Posted on September 20, 2021 at 4:12 PM

US Department of Justice Charges Illinois Man running two DDoS Attack Platforms

The US Department of Justice has found an Illinois man guilty of facilitating distributed denial of service (DDoS) attacks. The 32-year old Matthew Gatrel operated two subscription-based websites that facilitated the attacks.

According to the DoJ, Gatrel used these attacks to overload the targeted computers with much information, thus preventing them from accessing the internet.

Operated Two DDoS Facilitation Websites

The DOJ stated that the man ran two websites, namely DownThem.org and AmpNode.com. The first site, DownThem, offers a subscription service, where those who paid were able to launch DDoS attacks on their targets.

The DOJ also noted that the second website, AmpNode, offered “Bulletproof server hosting to customers with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims.” 

On Thursday, Gatrel was found guilty of one count conspiracy with the intent of disrupting the operations of a protected computer. He was also charged with one count of conspiracy concerning wire fraud and one count of impairing a protected computer without authorization.

With these charges, the 32-year old faces a sentence of up to 35 years in federal prison. The hearing for a sentence will be given on January 27, 2022, by US District Judge John A. Kronstadt.

Gatrel was not the only party involved in these charges. Juan Martinez, 28, was a co-defendant. He pled guilty to one count of attacking a protected computer. Martinez was a customer of Gatrel, and he later became a co-administrator of the site in 2018. Martinez faces a sentence of up to 10 years in federal prison. A hearing for his sentence will happen on December 2.

The FBI first interrogated Gatrel in November 19, 2018, after a complaint. During the interrogation, Gatrel admitted to being an administrator of the two sites, DownThem and AmpNode. He stated that he first registered the two sites using Cloudflare, which offers anti-DDoS services.

DDoS Attacks on the Rise

In 2018, the US Attorney’s Office in Alaska charged David Bukoski for aiding in computer intrusions using a stresser or booter service. The Quantum Stresser used by Bukoski is the largest and most dominant DDoS service in use.

The Quantum Stresser was created in March 2011, and last month, the service had over 80,000 registered users. Statistics in 2021 from authorities show that the site launched over 50,000 DDoS attacks, both actual and attempted, and targeted victims in different countries.

Authorities investigating the recent DDoS attacks made by the two websites created by Gatrel revealed that the user base was also large. The DownThem website has over 2000 registered users, and since its creation in 2014, the site has launched over 200,000 attacks. These attacks have been done on homes, government websites, schools, universities and financial institutions globally.

The DOJ also talked about how the DownThem service operated. “Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services.”

Gatrel also got in touch with his customers and provided them with information about successfully launching the attacks. He guided customers who purchased services on the different types of attacks that would best work in different computers.

He also shared his knowledge about hosting providers and how a customer can circumvent DDoS protection services. The DOJ also pointed out evidence that Gatrel used the DownThem website to illustrate how effective his services are to lure prospective customers into buying these products.

As part of his illustration, Gatrel would inquire about the customer’s intended victim and then launch an attack to prove later that he had infiltrated the victim’s device and severed their internet connectivity. The provided the required proof using screenshots.

The DownThem website had a subscription package that allowed a customer to select from different options. The prices of these plans varied with the magnitude of an attack, the attack duration or the ability to conduct a DDoS attack simultaneously or concurrently. Hence, the more expensive a plan was, the more damage the offered service could cause to the intended victim.

In the details, the DOJ also noted that “Once a customer entered the information necessary to launch an attack on their victim, Gatrel’s system was set up to use one or more of his own dedicated AmpNode attack servers to unlawfully appropriate the resources of hundreds or thousands of other servers connected to the internet in what is called, “reflected amplification attacks.”