07 Jun 20

Owners of DDoS-for-Hire Service vDOS Get 6 Months Community Service

The co-owners of vDOS, a now-defunct service that for four years helped paying customers launch more than two million distributed denial-of-service (DDoS) attacks that knocked countless Internet users and websites offline, each have been sentenced to six months of community service by an Israeli court.

vDOS as it existed on Sept. 8, 2016.

A judge in Israel handed down the sentences plus fines and probation against Yarden Bidani and Itay Huri, both Israeli citizens arrested in 2016 at age 18 in connection with an FBI investigation into vDOS.

Until it was shuttered in 2016, vDOS was by far the most reliable and powerful DDoS-for-hire or “booter” service on the market, allowing even completely unskilled Internet users to launch crippling assaults capable of knocking most websites offline.

vDOS advertised the ability to launch attacks at up to 50 gigabits of data per second (Gbps) — well more than enough to take out any site that isn’t fortified with expensive anti-DDoS protection services.

The Hebrew-language sentencing memorandum (PDF) has redacted the names of the defendants, but there are more than enough clues in the document to ascertain the identities of the accused. For example, it says the two men earned a little more than $600,000 running vDOS, a fact first reported by this site in September 2016 just prior to their arrest, when vDOS was hacked and KrebsOnSecurity obtained a copy of its user database.

In addition, the document says the defendants were initially apprehended on September 8, 2016, arrests which were documented here two days later.

Also, the sentencing mentions the supporting role of a U.S. resident named only as “Jesse.” This likely refers to 23-year-old Jesse Wu, who KrebsOnSecurity noted in October 2016 pseudonymously registered the U.K. shell company used by vDOS, and ran a tiny domain name registrar called NameCentral that vDOS and many other booter services employed.

Israeli prosecutors say Wu also set up their payment infrastructure, and received 15 percent of vDOS’s total revenue for his trouble. NameCentral no longer appears to be in business, and Wu could not be reached for comment.

Although it is clear Bidani and Huri are defendants in this case, it is less clear which is referenced as Defendant #1 or Defendant #2. Both were convicted of “corrupting/disturbing a computer or computer material,” charges that the judge said had little precedent in Israeli courts, noting that “cases of this kind have not been discussed in court so far.” Defendant #1 also was convicted of sharing nude pictures of a 14-year-old girl.

To further monetize their excess firepower, vDOS also sold API access to their backend attack infrastructure to other booter services, including Vstress, Ustress, PoodleStresser and LizardStresser.

Yarden Bidani. Image: Facebook.

Both defendants received the lowest possible sentence (the maximum was two years in prison) — six months of community service under the watch of the Israeli prison service — mainly because the accused were minors during the bulk of their offenses. The judge also imposed small fines on each, noting that more than $175,000 worth of profits had already been seized from their booter business.

The judge observed that while Defendant #2 had shown remorse for his crimes and an understanding of how his actions affected others — even sobbing throughout one court proceeding — Defendant #1 failed to participate in the therapy sessions previously ordered by the court, and that he has “a clear and daunting boundary for recurrence of further offenses in the future.”

Boaz Dolev, CEO of ClearSky Cyber Security, said he’s disappointed in the lightness of the sentences given how much damage the young men caused.

“I think that such an operation that caused big damage to so many companies should have been dealt differently by the Israeli justice system,” Dolev said. “The fact that they were under 18 when committing their crimes saved them from much harder sentences.”

While DDoS attacks typically target a single website or Internet host, they often result in widespread collateral Internet disruption. Less than two weeks after the 2016 arrest of Bidani and Huri, KrebsOnSecurity.com suffered a three-day outage as a result of a record 620 Gbps attack that was alleged to have been purchased in retribution for my reporting on vDOS. That attack caused stability issues for other companies using the same DDoS protection firm my site enjoyed at the time, so much so that the provider terminated my service with them shortly thereafter.

To say that vDOS was responsible for a majority of the DDoS attacks clogging up the Internet between 2012 and 2016 would be an understatement. The various subscription packages for the service were sold based in part on how many seconds the denial-of-service attack would last. And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.

It seems likely vDOS was responsible for several decades worth of DDoS years, but it’s impossible to say for sure because vDOS’s owners routinely wiped attack data from their servers.

Prosecutors in the United States and United Kingdom have in recent years sought tough sentences for those convicted of running booter services. While a number of current charges against alleged offenders have not yet been fully adjudicated, only a handful of defendants in these cases have seen real jail time.

The two men responsible for creating and unleashing the Mirai botnet (the same duo responsible for building the massive crime machine that knocked my site offline in 2016) each avoided jail time thanks to their considerable cooperation with the FBI.

Likewise, Pennsylvania resident David Bukoski recently got five years probation and six months of “community confinement” after pleading guilty to running the Quantum Stresser booter service. Lizard Squad member and PoodleStresser operator Zachary Buchta was sentenced to three months in prison and ordered to pay $350,000 in restitution for his role in running various booter services.

On the other end of the spectrum, last November 21-year-old Illinois resident Sergiy Usatyuk was sentenced to 13 months in jail for running multiple booter services that launched millions of attacks over several years. And a 20-year-old U.K. resident in 2017 got two years in prison for operating the Titanium Stresser service.

For their part, authorities in the U.K. have sought to discourage would-be customers of these booter services by purchasing Google ads warning that such services are illegal. The goal is to steer customers away from committing further offenses that could land them in jail, and toward more productive uses of their skills and/or curiosity about cybersecurity.


25 comments

  1. Defendant #1 is Yarden, Defendant #2 is Itay.

  2. Considering that the amount of financial damages to their victims surely was in the millions of shekels/dollars and that at least one of them doesn’t get it, no doubt the sentences won’t stop them from a life of cyber crime. It sure sounds like the judge was extremely naive or the victim of a con-job by their attorneys. So one guy cried thru his trial. Was that because he was remorseful or scared about going to prison? Some criminals don’t know how to make a living legally. And others are pathologically inclined to continue their criminal career.

    • Itay actually turned his life around, he started working in a legit company (sndbox) and left his criminal past behind, he is the one who cried in court. Kids can do stupid things, and will not think of the consequences.

    • “I’m going to pound me in the @$$ prison!”

  3. I guess we will have to wait for these “miscreants” to run afoul of the law again in order to see full justice. I am amazed and dismayed to see that 77,470 users are registered to their website. Wow!

  4. Sounds like Israeli legal system is in uncharted territory just now; maybe that also explains the loose sentence. I assume there was no time served as they were probably out on bail – if in fact that is the way things work in Israel. At least they sweated it out for 4 or more years wondering what would happen to them when they went before the judge for sentencing!

    • Very few countries are like the US with our massive corporate incarceration system. There are a lot of economic incentives driving up sentencing here.

      They were sentenced to community service, although I don’t know exactly what that will entail, it is unlikely they could have “time served”, if they weren’t doing community service.

    • I imagine they’ll give Bibi a similar wrist slap for all the frauds..

  5. This is an article titled “Amplified DDoS Attacks”, written by Itay Huri, Raziel Beker (Bakar?) in the Hebrew language infosec journal Digital Whisper: https://www.digitalwhisper.co.il/files/Zines/0x4B/DW75-4-AmplifiedDDoS.pdf

    It says in the sentencing memorandum that defendant 2 “also wrote articles in the field”.

    So #2 should be Huri as “iKnow” stated.

  6. What needs to be done is fine every single customer $10,000 as a restitution fund to be paid to those whose sites were attacked.

    Cut off the demand by making it too expensive and make any such debt NOT dischargeable in bankruptcy.

  7. I am probably stating the obvious, but one IP address can host a number of websites. Thus you don’t DDoS a website but rather you DDoS a server. Before I set up a VPS, my website and email was often knocked offline because some other website on the same address was being DDoSed.

    • There are multiple methods of DDOS. Some of them – the majority of the booter services offer – only focus on IP addresses. But you can also use botnets to do specific queries on websites to bring them down as well. This is what is called an application based DDOS attack instead of volumetric where you just flood the pipes.

      • I see your point. But software on the server can control the attempt to use too many resources. SQL can queue up requests that it can’t immediately service for example. But I guess at some point the server will become unresponsive.

  8. Michael Smith

    Brian, to clarify, does the “community service” involve imprisonment? Based on Google’s admittedly crude translation, it looks like it does. (Page 22, sections 66 and 72)

    • I had two native Hebrew speakers look at this document. I trust their word over Google Translate any day.

    • It doesn’t include imprisonment. You probably mix it up with another concept called “Public benefit service” which will not include criminal records and will max at 250 hours (can be spread over a year).

      Community services is an alternative for imprisonment and carries a criminal record. They will need to do it 6 days a week, 8 to 5 everyday, for 6 months.

    • Community service does not include imprisonment.

  9. I think MOST of us would willingly do 6 months of probation for “$600,000”. Especially when that 600K is more likely than not – in the millions.

  10. Thanks for another article of the high quality we have become accustomed to from you, CBK…

    I know the DDoS thing has been a virtual thorn in your ass in particular given that you have shown no fear to these ne’er-do-wells and therefore continue to be the sacrificial lamb…

    You are very appreciated Cyberhero Krebs

  11. These guys have a pretty big network of ddos services, aren’t these the same guys that ran Low Orbit Ion Cannon?
    https://securedyou.com/download-loic-low-orbit-ion-cannon-free-ddos-tool/

  12. I’ll bet they get a scholarship. After all, that’s what Israel schools are best known for, hacking. Besides, like Russia, the crime was committed against other nations, so it’s just worthless heathens affected.

  13. Did they lose their wealth or were they allowed to keep the funds they had obtained via criminal activities?

    • When they got arrested, the police caught $600K in funds, this will not be returned to the criminals. In addition each of them will pay 25K NIS as a fine.
