October 6, 2016

The U.S. Justice Department has charged two 19-year-old men alleged to be core members of the hacking groups Lizard Squad and PoodleCorp. The pair are charged with credit card theft and operating so-called “booter” or “stresser” services that allowed paying customers to launch powerful attacks designed to knock Web sites offline.

The PoodleCorp/PoodleStresser attack-for-hire service. Image: USDOJ.

Federal investigators charged Zachary Buchta of Fallston, Md., and Bradley Jan Willem Van Rooy of Leiden, the Netherlands with conspiring to cause damage to protected computers.

According to a statement from the U.S. Attorney’s Office for the Northern District of Illinois, Buchta, “who used the online screen names “@fbiarelosers,” “pein,” “xotehpoodle” and “lizard,” and van Rooy, who used the names “Uchiha,” “@UchihaLS,” “dragon” and “fox,” also conspired with other members of Lizard Squad to operate websites that provided cyber-attack-for-hire services, facilitating thousands of denial-of-service attacks, and to traffic stolen payment card account information for thousands of victims.”

The PoodleCorp’s “Poodlestresser” attack-for-hire service appears to have drawn much of its firepower using an application programming interface (API) set up by the proprietors of vDOS — a similar attack service that went offline last month following the arrest of two 18-year-old Israeli men who allegedly ran vDOS.

vDOS was hacked earlier this summer, and a copy of the user database was shared with KrebsOnSecurity. The database indicates that Poodlestresser was among vDOS’s biggest clients, and that KrebsOnSecurity was a frequent target of the attack-for-hire services.

Federal investigators allege that van Rooy and Buchta also operated a service called phonebomber[dot]net, a site that enabled paying customers to select victims to receive repeated harassing and threatening phone calls from spoofed phone numbers. The service, which cost $20 per month, would call the target number once per hour with pre-recorded messages. Here’s one of those messages, according to the Justice Department:

“When you walk the fucking streets, Motherfucker, you better look over your fucking back because I don’t flying fuck if we have to burn your fucking house down, if we have to fucking track your goddamned family down, we will fuck your shit up motherfuck.”

According to a complaint (PDF) filed by the United States Attorney for the Northern District of Illinois, at least one incarnation of the attack-for-hire services included a section where customers could purchase stolen credit cards. The government alleges that the card shop contained approximately 347 pages of payment card data available for purchase, with each page appearing to contain approximately ten records.

Buchta was arrested last month in Maryland and was slated to make an initial court appearance in Chicago on Wednesday. Authorities in the Netherlands arrested van Rooy last month and he remains in custody there. The conspiracy charge carries a maximum sentence of ten years in prison.


49 thoughts on “Feds Charge Two In Lizard Squad Investigation”

  1. Tim

    I can see how these guys made money, but why would anyone pay for these services?

    1. WingerLife

      I’m almost certain most of their business came from other angry nerds who were probably toxic and wanted retaliatory denial of service attacks against people. You wouldn’t imagine how toxic some of these online people can be.

    2. Cerious

      I’ve run a gaming community for ten plus years and our servers are a constant target for these stressors.

      Our server IPs appeared in the dump. And to our shock one of our IPs appears as the originating IP calling for the attack. It happened two months before we leased that IP. I contacted our GSP (game server provider) with the info and passed the dump along to them.
      It turns out the previous customer was using it as a VPN. I don’t know if any more info was discovered.

      Thanks for all you do Krebs. It helps.

    3. NodOff

      School districts in the US are frequently DDos’d, especially around testing time.

  2. SJM

    At last! These guys were so full of themselves, good thing they will now have to face the consequences of their acts. You reap what you sow.

  3. IA Eng

    Not a better time for the four of these thugs to get the book thrown at them. Set a tone that even though they are/were young, obnoxious, applied limited thinking skills and think they are above receiving any jail time, they DO get a good dose of it. Someone has to be hung out for all the other wanna-be’s to see what’s coming to them if they think they are going to get a slap on the wrist, community service and no internet for like 2 weeks.

    Potentially they are felons, give them a sentence like one. One can only hope.

    1. MIKE COXLONG

      This same ignorant thinking has Ross Ulbricht in SOLITARY CONFINEMENT FOR LIFE for creating a marketplace that allowed dealers to sell their wares. It’s extremely ignorant and not the correct way to go about things.

      1. Greg D.

        The judge in that case was trying to set an example for all people who were even contemplating setting up a site similar to Silk Road. Doesn’t seem to have worked as there are a couple of wannabe-Silk Road sites out there. Still I have no pity for Ross and believe he deserves his sentence 100%. Remember that he was ordering people to be murdered and he was under the impression that these “hits” were actually occurring. As much as a nice guy the media tried to make him out to be, that behavior shows his true character. Cold blooded idealist demagogue that was a true danger to society and law and order.

      2. Jarek

        While I agree with you in spirit, Ulbricht absolutely, undeniably ordered the murders of at least two people (and possibly more). And not even for remotely justifiable or self-defense related reasons.

        So, I have no sympathy. Let him rot.

  4. mark

    I look forward to their sentencing, when they get five? ten? years in jail, with, given their computer expertise, no access to prison computers, and their only contact with the outside world are snail mail, and the massively overpriced (and corrupt in jail) phone calls..

  5. Anonymous

    YESSSS!

    Hopefully this will start happening to more and more of these lil skiddie types. They get a lil slice of power and then think they are internet gods and untouchable.

    Lock them all up and throw away the keys. Make examples out of them.

    1. Sean

      I agree that these kids are getting way ahead of themselves but let’s be honest who didn’t do something incredibly stupid, possibly criminal and something we all look back on as an adult and regret between the ages of 18-24? Instead of putting these kids in jail we need to chain them to a desk and make them work for the systems they once attacked. I believe that given the opportunity the use of these troubled youths could be molded into a great asset for the security community. What they did was wrong and deplorable but locking them up and throwing away the key, in my opinion, is a waste of resources!

      1. EricksonT

        >> locking them up and throwing away the key, in my opinion, is a waste of resources!

        Not sure I want that kind of resource in my house, think I will stick with the honest proven individual that ‘didn’t’ break the law thinking they would never get caught.

        1. Bill

          “Not sure I want that kind of resource in my house”

          Too late. Prisoners are working for major corporation call centers. You thought calling your credit card company was safe?

      2. Rick

        Wow, really? You act like they egged a house. It is patently obvious you are unfamiliar with the case and clearly fail to comprehend the magnitude of their crimes. Since when did a high school prank ruin lives and run costs for companies and organizations to over a billion, that’s billion with a b, dollars.

        At least where they are headed there will be no Denial of Service.

      3. BrianKrebs Post author

        I’m with Erickson and Rick here. Sean, it’s not like we’re talking about a night of youthful indiscretion, like keying some cars or setting fire to a dumpster.

        These kids hacked, extorted, threatened countless people, and held entire businesses offline for extended periods of time, costing them no doubt countless millions. The sheer disruption they caused by their actions needs to have consequences, and people need to stop acting like these are somehow victimless crimes.

        The one sentiment I absolutely can’t stand in response to this level of malice is that we should somehow give these guys a job. I would entertain that idea for kids who could get an intervention at a much younger age, but once they’ve been doing this for a while they develop seriously sociopathic tendencies and the rate of recidivism into the criminal side of things for these guys is very high.

        1. Dustin

          Case study Mitnick. They gave him a job and look at him now.

          1. BrianKrebs Post author

            Not the same at all. Mitnick and others from his generation were about getting one over on The Man, which was kind of a conflation between the US Govt and Ma Bell.

            The kids doing the above are malicious sociopaths who are in it for the money, to hurt others and for the strokes that it gives their egos from the virtual little worlds they’ve built around themselves.

          2. BrianKrebs Post author

            Also, who “gave” Kevin a job? It didn’t work like that. Seems to me you’re just talking out the other end.

  6. Richard

    I hope this is not off-topic. The last couple of weeks I’ve answered 3 calls that turned out to be recorded marketing calls. I couldn’t hang up on them. A couple times each, I hung up, waited a few moments, then SEVERAL moments, and I couldn’t break the connection. This is new to me. My phone line is tied up a few minutes each time. That could be serious harassment if done repeatedly.

    1. Catwhisperer

      That can be useful Richard. I had that happen, and their end didn’t hang up and I could hear the background conversations in their office. Sadly not well enough to get any pertinent information from that listening. Those usually come from auto-dialer systems that can be used for other nefarious purposes.

      I’ve had DDoS attacks on my servers over the years hosting a modest IT business website. If I post something that ruffles feathers, I get DDos or email spam. Upgraded hosting has helped mitigate that…

    2. timeless

      NeoWin has a thread talking about it [1].

      StackExchange [2] describes it as “Call Clearing”/“Called Subscriber Held”/“Called Party Clear”

      Roughly, in certain places in the old analog days, since calls were billed (by time) to the caller, it made sense to someone (and required less signaling support) to rely on the caller to hang up.

      FWIW, when I call into call centers w/ my cell phone, sometimes it seems like they need me to hang up on them, otherwise the call isn’t released — I’m not sure if this is more of some odd edge of how a PBX might be implemented…

      [1] https://www.neowin.net/forum/topic/1130388-automated-robocall-that-you-cant-hang-up/
      [2] http://security.stackexchange.com/questions/100268/does-hanging-up-on-a-uk-landline-call-not-terminate-the-connection

  7. Starfall

    Wow. Alright, good job FBI. Didn’t expect that one.
    Still not quite sure if they got ’em all though… by my count there’s two left, one in the UK and one unidentified.

    Maybe those guys have disappeared by now, or decided it’d be better to give up. I dunno.

    1. Hayton

      “Two left”? More than that, I think. Brian’s been writing about and exposing the Lizard Squad for nearly two years now. Time to revisit his earlier articles, maybe – here’s a sample, for starters.

      http://krebsonsecurity.com/2014/12/whos-in-the-lizard-squad/

      https://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail

      https://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked/

      If Buchta is “pain” or “pein” then he is only one of four hackers who named themselves on a hacked webpage –
      “A previous attack on gaming and media streaming site Machinima, Inc. names Criminal, Jordie, Pain and Plague as the hackers”.
      http://www.bbc.co.uk/newsbeat/article/30306319/who-are-lizard-squad-and-whats-next-for-the-hackers

      So there are more still to be uncovered. I hope Brian is still on the case.

        1. Starfall

          To clarify, Jordie was a spokesperson/scapegoat for the smarter members. Criminal was minimally involved and simply had his name mentioned.

  8. Robert Bamford

    Three CloudFlare-user domains down, three million to go.

    1. CaptainObvious

      Did you actually read the linked PDF? Says CloudFlare helped here.

      1. Robert Bamford

        Yes, I read it. CloudFlare helped those lizards for months by hiding their original IP addresses. Then the FBI comes knocking on their door and CloudFlare says, “Oh good gracious! Are they bad guys? We had no idea!”

        Give me a break.

  9. Mahhn

    Good job FBI.
    Now if your bosses would let you start going after crooked politicians instead of pandering to them, that’d be great, mmmkay.

  10. tanya

    Lizard squad was made by the FBI. You meet these guys in the so cold dark forums or something, but easy to find in google. Once the 19 year old kid starts the secret chat messenger program advertised by them, you go a story.
    It’s pathetic.

    1. Greg D.

      Where is the evidence that Lizard Squad was made up by the FBI? I have heard a couple of people claim this but I looked and can find nothing resembling evidence of that claim. Just curious, that’s all.

  11. VW

    And what happened to those running vDOS? They were arrested and released the next day or are they still locked up?

  12. Jay

    Ah, good..they finally got these rats. PoodleCorp was the responsible group for crashing the Pokémon game down for an entire weekend during its opening debut. Hopefully they lock these thugs up for a while.

  13. CP127

    I hope the FBI isn’t using released stolen purchase records (from vDOS) as evidence against these guys. What a massively slippery slope that would be. The timing certainly suggests a relation between the two events.

  14. GreyPeterson

    Well color me surprised. I thought PoodleCorp spent all their time DDoS’ing game servers. I didn’t think they trafficked stolen credit card data too.

  15. vb

    There is a reason why harassing and threatening phone calls are nearly a thing of the past. The phone companies are damn good at tracing calls. These dorks are so very wrong in thinking that spoofed phone numbers were going to hide them.

    Once a complaint is made, the police and phone companies trace the calls using ANI (Automatic Number Identification determines the origination telephone number for billing purposes). Spoofing the caller ID is laughable.

    1. Dick Masterson

      Seems to me like you don’t have a clue how these things work. The attackers use stolen credit cards to fill stolen Skype accounts with credits, then they VPN and proxy up and make calls as they wish.

      Really nowhere even close to spoofing.

  16. Andy Brice

    I guess fellow convicts will now “stress” test them ;), I wonder how they like them apples now?
