Booters, Stressers and DDoSers

A 21-year-old Illinois man was sentenced last week to 13 months in prison for running
multiple DDoS-for-hire services that launched millions of attacks over several years. This
individual’s sentencing comes more than five years after KrebsOnSecurity interviewed both
the defendant and his father and urged the latter to take a more active interest in his son’s
online activities.

The jail time was handed down to Sergiy P. Usatyuk of Orland Park, Ill., who pleaded guilty in
February to one count of conspiracy to cause damage to Internet-connected computers and
owning, administering and supporting illegal “booter” or “stresser” services designed to knock
Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com,
databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

According to the U.S. Justice Department, in just the first 13 months of the 27-month long
conspiracy, Usatyuk’s booter users ordered approximately 3,829,812 DDoS attacks. As of
September 12, 2017, ExoStresser advertised on its website that this one booter service had
launched 1,367,610 DDoS attacks, and caused targets to suffer 109,186.4 hours of network
downtime (-4,549 days).

Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez,” among
others — admitted developing, controlling and operating the aforementioned booter services
from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-
for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an

assistant professor at the University of Illinois at Chicago. I did so because a brief amount of
sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the
time went by the nicknames “Rasbora” and “Mr. Booter Master” — was heavily involved in
helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on
Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS
attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening
time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an
email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is]
doing. If you think that is any kind of illegal work, please, let me know.”

That 2014 story declined to quote Rasbora by name because he was a minor then, but his
father seemed alarmed enough about my inquiry that he insisted his son speak with me
about the matter.
Here’s an excerpt of what I wrote about Sergiy at the time:

Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality”
lists of servers that can be used to launch amplification attacks online. stresser Despite his
insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that
someone reading his posts on Hackforums might conclude that he was actively involved in
DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life
though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This
reply came in response to my reading him several posts that he’d made on Hackforums not
24 hours earlier that strongly suggested he was still in the business of knocking Web sites
offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has
since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline,
PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but
he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe
his dad will ground him and take away his Internet privileges.

I’m guessing young Sergiy never had his Internet privileges revoked, nor did he heed advice
to use his skills for less destructive activities. His dad hung up on me when I called
Wednesday evening requesting comment.

In addition to serving the 13-month jail sentence and three years of supervised release,
Usatyuk will forfeit $542,925 in proceeds from the scheme, as well as dozens of servers and
other computer equipment that powered his many DDoS-for-hire businesses.