A group of individuals posing as the distributed denial-of-service (DDoS) extortionist group Armada Collective has used empty threats to scare victims into handing over USD$100,000.
In a blog post published Monday, Matthew Prince, CEO of Cloudflare, notes the DDoS posers have sent Armada Collective's extortion email to approximately 100 existing and prospective Cloudflare customers.
In each email, the group states that in exchange for paying a "protection fee," the victim will not be targeted by a large DDoS attack that could peak at over 1 Tbps per second. That protection fee ranges in value between 10 and 50 Bitcoin (USD$4,600 - USD$23,000).
There's a catch, however. Bitcoin payments are anonymous, which means there is no way for the Armada Collective posers to determine which targets have paid and which have not. As a result, if the threats were genuine, all recipients of the email should have been targeted by a powerful DDoS campaign.
But not one suffered an attack.
"Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them," Prince explains. "To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats."
Unfortunately, some companies have paid the extortion fee. It is estimated the group successfully used empty threats to scare victims into paying upwards of USD$100,000.
Those victims likely paid as a result of learning about the real Armada Collective's reputation. That group did launch DDoS attacks against ProtonMail and other encrypted email services last year, and it made hundreds of thousands of dollars as a result of sending out a number of threatening emails.
Prince believes the name "Armada Collective" was simply the original name used by DD4BC, a DDoS extortionist group whose members were arrested in January of this year.
"While the actual members of the original Armada Collective appear locked up in a European jail, with little more than some Bitcoin addresses and an email account, some enterprising individuals are drafting off the group's original name, sowing fear, and collecting hundreds of thousands of extorted dollars," he said.
Given those empty threats, anyone who receives an extortion email from a group claiming to be the Armada Collective should not pay the protection fee, urges Prince.