Industry News

Man who made $542,925 renting out DDoS services sentenced to prison

A 21-year-old man who made half a million dollars running DDoS-for-hire services has been sentenced to prison for 13 months.

Between August 2015 to November 2017 Sergiy P. Usatyuk of Orland Park, Illinois, and a co-conspirator, operated a number of “booter” services that launched millions of distributed denial-of-service attacks that rendered websites slow or inaccessible.

The illegal websites operated by Usatyuk had colourful names such as ExoStresser, QuezStresser, Betabooter, Databooter, Instabooter, Polystress, and Zstress.

Despite their different names, the “booter” (sometimes known as “stressser”) services were all designed for the same purpose – to make it simple for cybercriminals to hire a DDoS attacks that could swamp a targeted web server or computer with unwanted internet traffic, interrupting normal business operations and causing network downtime.

In one attack, highlighted by the Department of Justice, a subscriber to the Betabooter service launched a series of DDoS attacks against a school district in Pittsburgh, Pennsylvania. That attack is said to have not only disrupted the school district’s computer system, but also impacted the systems of 17 other organisations that shared the same IT infrastructure, including other school districts, the county government, and a Catholic Diocese in the area.

Low cost has made booter-based DDoS attack services offer an easy entry point for those tempted by a life as a cybercriminal.

Hiring a DDoS may cost relatively little, but the sheer number of website-clogging attacks initiated (over 3.8 million in the first 13 months of the criminal scheme) meant that significant sums of money were being earnt by Usatyuk and his accomplice. In addition, revenue was generated by selling ads for other booter services on the sites.

“The defendant made hundreds of thousands of dollars by launching countless indiscriminate cyber-attacks that victimized various segments of American society,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “The Criminal Division and our law enforcement partners will remain vigilant in protecting the American public from these types of sophisticated, far-reaching threats.”

Once his 13 month prison sentence is over, Usatyuk will have to serve three years of supervised release. In addition the 21-year-old has been ordered to forfeit dozens of servers and other computer equipment, as well as $542,925 he made through the criminal scheme.

Any company which relies upon its website to make money, and provide services to its customers, needs to consider very seriously what it is going to do about DDoS attacks.

The problem hasn’t gone away, and the availability of “booter” services has put the ability to bring down websites through a DDoS attack into the hands of even the least technologically-inclined criminals.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.