Security Experts:

Connect with us

Hi, what are you looking for?



Empty DDoS Threats: Cybercriminal Group is All Bark and No Bite

A new cyber-extortion group going by the name of the Armada Collective is extorting organizations by demanding they pay a ransom in order to avoid being hit by distributed denial of service (DDoS) attacks.

A new cyber-extortion group going by the name of the Armada Collective is extorting organizations by demanding they pay a ransom in order to avoid being hit by distributed denial of service (DDoS) attacks.

While this doesn’t sound out of the ordinary, the new gang has never actually launched a single DDoS attack, researchers at CloudFlare say. The group started targeting businesses in March and has already managed to extort more than $100,000 from potential victims, although it appears they never carried out an actual attack.

The group’s alleged name is Armada Collective, but its modus operandi doesn’t fully resemble that of the original Armada Collective, which used to launch a small-size DDoS attack against a targeted organization before sending out the threat email to demand a ransom. The new group seems to be only a copycat determined to cash out as much as possible by launching empty threats, researchers suggest.

The threat emails sent by this new group landed in the inboxes of more than 100 CloudFlare customers, but the security firm says that none of them was actually hit by an attack. Moreover, the researchers say they contacted other DDoS mitigation vendors and found that, although their customers too received the threat, no DDoS attack was launched.

In its threat email, the Armada Collective copycat demanded businesses pay a “protection fee” in Bitcoin, but researchers discovered that the group was reusing Bitcoin addresses, meaning that it couldn’t tell whether a specific victim paid or not. Regardless, the extortion emails sent by the cybercriminal gang have been consistent over the last two months.

The requested protection was typically in the range of 10-50 Bitcoin (approximately $4,600 – $23,000), but CloudFlare couldn’t find a correlation between the requested amount and the size of the victim organization.

However, since the group was targeting multiple businesses at the same time and requested them to send the same amount to the same Bitcoin address, there was no way to tell who paid the fee. The attackers treated all victims the same, by attacking none of them, and this explains why CloudFlare’s researchers couldn’t track a single DDoS attack launched against organizations that received the extortion emails.

The “original” Armada Collective gang, on the other hand, did carry through with its DDoS threats, yet the group went silent in November last year, after attempting an attack against the encrypted email service ProtonMail (the service might have been attacked by a state-sponsored actor). Usually, the group would launch a small DDoS attack to “prove it can do so,” then threated victims with a second, more powerful attack, if they didn’t pay a ransom.

The Armada Collective group followed the business model established by the DD4BC (DDoS “4” Bitcoin) extortion group, which launched a total of 141 attacks between September 2014 and August 2015, and CloudFlare suggests that the two were one and the same gang. The Armada Collective/DD4BC attackers claimed to be capable of launching 500Gbps DDoS attacks, but mitigation vendors never saw attacks larger than 60Gbps.

As Recorded Future revealed last December, the success that DD4BC and Armada Collective enjoyed inspired other cyber-extortion groups to adopt similar tactics. In January 2016, Operation Pleiades, an international effort from law enforcement agencies, resulted in alleged members of the DD4BC group being arrested.

While the new Armada Collective copycat has yet to prove that it can launch DDoS attacks, doing so is relatively easy. Additionally, there are other DDoS extortion groups that are capable of doing so, and they are not sending empty threats, researchers say. 

Related: DDoS Attacks Continue to Rise in Power and Sophistication

Written By

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...