Security Experts:

Connect with us

Hi, what are you looking for?



DD4BC, Armada Collective Inspire Cyber Extortion Copycats

Cyber extortion is expected to gain traction among cybercriminals after attack groups such as DD4BC (DDoS “4” Bitcoin) and Armada Collective successfully boosted revenue by extorting organizations, according to threat intelligence company Recorded Future.

Cyber extortion is expected to gain traction among cybercriminals after attack groups such as DD4BC (DDoS “4” Bitcoin) and Armada Collective successfully boosted revenue by extorting organizations, according to threat intelligence company Recorded Future.

Over the past year, the DD4BC group attempted to extort numerous companies, many in the financial services sector, by warning the of an imminent powerful DDoS attack that would be launched against their infrastructure unless they agreed to pay a specific ransom. Following the warning email, a small attack, typically of 10–15 Gbps and lasting only several minutes was launched, to prove the threat was real.

Armada Collective operated in a similar manner, first sending threat emails and small attacks to prove it was capable of launching DDoS attacks, and some suggested that DD4BC might have rebranded. The group also asked for a small amount of Bitcoin from companies willing to pay the ransom to avoid being attacked.

In September, Akamai’s Prolexic Security Engineering and Response Team (PLXsert) revealed that between September 2014 and August 2015 DD4BC launched a total of 141 attacks against organizations in North America, Europe, Asia and Australia. They also revealed that the group’s largest attack peaked at 56 Gbps and that NTP (22%), SSDP (15%), UDP (15%) and SYN (13%) floods were used to disrupt targets.

Akamai also observed a 13.34 Gbps average peak bandwidth for all attacks, which was quite low, considering that the group was claiming to be capable of launching 400-500 Gbps attacks. The security researchers also revealed that attackers initially asked between 25 ($6,000) and 100 ($24,000) Bitcoin from companies to prevent being hit by the DDoS attacks, but that they also started threatening to expose a targeted organization via social media, to bring harm to the brand.

Following the September report from Akamai, the activity of DD4BC has decreased significantly, and Recorded Future suggests that the cybercriminals in the group might be in fear of being caught. Furthermore, they suggest that those behind Armada Collective might have been thinking exactly the same after the recent incident with ProtonMail.

The encrypted email service provider was targeted by the group in early November, yet the attack against it was much powerful than what DD4BC or Armada Collective ever showed before. Initial investigation led to the conclusion that the service might have been attacked by a state-sponsored actor, especially with Armada Collective emailing ProtonMail to explain that they did not launch the second attack, and that it was much powerful than any DDoS they would be able to produce.

Based on all this data, Recorded Future suggests that other groups are already copying this modus operandi, looking to achieve the same level of success that DD4BC and Armada Collective had. Moreover, they claim that a recent set of attacks against Greek banks, carried out by a group calling themselves Armada Collective, might have been performed by entirely different people.

The ransom was much higher than those requested by DD4BC and Armada Collective, namely 20,000 BTC, about $7.2 Million, which is atypical. Moreover, after ProtonMail paid the ransom, Armada Collective emailed them back to deny responsibility for the attack, and Recorded Future notes that they even returned the ransom.

The threat intelligence company also notes that there has been an increase in requests on the Dark Web for information on how to perform DDoS attacks, a clear indicator that others are also considering cyber extortion to boost their revenue. Script kiddies are suspected to be interested in this method the most, and the fact that all suspects arrested in the recent TalkTalk breach are very young appears to confirm this.

“Nevertheless, the DDoS threat landscape continues to evolve. While cyber extortion has been around for quite some time, the adoption of Bitcoin as a method of ransom will continue to attract new miscreants into the DDoS space,” Recorded Future said.

Related: The Rise of Cyber Extortion

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.