Cybercrime , Cybercrime as-a-service , DDoS Protection
DDoS Attacker Austin 'DerpTrolling' Thompson Gets Sentenced
Defendant Pleaded Guilty to Disrupting Sony Online Entertainment and OthersA distributed denial-of-service attacker who crashed a popular gaming service one Christmastime has been sentenced to serve 27 months in prison.
See Also: 2024 CISO Insights: Navigating the Cybersecurity Maelstrom
Utah resident Austin Thompson, 24, was sentenced on Tuesday in San Diego federal court and also ordered to pay $95,000 in damages to one of his victims: Daybreak Games, formerly known as Sony Online Entertainment.
On Nov. 6, 2018, Thompson pleaded guilty to one charge of damaging protected computers, admitting that he launched DDoS attacks from Dec. 19, 2013, to Jan. 6, 2014, when he was 17, that caused at least $95,000 in damages.
Thompson had faced a maximum of 10 years in prison and a $250,000 fine. His case was investigated by FBI's San Diego office as well as the U.S. Air Force Office of Special Investigations.
“Denial-of-service attacks cost businesses and individuals millions of dollars annually,” says U.S. Attorney Robert Brewer. “We are committed to prosecuting hackers who intentionally disrupt internet access.”
In a statement, the Department of Justice says Thompson's two-month DDoS attacks "were directed mainly at online gaming companies and servers," including Sony. At the time, Sony's networks were a frequent target for attackers (see DDoS Gang Targets Sony).
"Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted 'scalps' (screenshots or other photos showing that victims’ servers had been taken down) after the attack," the Justice Department says, citing the defendant's plea agreement. "The attacks took down game servers and related computers around the world, often for hours at a time."
The @DerpTrolling account claimed to have been launching DDoS attacks since at least 2011, when Thompson would have been approximately 14 years old.
We're back, and ready to launch warheads.
— Derp Trolling (@DerpTrolling) October 17, 2011
"His group, 'DerpTrolling,' was allegedly behind several denial-of-service attacks on online service for several SOE games, plus Battle.net, League of Legends, and Dota 2 in late 2013," the Justice Department says.
At least some of the group's attacks appeared designed to disrupt James Varga, a popular gaming live-streamer who uses the handle PhantomL0rd. Varga said the group also appeared to have "swatted" him by calling police and warning that there was a crime in progress at his house.
When Varga asked Derp online what its objectives were, the reply read: "For the lulz."
Remember the time I got swatted 5 1/2 years ago? Well the guy who doxed me & who DDOSed all the game servers is in jail now: https://t.co/kq4P7YuuZL pic.twitter.com/Se5HFZPHU7
— PhantomL0rd (@PhantomL0rd) July 4, 2019
It's not clear how Thompson or other members of his group effected the DDoS attacks - for example, if he used popular but illegal DDoS-on-demand services, aka stresser/booter services.
@DerpTrolling Austin Taylor Thompson
— Leanne Harkleroad (@lharkleroad) February 11, 2014
Thompson appears to have been doxed multiple times, meaning his DerpTrolling identity was publicly linked to that of Austin Taylor Thompson, of St. George, Utah, born in May 1995. According information dumped online, Thompson joined the U.S. Air Force in August 2013, meaning that the attacks would have occurred when he was serving in the military. That would explain why the U.S. Air Force Office of Special Investigations was involved in his case.
Some Aspects of Case Remain Unclear
It's unclear when Thompson was first arrested and what he's been doing since then.
The Department of Justice couldn't be immediately reached for comment over the July 4 holiday.
The first public records in the case against Thompson appeared on Nov. 6, 2018, when he filed both a waiver of indictment and plea agreement.
A waiver of indictment means that a defendant forgoes their right to have charges brought against them by a grand jury. Writing online, Tampa, Florida-based federal criminal attorney Jason Mayberry says that waiving the indictment is a strategy sometimes pursued if the evidence against a suspect is substantial. "If there is very little doubt that an indictment will be returned and that the evidence against you is overwhelming, cooperation may be your best bet and that can often start with waiving indictment," Mayberry writes.
Selected Court Records Unavailable
While most documents pertaining to Thompson's case are publicly available via the U.S. government's electronic public access service Public Access to Court Electronic Records, attempts on Thursday to access his plea agreement, filed on Nov. 6, 2018, returned this message: "You do not have permission to view this document."
Thompson's defense attorney, Hector Jesus Tamayo, couldn't be immediately reached for comment over the July 4 holiday.
The San Diego Tribune reports that Tamayo told the court in a sentencing memorandum that Thompson was “an insecure and injudicious” teenager who'd succumbed to peer pressure from others in the online gaming community. Access to that sentencing memorandum via PACER has also been restricted.
Thompson joined the Air Force at age 18 but was subsequently dishonorably discharged due to an unspecified criminal conviction, The San Diego Tribune reports.
In the court's judgment against Thompson, dated Tuesday, the mandatory conditions of his release form includes a checkbox next to a stipulation that he "must comply with the requirements of the Sex Offender Registration and Notification Act." That law requires convicted sex offenders to register with their state's sex offender registry as well as to update authorities if they move out of state.
The judgment also states that after his release from prison, Thompson is not allowed to "use or possess devices which can communicate data via modem or dedicated connection and may not have access to the internet without prior approval from the court or the probation officer." In addition, he must "consent to the installation of systems that will enable the probation officer to monitor computer use on any computer owned or controlled by the offender."
Stresser/Booter Disruptions Continue
While Thompson's DDoS attack spree may have ended in 2014, such attacks live on. Authorities say they're aided in large part by the ready availability of stresser/booter services as well as a seemingly endless supply of children who want to try and disrupt gaming sites (see Cybercrime Gangs Advertise Fresh Jobs, Hacking Services).
Such attacks also continue to be driven by extortionists, as well as others with an "ideological, political or purely malicious reason," the EU's law enforcement intelligence agency, Europol, says in its 2018 Internet Organized Crime Threat Assessment, released last September (see Cybercrime: 15 Top Threats and Trends).
Europol notes that in 2017, the volume of DDoS attacks was second only to malware, adding that on-demand disruptsions were "also becoming more accessible, low cost and low risk," thanks to ongoing, easy access to "stresser/booter" services (see Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).