Two men who ran a service making it easy for anybody to launch distributed denial-of-service attacks, capable of knocking websites offline, have been given a six month community service sentence by an Israeli court.
As Brian Krebs reports, Yarden Bidani and Itay Huri ran vDOS, a notorious DDoS-for-hire service offering monthly subscriptions ranging from $20 to $200 per month that is estimated to have earned them over $600,000 up until mid-2016,
What happened in mid-2016? The vDOS booter service was hacked, and its customer list fell into the hands of law enforcement.
Seeing as most of vDOS’s DDoS-hiring clients were likely to have had a strong incentive for retaining their privacy, that was clearly bad news for online criminals and good news for the police.
Bidani and Huri – who went by the online handles “Applej4ck” and “P1st” – were 18 years old when they were arrested in the aftermath of the hack.
And now they’ve been sentenced to community service.
As Krebs explains, the defendants’ age at the time of the majority of the DDoS attacks may have saved them from a tougher sentence:
Both defendants received the lowest possible sentence (the maximum was two years in prison) — six months of community service under the watch of the Israeli prison service — mainly because the accused were minors during the bulk of their offenses. The judge also imposed small fines on each, noting that more than $175,000 dollars worth of profits had already been seized from their booter business.
Considering the immense impact that vDOS’s denial-of-service attacks would have had on companies, the length of time they operated, and the money generated by the criminal activity, it feels to me like the two men were lucky to escape a jail sentence.
Some will undoubtedly question whether community service sends the right message to others considering setting up a DDoS-for-hire service, or launching their own denial-of-service attack against a website.
As we described in last week’s episode of the “Smashing Security” podcast, it appears to be not uncommon for young cybercriminals to have initially entered the world of DDoS attacks and booter services via online videogames.
Smashing Security #181: 'Anti-cybercrime ads, tricky tracing, and a 5G Bioshield'
Listen on Apple Podcasts | Spotify | Google Podcasts | Pocket Casts | Other... | RSS
Launching a DDoS attack against a gaming rival, may be the first step into what may ultimately be more serious cybercriminal activity.
The UK’s National Crime Agency (NCA) recognises this and is actively attempting to drive young people into using their skills to build careers in games design, cybersecurity, and programming.
In fact, as we discuss on the podcast, the NCA has been running a campaign of Google Ads targeted at young people searching for information about DDoS attack services.
Which means that a 13-year-old searching online for booter and stresser services might instead find themselves pointed to articles underlining that such attacks are illegal, and that there are more positive things to do with your time which won’t get you into trouble with the law.
DDoS attacks have long plagued the makers of video games – whether it be for the purposes of extortion, juvenile mischief-making or petty rivalries between gamers.
For instance, in 2011, Minecraft, League of Legends, and EVE Online were struck by a DDoS attack instigated by the notorious LulzSec gang. More recently, in October 2018, the launch of Ubisoft’s Assassin’s Creed Odyssey video game was disrupted by a DDoS attack that swamped its servers.
Earlier this year, game maker Ubisoft took a DDoS-for-hire website to court over attacks against its servers.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.