Experts believe that the success tied to a recent spate of DDoS-for-hire groups may be because many are copycat collectives operating with a shorter lifespan.

Researchers with Recorded Future, a Massachusetts-based firm that tracks real time threat intelligence, said Monday that they’ve noticed an increase in would-be hackers asking for guidance on forums when it comes to carrying out such attacks.

In particular, it has observed several requests on the dark web for instructions on how to perform DDoS attacks, set up Bitcoin wallets, and so forth. The frequency of the posts really picked up steam after publicity around the group DDoS 4 Bitcoin, according to Tyler Bradshaw, a solutions engineer with the firm.

The group DDoS 4 Bitcoin, or DD4BC, made headlines in mid-2014 and like most groups that deal in cyber extortion, warn victims they’ll be hit with a sizable DDoS attack, something around 400-500 Gbps, unless they pay a certain amount in Bitcoin.

The attackers usually harness a paid botnet to flood a victim’s site with traffic until they’re paid.

Research published in September by Akamai found the group carried out 141 attacks, albeit with a diminished average bandwidth of around 13 Gbps. After the report was issued, Recorded Future claims attacks “decreased sharply,” and that it seems the group has more or less went into hiding.

Bradshaw cites a few other examples, including a recent DDoS attack on encrypted email service ProtonMail. Officials at the service paid the group behind the hack, the fairly new The Armada Collective, a ransom, yet were still hit by a second, more intense attack that exceeded 100 Gbps.

The Armada Collective denied it was behind the second attack and even refunded Bitcoin to ProtonMail as a sign of solidarity, insisting “Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” and “WE DO NOT HAVE THAT POWER! NOT EVEN CLOSE.” The comments suggest to Recorded Future that like DD4BC, the attackers don’t possess the ability to carry out high profile DDoS attacks and also fear getting caught.

Last week, when three Greek banks were hit with a DDoS attack, the hackers purportedly represented The Armada Collective, but Bradshaw claims the amount of money the attackers asked for seemed uncharacteristic of the group.

In the past The Armada Collective have asked for anywhere between 10-200 BTC, or $3,600-$70,000, but attackers last week asked for 100 times that, 20,000 BTC, roughly $7.2 million.

“This extremely high ransom, in combination with the messages sent back to ProtonMail, strongly suggests that somebody may be using the Armada Collective name in order to appear more legitimate,” Bradshaw wrote.