Menu
Browse

Cyber Threat Actor: AppleJack

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Israel
1 incident
Profile

AppleJ4ck is an alias used by one of the two principal operators of the vDOS distributed denial‑of‑service‑for‑hire service, the other operator being known online as P1st or M30w on Hackforums. Both individuals are identified as young hackers residing in Israel, a fact supported by their own statements in vDOS technical support tickets where they confirmed blacklisting all Israeli IP ranges to avoid attracting local authority attention. vDOS functioned as a booter platform that sold subscription‑based access to DDoS attack capacity, with pricing tiers ranging from twenty to two hundred dollars per month, and the service generated more than six hundred thousand dollars in revenue over a two‑year period according to leaked payment logs. The platform’s customers launched over one hundred fifty thousand attacks, accumulating more than two hundred seventy seven million seconds of attack time between April and July 2016 alone, which the operator described as nearly nine years of continuous DDoS traffic compressed into four months. While vDOS advertised the ability to deliver attacks up to fifty gigabits per second, independent testing observed peak volumes of fourteen and six gigabits per second, still sufficient to overwhelm most unprotected websites. The service primarily targeted online businesses and news outlets outside of Israel, as evidenced by the attack on KrebsOnSecurity that delivered in excess of 140 gigabits per second and included the taunting message “godiefaggot.”

Technically, vDOS concealed its true infrastructure behind Cloudflare protection while the attack servers were rented from Verdina.net in Bulgaria, reachable at the IP address 82.118.233.144. Administrative communications were automated via Nexmo SMS alerts sent to six mobile numbers, two of which were linked to Israeli phones, and email correspondence was managed through Mailgun using keys that were among the data exfiltrated during the 2016 breach. To obscure financial flows, the operators laundered PayPal payments through a round‑robin chain of unverified accounts, recruiting fellow Hackforum members to process two to three hundred dollar transactions multiple times daily, and later routed Bitcoin payments received via Coinbase through an intermediary server at 45.55.55.193 hosted on Digital Ocean in the United States before updating the Bulgarian database. Public attribution ties AppleJ4ck and P1st to the vDOS operation through their repeated appearances in support tickets, their advertised presence on Hackforums, and the linkage of the v‑email.org domain to an Israeli registrant whose phone number matched one of the Nexmo contacts. The KrebsOnSecurity incident remains the most publicly cited operation associated with the actors, illustrating their capacity to launch large‑scale disruption campaigns for financial gain.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
2 sources