December 14, 2022

The U.S. Department of Justice (DOJ) today seized four dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed to knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The booter service OrphicSecurityTeam[.]com was one of the 48 DDoS-for-hire domains seized by the Justice Department this week.

The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Prosecutors in Los Angeles say the booter sites supremesecurityteam[.]com and royalstresser[.]com were the brainchild of Jeremiah Sam Evans Miller, a.k.a. “John the Dev,” a 23-year-old from San Antonio, Texas. Miller was charged this week with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The complaint against Miller alleges Royalstresser launched nearly 200,000 DDoS attacks between November 2021 and February 2022.

Defendant Angel Manuel Colon Jr., a.k.a. Anonghost720 and Anonghost1337, is a 37-year-old from Belleview, Fla. Colon is suspected of running the booter service securityteam[.]io. He was also charged with conspiracy and CFAA violations. The feds say the SecurityTeam stresser service conducted 1.3 million attacks between 2018 and 2022, and attracted some 50,000 registered users.

Charged with conspiracy were Corey Anthony Palmer, 22, of Lauderhill, Fla., for his alleged ownership of booter[.]sx; and Shamar Shattock, 19, of Margate, Fla., for allegedly operating the booter service astrostress[.]com, which had more than 30,000 users and blasted out some 700,000 attacks.

Two other alleged booter site operators were charged in Alaska. John M. Dobbs, 32, of Honolulu, HI is charged with aiding and abetting violations of the CFAA related to the operation of IPStresser[.]com, which he allegedly ran for nearly 13 years until last month. During that time, IPstresser launched approximately 30 million DDoS attacks and garnered more than two million registered users.

Joshua Laing, 32, of Liverpool, NY, also was charged with CFAA infractions tied to his alleged ownership of the booter service TrueSecurityServices[.]io, which prosecutors say had 18,000 users and conducted over 1.2 million attacks between 2018 and 2022.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

Dobbs, the alleged administrator of IPStresser, gave an interview to ZDNet France in 2015, in which he asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.

“None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by Elliott Peterson, a special agent in the FBI’s Anchorage field office.

“Analysis of data related to the FBI-initiated attacks revealed that the attacks launched by the SUBJECT DOMAINS involved the extensive misuse of third-party services,” Peterson continued. “All of the tested services offered ‘amplification’ attacks, where the attack traffic is amplified through unwitting third-party servers in order to increase the overall attack size, and to shift the financial burden of generating and transmitting all of that data away from the booter site administrator(s) and onto third parties.”
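The amplification pattern Peterson describes leaves a recognizable signature in flow telemetry on the victim's side: traffic arrives from many unrelated hosts, all answering from a well-known UDP service port, with per-packet sizes far larger than the request that provoked them. The script below is an added example written for this page, not code from the article, the affidavit or any of the services named; it runs over constructed, simplified NetFlow-style records, and the reflector port list, the 120-byte request ceiling and the three-reflector alert threshold are illustrative assumptions rather than tuned values.

```python
"""Flag reflection/amplification DDoS traffic in flow records.

Added example, not taken from the article or the FBI affidavit. Input is a
constructed, simplified NetFlow-style record per line:
    src_ip src_port dst_ip dst_port proto packets octets
Assumption: a UDP reflector answers from its well-known service port, and a
per-packet size far above any plausible request is the amplification
signature. REFLECTOR_PORTS, MAX_REQUEST_OCTETS and MIN_REFLECTORS are
illustrative thresholds, not tuned values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP services commonly abused as reflectors (assumption: this short list
# stands in for a site-specific one).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}
MAX_REQUEST_OCTETS = 120   # largest request an attacker plausibly spoofed
MIN_REFLECTORS = 3         # distinct reflectors hitting one victim before alerting


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    f = line.split()
    if len(f) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(f[0], int(f[1]), f[2], int(f[3]), f[4], int(f[5]), int(f[6]))


def is_reflected(flow: Flow) -> bool:
    """Response half of a reflection: UDP from a service port, oversized packets."""
    if flow.proto != "UDP" or flow.src_port not in REFLECTOR_PORTS:
        return False
    return flow.octets / flow.packets > MAX_REQUEST_OCTETS


def find_amplification_victims(lines: Iterable[str]) -> Dict[str, dict]:
    """Group reflected flows by destination and report victims hit from at
    least MIN_REFLECTORS distinct sources. Comment and blank lines are skipped."""
    per_victim: Dict[str, List[Flow]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_reflected(flow):
            per_victim[flow.dst_ip].append(flow)

    report = {}
    for victim, flows in per_victim.items():
        reflectors = {f.src_ip for f in flows}
        if len(reflectors) < MIN_REFLECTORS:
            continue
        octets = sum(f.octets for f in flows)
        packets = sum(f.packets for f in flows)
        # Lower bound on the bandwidth amplification factor: the attacker sent
        # at most one MAX_REQUEST_OCTETS-byte spoofed request per reflected packet.
        report[victim] = {
            "reflectors": len(reflectors),
            "services": sorted({REFLECTOR_PORTS[f.src_port] for f in flows}),
            "octets": octets,
            "packets": packets,
            "min_amplification": octets / (packets * MAX_REQUEST_OCTETS),
        }
    return report


# Constructed sample: one victim hit via four reflectors, ordinary DNS and
# HTTPS traffic to a second host, and a lone SSDP reflector below threshold.
SAMPLE_FLOWS = """\
# src_ip src_port dst_ip dst_port proto packets octets
198.51.100.7  123   203.0.113.10 40211 UDP 2000  880000
198.51.100.8  53    203.0.113.10 40211 UDP 1500 4500000
198.51.100.9  389   203.0.113.10 40211 UDP 1000 1300000
198.51.100.10 11211 203.0.113.10 40211 UDP  500  700000
192.0.2.53    53    203.0.113.20 51000 UDP   40    3200
192.0.2.80    443   203.0.113.20 51234 TCP  300  420000
198.51.100.11 1900  203.0.113.30 40000 UDP  200   80000
"""

if __name__ == "__main__":
    for victim, info in find_amplification_victims(SAMPLE_FLOWS.splitlines()).items():
        print(f"{victim}: {info['reflectors']} reflectors ({', '.join(info['services'])}), "
              f"{info['octets']} octets, amplification >= {info['min_amplification']:.1f}x")
```

The amplification figure is deliberately a lower bound: flow records show only the reflected half, so the script assumes the attacker paid the maximum plausible request size per reflected packet. Real monlist or DNS ANY responses are amplified far more than that, which is the cost-shifting Peterson describes, and why the reflector count, not the byte total, is the more reliable trigger.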

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

A similar investigation initiating from the FBI’s Alaska field office in 2018 culminated in a takedown and arrest operation that targeted 15 DDoS-for-hire sites, as well as three booter store defendants who later pleaded guilty.

The Justice Department says it is trying to impress upon people that even buying attacks from DDoS-for-hire services can land Internet users in legal jeopardy.

“Whether a criminal launches an attack independently or pays a skilled contractor to carry one out, the FBI will work with victims and use the considerable tools at our disposal to identify the person or group responsible,” said Donald Alway, the assistant director in charge of the FBI’s Los Angeles field office.

“Potential users and administrators should think twice before buying or selling these illegal services,” said Special Agent Antony Jung of the FBI Anchorage field office. “The FBI and our international law enforcement partners continue to intensify efforts in combatting DDoS attacks, which will have serious consequences for offenders.”

The United Kingdom, which has been battling its fair share of domestic booter bosses, in 2020 started running online ads aimed at young people who search the Web for booter services. And in Europe, prosecutors have even gone after booter customers.

In conjunction with today’s law enforcement action, the FBI and the Netherlands Police joined authorities in the U.K. in announcing they are now running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

“The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities,” the DOJ said in a press release.

Here is the full list of booter site domains seized (or in the process of being seized) by the DOJ:

api-sky[.]xyz
astrostress[.]com
blackstresser[.]net
booter[.]sx
booter[.]vip
bootyou[.]net
brrsecurity[.]org
buuter[.]cc
cyberstress[.]us
defconpro[.]net
dragonstresser[.]com
dreams-stresser[.]io
exotic-booter[.]com
freestresser[.]so
instant-stresser[.]com
ipstress[.]org
ipstress[.]vip
ipstresser[.]com
ipstresser[.]us
ipstresser[.]wtf
ipstresser[.]xyz
kraysec[.]com
mcstorm[.]io
nightmarestresser[.]com
orphicsecurityteam[.]com
ovhstresser[.]com
quantum-stresser[.]net
redstresser[.]cc
royalstresser[.]com
securityteam[.]io
shock-stresser[.]com
silentstress[.]net
stresser[.]app
stresser[.]best
stresser[.]gg
stresser[.]is
stresser[.]net/stresser[.]org
stresser[.]one
stresser[.]shop
stresser[.]so
stresser[.]top
stresserai[.]com
sunstresser[.]com
supremesecurityteam[.]com
truesecurityservices[.]io
vdos-s[.]co
zerostresser[.]com

43 thoughts on “Six Charged in Mass Takedown of DDoS-for-Hire Sites”

  1. Reason V.

    The logic behind “I will only use this tool to test my own network” will be interesting to see once it is argued in court.
    I can see both sides, then again, I’m not a lawyer.

    1. Terri

      Nobody uses that as a defense, because a case only goes to court after it’s used against systems NOT OWNED by the defendant.

    2. ohrz

      There are legitimate Load-testing as a service providers out there such as Loader & K6

    3. Nathan’s protections

      Honestly, just be smart and use a good NFO server. Website DDoS panels are not as good as you think; they don't even compare to the real power of botnets that can run through PuTTY. Can't tell you how many times someone tried to hit me off with a website and it just tickled my NFO.

  2. turkey

    I LOVE Krebs on Security! I hate hackers and booters. Hopefully this makes an example out of future owners of these types of service. Woohoo, great post Krebs.

  3. JohnB

    Agreed, great post. The statistics on number of DDoS attacks and customers of these systems boggle the mind. What motivates this — is it extortion, akin to ransomware?

    1. Jovan

      No, barely anyone does it for ransom. Mostly it's for the sole feeling of power: DDoSing other people's VPNs, sites, games like R6, because if you DDoS it, it will crash and your loss won't count.

  4. Marco

    I’m curious to know from others how can one properly test their network(s) for validating DDoS protection, etc. if not using a third party booter service?

    1. Dennis B.

      There are legitimate stressers (“RedWolf Security”) that leverage hyperscalers (with their approval) to generate DDoS load. You may also want to ask the cloud provider or on-prem provider (if managed support is on contract) for permission, as most of the time it violates their AUP or T&Cs.

      Stressing origin with DDoS for due diligence is the same concept as Pen testing for WAF. Ipso Facto!

  5. Crypto Botnet

    Damn this is so sad. The FBI and CIA are honestly slow mentally. They cannot get all of “them” . I do “do not condone DDoS attacks” these are horrible and NEED to stop.

  6. Sasino

    As a legit service owner who is fighting against DDoS attacks on a weekly basis, thanks FBI ♥️

    1. BOGO

      I’m curious. As a legit business owner, are you being extorted ? Why are you fighting DDoS attacks frequently ? What type of “legit” service are you running?

      1. ohrz

        One of my friends runs a game server (FiveM) & he said that they often get DDoSed by their competition.

  7. Big Boy Danny

    Booters always ticked me off because they take no skill and are easy to access.

  8. Mihai

    Do read Mr. Krebs' post on Mastodon. He talks about one individual he got in contact with. I hope all the money they made with the sites gets confiscated and they all realize in time how many people they have hurt.

  9. Morgan Parry

    This is such a fantastic article. Thanks for sharing this informative blog. I have become a fan of your blogs, and this blog is so exciting and informative.

  10. Anon

    I predict the prosecutor will question why there was no form of technical verification of ownership against targets before the attacks were permitted. It wouldn’t be hard to automate a check against DNS records, robots.txt, whois info or web beacon.

    If they allowed their service to be used for only legitimate testing, the authorities probably wouldn’t have cared, even with the abuse of misconfigured devices.

    1. timeless

      DNS records don’t matter here. I can set up a DNS record pointing to your IP address.

      What matters are IP addresses and AS/ASNs.

      There are reverse DNS records, but they’re generally not used for things like this to my knowledge.

      I don’t know of an AS(N) oriented approach.

      You could probably require a timestamped https response from a server based on a certificate for a public IP address. That doesn’t show authorization to send traffic to the AS. And someone could hack a computer to put up this and answer that query. Should that really be all that’s necessary for a service to decide it’s ok to send traffic? I’d say no.

      I’d want actual money to cover liability. Way more than the pennies these hacking sites possibly charge. Enough to cover damages when it turns out that the procured service was a malicious attack.
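Anon's suggestion of an automated ownership check, and timeless's objection that any such check proves control of a host rather than authority to flood the network in front of it, can be made concrete. The block below is an added example written for this page, not code from any booter site, the FBI or the commenters. It follows the shape of ACME's HTTP-01 validation: the service mints a token HMAC-bound to the customer, the target IP and an expiry; the customer must publish it on the target; and the service fetches it from the literal IP rather than a hostname, since anyone can point a DNS record at a victim. The service key, challenge path, TTL, the injected fetch function and the sample addresses are all assumptions.

```python
"""Proof-of-control challenge before a stress test is allowed.

Added example for this page, not code from any stresser site, the FBI or a
commenter. Shape follows ACME's HTTP-01 validation: the service mints a token
bound to (customer, target IP, expiry), the customer publishes it on the
target host, and the service fetches it from the literal IP before enabling
traffic. The HTTP client is injected so the example runs offline; make_fetch()
is a constructed stand-in for a GET. SERVICE_KEY, CHALLENGE_PATH and
TTL_SECONDS are assumed values.
"""
import hashlib
import hmac
import ipaddress
import secrets

SERVICE_KEY = b"example-only-service-secret"      # assumption: kept server-side
CHALLENGE_PATH = "/.well-known/stress-test-authorization"
TTL_SECONDS = 600


def _mac(customer_id: str, target_ip: str, expires: int, nonce: str) -> str:
    msg = f"{customer_id}|{target_ip}|{expires}|{nonce}".encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(customer_id: str, target_ip: str, now: float) -> dict:
    """Mint a token the customer must serve at CHALLENGE_PATH on target_ip."""
    ip = ipaddress.ip_address(target_ip)   # raises ValueError on garbage input
    # The constructed sample uses RFC 5737 documentation addresses, which
    # Python classes as private, so this check is deliberately narrower than
    # a production one (which would also refuse RFC 1918 space).
    if ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified:
        raise ValueError("target must be a routable unicast address")
    nonce = secrets.token_hex(16)
    expires = int(now) + TTL_SECONDS
    return {"customer_id": customer_id, "target_ip": target_ip,
            "expires": expires, "nonce": nonce,
            "token": f"{nonce}.{_mac(customer_id, target_ip, expires, nonce)}"}


def verify_challenge(challenge: dict, fetch, now: float) -> bool:
    """Recheck the MAC (so a stored challenge cannot be retargeted or
    extended), then confirm the target host itself serves the token."""
    if now > challenge["expires"]:
        return False
    expected = challenge["nonce"] + "." + _mac(
        challenge["customer_id"], challenge["target_ip"],
        challenge["expires"], challenge["nonce"])
    if not hmac.compare_digest(expected.encode(), challenge["token"].encode()):
        return False
    # Fetch by literal IP: a DNS name can be pointed at anyone's address, but
    # only someone with access to the host can publish a file on it.
    body = fetch(f"http://{challenge['target_ip']}{CHALLENGE_PATH}")
    if body is None:
        return False
    return hmac.compare_digest(body.strip().encode(), challenge["token"].encode())


def make_fetch(published: dict):
    """Constructed stand-in for an HTTP GET: body at url, or None if absent."""
    return lambda url: published.get(url)


def demo() -> dict:
    """Walk the success and failure cases; returns {case: verified?}."""
    now = 1_700_000_000.0
    chal = issue_challenge("cust-42", "203.0.113.10", now)
    url = f"http://203.0.113.10{CHALLENGE_PATH}"
    other = f"http://203.0.113.20{CHALLENGE_PATH}"
    return {
        "unpublished": verify_challenge(chal, make_fetch({}), now),
        "published": verify_challenge(chal, make_fetch({url: chal["token"] + "\n"}), now),
        # token served by a different host does not authorize traffic to the target
        "wrong_host": verify_challenge(chal, make_fetch({other: chal["token"]}), now),
        # a stored challenge with the target swapped fails the MAC check
        "retargeted": verify_challenge(dict(chal, target_ip="203.0.113.20"),
                                       make_fetch({other: chal["token"]}), now),
        "expired": verify_challenge(chal, make_fetch({url: chal["token"]}),
                                    now + TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>12}: {'allowed' if ok else 'refused'}")
```

Passing this check shows only that whoever holds the account can write to that host's web root. As timeless notes, it says nothing about the upstream links, the hosting provider's AUP, or whether the box was compromised to plant the file, so it is a floor for a legitimate load-testing service, not a substitute for identity, logging and financial liability.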

  11. Ursula Blanchat

    I’m still getting attacked so apparently there are more out there. Look at how many are in florida hahaha

    1. jack

      If you think that public stressers are the only services out there, then you are bigly mistaken.

  12. Mike

    They should go after the customers and if the penalties are not high enough, then the Congress should raise them. Dry up the demand and that will limit the booters. Also make it easy for the booters and their customers to be sued by the victims. It is all about money for the booters after all.

    1. jack

      You can't go after the customers, as it's run on their servers; that's their whole unique selling point.

  13. Anonghost720

    Well, everyone thinks going after the stressers will stop DDoS attacks, and they are wrong. All that is going to happen is the next bored kid at home will open another one. Targeting the main providers that sell spoof hosting is how you slow these attacks down, because stopping it may be impossible since these days any 13-year-old can run a script and have a botnet running. It's like saying GitHub should be taken down by the FBI because most of these scripts are on GitHub, but like you said, we can't control what everyone does with the scripts.

  14. Mike

    The law enforcement is doing nothing except making the market in the DDoS community grow. The more stressers that get taken down, the less competition other stress owners have to deal with. If they try to take them “all” down, it just makes the service worth more.

    1. Anonghost720

      I completely agree. I am one of the people named in the post. And they don't understand DDoS is not an issue that just comes from the USA; they also come from other countries with poor laws, and kids know that. I've been telling many people to stop DDoSing ever since I found out the seriousness of it and I was raided, and all they say is “my country doesn't care about DDoS.” Some kid even has the nerve to say his country gives him 5 warnings before prosecuting.

  15. Mike Klo

    The law enforcement is doing nothing except making the market in the DDoS community grow. The more stressers that get taken down, the less competition other stress owners have to deal with. If they try to take them “all” down, it just makes the service worth more.

    1. X2U

      This is stupid and uneducated. Half of these stressers are already back up on different domains, and their customers have been redirected there via Telegram groups etc.

  16. Benedict Addis

    Nobody yet spotted that the FBI agent running the case, Elliott Peterson, managed to get elliot.ns.cloudflare.com as one of the nameservers?

    *I* want a vanity nameserver too!

  17. Oddball

    So it’s illegal because these guys used other folks' devices in their botnet-for-hire without the network device owners' permission, breaking the CFAA. Pretty simple. Now if, however, they owned all the devices and/or had explicit permission to use said devices for their stress-test service, then that's totally different. But again, if you are legitimate then you would log who used the services and for what purposes.

  18. ClientSurfer

    Well, CyberHero Krebs, you DO know a thing or two about getting DDoSed, now don’t you… LOL 😉

    Which makes me wonder if you have seen any increased ne’er-do-well activity along the lines of Mirai/BASHLITE/Miori/SpeakUp offerings as perhaps stealthier alternatives to these DDoSaaS stresser sites that are apparently finally receiving well-deserved scrutiny…?

    How many more nanny cams, DVRs, thermostats and window blinds are being conscripted as we speak to fill in the void!?!

    Every user on the planet that cares about the current and future state of security and safety on the Internet owes their personal gratitude to Cyberhero Brian “CBK” Krebs for continuing non-stop to put his ass on the line in endless pursuit of the ne’er-do-wells (and threat actors too LOL) who want to take all of the good out of what could be a really, really, really good World Wide Web! Sounds flowery…? It’s true!

    Many thanks to Bruce Schneier as well!

    P.S. Brian, thanks to your frequent allusions to “Mr. Robot”, I finally started watching it on Netflix tonight; where in the HECK have I been??!! Way awesome show – it even has Freddie Mercury playing the lead! Best thing since DOS 3.3…

  19. Joseph

    DDoS For Hire Sites Not Being Seized Why

    List:
    kraysecurity.com formerly kraysec.com
    stressthem.to
    quality-api.org

  20. Michael

    I’ve dealt with one of these guys last year, glad to see him get locked up after years of harassment.
