In reply to Deadeye:
In the antivirus world, there are teams that work for companies. There are also ad-hoc teams of geeks that work together, on interesting projects. Think of it like medical research. Someone might spot something that is used as a stepping stone by others, on the way to a cure.
There is a lot of effort put into tracking command and control servers, as well as the other communications channels used by the bad guys. The intention is not just to shut down the attack, but to the track the controllers and to identify them. Also, lots of the viruses and trojans share the same or similar code. In tracking down and stopping one infection, the investigators may have a god start on stopping the next attack earlier.
What this guy did is not uncommon in that field. Command and control networks have been disabled many times before. Victims can be identified, and notified. Money, even though it is bitcoin, can be traced to a degree. The real life identities of the people who run the networks can be found.
What's notable is, at the time of writing this story is the MalwareTech, twitter chap is keeping his real details out of the lime light. Many papers would pay for his story. His bosses, at whatever AV company he works for, would love the publicity. There is good reason for this anonymity. He, his friends, family, company etc will become the target of all sorts of dirty tricks by the virus writers. I don't suppose his anonymity is 100%. People in his field may know his real name and it will leak out. I would guess that in the name of 'truth' some tabloid will unmask him, as a scoop. Whilst many may want to laud him as a hero, I bet he's kinda worried.
If you want an insight into the world of the guys who track and break botnets, this story is quite good. It romps along at a fair pace. In reality there are many more shades of grey involved, dead ends and far less James Bond.
https://www.wired.com/2017/03/russian-hacker-spy-botnet/
