A Hacker Group That’s Extorted $100,000 Doesn’t Actually Exist

That's one way to make a living

Illustration: Tara Jacoby
Apr 26, 2016 at 3:26 PM ET

A “hacker” group that threatens to take private companies offline—unless they pay up—has successfully extorted more than $100,000 over the past few months. Only, the group hasn’t actually proven it can do any damage, researchers say.

In 2015, a group called Armada Collective became a powerful force. It specialized in Distributed Denial of Service (DDoS) attacks, which overwhelm networks with traffic and render them unusable. In November, for instance, the group hit secure messaging service ProtonMail, essentially shutting it down for a week. In December, the Department of Homeland Security issued a warning about the group, which seems to have gone silent soon after.

But, for the past two months, someone else has been sending out extortion letters claiming to be Armada Collective, according to CloudFlare, a company that specializes in DDoS protection. In each letter, the sender sends a link to the search results for Armada Collective—seemingly to prove that group is legitimate—and demands payment in Bitcoin in exchange for not targeting the site. The emails even specify that the “group” can bypass CloudFlare’s protections, it says.

The only problem? “[W]e’ve been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack,” researcher Matthew Prince wrote.

Prince noticed that rather than creating a new Bitcoin address for each extortion letter, the senders would repeat just a handful of them. That means it’s possible to track how much was sent to those addresses, and get a sense of how much people were paying up. Researchers at Chainalysis, who tracked those addresses, told Vocativ that they saw “several very large payments for the ransom amount and many smaller amounts as well,” and that they totaled over $100,000 in Bitcoin.

That the new “Armada Collective” reused Bitcoin addresses may be an inadvertent admission they’re not the real thing. Since reusing the same addresses over and over in various extortion letters means the group wouldn’t know which companies had actually sent payments and which had not, it seems unlikely that the group is planning to wage DDoS attacks on those who don’t pony up.

Vocativ’s email to the group’s email address went unanswered, which is unsurprising, as its extortion letters instructed, “Do not reply, we will not read.”