A British teenager has avoided jail time after pleading guilty to a string of offenses, including thousands of distributed denial-of-service attacks against such organizations as Amazon and Netflix, as well as a 2015 attack that disrupted online banking systems at National Westminster Bank, better known as NatWest.
Jack Chappell, now 19, appeared Tuesday at Manchester Minshull Crown Court, where he received a 16-month sentence to be served in a young offender institution, with the sentence suspended for two years.
The suspended sentence means that if Chappell stays out of trouble and follows the court’s instructions, he will avoid having to serve time in jail.
The court heard how Chappell, when he was 16 and 17, launched 2,000 attacks on behalf of vDos, a so-called stresser/booter service that enabled anyone to order DDoS disruptions against sites of their choice.
Speaking in court on Tuesday, prosecutors said that at the time of the attacks, vDos was one of the world’s biggest DDoS-on-demand services, responsible for more than 1 million disruptions, and Chappell played an important role in the enterprise (see FBI to DDoS Victims: Please Come Forward).
“Chappell offered denial-of-service attacks on a subscription basis for a fee; users simply had to select the extent and duration of attack they wanted and pay with bitcoin, PayPal or a credit card. It was that simple,” Detective Sergeant Simon Biggs from the West Midlands Regional Cyber Crime Unit says in a statement.
“Stresser services like vDos allow amateurs, sometimes motivated by a grudge, to launch attacks easily and with little or no specialist knowledge,” Biggs says. “[Chappell] even offered customer support on how to pick the right malware for the site they wanted to crash; it was tailor-made cybercrime solutions.”
Acting on a tip from the FBI, in 2016, Israeli police arrested two Israeli nationals and charged them with running vDos, which has been tied to more than 1 million DDoS attacks launched over a two-year period (see DDoS for Hire: Israel Arrests Two Suspects).
British police say they identified Chappell as a vDos accomplice after tying his IP address to DDoS attacks.
Their investigation was led by the South East Regional Organized Crime Unit – SEROCU – and West Midlands Police, who arrested Chappell in April 2016. He was charged with violating the Computer Misuse Act by impairing the operation of computers as well as encouraging or assisting an offense. He was also accused of money laundering together with an unnamed U.S. citizen who is reportedly under investigation by the FBI.
West Midlands Police and SEROCU could not be immediately reached for comment on Chappell’s sentencing.
Targets: Amazon, Netflix, Others
Chappell admitted to launching DDoS attacks against numerous organizations, including not just Amazon, NatWest and Netflix, but also the BBC, the National Crime Agency, and telecommunications companies BT, O2, Virgin Media and Vodafone. He also launched DDoS attacks against Manchester College as well as the U.K. government’s Janet Network, used by British researchers and educators.
Besides being a student at Manchester College, Chappell’s LinkedIn profile also lists him as being an apprentice software developer at a Manchester firm called Bright Future Software.
“We are very pleased to have been able to assist the police in their investigation of this case; it sends a strong message to other would-be attackers that such criminal behavior will not be tolerated,” Paul Feldman, chief executive of Jisc, which provides the Janet Network, tells Times Higher Education. Jisc said it took 180 days and £5 million ($6.7 million) to upgrade its infrastructure to better repel such attacks in the future.
Help From FBI, Europol, Israel Police
West Midlands Police say they received assistance during their investigation from Israel Police, the FBI and Europol’s European Cybercrime Center.
Police say that none of the DDoS attacks Chappell was accused of launching led to any customer data being lost or stolen.
Chappell’s defense attorney, Stuart Kaufman, said that his client had been recruited by the alleged vDos ringleaders. “He is in some ways as much of a victim; he has been exploited and used. He is not malicious, he is mischievous,” Kaufman told the court, Manchester Evening News reports.
Chappell also admitted to helping launder vDos proceeds worth about £600,000 ($800,000), while receiving only £1,500 ($2,000) in return.
“It is a tragedy to see someone of undoubted talent before the courts,” Judge Maurice Greene said during the Tuesday sentencing hearing, the Sun reports.
“You were undoubtedly taken advantage of by those more criminally sophisticated than yourself,” the judge added, but said he opted to suspend Chappell’s sentence, in part, due to concerns for his welfare. “You would be extremely vulnerable in a custodial element,” the judge said, referring to prison.
Lizard Squaddie Pleads Guilty
This isn’t the first time a teenager has pleaded guilty to being part of a DDoS-as-a-service attack operation (see Teen Hacker Sentenced Over ‘Titanium Stresser’ Attacks).
On Tuesday, 20-year-old Zachary Buchta pleaded guilty before U.S. District Judge Manish Shah to conspiring to damage a protected computer as well as participating in DDoS disruptions and other online attacks launched by the Lizard Squad and PoodleCorp hacking groups (see PlayStation, Xbox Disruptions Continue).
“Buchta … conspired with other members of Lizard Squad to operate websites that provided cyberattack-for-hire services, facilitating thousands of denial-of-service attacks, and to traffic stolen payment card account information for thousands of victims,” according to a criminal complaint and affidavit filed in U.S. District Court in Chicago in 2016.
Anecdotal evidence suggests PoodleCorp may also have developed and later released the source code for the devastating Mirai malware that began infecting internet of things devices in 2016 (see Can’t Stop the Mirai Malware). That said, none of Buchta’s charging documents appear to mention Mirai.
He’s due to be sentenced on March 27, 2018, and faces up to 10 years in prison. He’s also agreed to pay at least $349,000 in restitution for the losses suffered by disrupted organizations. The Chicago Sun Times reports that Buchta’s plea deal says that if he continues to collaborate with the government, he could face less than three years of prison time.