data;
- Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialogue boxes;
- Keep your web browser up to date and configured to alert you when a new window is opened or anything is downloaded;
- Do not click on links and attachments within unexpected or suspicious emails.