The study looked at four different types of law enforcement intervention and is the first evaluation of their effectiveness against this particular type of cybercrime.
The researchers found that, while high-profile arrests and sentencing of cybercriminals led to only a small drop in the number of attacks taking place, the takedown of infrastructure and targeted messaging campaigns were strongly associated with a sharper and longer-term reduction in attack numbers.
The results of the study, co-produced by the University of Cambridge, were presented at the ACM Internet Measurement Conference in Amsterdam.
Dr Daniel Thomas, of Strathclyde’s Department of Computer and Information Sciences, a co-author of the study, said: “‘Booter service’ websites are an easy and inexpensive route into cybercrime, as they offer the means to attack other users’ systems.
“Tens of thousands of attacks are carried out through booter providers every day. Booting is not a well-regarded practice but this makes the market particularly vulnerable to disruption.”
For a small amount of money, almost anyone can become involved in cybercrime through the use of ‘booter’ service websites, where users can purchase targeted denial of service, or DoS, attacks. A DoS attack generates large amounts of traffic which overwhelms end users or web services, taking them offline.
DoS attacks have been deployed in the past as a protest tactic but, because of booter services and the relative ease of using them, they are a commonplace tactic of people on gaming sites, as a form of retaliation against other users. The largest booter provider carries out between 30,000 and 50,000 such attacks every day.
While DoS attacks are usually targeted at specific end users, they can often cause collateral damage, knocking out other users or systems.
The researchers used two datasets with granular data about the attacks from booter sites and modelled how the data correlated with different intervention tactics from the National Crime Agency (NCA) in the UK, the Federal Bureau of Investigation (FBI) in the US, as well as other international law enforcement interventions.
While operating a booter service or purchasing a DoS attack is illegal in most jurisdictions, earlier research found that most booter operators were unconcerned about the possibility of police action against them.
The researchers found that arrests had only a short-term effect on the volume of DoS attacks – about two weeks – after which activity went back to normal. Sentencing had no widespread effect, as attackers in one country were unaffected by sentences in another.
Taking down infrastructure – as the FBI did at the end of 2018 – had a far more noticeable effect and suppressed the booter market for months.
The study also found that, from late December 2017 to June 2018, the NCA bought targeted Google adverts aimed at young men in the UK. When a user searched for booter services, a targeted advert popped up, explaining that DoS attacks are illegal.
While the researchers say this evidence suggests that targeted online messaging has the potential to be a potent tool for preventing crime, it also poses questions about what accountability structures might be required for its wider use as a police tactic.
The research has already had direct policy impact: the FBI and NCA have used it to inform their strategies for dealing with booter services.