The Akamai Blog

DD4BC: PLXsert warns of Bitcoin extortion attempts

A Bitcoin extortion campaign is underway, launched by a group of bad actors calling themselves DD4BC. The group repeatedly tried to blackmail Bitcoin exchanges and gaming sites -- threatening victims with DDoS attacks in order to extort bitcoins. Akamai's Prolexic Security Engineering and Response Team (PLXsert) reports the following:
The campaign typically consists of an email informing the victim that a low-level DDoS attack is underway against the victim's website. The email explains that the DDoS activity can be observed in server logs and that it is currently at a low level in order not to interrupt the victim's operations. Following this explanation, DD4BC demands a ransom paid in bitcoins in return for protecting the site from a larger DDoS attack capable of taking down the website.

The targets seem to have been chosen for their reluctance to involve law enforcement. To date, the targets have been associated with either illegal gaming activity or unregulated digital cryptocurrencies, commonly referred to as bitcoins. Given the illegal and/or unregulated nature of these activities, these sites typically do not want to invite the scrutiny of law enforcement.

This modus operandi is similar to express kidnapping, where criminals demand a small ransom that can be easily paid by the victims. This allows the malicious actors to quickly obtain funds while the victims recover without any major damage.
PLXsert collected information about these malicious individuals by matching DDoS-related IP addresses and payloads, and researching public information about the Bitcoin blockchain. This information indicates the bad guys have already received ransom payments and are moving the currency around to thwart traceback and prosecution.
The current investigation includes a series of screenshots showing messages from attackers to victims, as well as operation methods. Here's an example of an email where DD4BC takes responsibility for a DDoS attack and asks for payment in exchange for DDoS protection information:

[Image: screenshot of the DD4BC email]

More from the PLXsert team:
PLXsert predicts an increase in this type of activity and a surge of copycats. Due to the nature of their online activities, the targeted victims have the choice of either paying malicious actors or seeking DDoS protection services. 

The Bitcoin community has launched a bitcoin bounty hunter campaign to provide an anonymous way to send tips and help law enforcement arrest and prosecute DD4BC members. But that effort is undermined by the reluctance of victims to involve law enforcement.
Further details surrounding this operation are available to all Akamai security customers.