Before Mirai came into the public eye, the FBI was working on a case involving two teens running a DDoS-for-hire service called vDOS. Two young Israeli men were using the massive vDOS botnet to offer a booter service, aimed at helping gamers knock their rivals offline. Its customers paid small amounts, from $5 to $50, to rent small-scale denial-of-service attacks via an easy-to-use web platform. vDOS was in operation from 2012 to 2016, when it was taken down. According to researchers, it was responsible for the majority of DDoS attacks that occurred worldwide during that period. It reportedly earned in excess of $600,000 between 2014 and 2016 alone and helped customers coordinate over 150,000 DDoS attacks aimed at knocking web sites offline.
Itay Huri and Yarden Bitani, both then 18 years old, were arrested in September 2016 in connection with an investigation by the U.S. Federal Bureau of Investigation. In August 2017, the teenagers were charged with running vDOS as a DDoS-for-hire service, the largest such platform of its time.
The decline of vDOS began in the summer of 2016 when a DDoS hacking crew known as PoodleCorp rented one of its botnets. A vulnerability in the PoodleCorp PoodleStresser enabled other hackers and cybersecurity professionals to gather data from the third-party botnet, which was primarily being used to attack servers belonging to gaming sites. Investigative journalist Brian Krebs analysed the hacked data and published an exposé on his KrebsOnSecurity blog in September 2016, pointing to Huri and Bitani as the masterminds behind, and owners of, the attack service. Krebs wrote about the scale of vDOS, saying, “in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic”. However, Huri and Bitani set the service up so that no DDoS attacks could take place against Israel, “presumably so as not to attract attention to their service from Israeli authorities”.
A wave of DDoS attacks against the KrebsOnSecurity blog followed. Fuelled by the now infamous Mirai botnet, they have since entered infosec lore as the largest DDoS attacks ever recorded at that time.
The formal indictment issued in August 2017, according to BleepingComputer, does not mention the two suspects by name, as they were minors at the time they committed the crimes, but it confirms much of Krebs’ other analysis. Israeli investigations, for instance, confirmed the hackers’ ties to Lizard Squad and PoodleCorp, and that the owners of vDOS had earned over $600,000 from the service. The two used a fake UK company to launder the money they took in via their PayPal accounts and cryptocurrency payments.
In October 2016, law enforcement authorities in the U.S. and the Netherlands made two further associated arrests. The two 19-year-olds, Zachary Buchta of Fallston, Maryland, and Bradley Jan Willem van Rooy of Leiden, the Netherlands, were arrested on suspicion of launching huge DDoS attacks as part of the Lizard Squad and PoodleCorp hacking crews.
The vDOS botnet was a variant of an older IoT zombie army—a 2014 botnet known as Qbot.