Federal prosecutors on Wednesday charged six people for allegedly operating websites that launched millions of powerful distributed denial-of-service attacks on a wide array of victims on behalf of millions of paying customers.
The sites promoted themselves as booter or stressor services designed to test the bandwidth and performance of customers’ networks. Prosecutors said in court papers that the services were used to direct massive amounts of junk traffic at third-party websites and Internet connections customers wanted to take down or seriously constrain. Victims included educational institutions, government agencies, gaming platforms, and millions of individuals. Besides charging six defendants, prosecutors also seized 48 Internet domains associated with the service.
“These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone’s ability to access the Internet,” Martin Estrada, US attorney for the Southern District of California, said in a statement. “This week’s sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the internet’s infrastructure and our ability to function in a digital world.”
The services offered user interfaces that were essentially the same except for cosmetic differences. The screenshot below shows the web panel offered by orphicsecurityteam.com as of February 28. It allowed users to enter an IP address of a target, the network port, and the specific type of attack they wanted. The panel allowed users to pick various methods to amplify their attacks. Amplification involved bouncing a relatively small amount of specially crafted data at a third-party server in a way that caused the server to pummel the intended victim with payloads that were as much as 10,000 times bigger.
Ironically, most of the services relied on DDoS protection, such as that from content delivery network Cloudflare, to keep from being taken down by DDoSes themselves. In some cases, defendants relied on Cloudflare’s free tier, with others using a more advanced tier that required payment.
According to an affidavit filed on Wednesday, some of the services had staggering numbers of registered customers and attacks launched. For instance, logs indicate that a service called ipstressor.com had 2 million registered users, with 1 million of them conducting DDoSes. The service conducted or attempted to conduct 30 million DDoSes between 2014 and 2022. Securityteam.io allegedly conducted or attempted to conduct 1.3 million attacks and had 50,000 registered users. Prosecutors said astrostress.com conducted or attempted to conduct 700,000 DDoSes and had 30,000 registered users.
The domains seized were:
- shock-stresser.com
- stresserai.com
The six individuals charged were:
- Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, is charged with conspiracy to violate and violating the Computer Fraud and Abuse Act related to the alleged operation of a booter service named RoyalStresser.com (formerly known as Supremesecurityteam.com).
- Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” 37, of Belleview, Florida, is charged with conspiracy to violate and violating the Computer Fraud and Abuse Act related to the alleged operation of a booter service named SecurityTeam.io.
- Shamar Shattock, 19, of Margate, Florida, is charged with conspiracy for allegedly running a booter service known as Astrostress.com.
- Cory Anthony Palmer, 22, of Lauderhill, Florida, is charged with conspiracy for allegedly running a booter service known as Booter.sx.
- John M. Dobbs, 32, of Honolulu, Hawaii, is charged with aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service named Ipstressor.com, also known as IPS, between 2009 and November 2022.
- Joshua Laing, 32, of Liverpool, New York, is charged with aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service named TrueSecurityServices.io between 2014 and November 2022.
All six have yet to enter a plea and are expected to make their first court appearance early next year.
The charges and seizures are part of “Operation PowerOFF,” an ongoing campaign by international law enforcement agencies to dismantle criminal DDoS-for-hire services.