Europol shuts down largest cyberattack-for-hire website

Webstresser.org was allegedly behind 4 million distributed denial-of-service attacks before police in Europe arrested its administrators.

Alfred Ng Senior Reporter / CNET News


A website that police say was behind millions of cyberattacks has been closed following a series of international arrests. 

Europol said Wednesday morning that it's shut down Webstresser.org, a page that carried out distributed denial-of-service attacks for a price, sometimes as cheap as $18.26 a month. The page had more than 136,000 users and carried out 4 million attacks by April, according to Europol, the European Union Agency for Law Enforcement Cooperation. 

DDoS attacks are capable of taking out websites and servers by flooding an address with so many requests that it's forced offline. In 2016, the Dyn attack managed to temporarily shut down major websites like Twitter, Spotify and Reddit. Hackers need access to a massive number of devices to carry out these attacks -- usually hijacked internet of things (IoT) gadgets -- but websites like Webstresser.org could offer that service to anyone willing to pay.

That meant criminals didn't need the technical expertise to carry out massive cyberattacks on websites, opening the door to millions of new victims.

"Stresser websites make powerful weapons in the hands of cybercriminals," Jaap van Oss, the Dutch chairman of the Joint Cybercrime Action Taskforce, said in a statement.

On-demand DDoS attacks are available online, some from niche groups like a Grand Theft Auto mods community. Europol said Webstresser was the world's largest provider. 



Webstresser had attacked banks, police, government and gaming websites before investigators shut the page down, Europol said. One requested attack used Webstresser to hit seven of the UK's largest banks last November, shutting down entire systems and causing hundreds of thousands of dollars in damages, according to The Guardian.

Americans made up the majority of targets and customers, according to Forbes.

Police involved with what they called Operation Power Off arrested the site's four alleged administrators in the UK, Croatia, Canada and Serbia. Officers also arrested top customers in the Netherlands, Italy, Spain, Australia and Hong Kong. The website's infrastructure, based in the Netherlands, the US and Germany, was also seized.

The organization had a dedicated Facebook page, where it posted memes and asked for "quality influencers" to help market its service on YouTube. The page also bragged about taking down servers for popular games like Fortnite and PlayerUnknown's Battlegrounds.

On YouTube, several guides were available showing anyone how they could launch a DDoS attack for cheap. 

The investigation was coordinated by the Dutch police and the UK National Crime Agency, which also helped take down the two largest Dark Web markets last July. 
