A British man who pleaded guilty to selling homemade distributed denial-of-service attack tools reportedly used to carry out more than 600,000 attacks has escaped jail time, with a judge calling him "young and naïve."
See Also: The Inconvenient Truth About API Security
Grant Manser, 20, who lives in Kidderminster, England, appeared last week in Birmingham Crown Court, where he pleaded guilty to six charges under the U.K. Computer Misuse Act, as well as four charges under its Serious Crime Act, the Birmingham Mail newspaper reports.
Judge Nicholas Cole imposed a two-year sentence on Manser - to be served in a youth detention center. But the judge suspended imposing that sentence for 18 months. That means that if Manser stays out of trouble for 18 months, he'll avoid jail time. Cole also sentenced Manser to 100 hours of unpaid community service and an £800 ($1,100) fine.
Manser's attorney, Jamie Baxter, told the court that his client wasn't a hacker, hadn't ever stolen or sold information, and programmed his software to avoid certain types of targets, including banks, healthcare organizations, police agencies and the FBI, Birmingham Mail reports. "He is not a hacker; the system doesn't take or hack any information from the websites being attacked," Baxter said. "He was only 16 when he started to do this and it was his immaturity and naivety which led him to commit these offenses."
Prosecutor Raj Punia told the court that Manser created four pieces of "stresser" software - named Dejabooter, netspoof, Refinedstresser and Vexstresser - that sold for £5 to £20 ($7 to $29) via unnamed "dark web" sites.
While that might seem inexpensive, the price range is typical for many of today's cybercrime tools and services. On the outsourcing front, for example, several Russian underground markets charge $5 per hour or $50 per day to wage a DDoS attack on a site, according to a new report from Dell SecureWorks. For longer disruptions, Dell researchers found that attackers were charging $200 per week - $350 if the site to be disrupted had anti-DDoS defenses in place - or $1,000 per month.
Illegal DDoS Attacks
As with the Russian outsourced DDoS services, Manser's software was not sold for the legitimate purpose of testing websites' resiliency, but instead to enable buyers to launch illegal DDoS attacks, Birmingham Mail reports. Punia told the court that Manser started his business at the age of 16, in January 2012, and that it ran until November 2014, when he was arrested by England's West Midlands Regional Cyber Crime Unit. At that point, she said, Manser counted nearly 4,000 clients who had paid him a total of £50,000 ($71,000) via PayPal and used his software to carry out more than 603,000 DDoS attacks against almost 225,000 targets (see How Do We Catch Cybercrime Kingpins?).
Manser ploughed his earnings into buying better computer equipment and fixing up his motorcycle and was so successful that he was advertising for additional employees, Birmingham Mail reports (see Cybercrime Recruiters Want You).
Punia told the court that the victims of Manser's DDoS floods against websites, servers and email addresses included not only businesses but also schools, colleges and government agencies across not just the United Kingdom, but also other EU countries - including France, the Netherlands and Poland - as well as the United States. Manser reportedly told police that he cooked up the DDoS software business after working for someone in the United States who was running a similar scheme and witnessing the profit potential.
Stresser Software Arrests
Manser isn't the first young man to be arrested for selling or using stresser software. Last year, for example, the U.K.'s National Crime Agency announced that it arrested six teenage boys for buying and using the online "Lizard Stresser" DDoS tool sold by hacking gang Lizard Squad, and that it was visiting and warning 50 other individuals - one-third of whom were teenagers - who it believed had registered for the service, but not yet used it (see UK Police Detail DDoS-for-Hire Arrests).
The preponderance of young hacking offenders is concerning and begs the question of whether sentences should be more severe. But Dublin-based cyber psychology expert Grainne Kirwan says that most young people who commit crimes tend to naturally stop doing so as they "age out," referring to their getting more responsibilities - including a job, long-term relationship, mortgage or children - that leave little time for cybercrime (see Young Hackers: Jail Time Appropriate?).