At the end of February 2013, the Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings. Some of the highlights from the report are presented below.

- This botnet was used to display fake messages that were supposedly coming from the victim’s bank, requiring her to make a wire transfer.
- 11 730 different machines were connecting to the sinkhole server.
- Over 77% of all connections originated from Poland. Almost all of the connections were coming either from Europe or from Japan.
- Citadel bots were running on Microsoft Windows operating systems, from Windows XP up to Windows 7.
- The botnet used multiple proxy servers to hide the real C&C servers.

The full text of the report can be found here or under the “Reports” tab.