Illinois Man Convicted of Running DDoS Facilitation Websites

An Illinois man has been found guilty of running subscription-based distributed denial of service attacks that flood targeted computers with information and prevent them from being able to access the internet, reports the Department of Justice.

See Also: Top 50 Security Threats

Matthew Gatrel, 32, owned and operated two DDoS facilitation websites: DownThem.org and AmpNode.com. DownThem provided subscriptions to users which enabled customers to launch DDoS attacks.

The second site, AmpNode, “Provided “bulletproof” server hosting to customers with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims,” the DOJ notes.

Gatrel was found guilty on Thursday for one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer. Gatrel is now facing a statutory maximum sentence of 35 years in federal prison. United States District Judge John A. Kronstadt has scheduled a January 27, 2022 sentencing hearing.

Another co-defendant, Juan Martinez, 28, of Pasadena, pleaded guilty on August 26 to one count of unauthorized impairment of a protected computer. He was one of Gatrel’s customers, who in 2018 became a co-administrator of the site. Martinez faces a maximum sentence of 10 years in federal prison at his sentencing hearing, which is scheduled for December 2.

During investigation of Downthem and Ampnode, the FBI first interviewed Gatrel on Nov. 19, 2018, according to a criminal complaint written by FBI Special Agent Elliott Peterson, who works in the bureau’s Alaska Counter Intelligence/Cyber Squad.

During the course of the interview, Gatrel admitted to being an administrator of both the Downthem and Ampnode sites, saying he’d first registered them using Cloudflare, which provides anti-DDoS services, according to the complaint.

As part of a crackdown, back in 2018, the Alaska U.S. Attorney’s Office charged David Bukoski, 23, of Hanover Township, Pennsylvania, with aiding and abetting computer intrusions by running a stresser/booter service.

Bukoski has been accused of running Quantum Stresser, one of the world’s largest and longest-running DDoS services in operation. First launched in March 2011, Quantum Stresser counted a total of more than 80,000 registered users by last month. Looking just at this year, the site was to launch more than 50,000 actual or attempted DDoS attacks targeting victims worldwide, authorities say (see: Feds Disrupt Top Stresser/Booter Services)

Website Offerings

Investigators found that the DownThem service had more than 2,000 registered users and more than 200,000 launched attacks since 2014, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide.

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services,” according to the DOJ.

In addition, Gatrel offered advice to customers of both the services, providing guidance on the best attack methods to “down” different types of computers, specific hosting providers, or how to bypass DDoS protection services. The DOJ states that Gatrel himself often used the DownThem service to demonstrate to prospective customers the power and effectiveness of his products.

He used to give examples by attacking the customer’s intended victim and providing proof, via screenshot, that he had severed the victim’s internet connection.

Another service offered to customers by Gatrel’s DownThem site was an option to select a variety of different paid “subscription plans.” The plans varied in cost and offered escalating attack capability, allowing customers to select different attack durations and relative attack power, as well as the ability to launch several simultaneous, or “concurrent” attacks.

“Once a customer entered the information necessary to launch an attack on their victim, Gatrel’s system was set up to use one or more of his own dedicated AmpNode attack servers to unlawfully appropriate the resources of hundreds or thousands of other servers connected to the internet in what are called “reflected amplification attacks”,” the DOJ notes.