The FBI and Europol seized 48 internet domains for popular DDoS-for-hire platforms responsible for millions of DDoS attacks in a global campaign dubbed Operation Power Off.
The multi-pronged operation, which involved law enforcement agencies from the United States, the United Kingdom, Germany, the Netherlands, and Poland, led to the arrest of seven administrators of the alleged DDoS-for-hire sites.
Distributed denial of service (DDoS) attacks flood targeted systems with traffic, preventing legitimate users from reaching them and degrading everyone else’s online experience. According to the FBI, the DDoS-for-hire platforms lowered the entry barrier for cybercrime, putting critical infrastructure and businesses at risk of disruption, financial losses, and reputational damage.
DDoS-for-hire websites masqueraded as legitimate stress-testing platforms
DDoS-for-hire services, or “booters,” allegedly offered customers the ability to knock targeted websites offline while masquerading as stress-testing platforms. However, authorities analyzed thousands of communications between the DDoS-for-hire administrators and their customers and determined that the stress-testing claims were a pretext for illegal DDoS services.
According to an affidavit by FBI special agents, “both parties are aware that the customer is not attempting to attack their own computers.”
Additionally, FBI agents executed a sting operation posing as customers and confirmed that the booters/stressers functioned as advertised. Threat actors frequently advertise booters/stressers on underground forums as illegal DDoS services.
“These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone’s ability to access the internet,” said United States Attorney Martin Estrada.
DDoS-for-hire administrators face cybercrime charges
The Department of Justice has charged six individuals with aiding and abetting computer intrusion.
Jeremiah Sam Evans Miller, 23, of Texas, and Angel Manuel Colon Jr., 37, Shamar Shattock, 19, and Cory Anthony Palmer, 22, of Florida, were accused of running the RoyalStresser.com (formerly Supremesecurityteam.com), SecurityTeam.io, Astrostress.com, and Booter.sx booter/stresser services, respectively.
John M. Dobbs, 32, of Hawaii, and Joshua Laing, 32, of New York, were charged in the U.S. District Court of Alaska with aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of Ipstressor.com (IPS) and TrueSecurityServices.io, respectively.
According to Europol, one seized booter/stresser service alone was responsible for 30 million attacks globally.
Authorities to investigate DDoS-for-hire customers for prosecution
DDoS-for-hire services had thousands of users, with customers paying as little as $10 to execute DDoS attacks. The multinational law enforcement coalition said they seized databases from the DDoS-for-hire services and would analyze the list of suspected customers.
Donald Alway, the Assistant Director heading the FBI’s Los Angeles Field Office, warned that any individual who directly or indirectly launched DDoS attacks was liable to prosecution. Europol likewise warned that executing DDoS attacks was a serious crime regardless of the culprit’s status or intention.
“DDoS-ing is taken seriously by law enforcement. Size does not matter – all levels of users are on the radar of law enforcement, be it a gamer booting the competition out of a video game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol stated.
Building on previous successes
In December 2018, the FBI seized the domains of 15 DDoS-for-hire sites, including quantumstress.net, critical-boot.com, ragebooter.com, and downthem.org, collectively responsible for over 200,000 DDoS attacks from 2014 to 2018.
Additionally, the agency arrested three individuals and charged them with running DDoS-for-hire services. Matthew Gatrel, 30, of Illinois, and Juan Martinez, 25, of California, were charged with conspiring to violate the Computer Fraud and Abuse Act by operating the Downthem and Ampnode stresser sites. Prosecutors also indicted David Bukoski, 23, of Pennsylvania, for operating Quantum Stresser, one of the longest-running DDoS-for-hire services in operation.
In 2018, Quantum Stresser was responsible for 50,000 actual or attempted DDoS attacks targeting victims worldwide, including government agencies, educational institutions, and gaming platforms. The seizure also allowed the FBI to obtain a database of 136,000 DDoS-for-hire customers, some of whom have since faced arrest and prosecution.
Interestingly, both crackdowns occurred ahead of major holidays, the period when DDoS attacks have disrupted online gaming and holiday shopping. Such crackdowns have proven effective in curbing DDoS attacks.
According to the Q4 2018 DDoS Threat Report by threat intelligence firm Nexusguard, the 2018 crackdown on DDoS-for-hire services slashed DDoS attacks by 85% year-on-year and 11% from 2017.
Estrada said the latest law enforcement action was “a major step” in eradicating “criminal conduct that threatens the internet’s infrastructure and our ability to function in a digital world.” Authorities plan to build on previous successes “by targeting all known booter sites, shutting down as many as possible, and undertaking a public education campaign.”
Dr. Ilia Kolochenko, Chief Architect & CEO of ImmuniWeb, lauded the operation but added a note of caution: “2022 was a remarkably successful year for interagency operations by European and US law enforcement agencies and their international partners,” Kolochenko said. “One should, however, bear in mind that the number of successful takedowns and seizures is to be regarded through the prism of a surging number of organized cybercrime groups.”
He warned that much of the seized infrastructure reappears within weeks or months, reversing earlier gains.
“The modern Dark Web is also rapidly growing, bringing new services and products both for end customers and cybercrime gangs, ranging from sensitive data stolen from law enforcement agencies to sophisticated malware that exploits 0day vulnerabilities.”