Operator of eight DDoS-for-hire services pleads guilty

Investigators tracked him down after he logged into his rented servers using his home IP addresses.

Analysis reveals that DDoS attacks against universities are probably the work of students DDoS attacks against university campuses are more likely in term time.

An Illinois man pleaded guilty today for running eight DDoS booter (stresser) services between August 2015 and November 2017.

According to court documents obtained by ZDNet, Sergiy Usatyuk, 20, of Orland Park, Illinois, ran ExoStress.in, QuezStresser.com, Betabooter.com, Databooter.com, Instabooter.com, Polystress.com, Zstress.net, and Decafestresser, together with an unnamed Canadian co-conspirator.

Authorities said Usatyuk ran these services on top of a botnet comprised of at least 31 powerful servers that the two rented from two US cloud hosting providers.

Investigators said Usatyuk advertised the DDoS stressers on HackForums.net, an infamous hacking forum, under the name of "Andy."

"You can DDOS any IP you want, we don't care," Usatyuk said in one of his HackForums posts before the forum's administrators decided to ban the advertising of DDoS booters on their site altogether, back in October 2016.

Court documents say users who signed up on Usatyuk's sites launched 3,829,812 DDoS attacks against thousands of companies, causing hundreds of thousands of downtime.

At the time of his arrest, US prosecutors seized 10.74 bitcoin and other funds totaling $542,924 from Usatyuk's accounts, which they believed he made from running the eight DDoS-for-hire portals.

Court documents reveal that police tracked down Usatyuk after he logged into one of his rented cloud servers using an IP address that resolved back to his former residence in Darien, Illinois, and later logged into another rented cloud server using an IP address that resolved back to his current home in Hollywood, Florida, cementing him as the primary suspect behind the booters.

With this information, authorities tracked down Usatyuk's server network, server payments, and even a hosting company he incorporated in Delaware named OkServers LLC, which security researchers said acted like a bulletproof hosting provider, ignoring abuse reports for the traffic it generated.

They also gained access to Usatyuk's online chat logs where he provided technical support for customers of his DDoS booters and ran the sites with his co-conspirator.

Authorities tracked down Usatyuk despite the suspect discussing with his co-conspirator about removing server access logs to hide evidence following the high-profile arrest of a similar DDoS booter operator in the UK.

US authorities started an investigation into Usatyuk's services after his sites were at the center of many DDoS attacks in 2016. For example, ExoStresser was used to launch DDoS attacks against a major video game manufacturer, and a Pennsylvania student used BetaBooter to attack her school's network, also bringing down the IT systems of 17 other organizations in a domino effect.

Usatyuk's DDoS-for-hire sites were so popular that he also sold advertising space in their backends to other DDoS booters.

His criminal endeavors were also noticed by PayPal, which banned ExoStresser's account in early 2016. This, in turn, made Usatyuk register irngur.org, which he used as an intermediary domain to receive funds made from renting the service.

In recent years, law enforcement agencies have been cracking down on major DDoS stresser services. Internationally-coordinated operations have taken place in December 2016, April 2018, and December 2018, and more recently authorities have started going after both admins and users of these services alike.

Article updated with extra information on OkServers LLC.

Related cybersecurity news coverage: