Security Advisor

Spamhaus DDoS Attacker Arrested

Here's a tip: don't try to make up a fake diplomat title to get out of being arrested.

Police in Spain on Friday apprehended a suspect in the largest distributed denial of service (DDoS) attack in history.

The suspect, a 35-year-old Dutch man who has been identified only as "S.K.," is believed to be responsible for flooding Spamhaus, an online spam advocacy group, with a 3000 Gbps attack in March that would have brought even the mightiest Web site to its knees.

The arrest came after a 25-day coordinated investigation between different European Union law enforcement agencies in which the suspect was pinpointed 22 miles north of Barcelona in the town of Granollers.

And what's interesting is that he is believed to have perpetrated this and many previous online attacks from a mobile office located in his van. Investigators said the vehicle was "equipped with various antennas to scan frequencies" and was used to access Wi-Fi networks.

When arrested, the Dutch man told authorities that he was a "diplomat" and even gave himself the bogus title of Minister of Telecommunications and Foreign Affairs for the Republic of CyberBunker.

Doing a quick search, I learned that CyberBunker is an actual business (or, more appropriately, a front company for cyber crime) that is located in a decommissioned NATO nuclear warfare bunker in the Netherlands.

By day, the company's Web site said it provides Web hosting and datacenter services. However, it doesn't hide the fact that it routinely participates in online attacks, and has even chronicled the Spamhaus saga on its home page.

In a written message on its Web site, CyberBunker said that Spamhaus blacklisted the company due to its somewhat open hosting policy, which many believed included turning a blind eye to those using its services to host spam. Apparently, as long as it did not include child pornography or terrorism, CyberBunker had no problem hosting whatever its clients wanted.

"According to Spamhaus, CyberBunker is designated as a 'rogue' host and has long been a haven for cybercrime and spam," said the company. "Of course Spamhaus has not been able to prove any of these allegations."

And, of course, the company has kept quiet on its involvement in the DDoS attack.

Getting back to the attacker, while officials have kept his identity unknown, security blogger Brian Krebs said the man is most likely one Sven Olaf Kamphuis.

"The attack on Spamhaus was the subject of a New York Times article on Mar. 26, 2013, which quoted Mr. Kamphuis as a representative of Cyberbunker and saying, 'We are aware that this is one of the largest DDoS attacks the world had publicly seen,'" wrote Krebs in a blog post. "Kamphuis also reportedly told The Times that Cyberbunker was retaliating against Spamhaus for 'abusing their influence.'"

S.K. will now be extradited to the Netherlands in the next few days for formal charges.


About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

