The crime and punishment of DDoS attacks

Written by Contributor, on 17th Dec 2018. Posted in General

At this point in time, you won’t meet many people who are informed on cyberattacks like ransomware, data theft and DDoS attacks who would claim that cybercrime isn’t as serious as other types of criminal theft, intrusion and vandalism. Lives can be seriously impacted by cybercrime, and businesses can be ruined.

Yet if you look at the sentencing history of those arrested for serious cyber offenses, you might wonder if the courts know how serious cybercrime can be, especially DDoS attacks. For a long time, it seemed like it was only the targets of cybercrime who were suffering consequences as a result of the perpetrators’ actions. With a couple of recent sentencings regarding distributed denial of service attacks, however, are we starting to see the tide turn?

Getting off lightly

Many DDoS attackers, even the ones behind DDoS for hire services raking in hundreds of thousands of dollars, are teenagers. So regardless of the fact that they’re running global crime services or inflicting serious damages on businesses, educational institutions, gaming platforms and governments, when it comes to the topic of punishing these criminals for their crimes, the argument that they’re just kids with their whole lives ahead of them inevitably rears its head.

This is why an 18-year-old hacker known as Jelle S. was given just 10 hours of community service when he was found to be behind a distributed denial of service attack on a Dutch bank in 2017, a punishment that ultimately proved ineffective as four months later he launched a week-long string of DDoS attacks on other Dutch banks and government services that was so severe it was initially blamed on Russian hackers. Jelle S. has not yet been convicted or sentenced for his second spate of attacks, so it remains to be seen how severe his slap on the wrist will be this time.

Joining Jelle S. in the lightly punished category is vDOS DDoS-for-hire accomplice Jack Chappell, a UK teen given a 16-month suspended sentence for attacks on multinational organizations including the BBC, Amazon and NatWest Bank. If he complies with a set of conditions surrounding his release, he will never have to serve one day of that sentence.

Zachary Buchta, one of the founding members of hacktivist group Lizard Squad, is one of the attackers to actually serve jail time as a result of his crimes, which involved running a DDoS-for-hire service, targeting online gaming and gambling companies with DDoS attacks, and launching phone-bombing attacks that inundated his targets with 30 days' worth of continuous obscene phone calls. He received a sentence of just three months, and was ordered to pay $350,000 in restitution to two of the online gambling companies he attacked.

Stiffer punishments

Another UK teen, Adam Mudd, was just 16 when he created his DDoS-for-hire service the Titanium Stresser. Almost two million attacks later, Mudd wasn’t given the break his peers were when it came time to be sentenced, receiving two years in jail. There was no mention made of restitution in his sentence, however, even though he had made an estimated $500,000 USD selling his DDoS services.

Leaving the teens behind temporarily, the United States handed a serious sentence to John Kelsey Gammell, a man convicted of a long campaign of DDoS attacks against a range of victims, with a former employer targeted the most heavily. Gammell has been sentenced to 15 years in prison, though some of that prison time stems from two charges of being a previously convicted felon in possession of a gun. The court stated that it would see about restitution at a later date.

The maximum sentence for a single charge of causing intentional damage to a protected computer, which is something every DDoS attacker could be charged with, is 10 years in prison. As we see above, the maximum sentence is rarely applied.

Putting a price tag on DDoS

As frustrating as it is to see attackers get off with light sentences, it must be even more frustrating for the victims of distributed denial of service attacks to see no mention of restitution in a sentencing. It’s been known for years that a DDoS attack can cost a business anywhere from $20,000 to $100,000 hourly. The company behind the game Runescape, one of Adam Mudd’s victims, spent over $7.5 million USD fighting DDoS attacks and suffered a further $230,000 in lost revenue. The restitution orders handed to convicted DDoS attackers haven’t come close to touching these figures…until now.

Paras Jha is a man behind the Mirai botnet, one of the most well-known DDoS botnets to ever exist thanks to its attack on the Dyn DNS server. In two separate trials he has been convicted for DDoS-related crimes, and though he was given no actual jail time, receiving five years of probation and six months of house arrest instead, the restitution he has been ordered to pay is likely even better justice for his victims. For his Mirai-related attacks he must pay $186,000 USD to his victims, and for a series of attacks on his alma mater Rutgers University, he must pay an astounding $8.6 million USD. For one victim of DDoS attacks, justice has been served at last.

It will be interesting to see if DDoS-related sentences continue to get harsher and restitution orders continue to get bigger. They should, since these attacks aren’t getting any less damaging and the attackers behind them clearly know the kind of devastation they’re causing. However, until the legal system fully catches up to cybercriminals, the best justice for businesses will be to keep these attackers from succeeding in the first place with professional DDoS protection.
