by ElemenoPicuares 1174 days ago
I wonder what sort of person is aware enough of DDoS attacks to want to buy one, savvy enough to find where to buy one, yet dumb enough to pay with PayPal. Or accept PayPal if you ran such a service. Given, it says the people running it were 16-24 and adolescent hubris knows no bounds... Maybe the customers were the same general age as the owners?
9 comments

When I was a kid you could buy these monthly warez CDs full of games and professional software.

The gang producing them got so overwhelmed with burning CDs in their basement, that they went to a factory in Germany.

Police looked at the serial number on the CD, went to the factory and asked who the customer was and that's how they got busted.

When I was a kid, I distributed Warcraft 3 beta cracks from our ISP webspace (20 MB, unlimited traffic, fast speeds made my mirror one of the most favored). Blizzard didn't even need the police and just made our ISP call my dad at work to stop it ;)
Most criminals who are caught are not criminal masterminds. The opposite, actually, otherwise they'd probably not be caught, since their opponents aren't of the Sherlock Holmes kind either. Especially in the cyber crime field, where the barrier to entry is pretty low. Source: been acting on both sides, for research.
It's literally the WW2 airplane hit patterns image. Criminals who get caught are the ones making the kinds of mistakes that make it easier to catch them.

Organized crime also does a lot of "dumb" stuff but they do it at scale and make it harder to trace back the individual incident to the organization's core. They also heavily rely on disposable accomplices, which is why you still see these "make money doing nothing from home, just let us use your bank account" scams.

Exactly. Also, opsec does not need to be bulletproof if your operation is government sponsored or at least government tolerated. There are whole companies, doing downright illegal stuff in the open, enjoying sweetheart treatment by officials. OTOH, a Russian hacker, for example, would know better than to steal from their own countrymen. So they operate in other jurisdictions.

You would be mistaken btw to think this only applies to non-western parts of the world. The spectrum is a wide one, from completely covert operations, over organized crime, to companies and even the government itself. The ones who are caught are usually not the smart ones. Of course, the Dunning-Kruger effect is also strong here, so most of them think they're too smart to be caught.

Isn't almost any online payment method trivially trackable?

Bitcoin (and most other cryptocoins) needs a bit of effort to grovel the public transaction history, and XMR does things that supposedly make that not really work at all, but other than that...

Considering it's criminals we're talking about here, they can easily use some ransomware attack on a few people and then use those bitcoins to pay for whatever they need, and no one can identify them through bitcoin "traffic".
You can at least make some people believe bitcoin isn't traceable at all, and it can be quite hard or even impossible to trace if you do it right.
>XMR does things that supposedly make that not really work at all

Any source? Can't find anything.

https://www.getmonero.org/resources/moneropedia/ringsignatur...

I'm not qualified to say whether that actually achieves that goal though

We've had high schoolers DDoS their schools to avoid standardized testing. It is also a common way to interfere with esports. So yeah, the customers are often quite young.
I cannot find the reference but I remember reading, not too long ago, that even the professional ransomware gangs can be extremely lazy with their own security. Apparently even some well-known players (not script kiddies) could be identified because they used their personal email address or something similar.
What identity verification does PayPal actually do? I'd assume (potentially incorrectly) that criminals using it were doing so under an assumed (or stolen) identity so the account wouldn't lead back to them.

Which would limit what you could do with the money, but isn't that true of any crime related money?

PayPal has a banking license; it does a pretty full KYC in most places or relies on others that do.

Outside of cash transfer services, which often also require an ID on both ends (albeit that is often easier to fake), there aren’t ways to transfer money anonymously.

So companies use either alternative settlement methods such as crypto or gift cards or, what is also quite common, twin settlement.

You want a VPC? We’ll give you one for free just buy a 3 months VPN service from our sister company.

Basically the idea here is to split the records across as many platforms as possible and have as much separation as possible from payments and actual usage.

Before hordes of people respond with "PayPal is not a bank!", it is indeed not a bank in the US, but its European subsidiary is legally a bank.
In the US it doesn’t have a license anymore, mainly to avoid FDIC requirements, but it is licensed in every state: https://www.paypal.com/us/webapps/mpp/licenses
As far as I remember you need a credit card or banking account. Ok, you might have stolen those, but many people probably used their own.
For over 10 years they did nothing to people who bought these kinds of things with PayPal; police going after booter users is a fairly recent thing that started in the UK.
yknow customers usually get away

what's funnier is those who run these booter sites then ACCEPT payment with PayPal. dios mio

In fairness, paying for a DDoS attack sounds like a dumb thing with little upside