Thirteen internet domains tied to distributed-denial-of-service-for-hire services were seized by the Department of Justice as part of its ongoing initiative to takedown so-called "booter" services. DoJ is continuing to investigate the remaining booter service operations.
DoJ said the seizures mark a third wave in federal law enforcement actions against leading booter services. The actions are part of Operation PowerOFF, an international law enforcement effort working to dismantle global criminal DDoS-for-hire infrastructures.
Booter services allow paying users to launch DDoS attacks to overwhelm servers of targeted entities to block, disrupt or degrade their internet access and can also sever connections for entities connected through a shared internet service provider. These services have proliferated in recent years given the low-bar of entry for potential cybercriminals.
These DDoS attacks are aptly named given the rate of disruption caused by the attacks.
Entities that fall victim to these attacks “often have to ‘overprovision,’ that is, pay for increased internet bandwidth in order to absorb the attacks, or subscribe to DDoS protection services, or purchase specialized hardware designed to mitigate the effects of DDoS attacks,” according to a provided affidavit.
“The prices of such overprovision or DDoS protection services are usually significantly more expensive than the cost of a given booter service,” it added.
As part of its investigation, the FBI paid for subscription plans for booter service accounts and tested the service using the website to launch DDoS attacks on computers controlled by the agency to observe the impacts of the attacks.
Investigators found that the booter websites operated as advertised. For some, “the test attack was so powerful that it completely severed the internet connection,” even when the computer was operating on a network with a large amount of capacity.
Law enforcement efforts already reclaimed data tied to the operation of these booter sites, which revealed hundreds of thousands of registered users previously used these services to deploy “millions of attacks against millions of victims,” according to the release.
Victims include websites belonging to school districts, universities, financial institutions and the government.
In the first law enforcement action targeting booters in late 2018, the Justice Department charged three defendants who facilitated DDoS-for-hire services and seized 15 internet domains associated with DDoS-for-hire services.
Of the domains seized this week, 10 were reincarnations of services previously seized by law enforcement in December during the targeted effort against 48 popular booter services.
One of these domains, cyberstress.org, appeared to be the same service seized during the December operation, cyberstress.us. Fortunately, many of the previously disrupted booter services remain offline.
DoJ officials said they’re committed to taking the operators offline. As part of the effort, four men were charged in late December and pleaded guilty to federal charges, admitting to the operation or participation in the booter services. Sentencing is expected this summer.
The operation is the second major U.S. law enforcement effort in the last month to have successfully disrupted major cybercriminal activity. The largest cybercriminal marketplace for stolen credentials, Genesis Marketplace, was brought down by 45 FBI field offices and international partners in April.
At the time, Attorney General Merrick Garland said the seizure “should serve as a warning to cybercriminals who operate or use these criminal marketplaces: DoJ and our international partners will shut down your illegal activities, find you, and bring you to justice.”
Taking a legal approach, cybercriminals using cracked versions of Cobalt Strike were handed a major blow when Microsoft, Fortra and the Health Information Sharing and Analysis Center (Health-ISAC) were granted a court order that enables them to crack down on the illegal use with help from with internet service providers and computer emergency readiness teams.
Although the seizure won’t stop cybercriminals from working to revive thwarted efforts, security leaders believe federal efforts are certainly making it difficult for hackers to operate in the shadows.