Posted on December 16, 2022 at 8:24 AM
On Wednesday, the US Department of Justice announced that it had seized 48 domains offering services for conducting distributed denial-of-service (DDoS) attacks on behalf of paying customers. Services of this kind lower the barrier to entry for conducting such attacks, and the seizures are intended to raise it again.
US seizes 48 domains
The DoJ has also charged six suspects associated with these domains and accused of involvement in the operation: Angel Manuel Colon Jr, Cory Anthony Palmer, Jeremiah Sam Evans Miller, John M. Dobbs, Joshua Laing, and Shamar Shattock.
In a press statement, the DoJ said that the websites accepted payments that allowed customers to launch powerful DDoS attacks, which swamp target computers with traffic and make it impossible for their users to access their network. DDoS attacks are usually conducted as part of ransomware campaigns.
In its statement, the DoJ noted that these websites “allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet.”
The six individuals charged in this matter are accused of a range of offenses, including running booter services. The services they ran include Astrostress[.]com, Booter[.]sx, IPStresser[.]com, RoyalStresser[.]com, SecurityTeam[.]io and TrueSecurityServices[.]io.
The defendants are also charged with violating the Computer Fraud and Abuse Act. The attacks conducted through these websites caused significant harm to individuals and corporations.
These websites claimed to offer testing services for evaluating the resilience of a paying customer's web infrastructure. In practice they never provided such services; instead, they were used to launch DDoS attacks on behalf of other threat actors.
The websites are also believed to have been used against multiple victims in the United States and other countries, including educational institutions, government agencies, and gaming platforms.
The DoJ estimates that these attacks affected millions of individuals. Court documents show that more than one million registered users of IPStresser[.]com had conducted or attempted to conduct DDoS attacks, and that registered users of IPStresser[.]com launched over 30 million DDoS attacks between 2014 and 2022.
The US Federal Bureau of Investigation analyzed communications between the administrators of the booter sites and their customers. The investigation revealed that the services were paid for in cryptocurrency. Once a customer had paid, the administrators gave them access to the booter they could use to conduct DDoS attacks.
The FBI statement noted that malicious actors used established booter and stresser services because they were convenient: a customer could pay for access to an existing network of infected devices instead of building their own. The agency further noted that actors may have preferred this approach because it obscured the details of any DDoS activity.
Not the first time law enforcement is seizing domains
It is not the first time that the DoJ and the FBI have seized domains linked to malicious campaigns. In December 2018, the two government agencies took similar steps when they seized 15 domains that advertised computer attack platforms such as Booter[.]ninja, Critical-boot[.]com, downthem[.]org, quantumstress[.]net, RageBooter[.]com and Vbooter[.]org.
In April 2018, Europol led an investigation that disrupted the services offered by Webstresser[.]org. That platform allowed users to register and pay as little as €15 per month to rent services that were then used to launch DDoS attacks against banks, the gaming sector, and governments.
The seizure of domains linked to malicious campaigns is part of a joint effort known as Operation PowerOFF, conducted alongside authorities in the United Kingdom, Germany, the Netherlands, and Poland, and with Europol. The goal of the operation is to dismantle DDoS-for-hire infrastructure globally.
The efforts of global law enforcement agencies to take down these threat actors through domain seizures have put some out of business, but DDoS attack volumes have remained high over the past year. Some of the most notorious threat actor groups have launched multiple DDoS attacks against key government agencies and institutions.