Teen sentenced for vDOS rampage

It can sometimes seem that Britain produces more than its fair share of teen hackers – or perhaps it’s just good at catching and prosecuting them.

Another, 19-year-old student Jack Chappell, was this week handed a suspended 16-month sentence for his “substantial” role in launching an extraordinary DDoS rampage against a who’s who of big-brand US and UK websites during 2015 and 2016.

Listing the victims offers an insight into an important theme that emerges from the case: how a single, relatively unsophisticated cyber-attacker can, at a stroke, cripple big websites hosted anywhere in the world by flooding them with unwanted traffic.

Commercial targets included Netflix, Amazon, Verizon, Sprint, Vodafone, O2, Virgin Media, and NatWest Bank and – just because – Pornhub.

Public-sector victims included the BBC, the Massachusetts Institute of Technology (MIT), the University of California San Diego (UCSD), and even Britain’s National Crime Agency (NCA).

Plus around 3,000 others, all of which found themselves on the receiving end of a DDoS-for-hire service called vDOS, which Naked Security covered in more detail last year.

The vast majority were carried out in return for a fee, but it’s Chappell’s reported role in this as a then 17-year-old that brings us to a second theme: how the young and impressionable can be drawn into cybercrime for the visible power and status it confers.

As suggested by the following sarcastic tweet directed at the UK Government:

Offline again? how come you can’t handle my 100GBPS of DNS traffic.

Or:

Yea I stopped the attacks – will start again later :) #GetBetterProtection.

And yet behind all of this, we now know, were two Israeli teens, who pocketed almost all the money vDOS generated during its existence, using accomplices such as Chappell as remote low-wage helpers.

His defence argued that the fact Chappell received only £1,500 ($2,000) for his role, which included laundering the site’s proceeds as well as acting as DDoS admin, meant he deserved to be viewed as another of its victims.

On the other hand, Chappell’s earliest DDoS attacks were directed against colleges in his native Manchester, the court heard, which points to personal motives.

The case bears a startling similarity to previous examples of Brit teens running amok, such as that of Charlton Floate, who from 2012 onwards launched a series of DDoS-for-thrills attacks on UK Government websites. Like Chappell, Floate also took to Twitter to brag about his exploits, before being caught in 2014.

Or the 15-year-old Adam Mudd who created the Titanium Stresser/booter DDoS-for-hire service in 2012 and used it to attack 594 websites, mainly for profit.

Spot the pattern? Young British men using relatively simple services to launch DDoS attacks for money and perverse inverted glory, or both.

Inevitably, they were caught (largely because their attempts to hide their actions were incompetent), put on trial, and given a sentence that accepted the mitigating fact of their youth and immaturity.

When patterns like this emerge, it seems reasonable to ask whether simply legal sanctions are enough or whether more computer misuse education might be warranted at school level.

Instructing youngsters on how to use computers is a challenge, but teaching them how to stay away from the dark side with what they learn, even harder still.