Lizard Squad member jailed after offering DDoS‑for‑hire attack service

"Hacker-for-hire" service launched distributed denial-of-service (DDoS) attacks against websites and phone-bombed its victims.

“Hacker-for-hire” service launched distributed denial-of-service (DDoS) attacks against websites and phone-bombed its victims.

The Chicago Tribune reports that a federal judge has sentenced a man to three months in prison for the part he played in a “hacker-for-hire” service that launched distributed denial-of-service (DDoS) attacks against websites and phone-bombed its victims.

20-year-old Zachary Buchta – who went by online handles including “pein”, “@fbiarelosers”, and ““@xotehpoodle” – was a member of the Lizard Squad and PoodleCorp hacking groups, which hijacked victims’ online accounts, sold stolen payment card details, and launched crippling DDoS attacks against corporate websites.

Lizard Squad weren’t afraid to draw attention to themselves, creating headlines worldwide after knocking both the Sony Playstation Network and XBox Live game networks offline for Christmas 2014.

The hacking group later claimed that the high profile attacks were a publicity stunt for their DDoS-for-hire service known as LizardStresser.

Lizard Squad was certainly not the first online gang to offer DDoS attacks as “cybercrime as a service”. There are plenty of other online criminals offering booter tools on underground hacking forums. What made Lizard Squad different, however, was its audacity – both in its choice of targets and in its active use of social media to promote its activities.

Ironically, Lizard Squad’s DDoS-for-hire service was itself later hacked, spilling the plaintext details of its registered users and no doubt providing law enforcement agencies with a very interesting collection of names.

Another deeply unpleasant way in which Lizard Squad made the lives of others a misery was through their “Phonebomber” service that allowed customers paying $20 to target victims with repeated phone calls from spoofed phone numbers:

[Phonebomber] is a no-registration phone bombing service. We will call your target once per hour with one of our pre-recorded messages for $20 a month. Since our calls come from random numbers, your target will be unable to block our calls. Your target will be left with only 3 options: Change their number, Bend to your whim, Deal with a ringing phone for the length of our attack :\ For the extortionists amongst us we’ve added an option to cancel the calls at the click of a button, giving you complete control over the length of the attack. . . .

Since there is no registration, all purchases are untraceable. The only data a hacker / feds would be able to exfiltrate from our database are the phone numbers currently being called, and the last 30 days of targets. Rest assured your privacy is respected here and purchase in confidence.

One victim reportedly received the following (redacted) message every single hour for 30 days:

“When you walk the ****ing streets, Mother****er, you better look over your ****ing back because I don’t flying **** if we have to burn your ****ing house down, if we have to ****ing track your goddamned family down, we will **** your **** up mother****.”

It’s easy to imagine just how stressful it must have been to be on the end of continual phone calls like that.

Some of the hacking groups activities, however, appear to have been more mischievous than malicious. Take, for instance, the January 2015 compromise of pop star Taylor Swift’s Twitter and Instagram accounts.

Messages posted to the celebrity’s hijacked accounts appear to have been more aimed at encouraging Swifties into following Lizard Squad’s social media accounts than something with much more potential for serious impact – such as a link to a website harbouring a phishing page or an exploit kit.

At the time, Taylor Swift was the owner of the world’s fourth largest Twitter account (some 51 million followers) and had a further 20 million Instagram followers. As such, if they had wanted to the hackers could have caused a significant problem.

Taylor Swift reassured her fans that the hackers’ claims that they would release nude photographs was nonsense (“Have fun photoshopping cause you got NOTHING.”), and, to her credit, responded to the hack in witty fashion:

"Cause the hackers gonna hack, hack, hack, hack, hack..."

Buchta, of Fallston, Maryland, pleaded guilty in December 2017 to one count of conspiracy to commit damage to protected computers, and faced a potential sentence of ten years in prison. However, following a plea deal that acknowledged he had co-operated with the authorities in a way that led to the arrest of two of his former gang members, his prison sentence was set at three months.

As part of his plea agreement, Buchta must also pay restitution fees of $350,000 to two gambling companies that were impacted by his attacks.

Before sentencing, Buchta read a statement to the court apologising to victims and explaining how he felt had turned his life around to become “a productive member of society”. Upon hearing that he would be serving prison time, Buchta burst into tears.

I guess Lizard Squad’s online antics don’t seem quite so funny anymore.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center