20
Nov 19

DDoS-for-Hire Boss Gets 13 Months Jail Time

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running multiple DDoS-for-hire services that launched millions of attacks over several years. This individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both the defendant and his father and urged the latter to take a more active interest in his son’s online activities.

A screenshot of databooter[.]com, circa 2017. Image: Cisco Talos.

The jail time was handed down to Sergiy P. Usatyuk of Orland Park, Ill., who pleaded guilty in February to one count of conspiracy to cause damage to Internet-connected computers and owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com, databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

According to the U.S. Justice Department, in just the first 13 months of the 27-month long conspiracy, Usatyuk’s booter users ordered approximately 3,829,812 DDoS attacks. As of September 12, 2017, ExoStresser advertised on its website that this one booter service had launched 1,367,610 DDoS attacks, and caused targets to suffer 109,186.4 hours of network downtime (-4,549 days).

Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez,” among others — admitted developing, controlling and operating the aforementioned booter services from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an assistant professor at the University of Illinois at Chicago. I did so because a brief amount of sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the time went by the nicknames “Rasbora” and “Mr. Booter Master” — was heavily involved in helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is] doing. If you think that is any kind of illegal work, please, let me know.”

That 2014 story declined to quote Rasbora by name because he was a minor then, but his father seemed alarmed enough about my inquiry that he insisted his son speak with me about the matter.

Here’s  an excerpt of what I wrote about Sergiy at the time:

Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

I’m guessing young Sergiy never had his Internet privileges revoked, nor did he heed advice to use his skills for less destructive activities. His dad hung up on me when I called Wednesday evening requesting comment.

In addition to serving the 13-month jail sentence and three years of supervised release, Usatyuk will forfeit $542,925 in proceeds from the scheme, as well as dozens of servers and other computer equipment that powered his many DDoS-for-hire businesses.

Tags: , , , ,

42 comments

  1. It’s all too common that parents believe their kids can do no wrong, even when confronted with the evidence. When it’s something technology related, many parents don’t know enough to understand the evidence.

    Brian, thank you for trying to help this family.

  2. Funny, growing up playing on Call of Duty, how many of these websites are so popular amongst gamers and modders (“cheaters”) alike.

    The fact that getting a players IP was so easy and how a “free booter” (QuezStresser) is so enticing grew made the perfect breeding ground for skids to DDoS enemy teams and people who they didn’t like (usually other “modders”).

  3. The Sunshine State

    Sergiy Usatyuk father wasn’t a very good role model getting his son on the straight and narrow on following the rules in life.

    • Mikey Doesn't Like It

      @The Sunshine State:

      There’s a difference between being a role model (i.e., setting standards of behavior by example) and simply being sufficiently “connected” with his own son to have some idea what he was up to.

      The boy may have been “well-behaved” in public, but a good parent will have some idea about what’s going on behind the closed door of the son’s bedroom.

      This professor should have received some tutoring…

  4. That sentence is nowhere near long enough. Where’s the deterrent?

    This isn’t a kid who stumbled across a website with a directory traversal vulnerability or who discovered you could put any number you liked in a URL and retrieve content!

    It’s a kid that damaged legitimate businesses for money!

    • Unless he’s more of a financial genius than he was a “covering his tracks” genius, by its size the forfeiture looks complete. He probably hasn’t realized a dime after his apprehension, and he doesn’t sound old enough or worldly enough to have dropped much on Dom Perignon and the VIP room while his scam was operational.

      It costs taxpayer money to keep anyone ‘in stir.’ A year of “time”–even in a Club Fed–will be a rude awakening for someone from the sheltered life he seems to have led. Unless he’s incorrigible, his sentence will probably be a strong enough deterrent to keep him out of major crime. That will be a good return on our “investment.” For intelligent, young, prospective crooks, the total forfeiture will be a strong warning. In my opinion, that will be at least as good as a long sentence would have been, and to belabor the point, cheaper than long imprisonment.

  5. If he comes out of the prison sentence all tatted up and primed to go even deeper into a life of electron-oriented crime, there won’t be much good to show for his incarceration. Hope that Brian keeps in touch with him and his father, and provides a periodic update as the sentence unfolds.

  6. Please don’t treat these kinds of cyber criminals as some kind of geniuses. Doing a DDoS attack requires the lowest of skills that even an idiot can do. There’s no wizardry involved in it. Just flood the server with traffic and that’s it. You don’t even have to write your own script for that – just use what has already been written. Like most of these script kiddies do.

  7. I hope 13 months is long enough for this kid to learn his lesson! I doubt that it really is. He needs to refocus his energies towards something productive. Maybe follow his dad’s lead and become a Professor in information systems?

    Thanks Brian for keeping up with this story.

  8. Hmmm. It seems like the father is lot more interested in his son’s online activities now.

    Once again, another laughably light sentence for cyber crime. The sentence is lighter than the one faced by Coalfire’s pentesting team members who were arrested by the the very agency they were testing!

    • I think it’s fine for someone who was a minor at the time. Despite the destruction, a long sentence at that age can run the rest of his life. In the US spirit of rehabilitation, I hope it all works out for him.

      • Quite so. The goal here should be to help both the son and the father understand how to channel the son’s efforts towards building something better in the world, not merely destroying things. This is true even you someone has some form of “good” reason for the destruction/damages.

        If the son doesn’t learn that lesson then he really should expect more prison time, or worse depending on just who he attacks.

    • As other’s have pointed out, keeping this guy in jail isn’t free. It costs upwards of $50k/year. If he can be deterred, keeping him in for 13 months should do the job. No need to double down on mistakes made elsewhere.

      Speaking of which, I wasn’t aware the Coalfire guys had been tried yet, let alone sentenced. Link?

  9. I never tired of receiving these e-mails from Brian. I only wished there were many more people like him, willing to dedicate time and effort to find and disarm these computer criminals.

    • There actually are. They just don’t always focus on the cyber side of things.

      You don’t get kids shooting up schools without serious breakdowns in inter generational ties that bond people to each other and humanize them. A lot of people are parents in name only and a lot more are parents because they couldn’t avoid it. Because of that a lot of kids are growing up being neglected and since more and more people these days have less and less free time, people aren’t looking out for and getting these kids the help they need to keep from turning into their own parents (best case scenario) or killers (worse case scenario).

      Online gaming forums, PC building and coding forums, and firearms, knives, and combat forums are filled with kids just trying to do the best they can without having adults interested in their even being alive.

      And it’s been like that for quite some time.

  10. good content,thank you for sharing

  11. In a season when the Ukraine has been mentioned in nearly every news hour, it’s amusing that this article draws no comment about the convict’s traditional Ukrainian name, middle name, and surname.

    • Because like the character attacks against Vindman,… it doesn’t matter. It isn’t relevant to the facts and is only brought up to smear and demonize based on nationality.

  12. Well, you certainly went out of your way to offer him a way out. Some people have to face harsher consequences than a parental slap on the wirst, maybe?

    Also, I appreciate how you follow up on old stories, which in other news media may have faded from the focus they had when first reported.

  13. This is impressive on a technological perspective, but on the other end is just criminal intention. You did the right thing and the kids blindness led to punishment, hopefully he was enlightened about ethical hacking. At first i remember studying code because i hated being picked on, now Im over it and just wanna use my powers for the greater good, to see you do all these amazing things and write reports on critical stories that give the world perspective on criminal hackers.. is truly inspirational. I hope to be like you one day, I don’t want to go to jail. I come from a neighbourhood of criminals and its an ugly environment, last thing i would ever consider dreaming of in my life, is crimes against humanity. I too take interest in Slavic language but i am native american(canadian), i really am impressed by the cyber criminals we have today, but in the long run all i see is career suicide and lack of education into moving on with better choices. Hai Hai (thank you in Cree native language).

  14. I am not sure throwing someone into jail for mistakes made when one was only 15 years old is the right approach. What 21 year old Sergiy would be able to do with his life after his sentence concludes, other than go back to the life of cybercrime? He won’t be able to get a job in IT with a record, that much is certain.

    • Mikey Doesn't Like It

      @Anon:
      You mean like Kevin Mitnick, Frank Abagnale and (undoubtedly) others?

      Aside from serving as meaningful punishment for something that (even at 15) the kid knew was wrong — and the damage it created — it may well help him make a wiser choice to become an ethical hacker. If he’s good at it, he could do very well indeed, and he (and we) are all the better for it.

      • I agree, it should be taken into account the potential to be a productive member of society if rehabilitation is successful.

        But lets actually use the facts to compare him to the short list of successful ex-cons who use their talent for good.

        Was there a significant showing of remorse and contrition that suggests he will turn it around?

        The motivations the most successful ex cons usually involved curiosity, excitement or the classic “under achieving genius” personality. Beating the system was usually the reward. Is this the case? Probably not.
        This crime of DDOS is way more emotional (rage quitting a video game opponent) and his goal seems to be making money on providing this service to others.

        Also, the technical talent needed is WAY LOW. This is script kiddie stuff. So what talent could even be used for good?

        • So what’s the alternative? Throw him in prison for the remainder of his life because, at 15, he demonstrated no ability to ever be a productive member of society?

          What were you doing when you were 15? Would a summary judgement of your life’s accomplishments up until that point been an adequate benchmark for what you’ll accomplish for the rest of your life?

          There are plenty of ex-cons who go on to live long productive lives. You don’t hear about them because they don’t feed the prison industrial complex narrative.

          • The alternatives aren’t at either extreme… so please save the hyperbole.
            I happen to agree with the short sentence. His life doesn’t need to be destroyed, and I think 1 year serves as good rehab.

            What I was refuting, was the concept that he should be given leniency based on the technical skill of the crime.
            We have a bunch of arrogant people who consider themselves “elite” and thus should be given special consideration from the criminal justice system. They point to the rare geniuses who managed to actually be smarter than law enforcement, and thus a valuable asset to work for the good guys.

            He indeed should be given the opportunity to be a contributing member of society when his sentence is complete… but this kid will probably still have to start in the Geek Squad at Best Buy, and go to college to learn cyber security, because nothing in his criminal activities suggest he is particularly smart.

        • Mikey Doesn't Like It

          @Joe:

          “…it should be taken into account the potential to be a productive member of society if rehabilitation is successful.”

          You seem to be hung up on this perp’s technical skills (or lack thereof). But that’s not what courts base their sentences on. Genius or lack thereof don’t play into these decisions.

          Courts assess penalty based on the nature of the crime (whether with or without skills) AND the impact on the victims, both tangible ($$) and intangible.

          The only other criterion a judge will consider is whether this person constitutes a danger to society. The judge can only “hope” that he has been rehabilitated — but ultimately, in this case, that’s for the kid to decide.

          In the cases of Abagnale and Mitnick, the judges had to base their sentences on the factors I mentioned above. Fortunately, both A & M took the high road. (And it ha$ certainly paid off for them.)

          Sergiy’s technical skills may or may not be that impressive, but he wa$ good enough to ama$$ a tidy $um for his “kiddie stuff” efforts. He couldn’t be totally stupid.

          Time will tell which path he chooses when he completes his sentence. Let’s hope that he takes whatever skills he has and applies them to something positive. (And that his father pays a bit more attention to his son.) Lest we read about him again here!

          • “You seem to be hung up..”.
            Nope, just responding to one of the many comments that had already brought up / suggested that technical skills ‘should’ play a role.

            “But that’s not what courts base their sentences on.”
            Yep… and I agree with that, which is why I wrote..
            “I happen to agree with the short sentence. ….
            What I was refuting, was the concept that he should be given leniency based on the technical skill of the crime.”

            “He couldn’t be totally stupid”
            That isn’t what I said or even suggested. That is an extreme. Yes, people with questionable morals can amass lots of money until they get caught. Street drug dealers can make a lot too, I don’t call them smart, nor stupid. Yet people don’t suggest they should get special consideration based on how well they did in the criminal world.

            Several comments here seem based on ego, and projecting their own arrogant belief that their personal skill would somehow make a difference if they were to find themselves in front of a judge.
            This isn’t really about Sergiy. It is about people here wanting to live in a world that appreciates their own talent. And so they project themselves onto this case, and it scares them that maybe nobody is going to give them any slack for being smart.

    • This type of attitude is one of the reasons society is degrading right aling side our moral integrity.

      15 y/o may be a minor according to the law, but there is a difference as wide as the universe between malum en se and malum prohibitum, and a normal 15 y/o is more than old enough to grasp every relevant perspective on the seriousness of his crimes. Nothing of the kind is lost on a 15 y/o. He can be held accountable and should be held accountable. Don’t let legislation warp your common sense. There are universal truths embedded in your soul if you are just willing to drop all the denial and accept them for what you know in your soul is right.

  15. If we put Everybody in prison who Got brain then the prisons Will be full of People and who Will pay that??
    Tax payers offcourse!
    Government should Think how to give Good jobs to smarter people instead of putting them in prison

    • Nothing in his crime portfolio suggests he has a brain. DDOS is script kiddie stuff, and anyone can sell services online. Being able to click on script files and opening an Etsy store is no indication of intelligence.

      • Things have advanced to be more simplified and modern like anything, it’s like saying making websites take no skill because there are website builders now just answers from people who have 0 knowledge on the subject.
        Oh low level networking/programing takes no skill because there is high level that made it easier for us.
        Doubt any of you saying “ddos takes no skill” would ever be able to make $550k this way, go download some scripts and try, same reason you can’t make a 100k+ salary as a network admin even though there are scripts to “manage your servers”.
        Think before you post, you sound pretty unintelligent yourself.

        • Another script kiddie ^
          No, it does not take any significant amount of skill. It does takes some patience to learn how to apply scripts, yes, and low morals to continue into what you know is illegal and harmful to others.

          Again, this myth that making lots of money means you have to be smart. That is laughable. Being smart helps… but it isn’t a prerequisite. Some gang drug dealers on the street can make a lot of money. They make it because there is high demand and they are willing to take risks to supply that demand. It doesn’t mean they are smart.
          Are you the type that hero worships the guys riding around in Bentleys, because they are “smart”?

          Being able to run drugs on a street corner doesn’t mean you are a financial genius. And being able to run scripts, or sell access to them, doesn’t mean you are a computer genius. The arrogance of these people is ridiculous.

  16. I actually knew Rasbora back before the original article on him was written. Had not heard that name in a long time. Crazy to hear.

  17. Previous comments assume that the punishment is for crimes committed at 15 yrs old. The article says he was still at it in 2017 and now he’s 21, so he was 19 at the time.
    19 is young, but he was not a schoolboy.
    As a man, he chose to continue making easy money as a criminal.
    The father has no more responsibility in this matter.

    There was a golden window when the father could have maybe turned the boy around by denying him internet privileges, but the moment he became financially independent through the proceeds of crime, there is little that the father could have done, short of reporting him to police and/or ISPs.
    But that horse has bolted.

    Maybe prison will scare him straight.

  18. People forget the primary reason for discipline. Discipline (i.e. a spanking) is not meant as punishment. It is done to change behavior. Those that ask for a harsher sentence also forget that one of the primary reasons children rebel is overly harsh discipline. Been there and done that…

    • In criminal justice, there are actually many reasons for sentencing.
      Rehabilitation is only one.
      Justice, the social concept that bad behavior is punished for the sake of good order. Its the type of society we want to live in.. that has “justice”.
      Deterrance is another. Both by that criminal, and others.
      Prevention of crime by removing the criminal from the opportunity to continue the crime.

      • there is no justice, lol justice and prison system is flawed, law enforcement is a business. you’re brain is just too small to see that.

Leave a comment