OPSEC mistakes spill Russian DDoS scum's payment secrets

OPSEC mistakes by a cybercrook have allowed security researchers to estimate the revenue of a Russian DDoS booter merchant.

The research is noteworthy because the only public information available on these miscreants is normally their online advertisements for site takedown services in Russian-language cybercrime forums and the like.

Arbor Networks has been able to dig out the sects of one particular miscreant, including the type of DDoS botnets he used to execute attacks, the number of attacks he made, targets – and the amount of money a hacker called “Forceful” made selling these attacks.

Forceful made a series of mistakes that gave up the command and control (C2) details of botnets used to carry out the purchased DDoS attacks in a separate discussion about file encrypting malware. Forceful, who used the G-Bot DDoS bot, went to make on second (arguable even bigger OPSEC mistake, as a blog post by Arbor explains.

While a self identified DDoS threat actor posting an MD5 hash of a known DDoS malware feels like a solid link between a DDoS-as-a-service advertisement and a DDoS botnet; a second OPSEC mistake by the threat actor has helped strengthen their association with kypitest[.]ru. On November 11, 2015 Forceful started a forum thread (including ICQ instant messaging logs) complaining that another forum (tophope[.].ru) had unfairly deleted their DDoS advertisement.

A dispute between the hacker and the forums about his ads triggered a DDoS attack, wehich was linked back to Forceful. The threat actor Forceful,’s pricing, from a DDoS booter ad is $60 a day and $400 per week.

Arbor was able to use its internal BladeRunner bot monitoring system to search for activity on “kypitest[.]ru” and estimate the number and during of contracted attacks attributable to Forceful to come up with an estimate for his illicit income.

The total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54.

Arbor’s research provides a rare backstage perspective on the business of mounting DDoS attacks. The research illustrates, should there still be any doubt, that DDoS attack contracted out at low cost can be highly debilitating and costly for their intended victims. ®