An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.
Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016.
DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can’t handle visits from genuine users.
In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted.
“In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business,” wrote the Department of Justice in a statement released on January 16.
The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.
US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston’s guilty plea.
The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey.
Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be “the new industry standard in DDoS mitigation” and is currently online using an invalid certificate.
Preston was featured in the 2016 KrebsOnSecurity story “DDoS Mitigation Firm Has History of Hijacks,” which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn’t own in a bid to protect clients from DDoS attacks.
Preston will reappear before the court on May 7 for sentencing.