Croatian police said on Wednesday they had arrested a 19-year old man they suspect of being behind an illegal internet service for cyber attacks called Webstresser.org.
A police statement said the site allowed users to pay for so-called Distributed Denial of Service (DDoS) attacks, which would shut down or slow websites by flooding them with data.
Webstresser.org had 136,000 registered users and recorded four million cyber attacks by April this year, the statement said. The targets included online services of banks, businesses and public institutions across the globe.
Any user could buy access to online DDoS infrastructure for a price starting at 15 euros, police said.
Britain’s National Crime Agency said seven of the biggest British banks had been victims of attacks using the Webstresser service in November 2017, forcing them to reduce operations or shut down entire systems and incurring costs in the hundreds of thousands of pounds to get services back up and running.
The NCA did not name the institutions involved, but the Financial Times said they were Santander, Tesco Bank, RBS, Lloyds, HSBC, Clydesdale and Yorkshire Banking Group and Barclays.
The arrested Croat will be charged for criminal acts against computer systems. If found guilty, he could be jailed for up to eight years.
The Croatian police said they had cooperated with forces from The Netherlands, Great Britain, Canada, Spain, Italy, Serbia and Hong Kong in an international action where many helpers and users of the DDoS service were also arrested.
Andrei Barysevich, a researcher and dark web expert at security firm Recorded Future, said so-called stressors often portray themselves as legitimate services to assist security engineers to test the resilience of corporate networks against extreme traffic loads while explicitly barring any illegal use.
“In reality, such policies are just a facade, designed to create the appearance of legitimacy,” Barysevich said.
Alongside other similar services, Webstresser has been openly operating in the dark net since 2015 and was a commonly recommended solution for turn-key DDoS attacks.
Barysevich cautioned that since there are more than 50 underground DDoS vendors offering such services: “I am afraid the problem is not likely to be solved any time soon.”