Menu
Browse

Cyber Threat Actor: P1st

Actor Type Location Known Incidents
 Icon
Criminal
Israel
1 incident
Profile

P1st is an alias used by a pair of Israeli individuals who operated a DDoS‑for‑hire service that was publicly exposed in July 2016. The actors are known to have been based in Israel, and the service they ran offered on‑demand denial‑of‑service capabilities to paying customers worldwide. Their operation generated more than six hundred thousand dollars in revenue from tens of thousands of users who launched attacks through the platform. The service deliberately avoided targeting Israeli‑based websites to reduce the likelihood of domestic law‑enforcement scrutiny.

The primary strategic objective of the P1st operation was financial gain, as evidenced by the substantial revenue collected through PayPal and Bitcoin intermediaries used to launder payments. By providing accessible, high‑powered attack tools, the service also enabled widespread disruption across various online targets, which aligns with a secondary objective of causing operational downtime for victims. The actors did not focus on any particular industry sector; instead, they sold capacity to anyone willing to pay, resulting in attacks against a broad range of online services. This approach allowed customers to inflict damage equivalent to nearly nine years of cumulative downtime within a short timeframe.

Attribution to the actors is based on public reporting that identifies them as two Israeli nationals, with no indication of state sponsorship or affiliation with a larger criminal consortium. The individuals appear to have acted independently, leveraging their technical expertise to build and maintain the DDoS‑for‑hire infrastructure. Their operational security measures included hosting servers in Bulgaria and concealing them behind commercial DDoS protection services to obscure the true location of the command‑and‑control nodes. No public evidence links the pair to any government intelligence agency or organized cybercrime group.

The most notable publicly reported campaign involving P1st is the DDoS‑for‑hire service itself, which was compromised on July 31, 2016, leading to the leak of internal logs, customer data, and server configurations. The breach revealed that the platform had facilitated tens of thousands of attack sessions, generating attack volumes that summed to nearly nine years of uninterrupted downtime for targeted victims. Payment laundering through PayPal and Bitcoin intermediaries was a key tactic used to conceal the flow of illicit proceeds. The exposure of the service highlighted how a relatively small‑scale criminal enterprise could provide large‑scale disruption capabilities to a global clientele.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources