DDoS Extortions against thousands of firms by alleged Phantom Squad

  • Fabian Sinner
  • September 25, 2017


    Since September 19, 2017, thousands of companies in many countries around the world have received extortion emails sent in the name of the Phantom Squad. Reports have so far come from Germany, Great Britain, Italy, the USA, and Japan.

    The contacted firms are told to pay 0.2 Bitcoin to buy their way out of DDoS attacks; the payment deadline is September 30. The extortionists, who are probably bluffing, are most likely not the original Phantom Squad.

    Attacks on global gaming platforms put them on the map

    Until now, Phantom Squad was known only for attacking gaming networks. In early November 2016, the group claimed responsibility on Twitter for attacks on the Steam platform. Shortly thereafter, it announced Christmas attacks on the PlayStation Network and Xbox Live. As early as January 2016, the group – apparently in collaboration with Lizard Squad – paralyzed the PlayStation Network for a day.

    DDoS Extortion likely by copycats

    It is unlikely that the self-proclaimed cyber-security group has re-oriented itself towards DDoS extortion. In the opinion of the LSOC, it is more credible that the one or more perpetrators now active have nothing to do with the original attacks and are merely borrowing the Phantom Squad name to spread fear. Extortionists frequently use the names of internationally known DDoS attackers such as Armada Collective, Lizard Squad, or New World Hackers to make their demands more credible. In these cases the names are interchangeable; the emails demanding protection money, however, are almost always identical.

    Extortion messages with standard formulations

    The text currently being distributed bears very strong similarities to the extortion messages sent by the alleged Armada Collective in spring 2016. Only the payment deadline and the Bitcoin address vary. As early as May 2016, an alleged Phantom Squad tried to obtain Bitcoins with such emails. The protection money demanded then, 0.2 Bitcoin, is the same amount as in the current message.

    Hello,

    FORWARD THIS MAIL TO WHOEVER IS IMORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

    We are Phantom Squad

    Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 0,2 Bitcoins @ [Bitcoin Address].

    If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

    This is not a joke.

    It is unclear why the perpetrators in the current wave of extortion dropped the second part of the message, which was meant to heighten fear with the threat of 1 Tbps attacks.

    Our attacks are extremely powerful – sometimes over 1 Tbps per second. And we pass CloudFlare and others remote protections! So, no cheap protection will help.

    Prevent it all with just 0.2 BTC @ [Bitcoin Address].

    Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

    Bitcoin is anonymous, nobody will ever know you cooperated.
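    Because the wording stays the same across campaigns and only the group name, deadline, Bitcoin address and amounts change, an incoming message can be scored against the demand text quoted above on the mail gateway or in a SOC triage step. The following Python is added here as an example and is not code from the original post or from the LSOC; the list of borrowed group names, the date and Bitcoin-address patterns and the 0.8 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Demand text quoted in the post, used as the reference template.
KNOWN_TEMPLATE = """FORWARD THIS MAIL TO WHOEVER IS IMORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Phantom Squad
Your network will be DDoS-ed starting [date] if you don't pay protection fee - 0,2 Bitcoins @ [Bitcoin Address].
If you don't pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.
This is not a joke."""

# Group names the post says extortionists swap in interchangeably (assumed list).
GROUP_NAMES = ["Phantom Squad", "Armada Collective", "Lizard Squad", "New World Hackers",
               "Meridian Collective", "Team Xball", "Collective Amadeus"]
MONTHS = "January|February|March|April|May|June|July|August|September|October|November|December"
DATE_RE = re.compile(rf"\[date\]|\b(?:{MONTHS})\s+\d{{1,2}}(?:,?\s*\d{{4}})?", re.I)
# Placeholder as quoted in the post, or a base58 P2PKH/P2SH-looking string (assumed pattern).
ADDR_RE = re.compile(r"\[Bitcoin Address\]|\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
AMOUNT_RE = re.compile(r"(\d+(?:[.,]\d+)?)\s*(?:bitcoins?|btc)\b", re.I)
GROUP_RE = re.compile("|".join(re.escape(n) for n in GROUP_NAMES), re.I)


def normalize(text):
    """Collapse whitespace and mask the fields that vary between campaigns."""
    t = " ".join(text.replace("\u2019", "'").replace("\u2013", "-").split())
    t = GROUP_RE.sub("<GROUP>", t)
    t = ADDR_RE.sub("<ADDR>", t)        # mask addresses before numbers eat their digits
    t = DATE_RE.sub("<DATE>", t)
    t = re.sub(r"\b\d+(?:[.,]\d+)?\b", "<NUM>", t)
    return t.lower()


def similarity(text, template=KNOWN_TEMPLATE):
    """Token-level similarity (0..1) between a message and the known template."""
    a, b = normalize(template).split(), normalize(text).split()
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def triage(text, threshold=0.8):
    """Verdict plus the fields an analyst records: claimed group, demand, deadline, address."""
    group, amount = GROUP_RE.search(text), AMOUNT_RE.search(text)
    deadline, addr = DATE_RE.search(text), ADDR_RE.search(text)
    score = similarity(text)
    return {
        "matches_known_template": score >= threshold,
        "similarity": round(score, 3),
        "claimed_group": group.group(0) if group else None,
        "demand_btc": float(amount.group(1).replace(",", ".")) if amount else None,
        "deadline": deadline.group(0) if deadline else None,
        "bitcoin_address": addr.group(0) if addr else None,
    }
```

    A high score with a different group name is exactly the copycat pattern the post describes; the extracted address and deadline are what a ticket or blocklist entry needs, not a reason to pay.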

    Probability of DDoS attacks by Phantom Squad rather low

    The LSOC currently has no indication that the alleged Phantom Squad has ever carried out attacks in connection with its protection-money demands. It is highly probable that the perpetrators will never be heard from again after September 30. The same happened with the DDoS extortion by the Meridian Collective, Team Xball, and Collective Amadeus, who attempted to intimidate German companies in June 2017.
