Naked Security

Booter boss behind millions of DDoS-for-hire attacks jailed

The US is also juicing him for over half a million in profits from multiple DDoS-for-hire services.

The US has sentenced a 21-year-old man from the US state of Illinois to 13 months in prison for running multiple distributed denial of service (DDoS) services with names that sound like somebody squeezed them out of a London youth subculture: ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress.

A profitable set of snazzily named services, at that: Sergiy P. Usatyuk has also been ordered to forfeit the more than half a million – $542,925 – that he made from the DDoS-for-hire scheme. That money came both from renting out his services and from space he sold to his brethren booter operators so they could advertise on his sites.

Also up for forfeiture: all the gear Usatyuk used to run his site-jamming floods, or which he bought with his ill-gotten loot – namely, dozens of servers and other computer equipment.

Usatyuk was convicted on one count of conspiracy to cause damage to internet-connected computers.

He and an unnamed buddy developed and ran the so-called booter services and related websites from around August 2015 through November 2017. They were behind the launch of millions of DDoS attacks against victim computers, attacks that rendered targeted websites slow or completely zombified and that discombobulated normal business operations. During just the first 13 months of the scheme, the users of the booters launched 3,829,812 attacks.

The bragging rights went up as advertising collateral: As of 12 September 2017, ExoStresser advertised on its website that the one booter service alone had launched 1,367,610 DDoS attacks and caused targets to suffer 109,186.4 hours of network downtime: some 4,549 days.

Booters – also known as stressers or DDoS-for-hire – are publicly available, web-based services that launch these server-clogger-upper attacks for a small fee or, sometimes, none at all.

As befits the “stresser this” and “stresser that” brand names for Usatyuk’s offerings, DDoS-for-hire sites sell high-bandwidth internet attack services under the guise of “stress testing.” DDoS attacks are blunt instruments that work by overwhelming targeted sites with so much traffic that nobody can reach them. They can be used to render competitor or enemy websites temporarily inoperable out of malice, lulz or profit: some attackers extort site owners into paying for attacks to stop.

One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service. An attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.

You might remember Lizard Squad as the Grinch who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – an attack it carried out for our own good.

For our own good, as in, the attackers didn’t feel bad: some kids would just have to spend time with their families instead of playing games, one of them said at the time.

In similar anti-kid fashion, one of Usatyuk’s services – Betabooter – was rented by an attacker who launched a series of DDoS attacks against a school district in the Pittsburgh, Pennsylvania area, the Justice Department (DOJ) said on Friday. It not only disrupted the district’s computer systems; it also affected the computer systems of 17 organizations that shared the same computer infrastructure, including other school districts, the county government, the county’s career and technology centers, and a Catholic Diocese in the area, according to the indictment.

The DOJ noted that booter-based DDoS attack tools offer a low barrier to entry for users looking to engage in cybercrime. Indeed, hiring a service to paralyze your enemies’, your competition’s and/or your targets’ sites makes it as easy as simply handing over the money, no technical skill required.

In April 2018, when the world’s largest DoS site – Webstresser.org – got busted, we got a look at how little money the crooks were being charged for all this mayhem. According to Webstresser’s pricing table, archived before the site was taken down, memberships started at $18.99/month for the “bronze” level, went up to $49.99/month for the “platinum” service, and topped out at $102/month for “lifetime bronze.”

In January 2019, Europol announced that it was coordinating the mop-up to track down Webstresser’s more than 151,000 registered users.