It was particularly popular due to its anonymity, evading takedowns and the feds by using what's called a double fast flux technique. Almost as impressive as the scale of the network were the lengths taken to protect it. It relied on thousands of new domain names being generated every day, with each one changing both IP address and DNS server every five minutes.
Plenty of people use proxies to watch the Netflix catalogs of other countries. They hide a user's real location and trick Netflix into thinking the request is originating elsewhere. Avalanche was doing more or less the same thing, but with a proxy that comprised countless thousands of domains, the usually static details of which were changing every five minutes. And instead of watching Netflix, cybercriminals were hiding behind this complex web and commanding a vast botnet to attack companies and banks, conduct email scams, distribute malware and organize money-laundering activities.
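The "double" in double fast flux is the part a defender can key on: ordinary fast flux rotates only the A records (the IP the domain resolves to), while double flux rotates the NS records (the name servers authoritative for the domain) as well, so neither the host nor the resolver infrastructure stays put long enough to be blocked. The script below is an added illustration, not code from the article or from any of the agencies involved. It parses a constructed, simplified DNS observation log in the form `<epoch> <domain> <A|NS> <value>` (the format, the domains and the addresses are all made up for the example) and flags a domain as a double-flux candidate when both its A and its NS answers change at roughly the five-minute cadence the article describes.

```python
"""Flag double fast-flux candidates from periodic DNS observations.

Added example, not from the article. Assumed log format (constructed):
    <epoch_seconds> <domain> <record_type> <value>
where record_type is A (resolved IPv4) or NS (authoritative name server).
"""
from collections import defaultdict

# Constructed sample: the first domain rotates both A and NS every ~300 s,
# matching the five-minute churn described for Avalanche; the second is
# a stable domain that never changes. All names/addresses are made up.
SAMPLE_LOG = """\
1000 update-secure-login.example A 203.0.113.10
1000 update-secure-login.example NS ns1.flux-host.example
1300 update-secure-login.example A 198.51.100.77
1300 update-secure-login.example NS ns7.other-host.example
1600 update-secure-login.example A 192.0.2.45
1600 update-secure-login.example NS ns3.third-host.example
1900 update-secure-login.example A 203.0.113.200
1900 update-secure-login.example NS ns9.fourth-host.example
1000 corp-intranet.example A 192.0.2.1
1000 corp-intranet.example NS ns1.corp-intranet.example
1300 corp-intranet.example A 192.0.2.1
1300 corp-intranet.example NS ns1.corp-intranet.example
1600 corp-intranet.example A 192.0.2.1
1600 corp-intranet.example NS ns1.corp-intranet.example
1900 corp-intranet.example A 192.0.2.1
1900 corp-intranet.example NS ns1.corp-intranet.example
"""


def parse_log(text):
    """Return {domain: {"A": [(ts, value), ...], "NS": [...]}}, time-sorted."""
    records = defaultdict(lambda: {"A": [], "NS": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, rtype, value = line.split()
        if rtype in ("A", "NS"):
            records[domain][rtype].append((int(ts), value))
    for per_type in records.values():
        per_type["A"].sort()
        per_type["NS"].sort()
    return dict(records)


def is_fluxing(observations, min_changes=3, max_interval=600):
    """True if the value changed at least min_changes times and the mean
    time between changes is at most max_interval seconds."""
    if len(observations) < 2:
        return False
    changes = sum(
        1 for (_, prev), (_, cur) in zip(observations, observations[1:])
        if prev != cur
    )
    span = observations[-1][0] - observations[0][0]
    if changes < min_changes or span <= 0:
        return False
    return span / changes <= max_interval


def classify(domain_records, **kwargs):
    """Label one domain: 'double-flux', 'single-flux' or 'stable'."""
    a_flux = is_fluxing(domain_records["A"], **kwargs)
    ns_flux = is_fluxing(domain_records["NS"], **kwargs)
    if a_flux and ns_flux:
        return "double-flux"   # both hosting and name servers rotating
    if a_flux or ns_flux:
        return "single-flux"   # only one layer rotating; weaker signal
    return "stable"


def scan(text, **kwargs):
    """Classify every domain seen in a log; returns {domain: label}."""
    return {d: classify(recs, **kwargs) for d, recs in parse_log(text).items()}


if __name__ == "__main__":
    for domain, label in scan(SAMPLE_LOG).items():
        print(f"{label:12s} {domain}")
```

Rotating A records alone is a weak signal, because CDNs and round-robin load balancers do the same thing legitimately; requiring the NS set to churn as well is what makes this a useful triage filter rather than a source of false positives, and a hit is still a lead for an analyst rather than a verdict.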
Avalanche had been in operation since at least 2009, and in the second half of that year was responsible for two-thirds of all phishing attacks, according to a report from the Anti-Phishing Working Group. German police began investigating Avalanche in 2012 following a significant surge of Windows file-encrypting ransomware. Just prior to its takedown, the network was thought to involve roughly half a million infected computers daily, and was responsible for sending out one million malware-infected emails every week.
Agencies across the world delivered the crippling blow on November 30th. Five people have been arrested, 37 premises were searched, 39 web servers seized and another 221 taken offline by abuse notifications issued to hosting providers. It's apparently the largest botnet bust to date, with over 830,000 nefarious web domains shut down as a result of the sting.