DOJ Seizes Websites Related to DDoS Attacks, Files Computer Fraud Charges
The United States Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI), in tandem with international law enforcement agencies from Europe, have seized dozens of websites pursuant to a court order. The federal agencies have also charged six people with crimes related to the use of those websites to conduct distributed denial-of-service, or DDoS, attacks for hire.
The seizure is a significant escalation by law enforcement in the world of computer hacking, data privacy, and cybersecurity. However, the nature of the charges that were filed and the investigative techniques that were used raise important questions about aggressive enforcement against a line of business in which a legitimate transaction and a criminal one can look identical at the point of sale.
Feds Seize Websites, File Charges in DDoS Sting
According to the DOJ's announcement of December 14, 2022, the Justice Department used a court order to seize 48 internet domains that offered DDoS attacks on demand. Some of these domains were among the largest sites in the DDoS-for-hire industry described below. A single one of them was responsible for over 30 million DDoS attacks.
In addition to seizing the sites, the DOJ also filed computer fraud and conspiracy charges against six individual defendants.
American enforcement agencies were not working alone. Europol announced that it also took part in the operation, which involved agents in the United Kingdom, Germany, the Netherlands, and Poland.
The DDoS Industry Straddles Cybersecurity and Cybercrime
To fully understand the importance of this development, it is essential to have a basic understanding of how the DDoS industry works.
DDoS attacks are a primitive form of cyberattack: the attacker directs a flood of traffic at the target from many sources at once (the "distributed" part of the name), consuming its bandwidth, connections, or processing capacity until it can no longer serve legitimate requests and is effectively forced offline. While primitive, DDoS attacks are frequently used to extort ransom payments, holding a website hostage until the payment is made. They can also be used by businesses to knock out online assets that their competitors rely on, an underhanded way of getting the upper hand over them.
The possibility of suffering a DDoS attack gave rise to a legitimate load-testing industry. These cybersecurity companies offer "stresser" or "booter" services for a fee, effectively auditing a client's systems by directing a controlled flood of traffic at them to measure how much they can absorb before failing. (In practice, "booter" is the label most often applied to illicit attack-for-hire sites, while legitimate providers usually describe themselves as load- or stress-testing vendors and require proof that the customer controls the target before a test runs.)
These providers are thus in a precarious position: when a customer asks for a flood against a given host, if the customer in fact controls that host, the job is a security audit. If the customer does not, the provider may be carrying out a cybercrime for hire.
Seized Domains are Among the Leaders in the DDoS Industry
Some of the domain names seized by the DOJ belong to the largest operators in the DDoS-for-hire industry.
Some of these booter providers have conducted millions of DDoS audits or attacks.
Criminal Charges Carry Significant Penalties
Six people associated with the seized DDoS domains have been charged with crimes, four in the Central District of California and two in the District of Alaska.
Of the four in California:
- Defendants 1 and 2 have both been charged with a violation of the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030), as well as conspiracy to violate the Act
- Defendants 3 and 4 have been charged with conspiracy
Both of the defendants in Alaska have been charged with aiding and abetting violations of the CFAA.
The specific penalties that come with a conviction depend on the precise provision of the CFAA that was violated and on aggravating factors such as the amount of loss caused. Many CFAA violations are felonies carrying more than a year in federal prison. Among the most serious is subsection (a)(5)(A), which prohibits knowingly transmitting a program, code, or command and thereby intentionally causing damage to a protected computer without authorization; this appears to be the provision underlying the charges here. When the statute's aggravating conditions are met (for example, loss of at least $5,000), a first offense carries up to 10 years in prison, and a subsequent offense up to 20 years.
How Much Due Diligence is Sufficient?
These serious criminal charges raise an extremely important question: how diligently must DDoS-for-hire companies vet potential clients before selling them the service they want to purchase?
One of the defendants in Alaska, a resident of Honolulu, Hawaii, ran his DDoS services company for 13 years and conducted an estimated 30 million DDoS attacks, amassing two million registered users on his platform. In an interview he gave to a French publication in 2015, he claimed that he was immune from legal liability because his company required users to digitally sign its terms and conditions, and those terms:
- Disclaimed all liability for damage caused by the DDoS attack,
- Told the user not to attack third-party websites without the owner's consent, and
- Made the user promise that they were not using the DDoS attack for illegal activity.
Is this enough? While it might not appear so at first blush, it is important to remember that small-scale DDoS services can be purchased for only a couple of dollars. How extensively are DDoS providers legally required to vet these clients? Must they perform more due diligence as the purchased service grows larger? The difficulty of drawing that line is obvious, and demanding a DDoS equivalent of a financial institution's "know your customer" obligations carries a very real risk that the service would become too expensive for everyone except the customers who want attacks for the most lucrative, and most nefarious, purposes.
Investigation Process Raises Questions As Well
A final concern is that the federal agencies built the case in a way that might amount to entrapment.
During the sting, codenamed Operation Power Off, FBI agents stated that they worked undercover to purchase booter and stresser services from the DDoS sites. They said they were never asked to prove that they owned the websites or domains to be attacked before the transaction was completed and the attack delivered.
However, this may not settle the question. If the agents were never asked to identify the owner of the target, it also means they never volunteered anything that would have put a provider on alert that the service was going to be used against a third party's site without its consent.
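The two passages above, on how much vetting a provider owes and on agents never being asked to prove ownership of a target, both turn on one technical question: can a provider cheaply confirm that the customer controls the host it is about to flood? The following is an added example of such a check, written for this page; it is not code from any of the seized sites, from the DOJ, or from any real stress-testing vendor. It borrows the idea behind certificate-authority domain validation: the provider issues the customer a token bound to that customer and that host, and the customer proves control by publishing it either in a DNS TXT record on the exact target name or at a well-known URL on the target. The record prefix `stress-verify=`, the path `/.well-known/stress-verify`, the customer IDs, the hostnames and the DNS/HTTP contents are all constructed for the demonstration; the lookups are injected as functions so the block runs offline.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Assumed proof formats for this example (not taken from any real service).
TXT_PREFIX = "stress-verify="
WELL_KNOWN_PATH = "/.well-known/stress-verify"


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname.

    IP literals are refused: control of a bare address cannot be proven with a
    DNS or HTTP challenge, so the customer must name a host they control.
    """
    host = host.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, carry on
    else:
        raise ValueError("IP literals are not accepted as test targets")
    if not host or "/" in host or " " in host:
        raise ValueError("invalid hostname")
    return host


def issue_token(server_secret: bytes, customer_id: str, target_host: str) -> str:
    """Token the customer must publish. It is an HMAC over (customer, host), so a
    proof published for one customer or one host cannot be replayed for another."""
    msg = f"{customer_id}\n{normalize_host(target_host)}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()[:32]


def verify_ownership(
    server_secret: bytes,
    customer_id: str,
    target_host: str,
    dns_txt: Callable[[str], Iterable[str]],
    http_get: Callable[[str], Optional[str]],
) -> Tuple[bool, str]:
    """Return (allowed, reason). dns_txt(host) yields TXT strings for exactly that
    host; http_get(url) returns the response body or None if unreachable."""
    try:
        host = normalize_host(target_host)
    except ValueError as exc:
        return False, str(exc)
    expected = issue_token(server_secret, customer_id, host).encode()

    # Proof 1: TXT record on the exact target name. Parent zones are deliberately
    # not consulted, so a proof for example.net does not authorize api.example.net.
    for record in dns_txt(host):
        record = record.strip().strip('"')
        if record.startswith(TXT_PREFIX):
            candidate = record[len(TXT_PREFIX):].encode()
            if hmac.compare_digest(candidate, expected):  # constant-time compare
                return True, "dns-txt"

    # Proof 2: the token served from a well-known path on the target host itself.
    body = http_get(f"http://{host}{WELL_KNOWN_PATH}")
    if body is not None and hmac.compare_digest(body.strip().encode(), expected):
        return True, "http-well-known"

    return False, "no valid ownership proof found for target"


# ---- Constructed sample environment (hypothetical records, not real lookups) ----
SERVER_SECRET = b"example-only-secret"
TOKEN_A = issue_token(SERVER_SECRET, "cust-a", "shop.example.net")
TOKEN_B = issue_token(SERVER_SECRET, "cust-b", "www.example.org")

FAKE_DNS = {
    "shop.example.net": [f'"{TXT_PREFIX}{TOKEN_A}"', "v=spf1 -all"],
    "example.net": [f"{TXT_PREFIX}{TOKEN_A}"],  # proof on the parent zone only
}
FAKE_HTTP = {f"http://www.example.org{WELL_KNOWN_PATH}": TOKEN_B + "\n"}


def fake_dns_txt(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])


def fake_http_get(url: str) -> Optional[str]:
    return FAKE_HTTP.get(url)


def demo() -> dict:
    """Run the check over representative requests; returns {name: (allowed, reason)}."""
    cases = {
        "own_host_via_dns": ("cust-a", "shop.example.net"),
        "own_host_via_http": ("cust-b", "www.example.org"),
        "other_customers_proof": ("cust-b", "shop.example.net"),  # reuses cust-a's record
        "proof_only_on_parent": ("cust-a", "api.example.net"),
        "third_party_target": ("cust-a", "victim.example.com"),
        "ip_literal": ("cust-a", "203.0.113.10"),
    }
    return {
        name: verify_ownership(SERVER_SECRET, cust, host, fake_dns_txt, fake_http_get)
        for name, (cust, host) in cases.items()
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Only the first two requests are allowed; the reused proof, the parent-zone proof, the unproven third-party host and the bare IP address are all refused. A check of this shape costs the customer a DNS record or a static file and costs the provider two lookups, which is the kind of due diligence an undercover purchase like the one described above would have run into.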
Reach Out to the Defense Lawyers at Oberheiden P.C.
The federal white collar defense lawyers at the national defense law firm Oberheiden P.C. represent defendants accused of computer crimes across the country. Contact them online or call their law office at (888) 680-1745.