August 9, 2017

Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated more than two million distributed denial-of-service (DDoS) attacks over the four-year period it was in business.

That story named two then 18-year-old Israelis — Yarden “applej4ck” Bidani and Itay “p1st” Huri — as the likely owners and operators of vDOS. Within hours of that story’s publication the two were detained by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

vDOS as it existed on Sept. 8, 2016.

On Tuesday, Israeli prosecutors announced they had formally arrested and charged two 19-year-olds with conspiring to commit a felony, prohibited activities, tampering with or disrupting a computer, and storing or disseminating false information. A statement from a spokesman for the Israeli state attorney’s office said prosecutors couldn’t name the accused because their alleged crimes were committed while they were minors.

But a number of details match perfectly with previous reporting on Bidani and Huri. As noted in the original Sept. 2016 exposé on vDOS’s alleged founders, Israeli prosecutors say the two men made more than $600,000 in two of the four years the service was in operation. vDOS was shuttered for good not long after Bidani and Huri’s initial detention in Sept. 2016.

“The defendants were constantly improving the attack code and finding different network security weaknesses that would enable them to offer increased attack services that could overcome existing defenses and create real damage to servers and services worldwide,” Israeli prosecutors alleged of the accused and their enterprise.

“Subscribers were able to select an ‘attack’ package from the various packages offered, with the packages classified by the duration of each attack in seconds, the number of simultaneous attacks and the magnitude of the attack in Gigabits per second, and their prices ranged from $19.99 to $499.99,” the allegation continues.

19-year-old Yarden Bidani.

Lawyers for Bidani and Huri could not be immediately reached for comment. But both have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks.

The owners of these stresser services have sought to hide behind wordy “terms of service” agreements to which all customers must agree, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

At the height of vDOS’s profitability in mid-2015, the DDoS-for-hire service was earning its then-17-year-old proprietors more than $42,000 a month in PayPal and Bitcoin payments from thousands of subscribers. That’s according to an analysis of the leaked vDOS database performed by researchers at New York University.

The vDOS home page.

20 thoughts on “Alleged vDOS Operators Arrested, Charged”

  1. IRS iTunes Card

    The stupid script kiddies are just too narcissistic to understand that they can and will get arrested for what they are doing against the internet infrastructure

    1. ostow

      Intelligent people turn out to be criminals. Why don’t they have normal jobs??? Why do only stupid people have jobs in our society?

      1. SeymourB

        In my experience the only stupid people who have good paying jobs are the ones who are related to the owner or otherwise have a connection to the business. If they don’t have that then they either slave away at minimum wage jobs or become criminals.

        Exceedingly few smart people become script kiddies, they mostly find legitimate work because their skills are in demand.

        At least that’s how it is in the western world. In your neck of the woods the situation may be reversed, but why just blindly accept that’s the way it has to be?

    2. C Davis

      These guys are more than just script kiddies.

      1. treFunny

        I would agree… script kiddies were the ones using the service and would not know how to ddos anyone without ddos-ssas

  2. ralph seifer

    As Seinfeld would say, usually not with over-the-top sincerity,
    “Ah, that’s a shame.”

  3. Robert Ostrow

    Excellent article. Why aren’t these little kids in college learning some common sense? Where are their parents?

    1. Jon Marcus

      They weren’t in college because they were in their mid-teens when they committed these crimes. (They were 17 when arrested, and I assume they’d been at this for a few months or years.) They likely were in high school.

      And after high school most Israelis would serve in the military before going to college in their early 20s.

      1. ripley_stew_dios8

        Jon is correct. All Israelis are required to sign a 2-3 year contract with the IDF before pursuing any secondary education.

    2. Cory Martinson

      If I was 17 years old and making $42K a month, I know what I’d say about the idea of going to college.

  4. JTL

    Hate to say it, but these DDoS attackers have great UI design skills.

    Glad they got arrested and indicted though…

    1. Mikey

      Yes, it’s good they got caught and arrested.

      Ironically, a growing number of these kids will suddenly “turn their lives around” and sell their hacking skills as “experts” that will stress IT systems to identify vulnerabilities.

      Reminds me of the thief who had lied his way to success as a criminal and, upon release from prison, was asked if he’d do it again. His reply: “If I said no, would you believe me?”

      1. Old School

        On the subject of “turn their lives around” based on its original meaning, attending a lecture given by Frank Abagnale Jr. is an enlightening experience. His comments about Facebook are quite sobering.

  5. Mahhn

    I hope they get punishment and not just a slap on the backside.

    1. FunnyBits

      Don’t bet on it. Either a low sentence in Country Club Blue Collar Crime Prison. To network and start it all over again when they get out. It’s ridiculous the sentences these kids receive.

  6. Cyril SZECSKO

    PayPal to run a business forbidden in a lot of states? Doxed + PayPal + dos = jail: why didn’t they move to Russia?
    If my child told me he runs a business in security tools online, I will check twice…

  7. Yuri

    What is surprising for me in all this is how a bunch of kids, not following any BlackOps best practices, transferring their earnings to a PayPal account, using their Gmail addresses elsewhere on the Net, succeeded in becoming the leading (according to media) DDOS service for hire and operating for 4 years??
    That is, if they were proz, with no identifiable info and no option for FBI/NSA to break into their website to get their identities, it would go forever, just change the apprehended domains from time to time?
