Federal Bureau of Investigation, "Private Industry Notification: Individuals Threatening Distributed Denial of Service of Private-Sector Companies for Bitcoin," June 26, 2017. Unclassified.
National Security Archive
The FBI’s 2017 alert on Bitcoin‑demanding DDoS threats reveals how hacktivist branding became a cash‑grab tool and why public‑private alerts matter.
Source: Federal Bureau of Investigation, "Private Industry Notification: Individuals Threatening Distributed Denial of Service of Private-Sector Companies for Bitcoin," June 26, 2017. Unclassified.
Date: Jun 26, 2017
Archive: Public Intelligence
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Cyber‑Extortion Alert from the FBI’s Cyber Division
The June 26, 2017 Private Industry Notification (PIN 170628‑001) is a routine, yet revealing, product of the FBI’s cyber‑crime outreach program. Issued under the Traffic Light Protocol (TLP: GREEN), the bulletin was intended for IT security teams, ISPs, and corporate incident‑response units, warning that individuals masquerading as the hacktivist collectives “Anonymous” and “Lizard Squad” were dispatching extortion emails demanding Bitcoin in exchange for refraining from Distributed Denial‑of‑Service (DDoS) attacks. The document does not name any specific victims, but it cites at least six companies that received such threats in April‑May 2017, and it situates the campaign within a broader pattern of ransomware‑style extortion that the FBI had been tracking since at least 2014.
The wider wave of Bitcoin‑based extortion
The PIN arrives at the height of a three‑year surge in cryptocurrency‑driven cyber‑extortion. By 2017, Bitcoin’s price volatility made it an attractive ransom medium: payments could be demanded in a globally transferable, pseudonymous currency while victims faced the reputational risk of a public DDoS. The FBI’s historical notes in the bulletin trace the lineage from the “DDoS ‘4’ Bitcoin” (DD4BC) operation of 2014‑15, which combined a low‑level demonstration attack with a ransom demand, to the 2016 Lizard Squad campaign that targeted over twenty UK firms. The continuity suggests that the same threat actors—or at least the same business model—were iterating on a proven playbook: a cheap, high‑visibility threat followed by a financial demand.
What the language reveals about the perpetrators and the FBI’s strategy
The notice repeatedly emphasizes that no victims have reported actual DDoS retaliation for non‑payment, a phrase that serves two purposes. First, it signals to recipients that the threat may be bluster, discouraging knee‑jerk ransom payments that would financially empower the criminals. Second, it underscores the FBI’s confidence in its investigative reach; the agency likely had intercepted the emails, traced IPs, or otherwise gathered intelligence that allowed it to assess the credibility of the threats.
The bulletin also deliberately blurs the line between “Anonymous” and “Lizard Squad”—two groups with very different public personas. By grouping them together, the FBI signals that the extortion market has become a commodity space where the brand value of a notorious name can be borrowed for profit, regardless of ideological consistency. This reflects a shift from earlier, ideologically motivated hacktivism toward profit‑driven cybercrime.
Operational guidance as a soft power tool
Beyond the threat description, the document devotes considerable space to mitigation recommendations: pre‑emptive DDoS mitigation strategies, incident‑response planning, firewall hardening, and data‑backup protocols. The FBI’s emphasis on coordination with ISPs and third‑party mitigation services reveals an evolving doctrine of public‑private partnership. By positioning itself as a source of actionable intelligence and as a facilitator of industry‑wide resilience, the bureau cultivates trust and encourages voluntary compliance with best‑practice security standards.
Legacy and relevance today
Although the specific Bitcoin‑extortion campaigns of 2017 have faded, the PIN foreshadows the ransomware‑as‑a‑service ecosystem that now dominates cyber‑crime. Modern ransomware groups still employ DDoS threats as a secondary pressure valve, and they continue to demand payment in cryptocurrencies. The FBI’s 2017 bulletin thus serves as an early public acknowledgment of a hybrid threat model—combining denial‑of‑service intimidation with financial extortion—that has become commonplace.
For contemporary readers, the PIN is a snapshot of a transitional moment: law‑enforcement agencies moving from reactive investigations to proactive information‑sharing with the private sector. It also illustrates how the FBI calibrated its public messaging to undercut the extortionists’ leverage while bolstering industry defenses. The document’s legacy endures in today’s cyber‑threat alerts, which routinely blend threat intelligence with prescriptive hardening steps, reflecting a now‑standard approach to collective cyber resilience.
TLP: GREEN Private Industry Notification FEDERAL BUREAU OF INVESTIGATION, CYBER DIVISION
26 June 2017
PIN Number 170628-001
Please contact the FBI with any questions related to this Private Industry Notification at either your local Cyber Task Force or FBI CyWatch.
Local Field Offices: www.fbi.gov/contact-us/field
E-mail: cywatch@ic.fbi.gov
Phone: 1-855-292-3937
The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals.
This PIN has been released TLP: GREEN: The information in this product is useful for the awareness of all participating organizations within their sector or community, but should not be shared via publicly accessible channels.
Individuals Threatening Distributed Denial of Service of Private-Sector Companies for Bitcoin
**Summary**
An individual or group claiming to be “Anonymous” or “Lizard Squad” sent extortion emails to private-sector companies threatening to conduct distributed denial of service (DDoS) attacks on their network unless they received an identified amount of Bitcoin. No victims to date have reported DDoS activity as a penalty for non-payment.
**Threat**
In April and May 2017, at least six companies received emails claiming to be from “Anonymous” and “Lizard Squad” threatening their companies with DDoS attacks within 24 hours unless the company sent an identified amount of Bitcoin to the email sender. The email stated the demanded amount of Bitcoin would increase each day the amount went unpaid. No victims to date have reported DDoS activity as a penalty for non-payment.
Reporting on schemes of this nature goes back at least three years.
* In 2016, a group identifying itself as “Lizard Squad” sent extortion demands to at least twenty businesses in the United Kingdom, threatening DDoS attacks if they were not paid five Bitcoins (as of 14 June, each Bitcoin was valued at 2,698 USD). No victims reported actual DDoS activity as a penalty for non-payment.
* Between 2014 and 2015, a cyber extortion group known as “DDoS ‘4’ Bitcoin” (DD4BC) victimized hundreds of individuals and businesses globally. DD4BC would conduct an initial, demonstrative low-level DDoS attack on the victim company, followed by an email message introducing themselves, demanding a ransom paid in Bitcoins, and threatening a higher level attack if the ransom was not paid within the stated time limit. While no significant disruption or DDoS activity was noted, it is probable companies paid the ransom to avoid the threat of DDoS activity.
**Background**
Lizard Squad is a hacking group known for their DDoS attacks primarily targeting gaming-related services. On 25 December 2014, Lizard Squad was responsible for taking down the Xbox Live and PlayStation networks. Lizard Squad also successfully conducted DDoS attacks on the UK’s National Crime Agency’s (NCA) website in 2015.
Anonymous is a hacking collective known for several significant DDoS attacks on government, religious, and corporate websites conducted for ideological reasons.
**Recommendations**
The FBI suggests precautionary measures to mitigate DDoS threats to include, but not limited to:
* Have a DDoS mitigation strategy ready ahead of time.
* Implement an incident response plan that includes DDoS mitigation and practice this plan before an actual incident occurs. This plan may involve external organizations such as your Internet Service Provider, technology companies that offer DDoS mitigation services, and law enforcement.
* Ensure your plan includes the appropriate contacts within these external organizations. Test activating your incident response team and third party contacts.
* Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
* Ensure upstream firewalls are in place to block incoming User Data Protocol (UDP) packets.
* Ensure software or firmware updates are applied as soon as the device manufacturer releases them.
If you have received one of these demands:
* Do not make the demand payment.
* Retain the original emails with headers.
* If applicable, maintain a timeline of the attack, recording all times and content of the attack.
The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI's 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI's national Press Office at npo@ic.fbi.gov or (202) 324-3691.
Administrative Note
This product is marked TLP:GREEN. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP: GREEN information may not be released outside of the community.
Your Feedback Regarding this Product is Critical
Please take a few minutes to send us your feedback. Your feedback submission may be anonymous. We read each submission carefully, and your feedback will be extremely valuable to the FBI. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to these products. Feedback may be submitted online here: https://www.ic3.gov/PIFSurvey