Lizard Squad DDoS-for-hire service hacked – users’ details revealed

Oh, the irony…

Remember Lizard Squad, the hackers who took down Xbox Live and PlayStation Network at Christmas, in what they claimed was a publicity stunt for their DDoS-for-hire service?

Well now, in an act of supreme irony worthy of a singalong from Alanis Morissette, Lizard Squad has been hacked itself.

Oh dear. What a shame. Couldn’t happen to a nicer bunch of fellows…

As Brian Krebs reports, the gang’s LizardStresser DDoS-on-demand service – powered by thousands of hacked residential internet routers – has been “completely compromised” and details of over 14,000 users passed to the authorities.

Astonishingly, it appears that Lizard Squad failed to protect its database of registered users – rather than storing salted password hashes (or even encrypting the table), it kept its customers’ usernames and passwords in plaintext. A schoolboy error if ever I heard one: anyone who gets hold of the database gets every credential, ready to reuse wherever those customers recycled the same password.

As I said at the end of last year, the authorities are likely to take a dim view of anyone purchasing the services of the Lizard Squad to launch a denial-of-service attack against a website or internet service.

I wonder what LizardStresser’s users, who have apparently paid Lizard Squad the tidy sum of $11,000 in bitcoins to launch attacks so far, will think of their details now being in the hands of law enforcement agencies such as the FBI?

Lizard Squad hasn’t been having a great time of it since their yuletide antics against video game fans.

Firstly, police in the UK arrested 22-year-old Vinnie Omari, a suspected member of the gang who perhaps made the unwise move of offering his expert advice about the Lizard Squad in an on-screen TV interview. Omari has since been bailed until March.

Then it was revealed that Finnish police had questioned another suspected member of the Lizard Squad gang – Julius Kivimäki. Like Omari, Kivimäki hadn’t been shy about courting the media’s attention.

And last Friday, British police announced that they had arrested an 18-year-old man in Southport in connection with the denial-of-service attacks against PlayStation Network and Xbox Live.

According to a BBC news report, the latest arrest was the result of a joint investigation between British law enforcement agencies and the FBI. The man has now been bailed until May.

It would be a mistake to think, however, that the police action seen so far necessarily spells the end for Lizard Squad’s antics.

The group’s Twitter feed, for instance, remains as vocal as ever – even going so far as to mimic the final tweet posted by Jake “Topiary” Davis, the spokesperson of the busted LulzSec hacking gang, before his arrest in 2011.

Tweet from Lizard Squad

Author Graham Cluley, We Live Security

  • Me

    Maybe you can’t arrest them…but they squish real nice underfoot.

  • thecritickitten

    Couldn’t have happened to a more deserving bunch of people. Hope every last person who registered to use that service is prosecuted to the fullest extent of the law. We don’t need a bunch of punks having the power to take out gaming networks and/or critical internet services just for the fun of it.

    • person

      They cannot be “prosecuted to the fullest extent of the law”. A lot of services like this are used to stress test servers people own, which is why they buy it. Not saying that’s the case here; they could only prosecute assuming they know they attacked someone’s connection that was not theirs.

      • Coyote

        That doesn’t apply here: in those cases it would have been authorised; it wasn’t here. If it was their own connection they could PROVE it. So while stress-testing (keyword ‘testing’ – not denying service) is legit in cases so too is security audits (keyword ‘audit’). Doesn’t mean it always is legal though because why? If I grant a friend access to my server (for a certain service) then he’s authorised (keyword ‘authorised’) to log in (and while we use ssh-keys instead of passwords it is still the same) to it. However, YOU are not authorised. In other words, if you could get by the keys and ingress filtering (and other defences) it would be illegal for you to log in. It wouldn’t be illegal for those I grant access, however. (I wouldn’t go after you for a variety of reasons but that’s besides the point.)

  • Maxwelhse

    I can shoot a lizard though.. Do it all the time…

  • Vertical Camera Man From WSHH

    GLITCHED MATRIX warned them on twitter, now look at them.

  • RoG™

    I hope they end up in ‘federal pound me in the ass prison’.

  • shipdog7

    15 minutes of fame is all they wanted. To be known of and talked about. Attention they apparently weren’t getting at home. Couldn’t wait to be on camera. They will have mug shots to brag about now.

  • Coyote

    What a shame indeed. On the one hand, it is perfect because the irony (in this case, of course, it is also ‘cruel’ irony) is so perfect itself. But then there is the part where they are still being defiant (even more hilarious as they didn’t use encryption and they’re acting as if they’re still ahead. they might be. for now). If only they could realise just how unoriginal and how they are only the later generations of groups from the first decade of 2000, the 1990s, the 1980s… (i.e. they are not nearly as special as they seem to think and even the past decade was ancient, in this regard). It is a real shame that DDoS (remember DoS attacks ? to think that some had the effect of DDoS yet so much less potent than nowadays…but even those took no skill to cause (writing the exploits is one thing, using it is another)) take no skill whatsoever. If it did you could at least give them some credit (however poor judgement it is). But no.

    As for being unable to arrest a lizard. I might not be able to arrest lizards (although some countries DO arrest animals – be careful what you wish for…) but then I can’t arrest a person either. On the other hand, I could cause lizards to enter cardiac arrest. I wouldn’t because I’m not cruel. But given the definition of arrest, and given the fact I love all word play, I have to note it.

    And yes, one hopes those using the service do get prosecuted and severely. It is ironic itself that they’re paying for something that there exist so many tools for. Basically they’re paying someone else to be a script kiddie for them because they’re even more pathetic than the average script kiddie. While I do think they go too far with the law (at times and depending on the case (and even then probably so)), that is nothing new, and in the end DDoS (and its older cousin DoS) attacks impact many more hosts than the victim (not even counting backscatter). Waste of resources and frankly is as obnoxious as spam (which is a huge waste of resources (to the servers as well!)). If there are going to be serious penalties then this type of thing is where it should be (it often is too far for penetrating a network and doing no harm aside). Still, except for the one wanting to learn, the curious, and particularly if they’re still young enough to not realise the full implications, you can’t feel much sympathy…

  • Michael Chapman

    “Worthy of a singalong by Alanis Morissette?” You really think that’s a good thing?

Copyright © 2017 ESET, All Rights Reserved.