A British and Dutch-led operation on Wednesday brought down a website linked to more than four million cyber-attacks around the world, with banking giants among the victims, European law enforcement agencies said.
"Authorities in five countries including the Netherlands, Serbia, Croatia and Canada, with support from Police Scotland and Europol, targeted six members of the crime group behind webstresser.org," Britain's National Crime Agency said in a statement.
Cybercriminals used the website's services, which could be rented for as little as $14.99 (EUR 12.31), to launch so-called distributed denial of service (DDOS) attacks, which swamp targets with spam traffic and disable their IT systems.
British police searched an address in Bradford, northern England, and seized a number of items, while Dutch police, with assistance from Germany and the United States, seized servers and took down the website.
British police believe an individual linked to the address used the site, the world's largest illegal DDOS seller, to hit seven of Britain's biggest banks in November, forcing them to reduce operations.
"Stressers" services give users the ability to stress-test the resilience of servers, causing disruption to the target.
Police also arrested two suspects, aged 19 and 21 in Serbia and a third, aged 19, in Croatia, Serbian and Croatian authorities said in separate statements.
The Croatian national faced a sentence between "one and eight years in prison," the Croatian interior ministry added.
Two men have also been arrested in Scotland, police said.
'Warning to all DDOS-ers'
Europol, which set up a command and control post in The Hague on Tuesday to coordinate the operation, said "further measures" would be taken against the online marketplace's top users in Australia, Britain, Canada, Croatia, Hong Kong, Italy and the Netherlands.
"This could include arrests or just 'knock-on-door' operations but it depends from country to country," Europol spokeswoman Claire Georges told AFP in The Hague.
"A significant criminal website has been shut down and the sophisticated crime group behind it stopped as a result of an international investigation," said the NCA's Jo Goodall.
"The arrests made over the past two days show that the internet does not provide bulletproof anonymity to offenders and we expect to identify further suspects linked to the site in the coming weeks and months as we examine the evidence we have gathered," Goodall added.
Dutch national police's Gert Ras was quoted in the NCA statement as saying the operation had had "an unprecedented impact on DDOS cybercrime."
"This is a warning to all wannabe DDOS-ers... we will identify you, bring you to court and facilitate that you will be held liable by the victims for the huge damage you cause".
But Steven Wilson, who heads up Europol's EC3 Cybercrime Centre, warned in a statement that DDOS and other malicious online activities were on the rise, "victimising millions of users in a moment."
Law enforcement cooperation needs to be "as good as" the collaboration between criminal gangs "to turn the tables on these criminals and shut down their malicious cyber-attacks," Wilson said.