Lizard Squad DDoS-for-hire service hacked – users’ details revealed

Oh, the irony…

Remember Lizard Squad, the hackers who took down the XBox Live and PlayStation Networks at Christmas, in what they claimed was a publicity stunt for their DDoS-for-hire service?

Well now, in an act of supreme irony worthy of a singalong from Alanis Morissette, Lizard Squad has been hacked itself.

Oh dear. What a shame. Couldn’t happen to a nicer bunch of fellows…

As Brian Krebs reports, the gang’s LizardStresser DDoS-on-demand service – powered by thousands of hacked residential internet routers – has been “completely compromised” and details of over 14,000 users passed to the authorities.

Astonishingly, it appears that the Lizard Squad failed to encrypt its database of registered users – but instead stored details of their usernames and passwords in plaintext. A schoolboy error if ever I heard one.

As I said at the end of last year, the authorities are likely to take a dim view of anyone purchasing the services of the Lizard Squad to launch a denial-of-service attack against a website or internet service.

I wonder what LizardStresser’s users, who apparently have paid Lizard Squad the tidy sum of $11,000 in bitcoins to launch attacks so far, will think of their details now being in the hands of law enforcement agencies like the FBI?

Lizard Squad hasn’t been having a great time of it since their yuletide antics against video game fans.

Firstly, police in the UK arrested 22-year-old Vinnie Omari, a suspected member of the gang who perhaps made the unwise move of offering his expert advice about the Lizard Squad in an on-screen TV interview. Omari has since been bailed until March.

Then it was revealed that Finnish police had questioned another suspected member of the Lizard Squad gang – Julius Kivimäki. Like Omari, Kivimäki hadn’t been shy about courting the media’s attention.

And last Friday, British police announced that they had arrested an 18-year-old man in Southport in connection with the denial-of-service attacks against PlayStation Network and XBox Live.

According to a BBC news report, the latest arrest was the result of a joint investigation between British law enforcement agencies and the FBI. The man has now been bailed until May.

It would be a mistake to think, however, that the police action seen so far necessarily spells the end for Lizard Squad’s antics.

The group’s Twitter feed, for instance, remains as vocal as ever – even going so far as to mimic the final tweet posted by Jake “Topiary” Davis, the spokesperson of the busted Lulzsec hacking gang, before his arrest in 2011.

Tweet from Lizard Squad

Author Graham Cluley, We Live Security
