January 14, 2019

Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.

Daniel Kaye. Photo: National Crime Agency

Daniel Kaye, an Israel-U.K. dual citizen, admitted attacking an African phone company in 2016, and to inadvertently knocking out Internet access for much of the country in the process. Kaye launched the attack using a botnet powered by Mirai, a malware strain that enslaves hacked Internet of Things (IoT) devices like poorly-secured Internet routers and Web-based cameras for use in large-scale cyberattacks.

According to court testimony, Kaye was hired in 2015 to attack Lonestar, Liberia’s top mobile phone and Internet provider. Kaye pocketed $10,000 for the attack, which was alleged to have been paid for by an individual working for Cellcom, Lonestar’s competitor in the region. As reported by Israeli news outlet Haaretz, Kaye testified that the attack was ordered by the CEO of Cellcom Liberia.

In February 2017, authorities in the United Kingdom arrested Kaye and extradited him to Germany to face charges of knocking more than 900,000 Germans offline in a Mirai attack in November 2016. Prosecutors withheld Kaye’s full name throughout the trial in Germany, but in July 2017 KrebsOnSecurity published findings that named Kaye as the likely culprit. Kaye ultimately received a suspended sentence for the attack in Germany, and was sent back to the U.K. to face charges there.

The July 2017 KrebsOnSecurity investigation also linked Kaye to the development and sale of a sophisticated piece of spyware named GovRAT, which is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations.

The U.K.’s National Crime Agency called Kaye perhaps the most significant cyber criminal yet caught in Britain. A report on the trial from the BBC says Kaye wept as he was taken away to jail.

Here across the pond, 34-year-old Martin Gottesfeld was sentenced to 10 years in prison and ordered to pay $443,000 in restitution for damages caused by a series of DDoS attacks he launched against several Boston-area hospitals in 2014. Like Kaye, Gottesfeld was identified thanks to a clue he left behind on the Internet: Prosecutors reportedly linked him to a video he uploaded to YouTube about the attack campaign.

The Boston Globe reports that Gottesfeld and his wife in 2016 tried to flee to Cuba in a rented boat, but the trip didn’t go as planned. It seems the high seas had their own denial-of-service in store for the Gottesfelds: They were rescued from the Gulf of Mexico by a Disney ship that answered Martin’s SOS distress call and brought them back to the United States.

Ten years may seem like a stiff sentence for DDoS and fleeing from justice, but as the recipient of hundreds of DDoS attacks over the years I can’t say it bothers me one bit — especially considering how few of the anonymous cowards responsible for DDoS attacks are ever held accountable.

Cue the usual comments here about how these guys deserved jobs and not jail, but I for one am glad the courts are starting to recognize that these are real and costly crimes that deserve equally real consequences. Remember: Don’t do the crime if you can’t do the time.


57 thoughts on “Courts Hand Down Hard Jail Time for DDoS”

  1. The Sunshine State

    What no excuses from Martin Gottesfeld on why he committed a cyber-crime because he thought in his crazy mind that the Boston Hospital was holding that teenage girl against her will?

    1. Mahhn

      Gottesfeld was wrong in his method but the issue is real. Her parents have an active lawsuit against the hospital and state for kidnapping, and it’s a strong case.

    2. Bob

      Kidnap a child? Civil matter. Shut down the kidnapping institution’s website on a big donation day? Go to jail.

  2. Larry

    Agree with your last paragraph 100%!!
    I get tired of reading how the criminals should be given jobs!

  3. ralph l. seifer

    As Seinfeld used to say, “Ah, that’s a shame.” Ralph L. Seifer, Long Beach, California.

  4. Shawn Clark

    Brian – Bit of a soapbox here, apologies for the wordiness. “… do the crime” implies legislation exists to define the letter, if not spirit, of laws being broken. Anecdotally, laws often lag technical capability. Also, the question of intent, e.g., self-proclaimed white-hat researchers dropping zero-days to “raise attention” versus Kaye’s black-hat profit motive. (Aside: Can/should we factor out “profit motive” in the “burnished reputation” of a researcher leading to jobs, degrees, tenure, etc?) Have you ever produced or seen a substantial survey of the kinds of legal decision &/or legislation driving the most sophisticated malware/ DDoS/ other relevant laws? Does it include Pros / Cons? Inquiring minds …

    1. Jon

      Apparently there is a law because he was tried and sentenced.

      Regarding intent, I can’t imagine what a white hat would accomplish by DOSing a hospital.

      1. shawn clark

        I was not implying there is no law, nor was I looking at intent w.r.t DOS specifically. Apologies if it read that way …

        Rather, I was trying to up-level by asking about any “survey of the kinds of legal decision &/or legislation driving the most sophisticated malware/ DDoS/ other relevant laws”

        On intent, profit motive can manifest in direct $$ via blackhat extortion, as well as in the dropping of zero-day exploits via whitehat research that indirectly leads to $$ via consulting, tenure, etc.

  5. JCitizen

    I mean HOSPITALS??? Let the guy rot in HELL!!

    Oh, and thanks for your good work Brian. We all will be forever beholden to you!

    1. Bob

      He shut down the donation page for a hospital that kidnapped a sick child, took her off treatment for her illness, and persisted for far longer than anyone could possibly consider reasonable.

      A donation page.

  6. Tim

    I haven’t followed Krebs for that long, but the crowd in this comment section has never seemed like the “jobs instead of jail” type to me, so Krebs’ parting shot seemed a bit strange to me.

    That said, obviously the criminals need to be separated from society, but the goal should be rehabilitation, not throwing away the key, or else you’re just ensuring they will continue to be criminals at the end of their sentence and lather rinse repeat.

    Yes, rehabilitation is not perfect and has a long way to go because, news flash, we still don’t understand everything there is to know about how grey matter works, but that doesn’t mean you don’t stop trying to do better, or else we’re no better than the criminals themselves.

    1. BrianKrebs Post author

      Tim, there are countless stories here about cyber justice where several people chime in that young men don’t deserve prison for cybercrimes and should instead be rewarded with a job from the hacked company.

    2. Joe

      It is a vocal minority, but they are definitely here. I suspect a lot of them are grey hats, flirting with the line between legal and illegal activity. It helps them justify their actions and stroke their own egos to think these people are “gifted” and should be recognized for their talents.
      In reality, DDOS is a coward’s weapon. And a low-skill tactic at that.

      1. SeymourB

        I suspect it’s because a certain country has made a habit of doing just that, hiring their criminals to work for the government as their punishment. And if their country does it then of course all countries do it and these news pieces are just propaganda.

        Maybe this isn’t exactly what they believe but I’m pretty sure it’s in the ballpark of their general sentiment.

      1. Rob Shein

        Are you sure about that? This guy is the one who DDoS’ed a children’s hospital.

  7. miles.from.nowhere

    Cyber crimes are too often sluffed off as if they are victimless white collar (black hat) crimes. It’s time for .com and .gov to create dedicated black ops units to track down and shut down these operators.
    If you check out the recent US Nuclear Posture Review (easy to find on line) you will see the US has announced to the world that it reserves the right to use nuclear weapons against nations that carry out cyberwarfare.
    Men without conscience are dangerous to the world. If not knowing someone personally makes it easy to harm them, that is a man without conscience. Lock them away and forget the pin.

    1. miles.from.somewhere

      “Men without conscience are dangerous to the world. If not knowing someone personally makes it easy to harm them, that is a man without conscience.”

      I do agree to a certain extent, however, I think it’s more of a ‘keyboard warrior’ concept for some. It reminds me so much of Social Media and how people act so differently in a medium where they’re not face-to-face with someone. Similar to that, these people–in my opinion–think there’s no consequence to their actions while they’re carrying out these attacks on the internet. I believe it’s a sad reality to them once they get caught. I agree 100% with you though, they should lock them up and throw away the key. The cost of cyber-attacks is astronomical today, and people aren’t getting the sentences that they deserve. If you think about it, they are essentially robbing the company if that company loses millions of dollars from a DDoS or other data breach.

  8. Anon404

    “As reported by Israeli news outlet Haaretz, Kaye testified that the attack was ordered by the CEO of Cellcom Liberia.”

    Anyone know if this CEO has been charged or is being investigated? Because that person needs to serve as much if not more jail time than the guy who carried out his orders.

  9. russ

    Exactly on the money Brian, time is long past when these “young men” bring down systems, brag about it, then when caught, get a tap on the head, “and don’t do it again.” I’ve seen the damage from them, and know they need jail for sizeable amounts of time. And I mean long sentences, not probation or “get a job doing it and all is ok now.”

  10. Rico Finelli

    Anyone who can attack a hospital with DDOS should never be let free in society again and he should earn his keep in prison. That is one screwed up individual!

    1. Jim Andrakakis

      As I understand, he DDOSed the donation page, not the HIS or anything health related.

      I’m not defending the guy; I still think what he did was and he deserves punishment. But when judging the severity of his actions, we have to consider the impact and scope of them.

  11. Niteprowl2

    As this world becomes more and more dependent on computers, the Black Hat Hacking being done becomes more and more dangerous and costly. They know going in that what they are doing is causing pain and suffering to more and more individuals. Knowing this they chose to create the havoc and then brag about it. These individuals have a warped set of morals and obviously do not care about the people and companies that they affect. When they are caught and punished with hard time they cry because they then realize that what they did has consequences. The only way to possibly deter their actions is to show them that the consequences of creating havoc on a wide scale is to lose their freedom. I have no sympathy for those that create such havoc. A physical criminal act affects a few while a massive DDoS can affect a whole country.

  12. KFritz

    Both of these sociopaths were well past their teenage years when they committed their crimes (the ones charged against them). Scientific research suggests that teenage brains have trouble comprehending consequences of action. So, it’s sometimes a good idea to cut teens some slack–on a case by case basis.

    The combination of a high IQ teenage brain with the power of keyboard and its additional detachment from tangible consequences of action is a very dangerous formula. Parents, acquaintances, and teachers of bright young men who fit this profile are well advised to keep as close a watch as possible on them without being unduly intrusive. Unfortunately, the parents of this variety of miscreant are often the least likely to suspect that their offspring could be up to anything nefarious–at least in part because it’s an affront to their own vanity.

    Cheery thought, huh?

    1. KFritz

      Just in case anyone cares, I wrote the above as a sort of counterweight to the “punishment is good” crowd of punitives who pipe up whenever BK writes on the subject. I’m glad these miscreants will do time. Kaye’s sentence doesn’t seem long enough to me, and his cry at sentencing is a hallmark of narcissists and psychopaths.

      Since I wrote the above, it’s occurred to me that an excellent deterrent to teenage thrill hackers would be parental financial accountability. The bottom line punishment might increase parental vigilance.

      1. Daniel M

        Respectfully disagree. These teens should be held accountable for their own actions. Parents can do everything right for their kids but that still does not guarantee a productive member of society. Kids have to make their own decisions and be held accountable for their actions. That is the only way they learn. The only way I can possibly see this would be acceptable is if the parents had prior knowledge or suspicions of what was going on but did nothing to intervene – Highly unlikely, given most parents ask their KIDS for help with new technologies.

  13. Victor Hogg

    Hooray. I couldn’t agree with you more Brian. Attacking hospitals, depending on the impact on patients (did anyone die, were emergency services prevented or even delayed), could well be considered manslaughter.

    1. Bob

      Children’s claimed the attack cost $300,000 to mitigate, and resulted in another $300,000 in losses due to the hospital’s donation website being shut down.

      That was the impact. I wonder how many more children they have to kidnap to make that up now.

  14. Readership1

    I don’t care about these guys. They’re jerks.

    But I do care that it’s so easy to take down hospitals and a country’s telecommunications services.

    I care that Internet-based EHR is evil, a known source of privacy breaches and medical errors. Doctors now spend all day looking at stupid screens instead of treating people.

    I wasn’t annoyed when my doctor had to turn to face me because his computer froze. Maybe it should freeze more often.

    I care that prosecutors are inventing creative applications for laws that weren’t intended to be used for DDOS. In their zeal to extract a pound of flesh, they drag defendants across time zones to separate them from resources, family, and familiar counsel. This isn’t how justice should be achieved.

    I care that these two turds won’t be rehabilitated in a manner that leaves them with the possibility of contributing to society when their sentences conclude. Neither sentence imposes training, counseling, or post-prison supervision.

    I care that our world isn’t doing enough to prevent young men from entering criminal lives. Young men are disproportionately incarcerated, as well as victims of violence, substance abuse, injuries, and suicides.

    I don’t care about these two jerks. But I care about the issues their stories raise.

  15. alex

    u do crime u do time!!
    btw.. he will do maybe few years uk jail is not bad.
    i guess he will keep himself healthy with work out.

    but if he get the good solicitor then he might not do time at all.

    since it’s not violent crime and i don’t think it’s crime at all the law is still gray area.

    1. Tom

      Yeah! Because DOS attacks are worse than rape! /s
      You sick fuck.

  16. RobRoy

    10 years should be the minimum for these crimes.

    Are these guys allowed access to computers in jail? I hope not.

    They’ll still be young when they get out and if they’re smart they won’t fall back into it but, as we know, people tend to be stupid.

  17. Jeff L

    I always wondered what happened to Danny Kaye after he stopped tap dancing with Bing Crosby. I thought he died back in 1986 or so, but apparently he went underground and started a ddos service. Who knew?

    🙂

    1. Readership1

      “I wasn’t born a fool. It took work to get this way.” -the original Danny Kaye

      Haha

  18. John M

    The lot of you advocating for (or not taking issue with) a 10 year sentence for DDOS make me sick.

    10 years is what murder gets you in the civilized world. The idea that you would toss someone away for clicking some buttons in a booter panel is a fucking disgrace, an obvious wrong that we will all be ultimately judged for.

    1. RobRoy

      In the U.S. 1st degree murder gets you 25 years to life.

      1. John M

        When I said ‘civilized world’, I was not speaking about the United States.

        1. Bob

          I don’t think a lot of these commenters have a real deep understanding of what a DDOS attack entails, what was affected in this case, or the reasoning behind it in this case. That falls on Krebs, and it’s not the first time I’ve noticed it here.

          A lot of them also strike me as the “law and order” types who place more value on their cars than they do on things like human dignity and human rights.

          I’ve just lost a whole lot of respect for Krebs and his readers.

    2. Orph Gibberson

      A person who shuts down healthcare systems and other critical infrastructure with a DDOS is committing a premeditated act which they know to be potentially lethal.

      1. Bob

        A donation page is “critical infrastructure” now, huh?

        I would say the same for anyone who kidnaps a sick child and tortures her, but the hospital employees who did that are protected because they’re connected to Harvard through BCH.

        1. Orph Gibberson

          If your position were strong, you could argue based on the facts instead of making things up as you go along. Gottesfeld took down more than a “donation page”. Either you know that’s true and you were being disingenuous, or you don’t know the facts of the case. No point in blustering at this point, anyone who cares can verify the facts with a simple internet search.

  19. greg

    If people are suffering then they make others suffer too.
    wealthy people don’t need to do crimes like this.

    If you are poor u got be ruthless.
    wealthy see that and they hire guys like him after.
    keep only weak enemy and get the strong one beside you.

    strong will get success money wealth and so.
    this is our world we created ourselves

  20. vb

    I’m conflicted on the Martin Gottesfeld sentence. I completely agree with why he did it. There was a little girl caught up in a medical pissing contest. No proposed diagnosis was medically testable, so they dumped her in the psych ward. It was an awful situation.

    But I completely disagree with his means of activism. Even Anonymous members tried to reason with him. The BCH website is more than a “donation page”. A lot of internet infrastructure is connected together. An attack on one node impacts a lot of nodes. The days of DDOS need to be over. It’s not a misdemeanor, it’s a felony. As it should be. I think that Gottesfeld deserves serious prison time for his actions, but 10 years seems pretty harsh for a non-violent crime.

  21. JimV

    Throw away the key to his cell — literally if ensconced in some old-style lockup, and metaphorical if a new-style electronic version (e.g. irrevocably delete the verification key to open his cell’s door).

  22. jarsea Burphy

    I work for the Regulator in Liberia and this is good news. Now the process of finding a way to bring the Cellcom CEO to justice.

  23. Ted leaf

    And just for a change, autism wasn’t attempted as some kind of defence.
    Yes, go after their assets, including their parents, UNLESS parents can prove that they took all reasonable care to ensure the person they are legally responsible for was not committing an offence or behaviour they should have reasonably suspected may be illegal, or suspect in any way, why should parents be allowed to just wash their responsibility by claiming ignorance?
    These idiots obviously are not good enough to be made offers of work, the ones you want are the ones who don’t get caught, but like real world crime, how do you know who is a really skilled burglar, say, if they have never been caught, keep their mouths shut and don’t become suspect due to others becoming involved with authorities?
    And with some of the reasoning/excuses posted above, I’m just glad that the interweb didn’t exist for the public in the 1970’s, the trick cyclists involved in my “treatment” would have been having litters of kittens on a daily basis, as I fulfil most of “problem characteristics” of those offenders, was treated as if I was the second coming of Al Capone/Hitler/Genghis Khan etc etc for no good reason, and I’ve lived a productive, honest, simple life, never used violence except when in immediate danger of being killed at others hands and instigated by others, am far more honest and law abiding than most of the public..
    Don’t bother with jail time for these jerks and wasters, giant trebuchets and a coast line will sort them out nicely !!
