The FBI Is Arresting People Who Rent DDoS Botnets

Source: bleepingcomputer.com/news/security/fbi-arrests-customer-of-xtreme-stresser-ddos-for-hire-service/

>Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

>"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.

Good.

>going out of your way to harass someone
>get charged with a crime
hmmm

good news? on MY Sup Forums ?!

it's more likely than you think.

Though I did wish more news was posted on here... better than most of the shit posts that goes around.

>Sharma rented it for an attack on Chatango, an online chat service

Why Chatango out of all websites?

1) Autist gets banned from some chatroom for sperging out all the time
2) Autist spergs out and attacks chatango in revenge

>hire hitman
>get arrested

wtf it's not like i actually killed the guy i just paid someone to do it for me

Rom is a cute!

Land of the free

How do they know it was used for a DDoS and not a computation cluster.

Come on...

yeah because as we all know, ddosing services is a side effect of cluster computing

dumbass

/thread

I can't wait to disconnect from the internet.

Why would these people even live in the United states?

Thats a lie. Nobody was arrested in Spain

>rent a computer lab full of windows PCs for a work seminar
>do 6 to 36 months

This individual is not being charged for renting computing power. They are being charged for using rented computing power in a DDoS attack.

kek

skidforums BTFO

b-b-b-but user... image if he WAS???!!!

Why do people do this shit.

Like the people who whiteknight for malware authors and say shit like "Yeah he shouldn't get in trouble! There's plenty of practical applications to a bot with formgrabbing capabilities and a bootkit component. Nothing wrong here!"

it's my skull and bones remote administration tool, it's a legitimate product!

Yeah, the webinjects and formgrabbers are totally legitimate!

The program attempts to hide itself from the user and disable antivirus software... there's uh... plenty of legit uses for that!

a botnet is a botnet

>My software was created to evade anti viruses/anti malware programs and also be hard to analyze by security researchers, with the main goal of earning money through fraud...

>BUT IT'S TOTALLY LEGIT, IT HAS LEGIT USES

why do people do this?

>2016
>top sites with malware ads totally legal
>even talk of banning ad blocker

>Post on hackerforums
"Hey guys wanna rent my botnet to ddos people/web services? Cheap prices, I got lots of bots - also known as illegally infected computers without the owners' knowledge!"

>Tiny font size: "Oh by the way only use this on networks YOU OWN, im not responsible for people using my services for any illegal purposes"

>exchanging currency for certain goods/services is illegal
really fires your neurons

>A certain combination of 0's and 1's is illegal

>Certain movements of your body in a certain pattern is illegal

>Creating a certain thing is illegal

>Pointing a certain object at a certain living organism is illegal

Huh, now that REALLY makes me think

I'm assuming this retard paid with his credit info?

I wouldn't be surprised.

see

>Sharma is banned from accessing certain sites such as HackForums

I keep refusing to go there because I keep assuming it's a group of kids asking people to hack facebook, but then I see shit like this.

It hackforums worth looking at?

99% is absolute garbage
No.
If you want to become a hacker, do NOT go there.
Learn a fucking web language intimately if you want to hack websites, a low level language if you want to have a buttnet.

If you want to get buy hacking services, there are better sites.
If you don't believe me, go make an account your self.

>hello, pleased to be helping you today, sir. my name is Sean

Keep up the good work I guess.

are you suggesting DDoS is inherently illegal?

i hope they crack down hard on DDOS'ers, there are few things that i hate more than these faggots

DDoSing a commercial online service sure as fuck is inherently illegal

only if you do so without their permission

* Buying and using a car is not illegal. Using that car to drive over pedestrians is.
* Buing and using a computational cluster is not illegal. Using that cluster to attack servers is.
* Writing malware software is not illegal. Using that malware software to infect PCs and steal credit card data is.

This is not exactly rocket science, come on.

Are you trying to suggest Mr Krishanmakoto Sharma had permission by Chatango to DDoS their servers?

>pay someone to commit a crime for you
>surprised that that is also a crime
only in 'merica

>Writing malware software is not illegal. Using that malware software to infect PCs and steal credit card data is.

When does the FBI start arresting NSA operatives?

Silly user, laws don't apply to the NSA

>"As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."
>banned from using VPNs

I can't wait for this kind of ban to be handed out to people en masse.

You used HTTPS, you shall be fined $150,000 and be banned from all encryption for a year

Technically VPS is enforced by the host, not client. VPN is not.

>VPS

s/VPS/HTTPS/

>imagine if he was
Then they wouldn't be in the news for being arrested for DDoSing a server.

>there's plenty of practical applications to...
But this is irrelevant. The crime committed is not the purchase of the stress tester, but the use of it for illegal purposes. If it was used to stress test one's own server, there would not be arrests.

You can't treat this as an example of creeping fascism. This was not a preemptive arrest to prevent a DDoS from being made with the service, suggesting that legitimate users could be stopped. This is an arrest made after a crime had already been committed, against the perpetrator.

There are people all over the world who are dumb enough not to know the law.

>Sean krishanmakoto Sharma
>49 replies
>0 pooinloo jokes

I am disappoint Sup Forums.

>type http:// instead of https://
how is this not client-side?

With all the recent ~2 Tbps DDOS attacks on the internet, good riddance to these assholes. IoT devices have allowed these extremely extensive botnets to open virtually overnight because lazy Chinamen can't into firmware security for their wireless door locks and cameras.

The real solution for these attacks won't happen until someone that's way more intelligent than me creates a truly intelligent application algorithm that can mitigate the attacks.

I don't understand how it's a criminal issue, though? I mean, worst case scenario isn't it just a civil matter?

It is a service provided by the host and most hosts that provide HTTPS also redirect to it from HTTP. This prevents retards from getting hit by MitM and blaming it on the host.

Well, if you sabotage the power lines to your nearest walmart, it's a criminal case, so why shouldn't DDoS be?

In that case you would be charged for destroying public property, not for shutting down the Wal-Mart. The only "damage" was whatever revenue the victim can claim they lost from the downtime, which would be a matter of awarding damages in civil court.

If they only lost business for a few days that's one thing, but frequently the owners of sites affected by DDoS attacks have to pay for bandwidth usage even though it was all phony traffic. It's basically vandalism.

That's still just revenue loss, which is a civil matter that can be fully rectified by simply paying for the damages.

Can still probably be charged with disrupting public services (ie internet) or something like that.

After the damage reaches a certain point I think it becomes a criminal offense.

>Most suspects arrested in Operation Tarpit are under the age of 20, much younger than Sharma.
Literal scriptkiddies

Most likely because it was both willful and frequent.
>He used this service to attack Chatango and brought down the company's services on different occasions for a two-month period, between November 6, 2014 and January 20, 2015.

If it only happened once, a civil case would be more likely. But because he did it multiple times, a criminal case becomes more plausible as it involves a person willfully trying to disrupt your business with harassment and interruption.

Because we all bear the cost.
Data centers have to mitigate DDoS attack and all their customers pay for it, and in turn their customers.
That means if you buy something in an online store, you're paying for some man/child/manchild shit head's DDoS.

All right, what if I block the entrances to Walmart with concrete blocks, am I going to get civil charges only?

This is great.
The faster they start throwing these cunts in jail the better.

It's hard to make an equivalent situation to a DDoS in real life.

It's kinda like if some invisible man just suddenly erected a giant wall or wide and deep moat around a business and then left the business with the bill to have the thing removed.

Once might not cause much damage except for the lost revenue and the removal costs but the invisible man could do that any number of times for a relatively small amount of money. In this case the guy was apparently harassing these businesses for two months.

It would be like blowing up the parking lot. No one can get in until the parking lot is fixed, and it's destruction of private property, which is both criminal and civil.

except DoS attacks are not destructive and need to be sustained. as soon as you stop them everything is back to normal.

It's more like paying a bunch of hobos to block the entrance. once their booze runs out the shop can resume business.

Something I didn't actually think about before but abnormally high CPU load can cause electricity bills to soar also. No it's not physically destructive but it is highly disruptive since the owner has physical bills to pay afterward. Should the owner be forced to foot those bills? Many of the people that stage these attacks are in countries with shitty laws and wouldn't honor civil suits against their citizens. What does the owner do in that case?

It's both.

>In the United States, DDoS attacks fall under federal statutes. Participants run the risk of being charged with both criminal and civil complaints.

Civil charges from the company. Criminal charges from LEAs catching you do it. It doesn't matter what or how much you affected it. You did it, you got caught, you get charged.

retard

>virtual hitman
kek

Unrelated but I wonder if that one guy will actually be able to subpoena and sue the person that sent him a strobe image over twitter knowing that it could cause him to have an epileptic seizure.

>create Mirai botnet variant
>make sure it bricks infected devices
>let it run for a while
>internet is now safe of chinamen shitty security

While the guy is a retard and deserves any punishment he gets, I feel like 10 years and a quarter of a million dollars is a little extreme.

You lot also think it's legal to meet up with 200 retards and start going 5km/h over the highway together?

...

What if you rent a stresser to test your own infrastructure against ddos attacks?

Then you don't commit any crime. You won't report yourself to the police as well.
However a DDoS service is not allowed to contain any infected computers, or else it's breaking laws as well.

Yeah that does seem like a lot but I think that's just the maximum he could get if the judge felt like charging him with everything to make a point. The judge usually hands out much more lenient sentence at the end.

>chatango
shit's dead anyways, why waste your money

>Sean Krishanmakoto Sharma
DEDIGNATED HACKING STREET

Remember, no one takes these things seriously until the government steps in. Some chick might have told him off on Chatango and he felt like going full NERDRAGE on it. Who knows?

> What if you break down your own door?
> Burglary laws are retarded.

RAM A CUTE
CUTE!

In this case, unless you're an idiot, you probably rent a legal service and have paperwork to prove it.

More like "What if you pay a wanted criminal to break down your own door?"

Good. I thought they already did this, however. Maybe it's just become a bigger issue in the past few years.

Although once you see who is behind these attacks, you'll realize that arresting them doesn't matter. They've suffered enough.

I used to know the type of people that did this a few years ago. There's a reason they hide behind a keyboard. It's not that they're anonymous and cool. They're embarrassed. They really live a sad life. I'd go on TeamSpeak and they'd get my IP (not like it was difficult) and would mess with me. I'd get annoyed, but after I realized who they were, I'd feel sorry for them. Sure, it's an inconvenience, but whatever.

Fuck that white noise. Keep arresting them. Arrest all of them. I have long since gotten past this whole "pity the weak and forgotten for they have nothing else to claim" nonsense. You don't earn the right to HACK THE CYBERSPACE just because you couldn't hack it in real life. Either don't get caught or get fucked.

>hiring a botnet through public webportals
are people really this dense?

>costs them money via bandwidth
>lost revenue via ads
>can cause loss of users
>makes the company look bad
>some server hosts kick you off if you get a lot of attacks meaning it could cause the company downtime and force them to migrate everything to another provider

Fuck them and fuck you all who read this

I just can't get into the mindset of doing that though I mean how can they think it's safe to create and account and pay for an illegal service on the surface web..., I've only ever used a illicit botnet once and it was a friends who agreed to stress test a few of my servers

>shit-tier hacker names
No. Who the fuck would want to hang out with skids named HackRain, Vyrez, Chill Dill, solid triangle square circle, SGD God, HitzSPB, Tree of Life, xscatta, The Global Elite, +Arcane, etc. Look at all these fucking loser names. Imagine being in an irc while The Host is going, "Yo, I'm all hardcore and shit." Gnarly retorts, "I just pissed all over your modem, brah." While Roses is all like, "Nobody noticed that I slightly dimmed their Philips Hue bulbs." The inanity of the comments dulls your excitement at your recent discovery of a buffer overflow exploit giving you permission above ring zero. The sleepless weekends and their accompanied groggy Mondays over the past nine months haven't been all for nothing, yet here you are, with nothing to say. "Shouldn't I feel elated?," you wonder to yourself. "These guys are real hackers, they'll understand. I can't expect everyone to find something this exciting all the time.," as you console yourself in preparation to share the fruit of your labors with your fellow practitioners of the dark arts. As you begin to press the keys, "Where do you keep your buttcoins, dudes? I keep mine in the freezer, for safety, of course.," comes gently gurgling from the bottom, like the unwelcomed overflow of a public commode. You hit the switch, the gentle hum waning as you stare into a dark room wondering where you went wrong.

I fucking love skids it's a great fucking time desu, it's a good past time - just search how to ddos on youtube or join the anonops IRC, some guy was talking about how he upgraded his raspberry pi to an I7 and installed 16gb of ram and everyone was just sucking him off cause he's a mod

desu I cant tell if he's a white or Indian weeb. Sean is a western name, krishan/sharma Indian I guess, but the makoto part also threw me off.

Good, good. We need more news like this.

i'll take digital rights management for $500

>they are doing their job
I suppose that's shocking enough to warrant this worthless thread

they could just drop the traffic for the duration of the DoS if electricity is a problem. and no, electricity is not a problem, it's like cents per kWh.