Police shut down 48 DDoS-for-hire services, arrest 7 alleged administrators

International police shut down dozens of popular websites that allowed paying users to launch distributed denial-of-service attacks and arrested seven alleged administrators of the sites, Europol announced Thursday.

The announcement came one day after the U.S. Department of Justice said six defendants in the U.S. had been charged with overseeing the services, which include Booter.sx., Astrostress.com, and SecurityTeam.io. They are expected to make their initial court appearance early next year, the DOJ said. Another suspect was arrested in the U.K., according to Europol, “with further actions planned against the users of these illegal services.”

The defendants disguised their sites as services that could allegedly be used for network testing but actually demanded money for conducting DDoS attacks against educational institutions, government agencies, gaming platforms and millions of individuals in the U.S. and abroad, according to the DOJ. DDoS attacks work by flooding websites with junk traffic, making them unreachable.

The operation, dubbed "Power Off," was conducted by law enforcement agencies in the U.S., U.K., Germany, Poland and the Netherlands. The takedown came less than two weeks before the Christmas holiday, which typically brings a significant increase in DDoS attacks across the gaming world, according to the DOJ.

The operation is just the latest success that law enforcement has had with combatting DDoS-for-hire services. In 2018, international police took down the largest such website at the time, which helped launch up to 4 million DDoS attacks for as many as 136,000 registered users for as little as $18 a month.

By comparison, one of the recently-seized services was used to carry out more than 30 million attacks, according to Europol.

Although DDoS attacks are not considered particularly sophisticated, they are still worth paying attention to, said Alan Woodward, a specialist in computer security at the University of Surrey.

The websites can be highly lucrative for administrators, and businesses that suffer from DDoS attacks can lose money as potential customers go elsewhere when their sites are down.

In addition, these attacks can deprive people of essential services offered by banks, government institutions and police forces.

“Although there are many services that will help mitigate DDoS attacks, smaller businesses and some government departments just don’t have the resources to afford this protection,” Woodward told The Record.

Another danger of DDoS is that it lowers the entry barrier to cybercrime. For a fee as low as $10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks, according to Europol.

“Emboldened by perceived anonymity, many young IT enthusiasts get involved in this seemingly low-level crime, unaware of the consequences that such online activities can carry,” Europol said in a statement.