Teenage Lizard Squad and PoodleCorp members arrested in international crackdown on DDoS-for-Hire service.

News by Max Metzger

Two teenage members of PoodleCorp and Lizard Squad face long prison sentences after an international investigation

Two teenagers have been arrested on both sides of the Atlantic as Dutch and American police swooped down on infamous hacktivist/hackster groups PoodleCorp and Lizard Squad.

According to a release from the US district attorney's office in Northern Illinois, Zachary Buchta of Fallston, Maryland and Bradley Jan Willem Van Rooy of Leiden in the Netherlands, both 19, have been charged with “conspiring to cause damage to protected computers”.

Specifically, the defendants are believed to have violated sections of Title 18 of the United States Code or “conspiring to knowingly cause the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caused damage with authorisation to a protected computer”.

According to the criminal complaint, Buchta, also known as Pein, and Van Rooy, also known as Fox, are suspected of, between November 2015 and September 2016, planning to launch attacks “around the world” and trafficking “payment account that had been stolen from unsuspecting victims in Illinois and elsewhere.”

The investigation, involving the FBI and Dutch authorities, was started after the launch of phonebomber.net, a harassment-on-demand service where customers could pay to send a series of aggravating phone calls to a chosen victim. From there investigators followed a series of DDoS attacks, account hijacks and cyber-attacks by the groups until they saw the defendants allegedly advertising a service called Shenron, which, much like phonebomber, allowed paying customers to DDoS targets of their choosing.

While a link has not been confirmed to this in particular, a botnet entitled Lizardstresser was found leveraging hundreds of cameras earlier this year, to perform DDoS attacks on Brazilian banks, government agencies as well as US gaming companies.

On top of the charges, the Chicago court, which issued the criminal complaint, ordered the seizure of several domains including shenron.lizardsquad.org, lizardsquad.org, stresser.poodlecorp.org and poodlecorp.org. As of writing, all four websites are not active, although both defendants' Twitter accounts, named in the complaint, still are.

PoodleCorp and Lizard Squad have made names for themselves hacking, not necessarily in the service of political causes, but their own amusement. The groups have earned a reputation for, among other things, claiming to have DDoSed the massively popular game, Pokemon Go. The groups have performed a number of attacks on gaming platforms and social media sites but many of these claims appear to be just that: claims.

Commonly, they then go straight to Twitter to show off their new scalps. This, it turns out, was how the FBI tracked them down. Both Buchta (@fbiarelosers) and Van Rooy (@UchihaLS) had been trumpeting the group's various achievements over social media, and it didn't take long for the FBI to couple those accounts with their IP addresses.

Another, unidentified individual with the Twitter handle @chippyshell is believed to have collaborated with the two defendants.

It is not yet known by this magazine if Van Rooy will be extradited to face US justice. Buchta, however, could face a 10-year sentence if found guilty of the conspiracy charge.

The potential decade of prison time these teenage suspects may end up serving is a contentious point for some, not least Pete Herzog, a security researcher and managing director of ISECOM, who conducted the hacker profiling project.

Herzog told SC, “these are teens who are being charged. They were minors when some of these crimes were committed. What they did was harassment and because it was a business service, we know they had the intent to harass. So it's a clear-cut decision.”

However, “it looks like they will instead apply the Computer Misuse Act which is so old and badly written that any one of us is guilty of it in any given day. In this case, you could argue that if these attacks worked then the computers weren't protected and that nothing was stolen.”

Although both defendants are legally considered adults, Herzog adds that this is not quite the case in clinical terms: “the frontal lobe where risk decisions are made is undeveloped in a male until about age 26. Which is why car insurance is higher for teens.”

More than that, the internet appears to be a padded room to many - where certain decisions which would have consequences in the real world don't immediately occur. So, said Herzog, “there is psychological ground to show that they were not fully aware of the extent of their actions nor had the capacity to assess the risk properly. So I don't see how you can ask them to do any prison time at all. It's a witch hunt.”

Vince Warrington, who currently runs the cyber-security programme at the Financial Conduct Authority, thinks there's something slightly more ominous at work here. “Whilst I can see the argument that some would consider the alleged actions of Buchta and van Rooy as teenage pranks,” he told SC, “there's actually a very sinister undertone to their operation.”

What may have started out small and relatively benign, “looks to have escalated quite quickly into something a lot more serious. Whilst a lot of their targets were fellow gamers or games companies that they DDoS'd, the alleged trafficking of stolen credit card data would up the seriousness of the offences a notch or two.”

Ten years, however, seems steep, added Warrington. Van Rooy may get off lightly if he's not extradited. Buchta, however, “might be looking at a significantly longer sentence, though, as it seems the US Judicial system is keen to start making examples of those involved in cyber-crime and hacking. I wouldn't be surprised if he were to get a multi-year prison sentence.”
