Cyber Incident Victim: KrebsOnSecurity
Date:
Sep 2016
Location:
Israel
Summary
The KrebsOnSecurity website came under a sustained DDoS attack peaking at nearly 140 Gbps, with attack packets carrying the string "godiefaggot." The attack followed Brian Krebs's exposure of, and Israeli authorities' arrests of, two individuals alleged to operate the vDOS DDoS-for-hire service, which had launched over 150,000 attacks and earned more than $600,000 in revenue. vDOS itself went offline when the DDoS mitigation firm BackConnect hijacked its address space via BGP, a step BackConnect described as a defensive measure after vDOS attacked its own network and claimed responsibility for doing so by email. Operational security lapses by the vDOS operators included publishing a white paper under a real name, tying a personal phone number to the service's infrastructure, and discussing the operation openly on social media. Attack logs released by CloudFlare revealed client details, targets, and timestamps of vDOS attacks spanning several months. The alleged operators were arrested, released on bail, placed under house arrest, and banned from internet use.
Description
On September 8, 2016, Israeli authorities arrested Itay Huri and Yarden Bidani, two 18-year-old hackers, in connection with an FBI investigation into vDOS, a DDoS-for-hire service they allegedly operated. The arrests coincided with the publication of an investigative report by security researcher Brian Krebs on his website KrebsOnSecurity, which exposed the duo as the purported masterminds behind vDOS and revealed the service had generated over $600,000 in revenue. Within hours of the report’s release, KrebsOnSecurity came under a sustained DDoS attack peaking at nearly 140 Gbps, with each attack packet containing the message "godiefaggot." The attack persisted throughout Friday, September 9, though the exact start time relative to the arrests wasn’t specified. Israeli authorities released Huri and Bidani on bail after questioning, imposed a 10-day house arrest, seized their passports, and banned them from internet or electronic communications for 30 days. Krebs’ investigation disclosed that vDOS, active since 2012, had facilitated over 150,000 DDoS attacks, including 277 million seconds of attack traffic (approximately 8.81 years) between April and July 2016 alone. The service relied on at least four Bulgarian-hosted servers and had been compromised prior to the arrests, leaking customer data and attack logs.

vDOS ceased operations on September 9 when BackConnect Security, a DDoS mitigation firm, executed a BGP hijack of vDOS's internet address space. BackConnect CEO Bryant Townsend confirmed this action was a defensive measure after vDOS targeted his company's network with attacks exceeding 200 Gbps the previous day, citing an email from vDOS claiming responsibility. By announcing vDOS's address block from its own network, BackConnect drew the traffic destined for vDOS to itself, disrupting the service's infrastructure globally. Concurrently, CloudFlare, whose services vDOS had initially used, released detailed attack logs covering April to July 2016, exposing client usernames, target IP addresses, and attack timestamps. Krebs highlighted operational security failures by Huri and Bidani: Huri had published a DDoS methodology white paper under his real name while referencing his upcoming Israeli military service; Bidani used an email address linked to vDOS; and in public social media discussions, associates referred to Bidani by his hacker alias "AppleJ4ck." vDOS's support system also forwarded alerts to Huri's personal Israeli phone number, which matched domain registration records for vDOS-affiliated sites. Krebs indicated plans to publish further analysis of vDOS's victims but did not specify mitigation actions taken by affected parties.
