As part of an ongoing initiative targeting computer attack “booter” services, the Justice Department today announced the court-authorized seizure of 13 internet domains associated with these DDoS-for-hire services.
The seizures this week are the third wave of U.S. law enforcement actions against prominent booter services that allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet. Data relating to the operation of booter sites previously seized by law enforcement show that hundreds of thousands of registered users have used these services to launch millions of attacks against millions of victims. School districts, universities, financial institutions and government websites are among the victims who have been targeted in attacks launched by booter services.
Ten of the 13 domains seized today are reincarnations of services that were seized during a prior sweep in December, which targeted 48 top booter services. For example, one of the domains seized this week – cyberstress.org – appears to be the same service operated under the domain cyberstress.us, which was seized in December. While many of the previously disrupted booter services have not returned, today’s action reflects law enforcement’s commitment to targeting those operators who have chosen to continue their criminal activities.
Authorities emphasized that investigations into booter services remain ongoing.
In relation to the domains seized this week, the FBI opened or renewed accounts with each booter service and used cryptocurrency to pay for subscription plans. Each service was tested by using the website to launch DDoS attacks on computers controlled by the FBI. The FBI then observed the effects of the attacks at their “victim” computers, confirming that the booter websites operated as advertised. In some cases, despite the “victim” computer being on a network with a large amount of capacity, the test attack was so powerful that it completely severed the internet connection.
In addition to harming victims by disrupting or degrading access to the internet, attacks from booter services can also completely sever internet connections for other customers served by the same internet service provider via a shared connection point.
“Victims who are attacked by such services, or those providing Internet services to the victims, often have to ‘overprovision,’ that is, pay for increased Internet bandwidth in order to absorb the attacks, or subscribe to DDoS protection services, or purchase specialized hardware designed to mitigate the effects of DDoS attacks,” according to the affidavit in support of the seizure warrants filed this week. “The prices of such overprovision or DDoS protection services are usually significantly more expensive than the cost of a given booter service.”
In conjunction with the domain seizures, the Justice Department announced today that four defendants charged in Los Angeles in late 2022 pleaded guilty earlier this year to federal charges and admitted that they operated or participated in the operation of booter services. Those defendants are:
- Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, who pleaded guilty on April 6 to conspiracy and violating the Computer Fraud and Abuse Act related to the operation of a booter service named RoyalStresser.com (formerly known as Supremesecurityteam.com);
- Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” 37, of Belleview, Florida, who pleaded guilty on February 13 to conspiracy and violating the Computer Fraud and Abuse Act related to the operation of a booter service named SecurityTeam.io;
- Shamar Shattock, 19, of Margate, Florida, who pleaded guilty on March 22 to conspiracy to violate the Computer Fraud and Abuse Act related to the operation of a booter service known as Astrostress.com; and
- Cory Anthony Palmer, 23, of Lauderhill, Florida, who pleaded guilty on February 16 to conspiracy to violate the Computer Fraud and Abuse Act related to the operation of a booter service known as Booter.sx.
All four defendants are scheduled to be sentenced this summer.
Assistant United States Attorneys Cameron L. Schroeder, Chief of the Cyber and Intellectual Property Crimes Section, and Aaron Frumkin, also of the Cyber and Intellectual Property Crimes Section, are prosecuting the criminal cases. Assistant United States Attorney James E. Dochterman of the Asset Forfeiture and Recovery Section is handling the seizure of the domains.
In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity. These types of DDoS attacks are so named because they result in the “booting” or dropping of the targeted computer from the internet. For additional information on booter and stresser services and the harm that they cause, please visit: https://www.fbi.gov/contact-us/field-offices/anchorage/fbi-intensify-efforts-to-combat-illegal-ddos-attacks.
The cases announced today are being investigated by the FBI’s Anchorage and Los Angeles field offices.
These law enforcement actions were taken in conjunction with Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructures worldwide, and holding accountable the administrators and users of these illegal services.
In the first law enforcement action targeting booters in late 2018, the Justice Department charged three defendants who facilitated DDoS-for-hire services and seized 15 internet domains associated with DDoS-for-hire services.