Naked Security

Lizard Squad, PoodleCorp members arrested in DDoS-for-hire bust

For $20/month, one of the services, PhoneBomber, would call a victim once an hour for a month with streams of expletive-sprinkled threats.

You remember Lizard Squad, right? And PoodleCorp?

As in, those guys who claimed to have launched Distributed Denial of Service (DDoS) attacks against Pokémon GO servers and who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – for our own good.

For our own good, as in, these server clogger-uppers didn’t feel bad: some kids would just have to spend time with their families instead of playing games, one of them said at the time.

Well, two teenage members of Lizard Squad and PoodleCorp have now been arrested.

According to a press release from the US district attorney’s office in Northern Illinois, an international investigation into the two hacking groups has resulted in arrests on both sides of the Atlantic.

According to the criminal complaint from the US Department of Justice (DOJ), the US suspect is Zachary Buchta, also known as “pein,” “@fbiarelosers,” “@xotehpoodle,” and “lizard,” from Fallston, Maryland.

The other is Bradley Jan Willem van Rooy, also known as “Uchiha,” “@UchihaLS,” “dragon,” and “fox,” from the Netherlands.

Both of the suspects are 19 years old.

They’re being charged with operating cyberattack-for-hire websites that launched attacks on companies and individuals around the world, and with trafficking payment accounts stolen from thousands of unsuspecting victims in Illinois and beyond.

They allegedly ran a few attack-for-hire sites. Those sites are all now offline.

It was the launch of a nastiness-for-hire site called Phonebomber.net that triggered the investigation. That service enabled paying customers to select victims to receive repeated harassing and threatening phone calls from spoofed phone numbers.

The going rate to antagonize people: $20/month.

From one of the site’s pages, as quoted in the complaint:

We will call your target once per hour with one of our pre-recorded messages for $20 a month. Since our calls come from random numbers, your target will be unable to block our calls. Your target will be left with only 3 options: Change their number, Bend to your whim, Deal with a ringing phone for the length of our attack :\

For the extortionists amongst us we’ve added an option to cancel the calls at the click of a button, giving you complete control over the length of the attack…

Since there is no registration, all purchases are untraceable. The only data a hacker / feds would be able to exfiltrate from our database are the phone numbers currently being called, and the last 30 days of targets. Rest assured your privacy is respected here and purchase in confidence.

The investigation, coupled with an announcement from @LizardLands, revealed that the first victim to be targeted, identified as “Victim O” in court documents, was from the Chicago area.

Just as promised, the calls came in once an hour for 30 days. The audio recording from the calls, edited with enough asterisks to make it printable and to also look like marshmallows floating in a bowl of Unlucky Charms:

When you walk the f**king streets, Motherf**ker, you better look over your f**king back because I don’t give a flying f**k if we have to burn your f**king house down, if we have to f**king track your goddamned family down, we will f**k your s*** up motherf**k.

Yet another offering was a website named Shenron, which enabled paying customers to issue DoS attacks with the click of a button against victims of their choosing.

One of the packages, available for $19.99 a month, gave buyers the ability to carry out attacks of up to 15 Gbps, for 1,200 seconds at a time, for an “unlimited” number of attacks.

According to the complaint, the attacks targeted victims including gaming (no surprise there!), entertainment and media companies, and relied on a “massive network of compromised computers and devices.”

Four sites associated with the alleged conspiracy have been seized: shenron.lizardsquad.org, lizardsquad.org, stresser.poodlecorp.org, and poodlecorp.org.

Buchta and van Rooy were each charged last Wednesday with conspiring to cause damage to protected computers. The conspiracy charge carries a maximum sentence of 10 years in prison, though maximum sentences are rarely handed out.

They’re not the first Lizard Squaders to wind up in court. A 17-year-old member of the group was convicted of 50,700 computer crime charges in July 2015. He escaped jail time entirely.

Besides kicking gamers to the curb and renting out cyber-enabled attacks, Lizard Squad was also responsible for forcing a plane carrying Sony Online Entertainment’s president John Smedley to land following a tweeted bomb threat.

The group also targeted Malaysia Airlines in January 2015, apparently, and characteristically, for the “lulz”. Lizard Squad changed the carrier’s homepage to read “404 – Plane Not Found” in what was apparently a reference to missing flight MH370.

It hasn’t been all lulz and roses for Lizard Squad, though. Computer security analyst Vinnie Omari was apparently arrested and then bailed in connection with the Christmas blocking of PlayStation Network and Xbox Live systems.

In mid-January 2015, a second person was arrested in Southport, UK, in connection with the Grinchy DDoS.

Later that same month, the group found the tables further turned as one of its own DDoS-for-hire services – LizardStresser – was hacked.

According to the Chicago Tribune, Buchta will be allowed to live with his mother in Maryland while he awaits trial but is forbidden from accessing the internet or having any contact with van Rooy, who’s in custody in the Netherlands.

7 Comments

Handing out a slap on the wrist serves no purpose but to allow them to get back to their mischief sooner. They are both adults and should be treated as such, not be allowed to run to their mommy(s). They have caused financial and in some cases emotional harm; there should be a consequence.


These are the people we need to have working on our own security teams for the government and large corporations, tbh. Remember what happened to Aaron Swartz and Jonathan James? Who knows what greatness they could have accomplished if given a positive chance to use their skills for good. So many people are so quick on throwing brilliant, talented-minded geniuses in jail, which is not only a waste of all of our time and money but theirs too, because we all know they are going to one day be released and head right back into doing what they love, so why not use their passion for the greater good? *food for thought*


@Cat So if someone is good at killing, then make them a soldier? The real question is how does one go from doing bad to doing good? Even if, let’s say, one is given a chance, who’s to say there will be no repercussions? You must face the consequence before growing; it’s the reason why jail has something called parole. Don’t be naive and think just because they are so-called brilliant, talented-minded geniuses that it’s not for the greater good.


This is why we need new laws on the books that would bring back the practice of black holing entire ISPs and their ASNs if they do not disconnect zombie PCs from their networks. (like they used to in the Usenet days)

If only we could make botnets to be as big an issue as piracy… (it already is, but they’ll never acknowledge it)
