Criminals Arrested As Webstresser DDoS Website Taken Down

National Crime Agency involved in international operation to take down website behind four million cyber attacks

A major international operation has resulted in the takedown of a website linked to more than four million DDoS cyber attacks across the globe.

The attacks launched through the website included strikes against some of the UK’s biggest banks.

The investigation into the website was led by the National Crime Agency (NCA) and the Dutch National Police, in collaboration with international law enforcement partners in Serbia, Croatia and Canada. Europol and Police Scotland were also involved.

Website takedown

The investigation targeted six members of the crime group behind webstresser.org.

“Dutch police, with assistance from Germany and the United States then seized servers and effected a takedown of the website at 11:30am this morning (Wednesday 25 April),” said the NCA.

It said that cyber criminals had used webstresser.org, which could be rented for as little as $14.99 (£10.76), to launch in excess of 4 million distributed denial of service (DDoS) attacks. The NCA said “individuals with little or no technical knowledge could rent the webstresser service to launch crippling DDOS attacks across the world.”

A DDoS attack typically aims to force websites and web-based services offline by bombarding them with so much traffic that their services and infrastructure cannot handle it all.

The NCA identified an address in Bradford, which was searched, and a number of items were seized. Its officers believe an individual linked to the address used the webstresser service to target seven of the UK’s biggest banks in attacks in November 2017.

Meanwhile officers from the NCA’s National Cyber Crime Unit (NCCU) identified criminal infrastructure in the Netherlands, and worked closely with the Dutch National Police to identify the crime group behind the site and execute the coordinated law enforcement operation.

Catching criminals

“A significant criminal website has been shut down and the sophisticated crime group behind it stopped as a result of an international investigation involving law enforcement agencies from eleven countries,” explained Jo Goodall, Senior Investigating Officer at the NCA.

“Cyber crime, by default, is a threat that crosses borders and our response must be one that utilises the close international law enforcement collaboration that is crucial to tackling this threat,” said Goodall.

“The arrests made over the past two days show that the internet does not provide bullet-proof anonymity to offenders and we expect to identify further suspects linked to the site in the coming weeks and months as we examine the evidence we have gathered.”

“Cyber offenders can act against UK targets from anywhere in the world and this means UK-based offenders can also attack targets in any country,” said Goodall. “Our success depends on law enforcement, government and industry working together to fight cyber crime.”

“By taking down the world’s largest illegal DDOS seller in a worldwide joint law enforcement operation based on NCA intelligence, we have made an unprecedented impact on DDOS cybercrime,” said Gert Ras, Head of the National High Tech Crime Unit at the Dutch National Police.

“Not only were the administrators of this illegal service arrested, but also users will now face prosecution and civil liability for caused damage,” he added. “This is a warning to all wannabe DDOS-ers – do not DDOS because through close law enforcement collaboration, we will identify you, bring you to court and facilitate that you will be held liable by the victims for the huge damage you cause”.

Expert Reaction

Experts were quick to point out that these seemingly legitimate “stressing” websites in reality hide a sinister purpose.

“Portrayed as legitimate services, ‘stressors’ are designed to assist security engineers in testing the resilience of corporate servers against extreme traffic loads, and often explicitly prohibit any illegal use,” explained Andrei Barysevich, director of advanced collection and dark web expert at Recorded Future.

“In reality, such policies are just a facade, designed to create the appearance of legitimacy,” said Barysevich. “For instance, alongside other similar services, Webstresser has been openly operating in the darknet since 2015 and was a commonly recommended solution for turn-key DDoS attacks. The takedown by the international law enforcement is a powerful statement to all cybercriminals and a step in the right direction, however, with more than 50 underground DDoS vendors, I am afraid the problem is not likely to be solved any time soon.”

Another expert welcomed the arrest of the ringleaders of the website.

“The takedown of webstresser.org is good news for any business that operates online, as it removes a potential attack platform that can easily be used by a disgruntled customer or staff member to cause real financial impact for a business,” said Jamie Tynan, head of technical services at ThinkMarble.

“Perhaps of greater benefit is the arrest of the suspected ringleaders of the gang as this will prevent them from simply starting a new website offering the same service in the never-ending ‘whack-a-mole’ between authorities and cyber-criminals,” said Tynan.

“Unfortunately, this service is neither a new proposition from criminals, nor is it likely to end with the takedown of webstresser.org,” he said. “Similar services are offered on the dark web by a multitude of cyber-criminals; however, the arrests will make criminals think twice about offering illegal services if they feel their anonymity (and hence their freedom) is at risk. Arrests of cyber-criminals have increased significantly over the last few years, which shows that the additional resources provided to cybersecurity in law enforcement are reaping real and tangible benefits.”

DDoS attacks

In March, one of the most powerful distributed denial-of-service (DDoS) attacks ever seen briefly took down the website of GitHub.

That cyber attack at its peak reached an incredible 1.35Tbps.

Last October the UK National Lottery confirmed a DDoS attack was behind an outage that took its website and mobile application offline for more than an hour during peak time.

Also last year the hacking group CyberTeam claimed responsibility for a Skype outage thanks to a DDoS attack that blighted the service for two whole days.

Research from Kaspersky Lab found that businesses believe they are more likely to be targeted by DDoS attacks from rival firms than cyber criminals.
