Federal prosecutors on Wednesday charged six people with allegedly operating websites that launched millions of powerful denial-of-service attacks spread across a wide range of victims on behalf of millions of paying customers.
The sites promoted themselves as booter or stresser services designed to test the bandwidth and performance of customers' networks. Prosecutors said in court documents that the services were used to direct massive amounts of junk traffic at third-party websites and Internet connections that customers wanted to knock offline or severely degrade. Victims included educational institutions, government agencies, gaming platforms, and millions of individuals. In addition to charging six defendants, prosecutors also seized 48 Internet domains associated with the services.
“These booter services allow anyone to launch cyber attacks that harm individual victims and compromise everyone’s ability to access the Internet,” Martin Estrada, US Attorney for the Southern District of California, said in a statement. “This week’s extensive law enforcement activity is an important step in our continued efforts to root out the criminal conduct that threatens the infrastructure of the Internet and our ability to function in a digital world.”
The services offered user interfaces that were essentially the same except for cosmetic differences. The screenshot below shows the web panel offered by orphicsecurityteam.com as of February 28th. It allowed users to enter a target’s IP address, network port, and the specific type of attack they wanted. The panel allowed users to choose various methods to amplify their attacks. Amplification involves bouncing a relatively small amount of specially crafted data off a third-party server in a way that causes the server to hit the intended victim with payloads up to 10,000 times larger.
Ironically, most of the DDoS services relied on DDoS protection, such as that offered by the Cloudflare content delivery network, to avoid being taken down by DDoS attacks themselves. In some cases, defendants relied on Cloudflare’s free tier, while others used a more advanced tier that required payment.
According to an affidavit filed Wednesday, some services had a staggering number of registered customers and launched attacks. For example, logs indicate that a service called ipstressor.com had 2 million registered users, of which 1 million were conducting DDoS attacks. The service conducted or attempted to conduct 30 million DDoS attacks between 2014 and 2022. Securityteam.io allegedly conducted or attempted to conduct 1.3 million attacks and had 50,000 registered users. Prosecutors said astrostress.com conducted or attempted to conduct 700,000 DDoS attacks and had 30,000 registered users.
The domains seized were:
- astrostress.com
- booter.vip
- dragonstresser.com
- ipstress.vip
- royalstresser.com
- silentstress.net
- stresser.app
- zerostresser.com
- kraysec.com
- stresser.shop
- nightmarestresser.com
- shock-stresser.com you will stress.com
The six people charged were:
- Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, is charged with conspiracy to violate, and violating, the Computer Fraud and Abuse Act in connection with the alleged operation of a booter service called RoyalStresser.com (formerly known as Supremesecurityteam.com).
- Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337”, 37, of Belleview, Florida, is charged with conspiracy to violate, and violating, the Computer Fraud and Abuse Act in connection with the alleged operation of a booter service called SecurityTeam.io.
- Shamar Shattock, 19, of Margate, Florida, is charged with conspiracy for allegedly operating a booter service known as Astrostress.com.
- Cory Anthony Palmer, 22, of Lauderhill, Florida, is charged with conspiracy for allegedly operating a booter service known as Booter.sx.
- John M. Dobbs, 32, of Honolulu, Hawaii, is charged with aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service called Ipstressor.com, also known as IPS, between 2009 and November 2022.
- Joshua Laing, 32, of Liverpool, New York, is charged with aiding and abetting violations of the Computer Fraud and Abuse Act related to the alleged operation of a booter service called TrueSecurityServices.io between 2014 and November 2022.
None of the six has yet entered a plea, and all are expected to make their first court appearance early next year.
The charges and seizures are part of “Operation PowerOFF,” an ongoing campaign by international law enforcement agencies to dismantle criminal DDoS-for-hire services.