Two 18-year-old Israeli men who are believed to have earned over $600,000 running a massive cybercrime operation were arrested Thursday, after the FBI alerted Israel Police of their activities.
Itay Huri and Yarden Bidani were released on bail with conditions.
U.S. cybercrime investigator Brian Krebs, a former Washington Post staffer and among the best-known writers on data security in the world, reported last week on his blog about a major cybercrime operation in which Huri and Bidani were implicated.
The Israelis are allegedly behind vDOS, a web service that helps customers carry out so-called distributed denial-of-service attacks (DDoS) for the purpose of knocking websites offline.
Such DDoS attacks work by flooding the targeted website from multiple computers until it crashes. It’s as if millions of callers tried to dial the same phone number simultaneously.
Krebs’ report was based on data KrebsOnSecurity.com obtained in late July after vDOS was itself hacked, “spilling secrets about tens of thousands of paying customers and their targets,” as Krebs wrote.
The service was responsible for several of the largest DDoS attacks carried out in recent years.
According to Krebs, Huri and Bidani “market their service mainly on the site hackforums[dot]net, selling monthly subscriptions using multiple pricing tiers ranging from $20 to $200 per month,” depending on the duration and intensity of the attacks.
“Records leaked from vDOS indicate that since July 2014, tens of thousands of paying customers spent a total of more than $618,000 at the service using Bitcoin and PayPal,” Krebs reported. He added that the total earnings likely exceeded $1 million, since vDOS began operations in September 2012, but payment records date only from 2014.
Krebs reported that Huri and Bidani refused to order DDoS attacks on Israeli websites, writing: “Responses from the tech support staff show that the proprietors of vDOS are indeed living in Israel and in fact set the service up so that it was unable to attack any websites in that country — presumably so as to not attract unwanted attention to their service from Israeli authorities.”
According to domain registration sites, Huri lives in Hod Hasharon, while the Twitter account of his partner, Bidani, indicates that Bidani is a resident of Tzur Yitzhak, central Israel.
Krebs reported that the two received payment through PayPal and in bitcoins, adding that “the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts.”
In a statement, the Israel Police confirmed the arrest Thursday — following a request for cooperation from the FBI — of “two major [hacking] suspects, aged 18, from central Israel.” The two were questioned and brought to a detention hearing.
At the request of their lawyer, they were released under strict conditions to house arrest for 10 days, under the constant supervision of one of their sureties. The sureties posted 40,000 shekels ($10,655) in cash for a 30,000-shekel, third-party bond, in addition to the 50,000-shekel promise made by the suspects.
Huri and Bidani are barred from using the internet and any communication methods for 30 days, and must be available for questioning as needed.
In addition, the police statement noted, “Their passports were deposited with the police and they are prohibited from leaving the country or communicating with others involved in the case for 30 days.”
The police did not say why the men were arrested and disclosed no details of the investigation.
The Israeli data-security website Digital Whisper (Hebrew only) contains a professional article on DDoS attacks whose authors are given as Itay Huri and Raziel Becker.
The article, which was published within the past several days, explains how to carry out massive DDoS attacks even when the attackers have limited computing resources.
A note at the end of the article adds, “Itay Huri is 18 and about to enlist in the Israel Defense Forces; in his free time, he engages in web development and data security.”
Less information is available on Becker, but in his report Krebs noted, “The data shows that vDOS support emails go to itay@huri[dot]biz, email@example.com and firstname.lastname@example.org.”
No responses were received to requests for comment that were sent to the email addresses of the owners of vDOS, as published by Krebs.