The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after the malware began showing up for sale in cybercrime forums. Now the young man’s father is trying to convince him not to act on a job offer in the United States, fearing it may be a trap set by law enforcement agents.

In December 2016, Arbor Networks released a writeup on Nuclear Bot (a.k.a. NukeBot) after researchers discovered the malware package for sale in the usual underground cybercrime forums for the price of USD $2,500.

The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites.

Malware analysts at IBM’s X-Force research division also examined the code, primarily because the individual selling it claimed that Nuclear Bot could bypass Trusteer Rapport, an IBM security product that many banks offer customers to help blunt the effectiveness of banking trojans.

“These claims are unfounded and incorrect,” IBM’s researchers wrote. “Rapport detection and protection against the NukeBot malware are effective on all protection layers.”

But the malware’s original author — 18-year-old Augustin Inzirillo — begs to differ, saying he released the source code for the bot late last month in part because he wanted others be able to test his claims.

In an interview with KrebsOnSecurity, Inzirillo admits he wrote the Nuclear Bot trojan as a proof-of-concept to demonstrate a method he developed that he says bypasses Rapport. But he denies ever selling or marketing the malware, and maintains that this was done without his permission by an acquaintance with whom he shared the code privately.

“I’ve been interested in malware since I [was] a child, and I wanted to have a challenge,” Inzirillo said. “I was excited about this, and having nobody to share this with, I distributed the code to ‘friends’ who tried to profit off my work.”

After the source code for Nuclear Bot was released on Github, IBM followed up with a more in-depth examination of it, which argued that the author of the code appeared to release it in a failed bid to shore up his fragile ego.

According to IBM, a hacker calling himself “Gosya” tried to sell the malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be sold.

“He did not have the malware tested and certified by forum admins, nor did he provide any test versions to members,” IBM researchers Limor Kessem and Ilya Kolmanovich wrote. “At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.”

The IBM authors continued:

“In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.”

“For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.”

Inzirillo said the main reason he released his code was to prevent others from profiting off his creation. But now he says he regrets that decision as well.

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat. 

Inzirillo released the code on Github with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Augustin’s dad, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

Daniel Inzirillo said he’s worried because his son has expressed a strong interest in traveling to the United States after receiving a job offer from a supposed recruiter at a technology firm which said it was impressed by Augustin’s coding skills.

“I am very worried for him, because some technology company told him they wanted to fly him to the U.S. for a job interview as a result of him posting that online,” Daniel Inzirillo said. “There is a strong possibility that in one or two weeks he’s going to be flying to California, and I am concerned that maybe some guy in some law enforcement agency has his sights on him.”

Augustin’s dad said he had hoped his son might choose a different profession than his own.

“I didn’t want him to do software development, I always wanted him to do something else,” Daniel said. “He was introduced to programming by a math teacher at school. As soon as he learned about this it became a passion for him. But I was so pissed off about this. Even though I have been doing software all my life, I didn’t have a good opinion about this profession. I got a degree in software development as a kind of ‘Plan B,’ but I always felt there was something missing there, that it wasn’t intellectually satisfying.”

Nevertheless, Daniel said he is proud of his son’s intellectual abilities, noting that Augustin is completely self-taught in computer programming.

“I haven’t taught him anything, although sometimes he comes and he asks me some questions,” Daniel said. “He’s a self-made made man. In terms of software security and hacking, nearly everything he knows he learned by himself.”

Daniel said that after he and his wife divorced in 2012, his son went from being the first or second best student in his class to dropping out of school. After that, computers became an obsession for Augustin, he said.

Daniel said his son is extremely opinionated but not very emotionally intelligent, and he believes Augustin has strong misgivings about his chosen path. By way of example, he related a story about an incident in which Augustin was recently arrested after an altercation at a local establishment.

“When he got arrested, for no reason, he blurted out everything he was doing on his computer,” Daniel recalled. “The policemen couldn’t believe he was telling them that for no reason. I realized at that moment that he just wanted to get out. He didn’t want to continue doing what he was doing.”

Daniel said he’s deeply concerned for his kid’s future, but also recognizes that his son won’t listen to his counsel.

“He respects me, he admires me, and he knows in terms of software development I’m very good, and he wants to become like me but on the other hand he doesn’t want to listen to me,” Daniel said. “If my vision of things is written about, that might help him. But I’m also worried now that he might feel I have hijacked his notoriety. This is his story, his way of surpassing me, and he might hate me for being here.”

Augustin said he wasn’t interested in discussing his father or his family life, but he did confirm (without elaborating) that he recently was offered a job in the United States. He remains somewhat ambivalent about the opportunity, but indicated he is leaning toward accepting it.

“Well, I don’t think it’s fair that I would feel bad about getting a job because of this code, I just feel bad about having released the code,” he said. “If people want to offer me something interesting as a result, I don’t think it makes sense me saying no.”

“He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.”

The above snippet is the subhead of a story published last month by the The Daily Beast titled, “FBI Arrests Hacker Who Hacked No One.” The subject of that piece — a 26-year-old American named Taylor Huddleston — faces felony hacking charges connected to two computer programs he authored and sold: An anti-piracy product called Net Seal, and a Remote Administration Tool (RAT) called NanoCore that he says was a benign program designed to help users remotely administer their computers.

The author of the Daily Beast story, former black hat hacker and Wired.com editor Kevin Poulsen, argues that Huddleston’s case raises a novel question: When is a programmer criminally responsible for the actions of his users?

“Some experts say [the case] could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways,” Poulsen wrote.

But a closer look at the government’s side of the story — as well as public postings left behind by the accused and his alleged accomplices — paints a more complex and nuanced picture that suggests this may not be the case to raise that specific legal question in any meaningful way.

Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), said cases like these are not so cut-and-dry because they hinge on intent, and determining who knew what and when.

“I don’t read the government’s complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this,” Rumold said. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific, but unfortunately there is not a precise set of facts that would push this case from being about the valid reselling of a tool that no one questions can be done legally to crossing that threshold of engaging in a criminal conspiracy.”

Citing group chat logs and other evidence that hasn’t yet been made public, U.S. prosecutors say Huddleston intended NanoCore to function more like a Remote Access Trojan used to remotely control compromised PCs, and they’ve indicted Huddleston on criminal charges of conspiracy as well as aiding and abetting computer intrusions.

Poulsen depicts Huddleston as an ambitious — if extremely naive — programmer struggling to make an honest living selling what is essentially a dual-use software product. Using the nickname “Aeonhack,” Huddleston marketed his NanoCore RAT on Hackforums[dot]net, an English-language hacking forum that is overrun with young, impressionable but otherwise low-skilled hackers who are constantly looking for point-and-click tools and services that can help them demonstrate their supposed hacking prowess.

Yet we’re told that Huddleston was positively shocked to discover that many buyers on the forum were using his tools in a less-than-legal manner, and that in response he chastised and even penalized customers who did so. By way of example, Poulsen writes that Huddleston routinely used his Net Seal program to revoke the software licenses for customers who boasted online about using his NanoCore RAT illegally.

Huddleston makes the case in Poulsen’s story that there’s a corporate-friendly double standard at work in the government’s charges, noting that malicious hackers have used commercial remote administration tools like TeamViewer and VNC for years, but the FBI doesn’t show up at their corporate headquarters with guns drawn.

But Nixon notes that RATs sold on Hackforums are extremely dangerous for the average person to use on his personal computer because there are past cases when RAT authors divert infected machines to their own botnet.

Case in point: The author of the Blackshades Trojan — once a wildly popular RAT sold principally on Hackforums before its author and hundreds of its paying customers were arrested in a global law enforcement sweep — wasn’t content to simply rake in money from the sale of each Blackshades license: He also included a backdoor that let him secretly commandeer machines running the software.

“If a person is using RAT software on their personal machine that they purchased from Hackforums, they are taking this risk,” Nixon said. “Programs like VNC and Teamviewer are much safer for legitimate use, because they are actual companies, not programs produced by teenagers in a criminogenic environment.”

All of this may be moot if the government can’t win its case against Huddleston. The EFF’s Rumold said while prosecutors may have leverage in Shames’s conviction, the government probably doesn’t want to take the case to trial.

“My guess is if they want a conviction, they’re going to have to go to trial or offer him some type of very favorable plea,” Rumold said. “Just the fact that Huddleston was able to tell his story in a way that makes him come off as a very sympathetic character sounds like the government may have a difficult time prosecuting him.”

A copy of the indictment against Huddleston is available here (PDF).

If you enjoyed this story, take a look at a related piece published here last year about a different RAT proprietor selling his product on Hackforums who similarly claimed the software was just a security tool designed for system administrators, despite features of the program and related services that strongly suggested otherwise.

Once you understand how easy and common it is for thieves to attach “skimming” devices to ATMs and other machines that accept debit and credit cards, it’s difficult not to closely inspect and even tug on the machines before using them. Several readers who are in the habit of doing just that recently shared images of skimmers they discovered after gently pulling on various parts of a cash machine they were about to use.

Viewed from less than two feet away, this ATM looks reasonably safe to use, right?

But something fishy comes into view when we change our perspective slightly. Can you spot what doesn’t belong here?

Congratulations if you noticed the tiny pinhole in the upper right corner of the phony black bezel that was affixed over top of the cash dispenser slot. That fake bezel overlay contained a tiny pinhole camera angled toward the PIN pad to record time-stamped videos of people entering their PINs:

How about the card acceptance slot? Looks legit (if a tad shinier than the rest of the ATM), right?

What happens if we apply a tiny bit of pressure to the anti-skimming green bezel where customers are expected to insert their ATM cards? Look at that! The cheap plastic bezel that skimmer thieves placed on top of the real card acceptance slot starts to pull away. Also, you can see some homemade electronics that are not very well hidden at the mouth of the bezel.

ATM card skimmers contain tiny bits of electronics that record payment card data from the magnetic stripe on the backs of cards inserted into a hacked ATM. Most commonly (as in this case), a card skimmer is paired with a pinhole spy camera hidden above or beside the PIN pad to record time-stamped video of cardholders entering their PINs. Taken together, the stolen data allows thieves to fabricate new cards and use PINs to withdraw cash from victim accounts.

Card skimmers designed to look like the green anti-skimming devices found on many ATMs are some of the most common cash machine skimming devices in use today, probably because they are relatively cheap to manufacture en masse and there are many fraudsters peddling these in the cybercrime underground.

Typically, the fake anti-skimmer bezels like the one pictured above are made of hard plastic. However, the reader who shared these images said this bezel card skimming device was made of a semi-flexible, vinyl-like plastic material.

“I immediately went in and notified the manager who shut down the machine,” the reader said in an email to KrebsOnSecurity. “All the tellers were busy so he asked me to stand by the ATM and stop people from trying to use it while he called his security team. In the three minutes I was standing there a young woman came up and started to dip her card in the slot even thought the screen was black. I stopped her and told her and pointed out what was going. She was thankful.”

Normally, these bezel skimmers look more like the hard plastic one that came off of this ATM at a 7-Eleven convenience store in Texas in February, after a customer yanked on the ATM’s card acceptance slot:

Many people believe that skimmers are mainly a problem in the United States, where most ATMs still do not require more secure chip-based cards that are far more expensive and difficult for thieves to clone. However, it’s precisely because most U.S. ATMs lack this security requirement that skimming remains so prevalent in Europe.

Mainly for reasons of backward compatibility to accommodate American tourists, many European ATMs allow non-chip-based cards to be inserted into the cash machine. What’s more, many chip-based cards issued by American and European banks alike still have cardholder data encoded on a magnetic stripe in addition to the chip.

When thieves skim ATMs in Europe, they generally sell the stolen card and PIN data to fraudsters on the other side of the pond. Those fraudsters in turn will encode the card data onto counterfeit cards and withdraw cash at ATMs here in the United States.

Interestingly, even after most U.S. banks put in place chip-capable ATMs, the magnetic stripe will still be needed because it’s an integral part of the way ATMs work: Most ATMs in use today require a magnetic stripe for the card to be accepted into the machine. The main reason for this is to ensure that customers are putting the card into the slot correctly, as embossed letters and numbers running across odd spots in the card reader can take their toll on the machines over time.

Below is part of a skimming device that a reader recently pulled off of a compromised ATM in Dusseldorf, Germany. This component actually cracked off of the hard plastic fake anti-skimming bezel that was placed by a fraudster over top of the card acceptance device of an NCR cash machine there.

Here’s the plastic overlay that the piece pictured in the reader’s hand above broke away from:

It’s fine to tug on parts of an ATM before using it (heck, I’ve been known to do this even for machines I have no intention of using), but just know that doing so doesn’t guarantee that you will detect a cleverly hidden skimmer.

As I’ve noted in countless skimmer stories here, the simplest way to protect yourself from ATM skimming is to cover your hand when entering your PIN. That’s because most skimmers rely on hidden cameras to steal the victim’s PIN. As easy as this is, you’d be amazed at how many people fail to take this basic precaution.

Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).

Also, if you visit an ATM that looks strange, tampered with, or out of place, try to find another cash machine. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Finally, don’t neglect your own physical security while at the cash machine: As common as these skimmers are, you’re probably more likely to get mugged withdrawing cash from an ATM than you are to find a skimmer attached to it.

Did you enjoy this post? Are you fascinated by skimming devices? Check out my series, All About Skimmers.

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

On Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to chose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to chose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.

These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.

A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is also somehow monetizing your use of their service in some way — probably in an way that may be at odds with your reason for using the service in the first place.

Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).

Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.

As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.

Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

After those restrictions came and went, some readers expressed surprise that there were no formal charges announced against either of the young men. This week, however, Israeli police sent letters to lawyers for both men stating that the official investigation was nearing completion and that they planned to urge government prosecutors to pursue criminal charges.

The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).

Bidani’s attorney Perach Aroch told KrebsOnSecurity that her client has not yet been officially charged with any crime. But she said once the investigation is complete the defense will have 30 days to review the evidence and to make arguments as to why the case should be dismissed.

“They have to give us 30 days to see all the evidence and to try to convince them why they should not take this case to court,” Aroch said. “After that, [the prosecutors will] decide if it should go to trial.”

The arrest of Bidani and Huri came after the police received information from the Federal Bureau of Investigation (FBI). But the United States apparently isn’t the only country weighing in on this case: According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

It’s unclear exactly why the Swedish government is so interested in this case, but the vDOS service has been implicated in a series high-profile attacks that brought down some of the country’s largest news media Web sites last year.

Shortly after those attacks in March 2016, Somerville, Mass.-based security intelligence firm Recorded Future published an analysis linking the assaults against Swedish media sites to vDOS and to “applej4ck,” the hacker nickname allegedly used by Bidani.

In publicizing the news of vDOS’s hack last year, KrebsOnSecurity also published several months of attack logs from the vDOS service. However, those logs only dated back to May 2016.

Itay Huri’s lawyer declined to comment for this story, but TheMarker’s Amitai Ziv obtained a statement from Huri’s attorney, who accused Israeli police of applying pressure and terror through the media instead of looking for the truth.

Ziv said sources he’s spoken to believe the case will almost certainly go to trial.

“Professionals involved in the case said the likelihood of indictments in the affair is very high,” he wrote.

According to Bidani’s lawyer Aroch, the two former friends are now pointing the finger of blame at each other and are no longer speaking to one another.

“They each now accuse each other in things, so it’s a little bit of a problem,” Aroch said.

Aroch said both Bidani and Huri are free to travel and even leave the country, although both men have had their bank and PayPal accounts frozen.

Bidani and Huri allegedly started vDOS when they were 14 years old. By the time the service was shut down last September, it had attracted tens of thousands of customers who paid for attacks in PayPal (when vDOS’s PayPal accounts were shut down, the service briefly shifted to accepting payment via Bitcoin).

My Sept. 2016 investigation into the hacking of vDOS revealed that in just two of the four years the service was in operation, it brought in revenues of more than $600,000.

It’s unclear how many digital sieges were launched by vDOS, but it was likely several million. The aforementioned user logs stolen from vDOS and leaked to KrebsOnSecurity show that in just the span of less than three months last year the service was responsible for more than 150,000 attacks.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

Lawyers for Bidani and Huri have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks. The owners of these stresser services have sought to hide behind wordy “terms of service” agreements which all customers must agree to, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail. In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.