DDoS-for-Hire Service Webstresser Dismantled

Authorities in the U.S., U.K. and the Netherlands on Tuesday took down popular online attack-for-hire service WebStresser.org and arrested its alleged administrators. Investigators say that before the takedown, the service had significantly more than 136,000 registered users and was responsible for launching approximately four to six million attacks within the last three years.

The action, dubbed “Operation Power Off,” targeted WebStresser.org (previously Webstresser.co), one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that anyone can rent to knock nearly any website or Internet user offline.

Webstresser.org (formerly Webstresser.co), as it appeared in 2017.

“The damage of those attacks is substantial,” reads a statement from the Dutch National Police in a Reddit thread about the takedown. “Victims are out of business for a period of time, and spend money on mitigation and on (other) security measures.”

In a separate statement released today, Europol — the law enforcement agency of the European Union — said “further measures were taken against the most effective users of this marketplace in the Netherlands, Italy, Spain, Croatia, the United Kingdom, Australia, Canada and Hong Kong.” The servers powering WebStresser were situated in Germany, the Netherlands and the United States, according to Europol.

The U.K.'s National Crime Agency said WebStresser could be rented for less than $14.99, and that the service allowed people with minimal technical knowledge to launch crippling DDoS attacks around the world.

Neither the Dutch nor U.K. authorities would say who had been arrested in connection with this takedown. But according to information obtained by KrebsOnSecurity, the administrator of WebStresser allegedly was a 19-year-old from Prokuplje, Serbia named Jovan Mirkovic.

Mirkovic, who went by the hacker nickname “m1rk,” also used the alias “Mirkovik Babs” on Facebook, where for a long time he openly discussed his role in programming and ultimately running WebStresser. The final post on Mirkovic's Facebook page, dated April 3 (the day before the takedown), shows the young hacker sipping what appears to be liquor while bathing. Below that image are lots of comments left in the past few hours, many of them simply, “RIP.”

A story on the Serbian daily news site Blic.rs notes that two men from Serbia were arrested in conjunction with the WebStresser takedown; they are named only as “MJ” (Jovan Mirkovik) and D.V., aged 19 from Ruma.

Mirkovik's fake Facebook page (Mirkovik Babs) includes countless mentions of another Webstresser administrator named “Kris” and features a photograph of a tattoo that Kris got in 2015. That same tattoo is shown on the Facebook profile of a Kristian Razum from Zapresic, Croatia. According to the press releases published today, one of the administrators arrested was from Croatia.

Multiple sources are now pointing to other booter businesses that were reselling WebStresser's service but which are no longer functional as a result of the takedown, including powerboot[dot]net, defcon[dot]pro, ampnode[dot]com, ripstresser[dot]com, fruitstresser[dot]com, topbooter[dot]com, freebooter[dot]co and rackstress[dot]pw.

Tuesday's action against WebStresser is the latest such takedown to target both owners and customers of booter services. Many booter service operators apparently believe in (or at least hide behind) a wordy “terms of service” agreement that most customers must acknowledge, under the assumption that somehow this absolves them of any type of liability for how their customers use the service — no matter how much hand-holding and technical support booter service administrators offer customers.

In October the FBI released an advisory warning that the use of booter services is punishable under the Computer Fraud and Abuse Act, and may lead to arrest and criminal prosecution.

In 2016, authorities in Israel arrested two 18-year-old men accused of running vDOS, until then the most used and powerful booter service on the market. Their arrests came within hours of a story at KrebsOnSecurity that named the men and detailed how their service had been hacked.

Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that a large proportion of both groups are teenagers under age 21. In its Reddit thread, the Dutch Police addressed this criticism head-on, saying Dutch authorities are working on a new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders.

“Prevention of re-offending by offering a mix of restorative justice, training, coaching and positive alternatives is the key aim of this project,” the Dutch Police wrote. “See page 24 of the 5th European Cyber Security Perspectives and stay tuned on our THTC twitter account #HackRight! AND we work on a media campaign to prevent youngsters from needing to commit cyber crimes in the very first place. Expect a launch soon.”

Meanwhile, it's likely we'll soon see the launch of yet more booter services. Based on reviews and sales threads at stresserforums[dot]net — a marketplace for booter buyers and sellers — there are plenty of other booter services in operation, with new ones coming online virtually every month.