Dutch Cyber Cops Tell Stresser/Booter Customers: Cut It Out
How Many Strikes Should Cybercrime-as-a-Service Customers Get Before Getting Busted?
Dutch cybercrime police have a message for almost 30 users of an on-demand distributed denial-of-service site: We see what you're doing; now cut it out or we're going to arrest you.
Not for the first time, the move shows police in Europe attempting to nudge offenders - who are often young men - away from criminality, rather than busting them outright.
On Monday, Dutch National Police said they had issued a written warning to 29 individuals they've identified, telling them that if they continue to use DDoS services, they will be prosecuted.
In a letter to each individual, police say:
"We have registered you in our system and you are now receiving a final warning. If new, similar evidence arises in the future, we will prosecute you. In that case, you will face conviction, having a criminal record as well as losing your computer and/or laptop."
"The aim of the letter is to inform the recipients about the criminality and consequences and also to offer them alternatives," police say.
Alternative, Legal Pursuits
To that end, police suggested to the letter recipients that they explore more positive - and legal - pursuits, such as:
- Gamechangers: This online site, maintained by Dutch National Police, offers ethical hacking challenges.
- Crimediggers: This fictional site allows participants to play the role of a digital specialist in a police cybercrime team, using digital forensic skills to investigate the sudden, unexpected disappearance of a Dutch politician.
- ESL Gaming: Formerly known as Electronic Sports League, ESL is an esports organizer and production company that produces video game competitions worldwide. ESL is the world's largest esports company.
- Hack the Box: The site describes itself as being "a massive, online cyber security training platform, allowing individuals, companies, universities and all kinds of organizations around the world to level up their hacking skills."
Police say they identified the notified individuals as part of an ongoing operation into a DDoS-on-demand - aka stresser/booter - service called www.minesearch.rip, prompted by a games site that says it was disrupted by the service. Police say dozens of other reports pertaining to the service have also been filed by other businesses as well as government authorities.
As part of their www.minesearch.rip probe, police say they searched the homes of two suspects - both age 19 - in the Dutch cities of Spijkenisse and Winschoten and seized computer devices and smartphones for digital forensic analysis. "The police investigation is still ongoing," authorities say.
On-Demand DDoS Attacks
Stresser/booter sites typically operate by using a botnet comprised of malware-infected - aka bot-infected - systems, which can be instructed to funnel junk traffic at a designated site, in the hope of overwhelming its servers and knocking the site offline.
Historically, games sites have been a regular target for DDoS attacks, especially right before the Christmas holiday. Based on past police reports and charging documents, many users and administrators of such sites are young men. Indeed, there appears to be a never-ending supply of individuals, especially in their late teens, who create and use such services.
It's not clear how many stresser/booter service users understand - or care - that DDoS attacks are not only illegal but can also have serious economic consequences for a targeted business, and that police are often able to recover evidence of which service users ordered the attack, not least by following the money and tracing who paid for the attack and how, oftentimes even if cryptocurrency was used.
Try Ethical Hacking Instead
The letters sent by Dutch police to suspects are only the latest in a long line of such outreach efforts across Europe.
In the U.K., for example, in 2017, the National Crime Agency began testing weekend rehab camps for young cybercriminals.
One attendee subsequently told the BBC: "Now that I know cybersecurity exists, it sounds like it would be something I really, really want to go into. You get the same rush, the same excitement, but you are using it for fun still, but it is legal and you get paid. So, it's every kind of benefit."
Separately, as part of an intelligence investigation into the notorious Webstresser stresser/booter service, law enforcement agencies in 2018 arrested six alleged administrators and identified some of the site's 136,000 registered users, who collectively had launched more than 4 million attacks since the service's 2015 launch.
Beginning in November 2018, a coalition of U.K. law enforcement agencies executed multiple warrants, seized dozens of devices, and issued a number of "cease and desist" notices to suspected Webstresser users.
The NCA now coordinates - with local and regional police cybercrime teams - Cyber Choices, a program that it says "was created to help people make informed choices and to use their cyber skills in a legal way."
Dutch Urge Young Adults to Hack_Right
In 2018, Dutch police and prosecutors launched an experimental program called Hack_Right, aiming to keep first-time offenders ages 12 to 23 from graduating to more serious crimes by implementing a four-phase program - recovery, training, alternatives and coaching - that included having the offenders complete internships in IT departments.
In 2019, the program got a boost, with 20 business partners signing on. Criminal court judges can also require offenders to work with the program, as part of their sentencing or plea agreement.
"Hackers between the age of 12 and 23, who have committed a cybercrime for the first time, are given the opportunity to improve their behavior within Hack_Right," according to an overview published by Dutch security cluster Security Delta, or HSD. "The youngsters get an alternative or additional punishment aimed at recovery, training and coaching. The objective of Hack_Right is preventing recidivism, and at the same time letting the youngster develop their talents, within the legal framework."
About 100 young offenders per year now work with the program, PortSwigger Web Security's news site The Daily Swig reported in 2020.
Program partners include not only Dutch police and prosecutors, but also firms such as Fox-IT, KPN, Deloitte, ING, DutchDare International, Radically Open Security and Guardian360.