Cybercrime , Cybercrime as-a-service , DDoS Protection
Defendant Pleaded Guilty to Disrupting Sony Online Entertainment and Others(euroinfosec) • July 4, 2019A distributed denial-of-service attacker who crashed a popular gaming service one Christmastime has been sentenced to serve 27 months in prison.
See Also: Webinar | Passwords: Here Today, Gone Tomorrow? Be Careful What You Wish For.
Utah resident Austin Thompson, 24, was sentenced on Tuesday in San Diego federal court and also ordered to pay $95,000 in damages to one of his victims: Daybreak Games, formerly known as Sony Online Entertainment.
On Nov. 6, 2018, Thompson pleaded guilty to one charge of damaging protected computers, admitting that he launched DDoS attacks from Dec. 19, 2013, to Jan. 6, 2014, when he was 17, that caused at least $95,000 in damages.
Thompson had faced a maximum of 10 years in prison and a $250,000 fine. His case was investigated by FBI's San Diego office as well as the U.S. Air Force Office of Special Investigations.
"Denial-of-service attacks cost businesses and individuals millions of dollars annually," says U.S. Attorney Robert Brewer. "We are committed to prosecuting hackers who intentionally disrupt internet access."
In a statement, the Department of Justice says Thompson's two-month DDoS attacks "were directed mainly at online gaming companies and servers," including Sony. At the time, Sony's networks were a frequent target for attackers (see DDoS Gang Targets Sony).
"Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted 'scalps' (screenshots or other photos showing that victims' servers had been taken down) after the attack," the Justice Department says, citing the defendant's plea agreement. "The attacks took down game servers and related computers around the world, often for hours at a time."
The @DerpTrolling account claimed to have been launching DDoS attacks since at least 2011, when Thompson would have been approximately 14 years old.
"His group, 'DerpTrolling,' was allegedly behind several denial-of-service attacks on online service for several SOE games, plus Battle.net, League of Legends, and Dota 2 in late 2013," the Justice Department says.
At least some of the group's attacks appeared designed to disrupt James Varga, a popular gaming live-streamer who uses the handle PhantomL0rd. Varga said the group also appeared to have "swatted" him by calling police and warning that there was a crime in progress at his house.
When Varga asked Derp online what its objectives were, the reply read: "For the lulz."
It's not clear how Thompson or other members of his group effected the DDoS attacks - for example, if he used popular but illegal DDoS-on-demand services, aka stresser/booter services.
Thompson appears to have been doxed multiple times, meaning his DerpTrolling identity was publicly linked to that of Austin Taylor Thompson, of St. George, Utah, born in May 1995. According to unverified information that was published online, Thompson joined the U.S. Air Force in August 2013, meaning that the attacks would have occurred when he was serving in the military. That would explain why the U.S. Air Force Office of Special Investigations was involved in his case.
Some Aspects of Case Remain Unclear
It's unclear when Thompson was first arrested and what he's been doing since then.
The Department of Justice couldn't be immediately reached for comment outside of normal business hours.
The first public records in the case against Thompson appeared on Nov. 6, 2018, when he filed both a waiver of indictment and plea agreement.
A waiver of indictment means that a defendant forgoes their right to have charges brought against them by a grand jury. Writing online, Tampa, Florida-based federal criminal attorney Jason Mayberry says that waiving the indictment is a strategy sometimes pursued if the evidence against a suspect is substantial. "If there is very little doubt that an indictment will be returned and that the evidence against you is overwhelming, cooperation may be your best bet and that can often start with waiving indictment," Mayberry writes.
Selected Court Records Unavailable
While most documents pertaining to Thompson's case are publicly available via the U.S. government's electronic public access service Public Access to Court Electronic Records, attempts on Thursday to access his plea agreement, filed on Nov. 6, 2018, returned this message: "You do not have permission to view this document."
Thompson's defense attorney, Hector Jesus Tamayo, couldn't be immediately reached for comment outside normal business hours.
The court's judgment against Thompson states in part that after his release from prison, he is not allowed to "use or possess devices which can communicate data via modem or dedicated connection and may not have access to the internet without prior approval from the court or the probation officer." In addition, he must "consent to the installation of systems that will enable the probation officer to monitor computer use on any computer owned or controlled by the offender."
Stresser/Booter Disruptions Continue
While Thompson's DDoS attack spree may have ended in 2014, such attacks live on. Authorities say they're aided in large part by the ready availability of stresser/booter services as well as a seemingly endless supply of children who want to try and disrupt gaming sites (see Cybercrime Gangs Advertise Fresh Jobs, Hacking Services).
Such attacks also continue to be driven by extortionists, as well as others with an "ideological, political or purely malicious reason," the EU's law enforcement intelligence agency, Europol, says in its 2018 Internet Organized Crime Threat Assessment, released last September (see Cybercrime: 15 Top Threats and Trends).
Europol notes that in 2017, the volume of DDoS attacks was second only to malware, adding that on-demand disruptsions were "also becoming more accessible, low cost and low risk," thanks to ongoing, easy access to "stresser/booter" services (see Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).