DDoS attackers who bought and sold services and kits offered in the defunct marketplace webstresser.org are now being targeted for prosecution by authorities in 20 countries.
Following up on the April 2018 takedown of the now disabled webstresser.org in the effort known as Operation Power OFF, investigators are now tracking its 151,000 registered users, reported Europol, which is coordinating efforts with the Joint Cybercrime Action Taskforce (J-CAT), with the support of the Dutch Politie and the British National Crime Agency.
Europol said in a press release that the marketplace was responsible for launching more than 4 million attacks by hackers paying as little as €15 (US$17) a month.
Countries engaged in the Operation Power OFF follow-up include Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the U.S.
Raj Samani, London-based chief scientist and McAfee fellow, commented to SC that these investigations indicate an intention by “law enforcement to unmask [Webstresser] customers.” In addition, the latest actions show “anonymity in a username simply does not exist,” Samani added.
Samani’s colleague at McAfee, John Fokker, the company’s head of cyber investigations, noted that globally coordinated takedowns and prosecutions aren’t a new development. “What is remarkable about Operation Power OFF is the level of active collaboration from several industry stakeholders to gain better insights into the malicious nature of the Booter/Stresser sites,” Fokker added.
Recent examples of actions resulting from Operation Power OFF include:
• In the U.K., more than 250 former Webstresser users face prosecution over their DDoS attacks, and more than 60 personal electronic devices have been seized as evidence after an investigation by the U.K.’s National Crime Agency (NCA). Another 400 former customers of the site are being targeted by NCA.
• A hacker received a sentence of three years in a British prison for carrying out DDoS missives in Liberia that crashed the country’s entire internet access, resulting in millions of dollars in damage.
• In the U.S., the FBI on Dec. 15 seized other DDoS-for-hire services Downthem and Quantum Stresser.
• Romanian authorities have also seized DDoS platforms and information about their users.
“Taking down botnet crime masters heavily relies on international cooperation of various federal agencies,” commented Ondrej Krehel, CEO and founder of the cyber forensics firm LIFARS. “Threat actors have clear understanding that it takes time to come close to them, and prosecution is often lacking evidence,” he noted.
Krehel pointed out to SC that the dark internet still offers many renting locations for DDoS attacks, and infrastructure for cybercrime is “very affordable, often cents per compromised IP based systems.”
Visitors to the URL Webstresser.org are now told that the domain has been seized by the U.S. Department of Defense, Defense Criminal Investigative Service, Cyber Field Office in accordance with a warrant issued by the United States District Court for the Eastern District of Virginia.