ake78 (3D & photo) - Fotolia
When banks and websites in the Netherlands recently fell victim to aggressive distributed denial of service (DDoS) attacks, speculation about the culprit pointed to Russia, but then a local 18-year-old was arrested.
The DDoS attacks on Dutch banks Rabobank and ING began just days after a massive scoop revealed that Dutch intelligence agency AIVD was responsible for sending US authorities the information that prompted their “Russian investigation”. For days, customers could not log into their bank accounts or other services, and several news websites went offline in DDoS attacks that reached 100Gb/s.
The attacks began more than a week ago when ABN Amro, one of the Netherlands’ bigger banks, fell victim to the first DDoS attack. Customers could not log into their online banking accounts or use the bank’s mobile app.
After the first attacks were fended off, a new wave struck, this time also hitting other banks, such as Rabobank, and some other organisations. The Dutch Tax Authority was attacked, as well as DigiD, the country's login system for governmental services. The attacks on both the banks and institutions continued throughout the week, and later affected popular technology website Tweakers.net.
As the waves of DDoS attacks crippled the Netherlands’ financial system, many experts started speculating about who was behind them.
Fingers were quickly pointed at Russia. Although no concrete evidence emerged, many found the timing of the attacks to be a little coincidental – a matter of days after the news of the AIVD findings broke, so a retaliatory attack seemed a possibility.
ABN Amro CEO Kees van Dijkhuizen said that “attacks like these probably cost the perpetrators tens of millions of euros”, fuelling speculation that the attack had come from a nation state.
But the truth has proved rather less spectacular when police arrested an 18-year-old known as Jelle S in his home town of Oosterhout.
His name is familiar – four months ago, the teenager was caught attacking Bunq, a small Dutch bank. Rather than pressing charges, the bank confronted him and offered to let him off the hook if he did a week’s community service for Amnesty International.
“This kid is still in school and has apologised sincerely for his actions,” Bunq wrote in a statement. “Pressing charges would lead to jail time and hefty fines, effectively destroying his life.”
But in November, Bunq suffered fresh attacks, and the same teenager is a suspect in that case, as well as for the DDoS attack on the tax office. Police are also investigating whether the attacks on the banks can also be linked to him. In fact, it is alleged that he told the victims himself.
In the attack on tech site Tweakers.net, Jelle S signed into the website’s public chat channel and started chatting with the systems administrator to claim responsibility for the attack.
Tweakers published an in-depth explanation on how it tracked down the suspect. Although Jelle S had been using a virtual private network (VPN) to disguise his IP address, the same IP from the VPN was used to sign into a user account on the website. Tweakers discovered that the user account had been viewing an unusual number of articles about the attacks, and had even sent tips to the newsroom using a form on the website.
New information emerged later, when Dutch newspaper de Volkskrant published parts of an email exchange with the suspect after he had apparently launched an attack at it too.
From all these chatlogs and email exchanges, it became apparent that the hacker was seeking recognition and fame. When asked why he had done it, he said: “To see everybody freak out and blame Russia while you know you did it – that’s funny.”
When pressed on why he had targeted banks, the teenager said “they should have their security in order”.
In messages to the Tweakers systems administrator, Jelle S claimed to have bought a ready-made “stresser” DDoS package on the dark web for which he had paid €50 a week to send 50-100Gb/s of data to victims.
If he is convicted, Jelle S could face up to six years in jail, authorities say. That would be a lot more than usual in similar cases. Last week, the Dutch public prosecutor published guidelines for sentences for cyber offenders. Under the guidelines, a small DDoS attack, with limited impact, would be punishable by 60 hours’ community service, but the recent attacks are being regarded as more serious.