We are the Dutch National Police and the Public Prosecution Service. Together with International Law Enforcement Agencies we just powered off Webstresser.org. Ask Us Anything.

What kind of prosecution are the users of this service going to face?

DDOS websites like this are notorious for being used by "script kiddies" - generally young people with little idea of what they are doing, technically and morally.

Have you any ideas on how to prevent this kind of behaviour? Is it a matter of education?

What kind of prosecution are the users of this service going to face?

The charges they face depend on many things like the laws of the country they live in, their age, the number of attacks they have committed and other circumstances.

DDOS websites like this are notorious for being used by "script kiddies" - generally young people with little idea of what they are doing, technically and morally. Have you any ideas on how to prevent this kind of behaviour? Is it a matter of education?

Together with cyber security companies and partners within the legal system, the Dutch Police and The Public Prosecutors Office currently work on a new legal intervention, called "Hack_Right", for young first cyber offenders, exactly for the reasons you mention. Prevention of re-offending by offering a combination of restorative justice, training, coaching and positive alternatives is the main aim of this project. See page 24 of the 5^th European Cyber Security Perspectives and stay tuned on our THTC twitter account #HackRight!

AND we are working on a media campaign to prevent youngsters from starting to commit cyber crimes in the first place. Expect a launch soon.

~SA1

The prosecution will quite probably be aimed at large scale users. In order to take down a website of significance you'd need a lot more money then what most script kids have.

There are multiple programs for young people in their first offense, usually leading to them having to do volunteer work.

The prosecution will quite probably be aimed at large scale users. In order to take down a website of significance you'd need a lot more money then what most script kids have.

Every law enforcement agency is dealing with customers of Webstresser in their own way. At the start of this AMA, 10 arrests had already been made and the operation is of course still ongoing with many actions in the past hours (house searches, seizure of systems, and interrogations of suspects).

There are multiple programs for young people in their first offense, usually leading to them having to do volunteer work.

Together with cyber security companies and partners within the legal system, the Dutch Police and The Public Prosecuters Office currently work on a new legal intervention called "Hack_Right" for young first cyber offenders. Prevention of re-offending by offering a combination of restorative justice, training, coaching and positive alternatives is the main aim of this project. See page 24 of the 5^th European Cyber Security Perspectives and stay tuned on our THTC twitter account #HackRight!

AND we are working on a media campaign to prevent youngsters from starting to commit cyber crimes in the first place. Expect a launch soon.

~ DA1

Websites that sell stressers often operate under the guise of legitimacy, and there are genuine use cases for buying stressers online. How do you decide when a website is involved in malicious activity?

The same is true for piracy for instance (The Pirate Bay CAN be used for legitimate torrents but in reality it isn't). However, in the Netherlands this has been a legal debate for years now where a judge has the final call. Do you see similarities between cases?

Websites that sell stressers often operate under the guise of legitimacy, and there are genuine use cases for buying stressers online. How do you decide when a website is involved in malicious activity?

Stresser/booters are considered to be illegal in The Netherlands, depending on the targets and methods of attacks, under articles 138b, 350a, 350d, 161sexies of the Criminal Code. The police does not consider them a regular pentesting service since there is generally a combination of the following factors :

• there is no check up on the customers and the IP addresses and/or URL’s of targeted websites
• some attack methods are illegal by nature (e.g. use of botnets)
• administrators were active anonymously
• payments could be done anonymously
• potential targets had to pay to be put on a ‘blacklist’, which meant they could not get attacked
• administrators advised customers on which targets to hit or not hit to stay out of sight of law enforcement.

That being said, a judge will always take all circumstances into consideration when coming to a verdict.

The same is true for piracy for instance (The Pirate Bay CAN be used for legitimate torrents but in reality it isn't). However, in the Netherlands this has been a legal debate for years now where a judge has the final call. Do you see similarities between cases?

The legal grounds as well as the phenomena differ substantially, so a more or less direct analogy would not be applicable in our opinion.

~ DA1

I get a lot of adds telling me to join the police. Your (high tech) vacancies only ask for an ICT background.

Don't you have a need for embedded specialists or anything related to hardware? Does the police outsource these jobs?

Always interested in your profile. You can DM us on our THTC twitter account. ~ SA1

Could you comment on how young these cyber criminals are? Is there some pattern in their bio; a common trait? Were they oblivious to the fact, that they were indeed comitting crime? What charges do they face?

Since there were a lot of users and most users registered anonymously, we cannot give a full overview of the demographics of the Webstresser customers. However, we did find numerous attacks on gaming servers. In general we find that a lot of cybercrimes are committed by young (ages ranging from 12 to 23) people. Not all of them are aware of the fact that they have committed a crime and/or the consequences. Others are more calculative offenders. The charges they face depend on many things like the laws in the country they live in, their age, the number of attacks they committed and other circumstances. ~ SA1

When I google for 'stresser' now, Webstresser comes out at the top but there are plenty of competing sites offering the same services. Do you feel you are making progress in the fight against DDoS-for-hire sites or does it feel like a game of whack-a-mole?

Also, what do you feel is the biggest obstacle to taking on stressers effectively?

Operation Power Off is an ongoing international effort against Webstresser. Internationally there are more investigations running against stresser/booters at the moment. We expect more actions like the ones in Operation Power Off in the future. Together with academic, publie and private (international) partners The Dutch Police started the NoMoreDDoS Initiative. NoMoreDDos focuses on the prevention, disruption and attribution of DDoS-attacks. It aims to assemble information from her partners in order to combat DDoS-attacks more effectively. ~DA2

How hard is it to join Dutch national police as a dutch person? Asking as a IT Student that likes to orientate myself in possible jobs.

Speaking as someone who was not so long ago a dutch IT student himself, check our website (https://www.kombijdepolitie.nl/) regularly for jobs that might fit your profile and don't hesitate to reply. You can always DM us on our THTC twitter account for jobs specific for our department. We will be recruiting around ~100 people for National Cyber Crime Teams this year alone, tell your friends!

In the past couple of months a lot of Team Fortress 2 streamers from all over the world on Twitch have been personally DDoSed (personal home connection), the Valve provided game servers they've been playing on, match servers have been targeted as well as the Copenhagen Games attack at the end of March was done by the same person.

We know certain details of this person claiming of doing these attacks, how would we (as a community and/or individuals) best go about pressing charges against someone using services like webstresser and other DDoS providers? Or do we sit back and wait for the Dutch Politie to follow up on the data of users that was found with this takedown?

Everyone who experiences (substantial) undergoing attacks is advised to log all data and inform your local Law Agency as soon as possible. Any relevant information about the attacks is appreciated. A more pro-active stance by victims of cyber-crime is highly recommended and sought after by Law Agencies across the world, and is something we strive to educate the public about. ~DA2

How you feeling finishing up that job?

It is always a great feeling when a lot of hard work, especially in an international cooperation, comes together in such a great effort to make the web safer and a better place for all. ~DA2

I’m so fucked??

¯\_(ツ)_/¯

Edit: thanks for the heads-up Natanael!

~ DA1

First of all, good job on taking this 'service' down that caused alot of damage to a lot of companies. I've a few questions regarding the proces of engaging a target with the intention to take it down.

• When the NCA contacts The Netherlands in 2017 what kind of processes are being started? Are there any fases to go through which leads to shutting Webstresser.org down?

• About Team High Tech Crime, what kind of people are you looking for?

• Will there ever be another Cybercrime Challenge? I've enjoyed the last challenge with the hospital records and memdump proces.

When the NCA contacts The Netherlands in 2017 what kind of processes are being started? Are there any fases to go through which leads to shutting Webstresser.org down?

After receiving such information, the first actions are aimed at assessing and enriching the information that was received. Afterwards, when there is a suspicion of a criminal offence, an investigation can be started where investigative powers are used under the guidance of the Public Prosecutor with the goal of truth-finding. During this investigation, we of course kept close contact with our international partners.

About Team High Tech Crime, what kind of people are you looking for?

Our team consists not only of technical people or people with a police background, and level of skill is most important. We have people who come from a police background, technical specialists, linguists, criminologists etc. Feel free to have a look at our website or this part of the website for open job postings!

Will there ever be another Cybercrime Challenge? I've enjoyed the last challenge with the hospital records and memdump proces.

At some point in time there will be another Cybercrime Challenge, but we do not yet have an exact planning for this.

~ DA1

The Dutch press release states that the infrastructure was located in The Netherlands for a while and that because of that the police was able to gather information about users and targets of the service. Can you elaborate on that? Did the THTC infiltrate and control the servers, like it did with the Hansa Market?

4 snapshots (=copy of server in NL) were made in the course of the investigation. We could have used more means but since those are operative methods I can't disclose them. ~DA2

Is there any proof of who you are? While its not the brightest idea to impersonate the police, one can never be too sure about these things

Ps: linking a twitter account isnt proof, i could link you trumps twitter account but that dont make me the president

Edit: proof provided

You are right, just posting a Twitter account cannot count as proof. We have just tweeted about our AMA, so there you go! ~ DA1

Did the recent attack on the Dutch tax authority and a number of banks (i.e. Bunq) lead you to this website?

As stated above, we were tipped off by the NCA that part of the Webstresser infrastructure was hosted in the Netherlands. This happened before the recent attacks on Dutch web-infrastructures, so Webstresser.org was already under investigation.

We cannot go into detail about specific attacks because they might be under investigation.

~ DA2

Congratulations on your success! Can you explain why the Dutch police is in charge of this obviously very internationally oriented problem?

Also what is your main purpose of this AMA? Do you merely want to inform an international audience or are there different objectives (prevention, awareness, promoting how badass the police is).

The Dutch police can start a case when either Dutch victims or offenders are involved, or when the (ab)used infrastructure is located in the Netherlands. In this case both the infrastructure, victims and offenders were present in The Netherlands. We saw reasonable opportunity for apprehension and prosecution of the actors and disruption of the services. Furthermore, to combat cybercrime effectively, we do not only aim for prosecuting offenders but also look for opportunities to prevent or disrupt criminal activities, mitigate the damage they cause and notify unaware victims. The aim of this AMA is mainly to inform everyone interested in this operation, the judicial reaction on DDoS-attacks and the Police in general about our activities to combat cybercrime. If we can prevent anyone from committing a DDoS-attack with this AMA, we would be more than happy :) ~SA1

Hallo! In another reply you mentioned that most individuals connected to the webstressor site appear to be quite young (12-23 years of age). I find this especially interesting, since youth crime in the Netherlands has been on a sharp decline in the last few years. I'd like to ask you: could it be that this decline in teenager/young adult crime is (partly) caused by those age groups moving from traditional crime onto cybercrime?

Mornikos

The age group of 12-23 is related to cybercriminals in general, not to the individuals connected to webstresser specifically. However, it might not be very different. And it would not surprise us if there is a shift from traditional crime to cyber crime going on indeed. 

SA1

In cases that move forward to prosecution, how do the accused react? Do they see their actions as morally wrong?

Of course reactions to prosecutions depend on the accused. These reactions might depend on their motives and the damage done. Some might start DDoS-ing for fun, and later realise the amount of damage and change their minds. ~ SA1

Do you ever consider that by shutting down darknet markets which allow drugs to be sold, you might be pushing people to buy drugs from less accountable street dealers instead?

Of course we do not have a full impression of the effects of the operation on Hansa market, but TNO -- an independent Dutch research body -- has published a report in which they conclude that the Operation Bayonet (which included the Hansa takedown) seems to have been more effective (less of a waterbed effect) than previous interventions.

When it comes to the accountability of the dealers or the market, we would dispute the fact that online markets offer a "safe heaven" of kinds per se: several people have died from the drug Fentanyl and it was not until we were the admins of Hansa that this drug was banned from the market. We do not know how the previous market operators would have handled that. Finally, although the issue is obviously more complex than can be treated in this comment, we do not advise in favour of buying drugs in any market (whether online or offline) and see the online drugs market as lowering the barrier to entry for the consumption of illegal drugs.

~ DA1

Are you going to bring everyone a visit who has an account there?

As far as visits go I can state that in our action plan the following is mentioned:

• 25 April 2018: actions (house searches/arrests/talks) against users in NL by ALL police regions.

Further investigation can always lead to more visits than only the ones carried out today. ~DA2

What do Dutch police stereotypically eat, like donuts here in the US? Oliebollen would be the closest analogy, but only during Christmas?

Kroketten, hagelslag, melk, stroopwafels, coffee, frikandellen speciaal, patatjes oorlog, pindakaas or normal kaas. Basically all the stereotypical things. Oliebollen are traditionally mostly eaten during NYE. ~DA2

They eat raw haring every day.

Don't forget the raw unions and pickles!

What's the coolest thing about the job?

If I don't say my colleagues right now, I'll probably get hacked. ~DA2

have y’all been watching webstresser?

was it the amount of bandwidth?

ive never personally used it before but i’m wondering.

The National Crime Agency (NCA, UK) provided the police in The Netherlands with information in October 2017 stating that part of the infrastructure of Webstresser was in The Netherlands, which gave rise to this investigation.

It was not just about the bandwidth alone, on which we cannot comment at the moment. In terms of number of attacks, webstressers.org was one of the biggest providers of this service. Webstressers are considered to be illegal in The Netherlands, depending on the targets and methods of attacks, under articles 138b, 350a, 350d, 161 sections of the Criminal Code. They were not a regular pentesting service since there was:

• no check up on the customers and the IPaddresses and/or URL’s of targeted websites
• some attack methods are illegal by nature
• administrators were active anonymously
• payments could be done anonymously
• potential targets had to pay to be put on a ‘blacklist’, which meant they could not get attacked
• administrators advised customers on which targets to hit or not hit to stay out of sight of law enforcement.

~ DA1

How did you end up as an data analyst at the police? What is your background?

I've got a bachelor in IT from a well known Dutch University and a masters in Data Technology from a well known International University. Furthermore it is about personal motivation and a feeling I wanted to contribute to the well-being of the Dutch people and utilising my expertise for 'doing good' ~ DA2

Edit:

To add to this: formally my background is in Criminology, in which I hold a master's degree, but besides that I was already quite involved in IT, mathematics and data analytics before I started working for the police. Obviously, development of my skills has not stopped since. ~DA1

Hi! Thanks for this operation. We are a hostingcompany and these booters are a real pain in the *ss for us.

Do you have a list of victims (ips) ? If so is it possible to check if our network was impacted by this service and so we can do an "aangifte"?

THTC does not have an public intake/service function. Would you be be so kind to contact your local/regional Law Enforcement and tell them you want to know whether or not you have been a victim of this webservice (mention the operation/name). With some further explanation about your situation the question will be escalated to us. From this point we will notify the local/regional police as soon as we can provide you with the relevant information. ~DA2

Why does the "sleepwet" help catch terrorists if they can use encrypted/anonymous communication channels like Telegram, Signal and TOR?

I cannot comment on this because it is not concerned with the National Police, the 'sleepwet' is a means that can only be used by the Dutch Intelligence Services (AIVD/MIVD). ~DA2

How do you feel about your operation trying to scare online drug users? Do you think it's working? Has it shown a reduction in fatalities or hospitalizations from drugs?

I know how the other side views it, I'm curious as to your view on the outcome and if you have statistics to verify. Surely Hansa has been down long enough for there to be stats

Since we are mostly an export country I do not have any relevant numbers on the impact the 'take-down' of Hansa Market has had on the Dutch Community. But I'm sure we have had a big positive impact on numbers outside of NL. ~DA2

Edit: It is also important to mention that as Hansa Market is part of an ongoing investigation, we cannot comment extensively on this operation apart from what has been said on earlier moments. TNO, an independent Dutch research body, has published a report in which they conclude that the Operation Bayonet (which included the Hansa takedown) seems to have been more effective (less of a waterbed effect) than previous interventions.

~DA1

How was the Croatia involved?

A certain number of people were apprehended in Croatia in relation to this investigation. Since the Croatian Law Enforcement has an independent investigation on this matter we cannot comment any further. ~ DA2

How long did it take from the moment you started the operation to success?

The National Crime Agency (NCA, UK) provided the police in The Netherlands with information in October 2017 stating that part of the infrastructure of Webstresser was in The Netherlands. From that moment on Webstresser was on our radar, and today it went offline.

~ DA1

Any of you worked on the operation where the dark net market hansa was taken over? Why were the buyers threathened? Even for user quantities? Do you believe the operation improved the general health or worsened it?

As Hansa Market is part of an ongoing investigation, we cannot comment extensively on this operation apart from what has been said on earlier moments. Neither can we comment on which specific colleagues work(ed) on that case. TNO, an independent Dutch research body, has published a report in which they conclude that the Operation Bayonet (which included the Hansa takedown) seems to have been more effective (less of a waterbed effect) than previous interventions.

Edit: included a link to the report.

~DA1

Would it be possible for a belgian citizen to work for the dutch police?

I'm afraid only people with a Dutch Nationality can work for the Dutch Police. But I'm sure there are a lot of excellent jobs within the Belgian Forces as well. Good luck! ~DA2

How many manhours were/are spend in an international investigation like this?

I can only speak on behalf of the Dutch Police; from October 2017 until now there has been an investigative unit on Operation Power Off. These units are composed of around 20-30 people who, next to other cases, took part in this case. ~DA2

Hey there!

I am the community manager for a website (based in the US) where we have had our userbase impacted by other users/trolls who would use these services to commit ddos attacks as a way of harassing members. What is the best way of working together (or providing information) with your team to help your cause in taking down more of these sites?

I'd love nothing more than to help take a more proactive stance against these sites and people who use them to harass others.

Small copy paste of a comment I made above:

Everyone who experiences (substantial) undergoing attacks is advised to log all data and inform your local Law Agency as soon as possible. Any relevant information about the attacks is appreciated. A more pro-active stance by victims of cyber-crime is highly recommended and sought after by Law Agencies across the world, and is something we strive to educate the public about. ~DA2

So in your case I would highly recommend contacting your relevant (local) Law Enforcement Agency. Good Luck!

~DA2

Since this booter most likely is using a botnet of compromised machines, are you talking steps to "clean" the infected machines or notify their owners? Or is that not needed since you've taken down their C&C?

Do you think taking down this booter will have a big impact?

Further, out of curiosity, is it allowed to use a booter like this (that allows anonymous payments and isn't legit in general) to stress-test hardware you own? Or is any and all use of it illegal?

Since this booter most likely is using a botnet of compromised machines, are you talking steps to "clean" the infected machines or notify their owners? Or is that not needed since you've taken down their C&C?

The attack infrastructure of Webstresser is still under investigation. Actually cleaning infected machines without their owner's knowledge raises legal and ethical questions.

In regard to notification: if we find that we have the information needed to be able to alert the victims of such infections, then this is certainly something which we will be discussing.

Do you think taking down this booter will have a big impact?

In the short term, taking down the largest booter site has reduced the total DDoS-capacity of the internet. More importantly, by taking down Webstresser, and the resulting media attention, we are spreading awareness that a) using such DDoS services will usually be illegal, and b) law enforcement agencies and public prosecutors throughout the world are actively investigating and prosecuting those involved.

To have an effect in the long term, we cannot stop with just Webstresser, which is why together with academic, public and private (national and international) partners, we have the NoMoreDDoS initiative, to prevent, disrupt, and attribute DDoS-attacks.

We expect more actions like the ones in Operation Power Off in the future.

Further, out of curiosity, is it allowed to use a booter like this (that allows anonymous payments and isn't legit in general) to stress-test hardware you own? Or is any and all use of it illegal?

The tricky part is that depending on the type of attack, a user of such a site may be participating in the illegal use of other people's systems to execute the 'stress test' even if the target is their own. Also, any attack from the internet will impact network infrastructure which is not their own. They may be risking collateral damage.

~ DI1

Thanks for doing this AMA! The answers so far have been really interesting! I have a few questions of my own:

I saw you created your account 5 days ago. Was this before the takedown? Why were you planning to do an AMA if I may ask? (Not that I mind though, I find it awesome that you're doing this!)

Cybercrime teams like yours have a lot of people with an IT background in them, obviously. Are some other disciplines also part of the team? For example, are there psychologists, legal people, or other disciplines involved?

I've read that you want to educate victims of DDoS attacks, which sounds like a good plan. Are there also plans to educate the public on DDoS attacks? And specifically how to make sure you're not part of a bot net yourself?

I saw you created your account 5 days ago. Was this before the takedown?

Yes, the takedown was yesterday.

Why were you planning to do an AMA if I may ask? (Not that I mind though, I find it awesome that you're doing this!)

We think it is awesome too.

Cybercrime teams like yours have a lot of people with an IT background in them, obviously. Are some other disciplines also part of the team? For example, are there psychologists, legal people, or other disciplines involved?

Yes there are a lot of different disciplines involved in an operational investigative team. For example we have financial experts, data analysts, detectives, case agents, forensic experts, legal people and so on.

I've read that you want to educate victims of DDoS attacks, which sounds like a good plan. Are there also plans to educate the public on DDoS attacks? And specifically how to make sure you're not part of a bot net yourself?

This take-down gets a lot of attention and it creates awareness by the victims and the public so there is already some kind of education going on. At this moment we are not actively educating the public on how to protect their digital devices from being part of a botnet.

~ DI2

How was the suspect traced?

The National Crime Agency (NCA, UK) provided the police in The Netherlands with information in October 2017 stating that part of the infrastructure of Webstresser was in The Netherlands. By obtaining copies of the server on which it ran the Dutch police was able to rebuild the Webstresser panel. A lot of information about targets, users and the administration of the website was found.

What in general is needed to apply for a job in your sector? Is studying a must, or do you recognize a normal training as an IT-Specialist with normal certificates like CCNA/CCNP?

Please refer to the body of our AMA post (2nd edit), all information concerned about job applications and requirements should be there. ~DA2

How do you keep from over reaching into a companies freedoms for offering a perfectly legal service that can and could be used responsibly by companies to see if they are at a threat for ddos . Sort of like ethical hacking. What did they do that was illegal enough to warrant such measuresbesides offer a service? To me this seems like government taking out it's issues on a company for what it's users decide to do with it's service. I know how ddos attacks effect millions. I'm just not sure such a heavy handed measure is necessary?

What did they do that was illegal enough to warrant such measures

Stresser/booters are considered to be illegal in The Netherlands, depending on the targets and methods of attacks, under articles 138b, 350a, 350d, 161sexies of the Criminal Code. The police does not consider them a regular pentesting service since generally:

• Unlike pentestesing companies, they do not ask their customers to provide a (written) consent from the owners of the IP addresses and/or URL’s of targeted websites to prove that they have permission to test their systems.

• Some attack methods used are illegal by nature (e.g. the use of botnets);

• The service has no legal entity;

• The service is not paying taxes;

• Potential targets can pay to be put on a ‘blacklist’, which means they cannot get attacked;

• Administrators give customers advise on which targets to hit or not hit to stay out of sight of law enforcement.

~DI2

Maybe a stupid question, but is purchasing a stresser service a crime or just using one?

What is the legal term?

Dutch criminal law outlaws acquiring or having at ones disposal any tools which are mainly designed to perform denial of service attacks, if this is with the intent to perform such attacks.

This intent would need to be proven, for which other evidence will be needed.

~DI1

Here is a tough question OP. What do you do in the event that someone's computer is being used to help do the DDoS attacks but they have no knowledge of it?

Like if some old lady left her computer on and it gets a vicious RAT or other malware by a criminal and said criminal then uses her computer to do these attacks?

What would the protocol for that be?

The old lady's computer is used in a crime (without her consent) and probably her IP address is logged somewhere. So in The Netherlands there is a possibility that law enforcement pays the old lady a visit and investigates her computer for evidence. Prosecution is unlikely because she did not commit the crime herself. And we might even give the old lady some security advice :-)

~ DI2

What would be the best way to avoid getting caught up and considered a criminal when buying substances online?

Pretty simple, only buy legal substances. ~DI2

What kind of legislative changes do you think would help you in operations like this? Are the current laws sufficient, both for having something to charge offenders with as well as for offering the means to investigate and shut down these types of things?

Currently a legislative proposal is being treated by the Senate of the Dutch parliament which would extend our investigative powers and create more grounds for prosecution when it comes to cyber crime. You can find this proposal and its status here, but it only seems to be available in Dutch.

~ DA1

[deleted]

http://lmgtfy.com/?q=How+do+VPNs+work

~ DA2

EDIT: Thanks for the gold, furthermore it was not my intention to harm any feelings. The question was so broad I felt like an accurate google search would provide all information needed