Background

Group-IB played a major role in identifying members of a cybercriminal group called CybSec Group, which was engaged in extortion and distributed denial-of-service (DDoS) attacks on international companies between 2015 and 2016. One unfortunate victim of CybSec Group was the international online dating service AnastasiaDate, from which the extortionists demanded $10,000 to stop a series of prolonged DDoS attacks.

Behind the scenes

Curiously, one of the attack organizers headed a marriage agency that had collaborated with AnastasiaDate throughout the 2 years preceding the DDoS attack.

Impact

The cybercriminals were identified and convicted, and attacks from this group stopped. Dating Disaster became the first large-scale international DDoS-extortion case in Ukraine, which was solved with the support of Group-IB experts and brought to court. As a result, this case sets a precedent for the coordinated and effective cooperation of international partners, which helps achieve the common goal of bringing evildoers to justice.

Storyline

In September 2015, one of the largest international online dating services, AnastasiaDate, was hit by a powerful DDoS attack. A massive series of targeted requests took the company’s website offline. For several days the site was inaccessible to users, being down for 4 to 6 hours every day. As is to be expected in extortion attempts of this kind, the perpetrators soon got in touch with the company and issued their demands: 50 BTC (which was worth approximately $11,800 at that time) to stop the DDoS attacks.

Figure 1. Extortion email of CybSec Group. Source: BleepingComputer

The security department of Anastasiadate.com got in touch with Group-IB asking for help in identifying the members of the hacker group who conducted DDoS attacks against the company’s website.

Additionally, to address the challenge of preventing DDoS attacks, the company enlisted the support of Qrator Labs. Specializing in network security and DDoS attack protection, Qrator Labs brought their expertise to enhance the company’s defense mechanisms against such cyber threats. With this, Operation Dating Disaster truly kicked into gear.

Figure 2. Excerpt from the Qrator Labs report

Group-IB’s investigations unit analyzed the digital traces left behind in the wake of the attack and managed not only to identify the perpetrators, but also uncovered a chain of other incidents that led back to the same extortionists.

Who was behind the attack

Initially, Group-IB investigators possessed the web server logs of the attack, along with the attackers’ email addresses and Skype accounts. The attackers had also shared various payment credentials with the victims. By analyzing this set of data, our specialists were able to identify some accounts on hacking forums associated with the cybercriminals. These accounts were used to advertise DDoS attack services.

The forum messages contained more contacts used by the attackers and revealed more data about their operations. After concluding their investigation, Group-IB’s High-Tech Crime Investigation unit was able to reveal to the public that the extortion attempt on AnastasiaDate was organized by two Ukrainian citizens – Gayk G. (born 1994) and Inna Y. (born 1986), both residents of Cherkassy, Ukraine. Group-IB also discovered that the pair were part of a larger hacker group, allegedly headed by Inna Y.

Curiously, Inna Y. headed a marriage agency that collaborated with AnastasiaDate for two years immediately before the DDoS campaign was launched. The gathered materials and digital evidence of Gayk G. and Inna Y.’s involvement were provided to AnastasiaDate’s security team.

Figure 3. Forum topics advertising DDoS services of the CybSec Group

A healthy appetite

During their investigation into this extortion gang, Group-IB experts discovered that AnastasiaDate was not the only victim. Other targets of the group included online stores, payment systems, as well as websites offering betting, lottery and gaming services. In particular, the victims of the Ukrainian fraudsters included Stafford Associated, an American company leasing data center and hosting facilities, and the PayOnline online payment service. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000. However, at that time no criminal action was taken against them. Most of the victims simply paid their ransom and did not appeal to the police.

In November 2016, almost a year after the original DDoS campaign, AnastasiaDate once again was the victim of an extortion attack. The site’s administrators received a new letter that contained a ransom demand and a threat to renew the attacks on its website. Sure enough, this threat was turned into action, and AnastasiaDate’s website was once again hit by a string of DDoS attacks.

Group-IB experts were brought on board a second time, and while investigating the incident, they discovered a clear connection between this attack and the DDoS campaign of one year before. In the end, it turned out that their initial suspicions – that it was the same threat actors (Gayk G. and Inna Y.) who launched this recent attack – were true.

And justice for all

Upon completion of their investigation, data gathered by Group-IB and Qrator Labs was handed over to the Ukrainian authorities. In December 2016, the National Police of Ukraine initiated criminal proceedings based on the testimony of the victims, and four months later, in March 2017, law enforcement agencies launched a search of the hackers’ apartment and offices, seizing computers and mobile phones in the process. Two suspects were arrested.

Forensic analysis of the data stored on the confiscated devices constituted irrefutable evidence of Gayk G. and Inna Y.’s involvement in the extortion cases of 2015 and 2016, and the pair eventually pleaded guilty. A Ukrainian court issued five-year suspended sentences to both in January 2018.

We are satisfied with the successful outcome of the prosecution and the blow we have struck against cybercrime in Ukraine. The collaboration with our security partners has guaranteed the integrity of our services and helped reinforce our defenses for the future. It has been of the utmost importance to our international partners. It is another example of AnastasiaDate’s trustworthiness and diligence when it comes to member security, tackling fraud, and preventing criminal activity.
Lewis Ferro
AnastasiaDate’s US-based director

Conclusion

Operation Dating Disaster was a cogent example of the effective work that can be carried out when private sector organizations cooperate with law enforcement authorities. By not giving in to extortionists, and instead engaging cybersecurity companies and sharing information with law enforcement agencies, it is possible to bring down the operations of cybercriminal gangs.

In this notable case, Group-IB’s High-Tech Crime Investigation Unit helped to suppress the criminal activity of an organized group that had been involved in launching DDoS attacks and extortion for over two years.

Fighting against cybercrime in all its forms has been at the heart of Group-IB’s activities for more than two decades, and it will continue to be the mantra by which the company’s High-Tech Crime Investigation unit lives and works.
