Cyber Threat Actor: Itay Huri
| Actor Type | Location | Known Incidents |
Criminal
|
Israel
|
1 incident |
|---|
Profile
Itay Huri, alsoknown by the alias Itay Huri, is an individual linked to Israel who has been identified as an alleged operator of the vDOS DDoS‑for‑hire service. The vDOS platform provided on‑demand distributed denial‑of‑service capabilities to paying customers, enabling them to launch large‑scale traffic floods against chosen targets. Public reports indicate that the service facilitated more than 150,000 attacks and generated upwards of $600,000 in revenue before its disruption. The actor’s location in Israel was noted in connection with the arrests and subsequent legal proceedings involving the alleged operators.
The vDOS service was used to target a variety of online entities, including news outlets and security firms, demonstrating a broad, non‑sector‑specific focus. Its primary strategic objectives were financial gain through subscription fees and the disruption of victims’ online availability. Observed tactics included the execution of volumetric DDoS attacks that exceeded 140 Gbps, as seen in the sustained assault on KrebsOnSecurity that carried the message “godiefaggot.” Additionally, the service’s infrastructure was subjected to a BGP hijacking counter‑measure by the security firm BackConnect after vDOS had targeted their network. Operational security shortcomings attributed to the alleged operators involved publishing real names in a white paper, associating personal phone numbers with service resources, and openly discussing activities on social media platforms.
Attribution to the actor remains rooted in criminal, for‑profit motives rather than any identified state sponsorship or affiliation with a larger cyber‑crime consortium. The most publicly cited operation involving Itay Huri is the September 9 2016 DDoS attack on KrebsOnSecurity, which exemplified the scale and impact of the vDOS offering. Beyond this incident, the vDOS platform itself represents a significant campaign, having supported a sustained period of attack activity across multiple months before its operators were arrested, released on bail, placed under house arrest, and subjected to internet use restrictions. These facts collectively define the known profile of the threat actor based on the available information.
