Federal prosecutors on Wednesday indicted six people for allegedly operating websites that launched millions of powerful distributed denial-of-service attacks on a wide range of victims on behalf of millions of paying customers.
The sites presented themselves as booter or stresser services designed to test the bandwidth and performance of customers' networks. Prosecutors said in court documents that the services were used to direct massive amounts of unwanted traffic at third-party websites and Internet connections that customers wanted to take offline or seriously restrict. The victims included educational institutions, government agencies, gaming platforms and millions of people. In addition to indicting six defendants, prosecutors also seized 48 Internet domains associated with the services.
“These startup services allow anyone to launch cyberattacks that harm individual victims and compromise anyone’s ability to access the Internet,” Martin Estrada, U.S. Attorney for the Southern District of California, said in a press release. “This week’s enforcement activity is a major milestone in our ongoing efforts to root out criminal behavior that threatens the infrastructure of the Internet and our ability to function in a digital world.”
The services offered user interfaces that were essentially the same except for cosmetic differences. The screenshot below shows the web panel offered by orphicsecurityteam.com as of February 28. It allowed users to enter a target’s IP address, the network port, and the specific type of attack they wanted. The panel also allowed users to choose different methods to amplify their attacks. Amplification involved bouncing a relatively small amount of specially crafted data off a third-party server in such a way that the server would hit the intended victim with payloads up to 10,000 times larger.
Ironically, most of the services relied on DDoS protection, such as that offered by the Cloudflare content delivery network, to avoid being taken down by DDoS attacks themselves. In some cases, defendants relied on Cloudflare’s free tier, with others using a more advanced tier that required payment.
According to an affidavit filed Wednesday, some of the services had impressive numbers of registered customers and attacks launched. For example, logs indicate that a service called ipstressor.com had 2 million registered users, with 1 million of them conducting DDoS attacks. The service conducted or attempted to conduct 30 million DDoS attacks between 2014 and 2022. Securityteam.io reportedly conducted or attempted to conduct 1.3 million attacks and had 50,000 registered users. Prosecutors said astrostress.com conducted or attempted to conduct 700,000 DDoS attacks and had 30,000 registered users.
The domains seized were:
- shock-stresser.com
- stresserai.com
The six people charged were:
- Jeremiah Sam Evans Miller, aka “John The Dev”, 23, of San Antonio, Texas, is charged with conspiracy to violate, and with violating, the Computer Fraud and Abuse Act in connection with the alleged operation of a booter service named RoyalStrasser.com (formerly known as Supremesecurityteam.com).
- Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337”, 37, of Belleview, Florida, is charged with conspiracy to violate, and with violating, the Computer Fraud and Abuse Act in connection with the alleged operation of a booter service named SecurityTeam.io.
- Shamar Shattock, 19, of Margate, Florida, is charged with conspiracy for allegedly running a booter service known as Astrostress.com.
- Cory Anthony Palmer, 22, of Lauderhill, Florida, is charged with conspiracy for allegedly running a booter service known as Booter.sx.
- John M. Dobbs, 32, of Honolulu, Hawaii, is accused of aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service named Ipstressor.com, also known as IPS, between 2009 and November 2022.
- Joshua Laing, 32, of Liverpool, New York, is accused of aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service named TrueSecurityServices.io between 2014 and November 2022.
None of the six has yet pleaded guilty, and all are expected to appear in court for the first time early next year.
The charges and seizures are part of “Operation PowerOFF,” an ongoing campaign by international law enforcement agencies to dismantle criminal DDoS-for-hire services.