Law enforcement agencies worldwide working on ‘Operation Power Off’ have taken down the webstresser.org website, which police claim sold DDoS attacks, helping up to 136,000 registered users launch up to 4 million attacks worldwide.
Four alleged administrators were arrested in the U.K., Canada, Croatia and Serbia. They had gone by various pseudonyms, including Admin the CEO, backend developer m1rk, head of support Mixerioza and “support agent” Tyrone. “Measures were taken” against the marketplace’s top users in the Netherlands, Italy, Spain, Croatia, the U.K., Australia, Canada and Hong Kong. Following the shutdown of the site, police in the Netherlands, Germany and the U.S. seized its infrastructure.
Europol announced the news on Wednesday, saying webstresser.org was “considered the world’s biggest marketplace to hire Distributed Denial of Service (DDoS) services”. Attacks that used the online service targeted banks, government institutions and police forces, in addition to gaming industry sites. Fees on offer were as low as around $18 (15 Euros) per month, allowing individuals with little to no technical knowledge to launch huge DDoS attacks.
Despite the widespread global police efforts, the main targets and customers were American, according to Europol’s lead case coordinator who spoke to Forbes ahead of the announcement. “It’s become one of the most important [DDoS stressers] on the market,” he said.
“It is significant,” added Gert Ras, head of the Netherlands National High Tech Crime Unit, speaking of the takedown. “It is a really big one.”
The website claimed to be legal by advertising its services as a testing service to see how websites stood up to attacks and/or spikes in traffic. They said they provided “the strongest and most reliable server stress testing” and offered “24/7 customer support spread on over three different continents.” Their products were sold in packages, ranging from $18.99 per month for “bronze” membership to $49.99 for “platinum”. They even offered a Facebook page, on which they encouraged customer engagement. The admins made hundreds of thousands of dollars, and accepted payments over PayPal and Bitcoin.
“The service was professional, the most professional I’ve seen,” said Europol’s investigator.
The investigation began in October of last year, and was led by the Dutch National High Tech Crime Unit and the U.K. National Crime Agency (NCA), working in partnership with Europol.
According to Ras, the investigation was initiated by a DDoS attack on an unnamed U.K. bank, which led the NCA to discover that webstresser.org was hosted in the Netherlands. The NCA passed the tip to the Dutch agency, and in November the Dutch police took snapshots of the site’s server, from which they created their own version of webstresser.org. This gradually allowed them to figure out how the site worked and led them towards the identities of the alleged administrators. An attempt to relocate the site’s infrastructure to Germany did not deter the investigators.
Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) supported the investigation from the start by assisting the exchange of information between all international partners. On the action day, a command and coordination post was set up at Europol’s headquarters in The Hague.
“We have a trend where the sophistication of certain professional hackers to provide resources is allowing individuals – and not just experienced ones – to conduct DDoS attacks and other kind of malicious activities online,” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “It’s a growing problem, and one we take very seriously. Criminals are very good at collaborating, victimising millions of users in a moment from anywhere in the world. We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks.”
“Stresser websites make powerful weapons in the hands of cybercriminals,” said Jaap van Oss, Dutch Chairman of the Joint Cybercrime Action Taskforce (J-CAT). “International law enforcement will not tolerate these illegal services and will continue to pursue its admins and users. This joint operation is yet another successful example of the ongoing international effort against these destructive cyberattacks.”
During the investigation, some surprising statistics were gathered from the site, which allowed the investigators to discern the unprecedented scale of the DDoS market. Europol said the DDoS attacks launched via webstresser.org had a total duration of 15.5 years. The average attack lasted 20 minutes, while the longest single attack reached 10 hours. The controllers also used techniques to amplify their attacks, such as DNS amplification. The platform offered attacks of up to 350 Gbps.
It is already becoming apparent that police around the world are not only arresting the alleged administrators, but are also paying house visits to users of the site, either arresting them or warning them about continued use of this kind of DDoS product. Arrests of users have already taken place in Hong Kong and the Netherlands. “The message here is that people who use these services will not stay anonymous,” Ras said. “We will bring them to court.”
Other ‘stresser’ services have also been dismantled recently, including, in August, the vDOS service, which launched over two million DDoS attacks over four years. The site was shut down and its alleged owners were arrested in Israel.