Skip to main content
  1. Home
  2. Computing
  3. News

Two Israeli teenagers arrested over vDOS DDoS-for-hire service

Add as a preferred source on Google

Updated on 9-12-2016 by Jonathan Keane: Israeli police arrest two teens for allegedly running the vDOS DDoS-for-hire service

Israeli news site Haaretz reports that the Israeli national police arrested two teenagers following a tip from the FBI. The two men, Huri and Yarden Bidani, (it has not been clarified if they are related) are under house arrest for 10 days at $10,000 bail. They were also ordered to hand over their passports and are barred from using the internet for 30 days. The vDOS website is now offline.

Recommended Videos

The vDOS operators are alleged to have carried out hundreds, if not thousands, of DDoS attacks on websites on behalf of customers, earning at least $600,000 in the last two years. However the site had a policy of never attacking Israeli sites to avoid drawing too much attention to itself at home.

Original:

A web service that helped customers carry out distributed denial-of-service (DDoS) attacks on unsuspecting victims has been hacked revealing data on the customers that availed of this clandestine service.

According to security journalist Brian Krebs, vDos was hacked recently and he obtained a copy of the leaked data in July. Upon scrutinizing the database, he claims that vDOS is being run by two Israeli cybercriminals under the pseudonyms of P1st or P1st0 and AppleJ4ck, with associates in the United States.

vDOS allegedly offered monthly subscriptions to DDoS attack services, paid in bitcoin or even through PayPal, with the prices based on how long the attack would last. These DDoS attacks would launch fake traffic at victim websites, overwhelming their servers and knocking the sites offline. A particularly strong DDoS attack could cripple a site for days.

“And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic,” Krebs said in his analysis. He added that he believes vDOS was handling hundreds or even thousands of concurrent attacks a day. Kreb’s analysis is based on data from April to July. Apparently all other attack data going back to the service’s founding in 2012 has been wiped away.

Krebs’ source for info on the hack was allegedly able to exploit a hole in vDOS that allowed him to access its database and configuration files. It also allowed him to source the route of the service’s DDoS attacks to four servers in Bulgaria.

Among the data dump were service complaint tickets where customers could file issues they had with the DDoS attacks they purchased. Interestingly the tickets show that the owners of vDOS declined to carry out attacks on Israeli sites to avoid drawing attention to themselves in their native land.

The duo supposedly made $618,000 according to payments records dating back to 2014 in the data dump.

“vDOS does not currently accept PayPal payments. But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts,” Krebs said.

The operators of the DDoS service are believed to have enlisted the help of members from the message board Hackforums in laundering the money.

Krebs warned that services like vDOS are worrisome because they make cybercrime tools available to pretty much anyone willing pay. In some cases, vDOS offered subscriptions as low as $19.99. These sorts of tools, also known as booter services, can be used ethically for testing how your site holds up against large swathes of traffic but in the wrong hands they can be abused and sold very easily.

“The scale of vDOS is certainly stunning, but not its novelty or sophistication,” Ofer Gayer of security firm Imperva said but added that this new widespread attention on DDoS service might stall them for a while.

Jonathan Keane
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Google’s new Magic Pointer Play Store listing reveals a Gemini shortcut built for Googlebooks
The unannounced app turns the cursor into a contextual AI tool for search, image creation, and shopping
Plant, Text, Business Card

Google has quietly published a new Play Store listing for Magic Pointer, an unannounced app built for Googlebooks. Updated on July 10, the app turns the cursor into a Gemini shortcut that can act on whatever a user selects on screen.

Magic Pointer can send an image to Lens, generate a related image, or surface a shopping action without forcing users to open a separate chatbot. Regular Android devices currently show as incompatible, so the listing offers an early preview rather than a broad release.

Read more
You can stop using AI, but this new report says you probably can’t escape it
A UK survey found that most people feel AI exposure is unavoidable, raising harder questions about consent, privacy, and whether opting out is still realistic
AI Chatbots

More people are trying to use less AI, but avoiding it altogether may already be impossible.

A survey of 2,055 UK adults found that 42% deliberately limit how much AI they use. Another 70% said avoiding AI exposure would be difficult or impossible, even when they actively wanted less of it.

Read more
The face on an AI interviewer may matter as much as the decision it makes
Researchers found that race and gender matching changed how fairly rejected applicants viewed an automated interview, even though everyone received the same outcome
File, Computer Hardware, Electronics

An AI hiring system can treat every applicant the same and still leave some people feeling targeted. Researchers found that rejected candidates judged an automated interview differently depending on the race and gender of the avatar delivering the result.

Around 220 participants completed a simulated interview for a fictional customer support role with one of four photorealistic AI avatars. Everyone was rejected, yet perceptions of fairness shifted with the interviewer’s appearance. An algorithm audit could miss that reaction because candidates don’t experience the system as raw code. They experience a face asking questions and judging their answers.

Read more