Ukrainian authorities have sentenced two individuals —a man and a woman— to five years suspended sentences for allegedly launching DDoS attacks and running a DDoS extortion scheme.

The two are Inna Yatsenko, 32, and Gayk Grishkyan, 24, both residents of Cherkassy, Ukraine. The two were part of a larger hacker group, allegedly headed by Yatsenko, who was also the administrator of a local marriage agency.

According to a report published today, the two started their crime spree in 2015. Their first target was AnastasiaDate, an online dating website that connects men from North America to women from Eastern Europe. Yatsenko's agency had previously collaborated with AnastasiaDate for two years before they ended their collaboration.

AnastasiaDate ferociously attacked for two years

In September 2015, after this relationship ended, AnastasiaDate suffered a series of DDoS attacks. But while many companies suffer a one-off DDoS attack once in a while, these attacks lasted days, and later continued through 2016.

"The attack caused the company's website failure," Group-IB, a Moscow-based cyber-security company, wrote today in a report shared with Bleeping Computer.

"For several days the site was inaccessible to users, being down for 4 to 6 hours every day," Group-IB said, adding that a ransom demand of $10,000 soon followed the initial attacks. Qrator Labs, a Russia-based DDoS mitigation firm, has more details about the attacks.

In [the] autumn 2015 our systems indicated a DDoS attack on one of AnastasiaDate resources, during which Qrator filtering network blacklisted approximately 2000 source IP-addresses. There were no visible spikes in packets, nor in requests. The decrease in both web application efficiency and server performance (growth of responses with latency over 1 second, which is a massive service degradation) indicates that most probably AnastasiaDate resources were aimed with application layer attack, targeting a specific stress point within application architecture.

Almost a year later, in 2016, AnastasiaDate started receiving extortion e-mails, as well as experiencing somewhat ferocious DDoS attacks of nearly 20 Gbps mitigated volumetric requests, with over 10 000 IPs blacklisted. Such attacks are generated by a botnet, with several protocols being utilized. There were peaks in TCP traffic and packet rate with rather average RPS [requests per second].

AnastasiaDate didn't pay, but contacted authorities instead, and worked with Group-IB and Qrator Labs to track down the perpetrators.

Their investigation took a few years, but they eventually identified both Yatsenko and Grishkyan, along with other members of their group.

Group moved from DDoS attacks to ransom demands

According to Group-IB, the attackers didn't stop attacks after the AnastasiaDate extortion attempt. For the rest of 2015 and throughout 2016, the group operated a similar scheme, aimed at other companies —such as US data and hosting company Stafford Associates and electronic payment system PayOnline.

In most cases, the attackers operated under the nickname of CyberSec Group and threatened companies with DDoS attacks unless they paid a fee of 50 Bitcoin. An image of the ransom note, obtained by Group-IB and shared with Bleeping Computer is below.

CyberSec ransom note

Data gathered by Group-IB and Qrator Labs was later provided to Ukrainian authorities, who arrested the two in 2017. A Ukrainian court sentenced Yatsenko and Grishkyan in January.

Not the first DDoS extortionists arrested

According to Group-IB CEO Ilya Sachkov, "this [was] the first large-scale international DDoS-extortion case in the Ukraine" that authorities dismantled.

This isn't, though, the first DDoS extortion crew dismantled by authorities. The first was DD4BC, the group who pioneered the DDoS extortion model, whose members were arrested after a Europol investigation in December 2015.

On a side note, Ukrainian authorities have been quite prodigious in recent weeks. Ukrainian police forces have disrupted a major Bitcoin phishing scheme, have arrested an employee trying to sell his former company's database online, have arrested another hacker trying to sell a mail carrier's database, and have also arrested a group responsible for infecting over 2,000 Android devices with malware.