WASHINGTON – An Orland Park, Illinois, resident was sentenced yesterday to 13 months in prison, followed by three years of supervised release on one count of conspiracy to cause damage to internet-connected computers for his role in owning, administering and supporting illegal booter services that launched millions of illegal denial of service, or DDoS, attacks against victim computer systems in the United States and elsewhere.
Chief U.S. District Judge Terrence W. Boyle sentenced Sergiy P. Usatyuk, 21, in the U.S. District Court for the Eastern District of North Carolina. Usatyuk also was ordered to forfeit $542,925 in proceeds from the scheme, as well as dozens of servers and other computer equipment that facilitated the scheme and/or constitutes its proceeds.
According to the criminal information, Usatyuk combined with a co-conspirator to develop, control and operate a number of booter services and booter-related websites from around August 2015 through November 2017 that launched millions of DDoS attacks that disrupted the internet connections of targeted victim computers, rendered targeted websites slow or inaccessible, and interrupted normal business operations. The illegal services included ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com and Zstress.net.
“The defendant made hundreds of thousands of dollars by launching countless indiscriminate cyber-attacks that victimized various segments of American society,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division. “The Criminal Division and our law enforcement partners will remain vigilant in protecting the American public from these types of sophisticated, far-reaching threats.”
“DDoS-for-hire services pose a malicious threat to the citizens of our district, as well as districts across the country, by impeding critical access to the internet and jeopardizing safety and security in the process,” said U.S. Attorney Robert J. Higdon Jr. for the Eastern District of North Carolina. “The operation and use of these services to disrupt the operations of our businesses and other institutions cannot be tolerated. Anyone who weaponizes web traffic in this manner will be vigorously pursued and prosecuted by my office.”
“This sentence demonstrates the FBI’s continuous commitment to unmasking malicious actors behind these types of egregious cyberattacks,” said Special Agent in Charge John Strong of the FBI’s North Carolina Field Office. “By calling out those criminals who hide behind their computer and launch attacks, the FBI is sending a strong message that we will work tirelessly with our law enforcement partners to investigate and hold all criminals accountable, no matter what weapon they use to terrorize others.”
“Booters” or “Stressers” are a class of publicly-available, web-based services that allow cybercriminals to launch distributed DDoS attacks that overwhelm a target computer system with unrequested traffic and, in turn, “boot” or “drop” the victim from the internet for a relatively small fee or no fee at all. To launch a DDoS attack using a booter, a cybercriminal often needs only a web browser and an online payment tool to subscribe to a provider, provide instructions for attacking a victim computer system, and deliver payment.
The DDoS attacks launched by the booters also harmed computer systems that were not directly targeted. For example, according to the criminal information, in November 2016, a Betabooter subscriber launched a series of DDoS attacks against a school district in the Pittsburgh, Pennsylvania, area that not only disrupted the school district’s computer systems, but affected the computer systems of 17 organizations that shared the same computer infrastructure, including other school districts, the county government, the county’s career and technology centers, and a Catholic Diocese in the area.
During the period of the conspiracy, Usatyuk and a co-conspirator gained in excess of $550,000 from charging subscriber fees to paying customers of their booter services and selling advertising space to other booter operators.
Over the past five years, booter and stresser services have grown as an increasingly prevalent class of DDoS attack tools. Booter-based DDoS attack tools offer a low barrier to entry for users looking to engage in cybercrime.
For additional information on booter and stresser services and the harm that they cause, please visit: https://www.ic3.gov/media/2017/171017-2.aspx.
The FBI’s Charlotte Field Office, Raleigh Resident Agency conducted the investigation. Additional assistance was provided by the FBI’s Chicago and Miami Field Offices, as well as the Defense Criminal Investigative Service.
Trial Attorney Aarash Haghighat of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorneys Adam Hulbig and Matthew Fesak of the Eastern District of North Carolina are prosecuting the case.
Source: U.S. Attorney’s Office, Eastern District of North Carolina
Comments from Dissent: Checking the docket for this case, I see that they listed a number of “also known as” for him:
Sergiy Petrovich Usatyuk
also known as
Sergio Usatyuk
also known as
Andy
also known as
Andrew Quez
also known as
Andy Quez
also known as
Brian Martinez
also known as
GIFTEDPVP
also known as
GIFTEDPV.P
Usatyuk reportedly used or controlled the [email protected] and [email protected] email accounts. Also according to the Information, he was the Chief Executive Officer (CEO) of OkServers LLC, which was incorporated in the State of Delaware.
As noted in the DOJ’s press release, there is a co-conspirator in this case, but they are not named and a lot of the court filings are sealed. All that was revealed is that “Co-conspirator A” is a citizen of Canada, and last resided in Regina, Saskatchewan. The information also indicates that Usatyuk and the co-conspirator frequented HackForums.net. Checking that forum, it seems that Usatyuk’s username was “Andy Quez,” although he may have had more than one account there.
Of interest, perhaps, this paragraph in the information:
On or around November 8, 2016, USATYUK and Co-Conspirator A used a chat platform to discuss the arrest of an individual in the United Kingdom who operated a booter service. During that conversation, USATYUK indicated that he planned to remove his personal logs to get rid of evidence, and warned Co-Conspirator A that “[i]f they get the DB [database] and see your name in the log fields they won’t care about much else.”
From what has been revealed, at the very least, law enforcement likely has Co-Conspirator A’s username from that chat log with Usatyuk. They also have the co-conspirator’s location (Regina) and probably information gleaned from their participation on HackForums.net. Will there be another arrest soon?