Planning on entering the Bitcoin space? You might want to learn some DDoS mitigation techniques before diving in…

DDoS attacks against Bitcoin-related websites have resulted in numerous Bitcoin ransoms in recent weeks. At least four bitcoin exchanges and four Bitcoin news websites have came under rudimentary attacks in November. The exchanges and news websites have confirmed DDoS attacks and accompanying extortion letters. While Armada Collective claims to be behind some attacks, other attacks seem to stem from different sources.

On November 16, UK Bitcoin exchange BitBargain was attacked by Armada Collective:

The company confirmed on Twitter it would not pay the ransom.

Denial of service attack with ransom request – It will not be paid. — BitBargain (@BitBargain) November 16, 2015

Also on November 24, the Kraken Bitcoin Exchange – probably the largest compromised Bitcoin website by the November attacks – experienced a DDoS attack, as the company confirmed on Twitter:

The site is under DDoS at the moment. Extortion letter received. Obviously, not paying. Please bear with us. — Kraken Exchange (@krakenfx) November 24, 2015

Earlier this month – as Bitcoin reached $500 before consolidating and falling in price – Kraken suffered a DDoS attack for many hours. Traders on the website were not able to exit their Bitcoin positions at the top of the trading range.

Kraken, named after a legendary sea monster of giant size that is said to dwell off the coasts of Norway and Greenland, was founded in 2011 and is based in San Francisco. The company is the largest Bitcoin exchange in euro volume and is the Tokyo government’s court-appointed trustee.

The company said on Twitter that it would refuse to pay the extortion. They cite the same reason as other affected companies: that paying the extortions could lead to more extortion in the future. Despite being down for some time, the exchange still traded 3,748.23 bitcoins on November 24.

DDoS attacks are pretty common and it’s not economically feasible for most businesses to protect against the threat completely,” Kraken CEO Jesse Powell told CCN.com in an email. “You can certainly do things to reduce the attack surface and filter bad traffic but, in the end, it’s about how much of the overflow you can absorb.” Powell doesn’t agree with the widely held belief that if a site cannot endure a DDoS attack without suffering a performance loss, they’re doing something wrong.

“There is a cost to running a DDoS attack though, and if the attacker feels like you’re either well-protected or incapable of paying, they may let up soon after an exploratory bite,” he said. Powell further stated that Bitcoin companies, at this juncture, are not the best targets for such attacks DDoS, despite that it is these companies which have the bitcoins to pay such a ransom to an unknown source.

“Most Bitcoin companies aren’t profitable and we’re therefore not great targets,” Powell added. According to Powell, the most recent attack on Kraken turned out to be merely a quick demonstration.

“The attackers actually reported the weakness to our bug bounty program, and they were rewarded accordingly,” Powell said. “I do wish that they’d have made the report prior to the demonstration, but, they were actually helpful.”

He adds: “I can’t recommend running a bug bounty program highly enough.”

Bitcoin Co. Ltd., a Thai Bitcoin exchange that processed 406.585 bitcoins ($129,294.03) in the 24 hrs prior to the writing of this article, sustained a DDoS attack on November 17.

https://t.co/3eKbKWxum7 is currently inaccessible due to DDOS attack. All data and funds are safe, but we hare redirected traffic temporily — Bitcoin Co. Ltd. (@BitcoinThai) November 17, 2015

“We have received several DDOS-ransom letters to https://bx.in.th,” Bitcoin Co. Ltd Managing Director David Barnes told CCN.com. “[The] last was supposedly from Armada Collective requesting 10BTC.” Bitcoin Co. Ltd chose not to respond to these emails and instead focused on creating firewall filters and blocking attacks.

“The last DDoS did catch us by surprise and our site was unavailable for about one hour while we adjusted our filters,” Barnes said. “We would never consider paying the ransom, as this would only result in more attacks.”

As divulged by other websites, the attacks on Bitcoin Co. LTD appeared unsophisticated, “coming from less than a few hundred sources and traffic patterns are easy to analyse and filter by IP,” according to Barnes. This is further evidenced by the short amount of time the sites went offline.

“Attackers seem to lose interest quite quickly when you block them and don’t respond to their messages,” Barnes explained. “Our last attackers disappeared within 24 hours of the original ransom request.” Since the attacks, Bitcoin Co. LTD says it has improved the protections on their site in order to prevent another DDoS attack.

“I would expect to see more of this kind of thing, especially by script kiddies and copycats, so all exchange sites should be geared up to expect and handle small scale DOS/DDOS attacks,” the Managing Director said. He provided me with the text of the last email copy he received:

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION! We are Armada Collective. If you haven heard for us, use Google. Recently, we have launched some of the largest DDoS attacks in history Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time) Our attacks are extremely powerful – sometimes over 1 Tbps per second. And our bots can even bypass CloudFlare’s (and similar cheap protections) javascript visitors check. So, no cheap protection will help. So, your site will be DDoS-ed until you pay 10 Bitcoins @ 1BNiaNQurys86z9gVg2Ke9HNAX7jmQYduD Usually we ask for more, but since you are a small company we are offering you a discount. Right now we will start small attack just on bx.in.th to try to minimize eventual damage, which we want to avoid at this moment, because if we start full scale attack, Amazon will kick you out. If you don’t pay within 2 hours, massive attack will start on all your sites and price will increase to 20 BTC and will keep going up 2 BTC for every hour of attack! If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. This is not a joke. Prevent it all with just 10 BTC @ 1BNiaNQurys86z9gVg2Ke9HNAX7jmQYduD Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US! And nobody will ever know you cooperated.

The same day, The Rock Trading LTD., a Malta-based Bitcoin exchange since 2011, suffered a DDoS attack. On November 24, the site traded 760 bitcoins ($241,680).

We are currently under DDOS. Working on it. — The Rock Trading (@TheRockTrading) November 17, 2015

Another, smaller Bitcoin exchange, Cryptsy, also endured a DDoS attack on November 24.

Website offline due to denial of service attack. We are working to mitigate. — BigVern (@cryptsy) November 25, 2015

Bitcoin News Websites DDoS’d

Basically, every Bitcoin news website in the space came under DDoS in the final few of weeks in November. There is currently no evidence that the attacks stem from the same sources.

CCN.com, and its sister website Hacked.com targeted in DDoS attacks. One of the extortionists going by the name ‘Jon’, sent the website an email demanding 2 bitcoins and threatened to inform the website’s advertisers about the downtime.

‘Jon’ wrote in the e-mail:

Pay us 2 Bitcoins now to: 18RJA5BpFe4CGDFQG59jLNhPqYCRaEFng1

adding:

[Pay us now] or we will keep attacking your website, we have only used 20% of the machines we have enslaved by our Trojan.

The email came from an email account under the name ‘Peter Evans.’ CCN.com offered five bitcoins to anyone who could help identify the extortionists and lead to a “successful police report.” Jonas Borchgrevink, the site administrator, says the site is still undergoing DDoS attacks.

“We have managed to block the IPs involved and introduced new DDoS-prevention rules,” he told me via email. “My personal belief is that it’s an amateur or an amateur group that wants to make a quick buck.”

Another Bitcoin news website, BitcoinFuturesGuide.com, posted a message it received by someone claiming to be the “Internet Police.”

“We received complaints about content that is hosted on your website. We kindly ask to remove this personal content or we have to proceed with our investigation of case no 245863.”

The threat came from an email address featuring IC3gov.com, mimicking the website IC3.gov, the FBI’s Internet Crime Complaint Center.

BitcoinFuturesGuide.com also called the attack unsophisticated, providing an image demonstrating a traffic spike to 4 million visits on November 24:

Reports about other Bitcoin news websites – namely, CoinTelegraph, CoinDesk and NewsBTC – also surfaced, meaning essentially all Bitcoin news websites were hit if reports are true.

For Kraken CEO Jesse Powell, the sort of attacks suffered by the Bitcoin websites are not the kind an online business loses sleep over.

“The attacks you worry about the most are those in which you don’t receive the extortion letter,” Powell explained. “These might be disgruntled clients, caught fraudsters, competitors or market manipulators – they would obviously have a motive other than extortion.”

Bitcoin, DDoS & Extortion

Extortion is not foreign to the Bitcoin community. Recent examples include a kidnapping of a Hong Kong billionaire by a Taiwanese criminal gang which demanded HK$70 million (approx. 30,000 BTC at the time). Further, Ryan Piercy, kidnapped in Costa Rica on January 20, 2015, was held for five weeks. He was chained by the neck to a tree for most of his captivity before being released after partial payments were made. His kidnappers had demanded tens of thousands of dollars in Bitcoin.

ProtonMail, provider of an encrypted email service, paid 15 Bitcoins in November to stop a series of DDoS attacks.

Instances of attacks on networks and systems in the public and private sector appear to be increasing, at least in Australia, according to Australian Cyber Security Centre.

For instance, a group that goes by DD4BC, which apparently stands for “Distributed Denial of service for Bitcoin”, forged a DDoS campaign against global financial institutions. The organization tried to extort Australian financial service providers.

“Australia is experiencing increasingly sophisticated attacks on networks and systems in the public and private sectors, including the finance sector — if you are connected to the internet, you are vulnerable,” according to the Australian Cyber Security Centre coordinator Clive Lines said.

However, as Motherboard reported in 2013, the so-called “Year of Bitcoin,” the cryptocurrency is not as anonymous as some think, meaning law enforcement, and/or vigilant Bitcoiners, could perceivably uncover the identities of Bitcoin extortionists.

Featured image from Shutterstock.