Cyber Incident Victim: vDOS
Date: Jul 2016
Location: Israel
Summary
A DDoS-for-hire service operated by two Israeli individuals was compromised, exposing its infrastructure and customer data. The service had generated over $600,000 in revenue from tens of thousands of users who launched extensive denial-of-service attacks. The proprietors laundered payments through PayPal and Bitcoin intermediaries, avoided targeting Israeli websites to evade local scrutiny, and used servers in Bulgaria hidden behind DDoS protection services. The breach revealed operational details, including attack volumes equivalent to nearly nine years of cumulative attack time sold within a short period, highlighting the service's role in enabling widespread disruption by providing accessible, high-powered attack capabilities to paying customers.
Description
The vDOS incident involved the compromise of a prominent DDoS-for-hire service operating from September 2012 until its breach in July 2016. The service, marketed on Hackforums.net under aliases such as "M30w" (P1st) and "AppleJ4ck," offered subscription packages ranging from $20 to $200 per month, generating over $618,000 in revenue between July 2014 and July 2016 through Bitcoin, PayPal, and briefly credit card payments. Attack time was sold by the second, and the service launched approximately 277 million seconds (8.81 years) of attack traffic between April and July 2016 alone. vDOS concealed its infrastructure behind Cloudflare, with the actual attack servers hosted at Verdina.net in Bulgaria (IP: 82.118.233.144). The breach occurred when a researcher exploited a vulnerability in PoodleStresser, a service relying on vDOS infrastructure, to reach vDOS's API endpoint and subsequently extract its databases, configuration files, and administrator credentials.

The leaked data identified Israeli nationals Itay Huri ([email protected], [email protected]) and Yarden Bidani as the primary operators, who used SMS alerts via Nexmo.com to manage customer support. vDOS intentionally blocked attacks on Israeli IP ranges to avoid local scrutiny, as confirmed in support tickets. Payment laundering involved rotating PayPal accounts and a U.S.-based Digital Ocean server (45.55.55.193) that relayed Bitcoin transactions via Coinbase, circumventing financial monitoring. The service facilitated over 150,000 attacks, primarily targeting online businesses, with advertised capacities of up to 50 Gbps, though independent tests recorded peaks of 14 Gbps. PayPal's collaboration with researchers disrupted vDOS's payment channels, forcing reliance on cryptocurrency. The breach also exposed operational details, including associated domains (huri.biz, ustress.io) and administrative email accounts (e.g., [email protected]). It revealed the scale of a service that put high-volume DDoS capabilities in the hands of non-technical users, compelling widespread adoption of anti-DDoS protections among potential targets.
