Operator of ‘Booter’ Service for Cyber Attacks Sentenced to 13 Months

November 19, 2019

An Illinois man who has been hacking since he was a teenager was sentenced last week to 13 months in prison and ordered to forfeit $542,925 for operating a service that charged subscription fees to hackers who launched millions of cyberattacks from 2015 to 2017, the U.S. Justice Department announced.

Federal prosecutors say Sergiy Petrovich Usatyuk, 21, of Orland Park, conspired with an unidentified resident of Canada to operate illegal “booter services” that launched distributed denial-of-service attacks against websites to make them slow or inaccessible from around August 2015 through November 2017. He pleaded guilty on February 27 to conspiracy to cause damage to protected computers and agreed to forfeit all the money he had earned through the crime, as well as hand over dozens of computer servers that were used to carry out the DDoS attacks.

Cybersecurity expert and author Brian Krebs, a former Washington Post journalist, reported on his blog in February that Usatyuk’s arrest is part of a crackdown by the FBI against “DDoS-for-hire” services. Federal prosecutors in Los Angeles charged in January that Matthew Gatrel from St. Charles, Illinois and Juan Martinez of Pasadena, Calif. sold continuously updated lists of Internet addresses tied to devices that could be used by booter services to make more effective attacks against websites. That criminal case has not yet gone to trial.

Curiously, Krebs himself was an early victim of Usatyuk. Krebs wrote that after his website, KrebsOnSecurity, was attacked in 2014, he tracked down the culprit through posts that Usatyuk wrote on a website called Hackforums. He said he interviewed both Usatyuk, who was 15 at the time, and his father, an assistant professor at the University of Chicago. Sergiy denied that he was the attacker, but the FBI thought differently and told him that his DDoS attacks were illegal, according to a pre-sentencing report.

Prosecutors had recommended that Usatyuk be sentenced to 57 months in prison, the amount called for under federal guidelines. The U.S. Attorney’s office noted that Usatyuk had been warned and had promised to discontinue his cyber attacks.

“The defendant’s promises proved hollow,” the report says. “Within two years of the FBI’s visits to his home, the defendant not only elected to resume launching DDoS attacks; but dramatically escalated the seriousness and scope of his criminal conduct by unveiling services that could help thousands of other cyber criminals do the same.”

Prosecutors say Usatyuk’s booter service was used to attack U.S. military webpages, law enforcement agencies, large and small corporations and residential communities. In a victim impact statement, MCNC, a nonprofit technology provider for North Carolina schools, said DDoS attacks disrupt business operations by overwhelming networks with bogus traffic, preventing legitimate requests from getting through. The organization has spent $4 million since 2015 on hardware, software and maintenance to protect itself from cyber attacks, stated Chris Beal, chief information security officer.

Beal said that DDoS attacks are similar to pulling a fire alarm to disrupt classes.

“Students utilize DDoS attack (or ‘Booter’) services because they make DDoS attacks very inexpensive, and very little technical skill is required to implement an attack,” Beal said. “These services can make it trivial for students to launch these attacks against their schools, and the attacks can be highly disruptive.”

The FBI says Usatyuk created a Delaware corporation called OkServers that offered a “booter” service that allowed hackers to launch DDoS attacks in exchange for subscription fees. He and his Canadian co-conspirator operated domains including exostress.in, ipbooters.com and databooter.com that launched attacks from servers in Chicago and Bucharest, Romania.

Usatyuk told one ExoStresser user, “You can DDOS any IP you want, we don’t care,” according to the criminal information.

Prosecutors said Usatyuk’s servers were used for at least three DDoS attacks against the Franklin Regional School District in the Pittsburgh, Pennsylvania, area that disrupted the school district’s network and also the computer systems of more than 17 organizations that shared the same infrastructure in Westmoreland County.

A manufacturer of Internet games was also targeted by OkServers’s equipment and had to pay $164,000 to resume operations after a DDoS attack, according to charging papers.

The Justice Department said that in the first 13 months of the conspiracy, 385,863 separate users made 3,829,812 DDoS attacks. Computer logs for the final 14 months of the conspiracy had been deleted and were no longer available, according to court documents.

A U.S. District judge imposed the 13-month prison sentence on Friday. On Monday, the judge ordered Usatyuk to report to prison on Jan. 2.