In July 2017, British man 19-year-old Jack Chappell was arrested by the U.K. police and charged with using the vDoS attack-for-hire service to launch attacks against various U.K. and U.K.-based companies, including the BBC, British Telecom, Virgin Media, Vodafone, Netflix and Amazon. However, he avoided jail in his recent trial.
vDoS was a DDoS attack-for-hire service based out of Israel responsible for the majority of DDoS attacks between 2012-2016 and it being shutdown and the advent of even more massive IoT botnets, such as Mirai and Reaper.
The U.K. man pleaded guilty to launching over 2,000 DDoS attacks between May 1, 2015 and April 30, 2016 against some of the world’s biggest companies. Before he launched the attacks, he would taunt his targets using the Twitter handle @fractal_warrior. In particular, his school, Manchester College, which, along with the government’s Jisc Janet educational support network, he attacked on his own at least 21 times.
Chappell was arrested in April 2016 after the police matched his Internet address with his home address in Stockport. He also pleaded guilty to helping vDoS launder money from customers who wanted to pay for DDoS attacks with PayPal accounts. Chappell helped run a help desk for people having problems with vDoS. Even though the proceeds of the DDoS attacks equalled around £600,000 (around $450,000), Chappell was only paid £1,500 ($1100).
Chappell appears to have been tracked down as a result of a number of common mistakes, including domain names registered in his actual name, password re-use and being an active presence on hacking websites, such as Hackforums, which until recently, hosted the most popular open-air market for rival attack-for-hire services.
vDoS was also forced to round-robin customer PayPal payments after academic researchers began to sign up for its services and then reported the email addresses being used to receive payments.
Chappell was eventually banned from using vDoS, although it’s unclear why that happened.
During Chappell’s trial, his lawyer, Stuart Kaufman, argued that his client was just an impressionable young man with autism, a condition characterized by poor social skills, challenges with communication and repetitive behaviors. “He is in some ways as much of a victim, he has been exploited and used”, Kaufman told the court, according to the Manchester Evening News. In sentencing Chappell, Judge Maurice Greene said, “You were undoubtedly taken advantage of by those more criminally sophisticated than yourself. You would be extremely vulnerable in a custodial element.” Rather than sentencing him to time in jail or a young offender’s institute, Chappell was ordered to “undertake 20 days rehabilitation activity”.
Security researcher Brian Krebs was amazed by the ruling, saying, “It’s remarkable when someone so willingly and gleefully involved in a crime spree such as this can emerge from it looking like the victim.”