On the edge of farmland in a suburban Minnesota community, Washburn Computer Group—an equipment repair company—seems an unlikely target to be barraged with over a year of distributed denial-of-service (DDoS) attacks.
As company executives sat down with investigators, they discussed receiving some strange emails in 2015 offering unsolicited technical assistance, with an animated GIF of a dancing mouse attached.
But absent a specific threat, agents didn’t have grounds for a search warrant. Without a suspect in mind, the FBI’s investigation into the attacks stalled. That is, until agents got their hands on the internal records of an Israeli DDoS-for-hire company in mid-2016.
In recent years, launching a DDoS attack has become as simple as watching a movie on Netflix: pay for a monthly subscription to a service, select your target, and click go. But while no technical experience may be needed to launch such an attack, it’s still a crime, and increasingly a federal felony.
Security researcher Brian Krebs spent years researching vDOS, one of many DDoS-for-hire websites, also known as ‘booter’ or ‘stresser’ services. Last summer, vDOS was hacked, exposing the individuals who subscribed to the service and their attack targets. The identity of the hacker isn’t known, but the stolen database made its way to researchers, and ultimately to the FBI.
Krebs analyzed the stolen vDOS database and wrote an exposé about their services, which in retaliation earned his website the largest reported DDoS attack in internet history. “To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement,” he writes.
In court documents, the FBI says that an undisclosed security researcher gave the Bureau stolen “information on the complete administration of vDOS, which includes user registrations, user logins, payment and subscription information, contact with users, and attacks conducted.”
As agents pored through the records of about 75,000 vDOS users and 900,000 attacks, they found one user that seemed to match the profile of the stalled Washburn investigation. Using grand jury subpoenas and search warrants, agents tracked down 54-year-old John Gammell, charging him in federal court with launching attacks against Washburn, intentionally damaging a computer under the Computer Fraud and Abuse Act (CFAA).
According to court documents, internet provider records linked Gammell’s home IP address to vDOS login records, PayPal records linked Gammell with subscription payments to vDOS, and he carried on several email conversations describing his experiences launching DDoS attacks. But without that stolen vDOS database leading agents to Gammell—which wasn’t exactly obtained through routine legal process—the FBI would’ve had nothing. And Gammell has some high-powered legal counsel at his side to challenge that: former U.S. Attorney Rachel Paulose.
“It would be difficult if not impossible to obtain Mr. Gammell’s private information unless the researcher obtained unauthorized access to the database,” wrote Paulose in a brief seeking to suppress evidence, “The government utilized the researcher’s purloined information to draft a raft of subpoenas and search warrants. Eventually, the government used the vDOS database and the fruits of that database to chart a trail it claims led to Mr. Gammell.”
The government indeed describes a clear trail leading agents directly from that strange dancing-mouse 2015 email to Gammell’s IP address. But that’s not the trail agents took. Prosecutors did not send any search warrants or subpoenas, or otherwise investigate the strange dancing-mouse email until a year after it was received—curiously, about two months after agents obtained the stolen vDOS database, which allegedly identified Gammell by name.
Paulose, who declined comment about the case, argued the vDOS database containing information about Gammell was stolen “in apparent violation of state and federal statutes” and thus the hacker of vDOS “acted as [a government agent] to take what the government knew it could not take directly.”
“Every one of those government warrants and subpoenas issued after July 2016 [when the FBI obtained the vDOS database] is tainted by the fruit of the poisonous tree and should be suppressed,” Paulose argues.
It’s an argument many experts think Paulose will lose, though it ultimately depends on the wording of the first search warrant application in the case, which remains under seal.
Jay Leiderman, an attorney who has defended numerous prominent CFAA cases, says though he thinks it’s distasteful of government, generally “there is no Fourth Amendment issue when a citizen turns over data.”
Prosecutors argue that “the vDOS records did not come from the defendant’s computer, or from any location in which he had an expectation of privacy,” and that the researcher who handed the database to the FBI “was neither directed to obtain the database nor compensated in any way for providing the database to law enforcement.”
Paulose also attacks the government’s claim that Gammell’s alleged DDoS attacks resulted in a loss to Washburn of over $40,000, much of that for the cost of DDoS mitigation web hosting services for a small website “which experienced a grand total of three visitors in the months leading up to the alleged attack.”
“This is a bit like claiming Mr. Gammell took down an ‘open for business’ sign of a company which experienced no foot traffic, obtained no business through in person solicitations, and then installed a security camera to deal with such hijinks,” Paulose argues, “At worse, the actions alleged in the indictment rise to the level of a prank, not a federal felony.”
Leiderman offered another analogy: “What if 100 people go inside Bank of America simply to take up space, such that legitimate customers have to slowly weave through traffic, or they can’t get through at all? They’d get maybe a $50 to $200 fine, maybe go to jail overnight. But a DDoS [with conspiracy charges] can be 15 years in jail and a $500,000 fine,” Leiderman said, “What’s the difference between the two morally, ethically, and practically?”
Paulose also argues that Gammell didn’t launch the attack himself—but rather allegedly through vDOS—so it is vDOS whom the government should hold accountable. To that, Krebs says that although there are strained analogies on all sides, “it seems akin to hiring someone to trash someone else’s store, smashing windows and generally preventing customers from patronizing the establishment.” He says DDoS-for-hire services like vDOS attempt to hide behind legal terms of service which require users to agree their attacks will be for “testing only sites that you have permission to attack.”
According to New York University researchers who wrote a paper analyzing the leaked vDOS database, it’s common knowledge on hacking forums that services like it are primarily used for unauthorized targets. Indeed, the vDOS website advertised that the attacks were “untraceable” and “spoofed”—unnecessary features for an ordinary network testing utility. Both Krebs and the NYU researchers say they didn’t give the FBI the database.
Paulose argues the CFAA was designed for serious criminals, not small fish like Gammell. “This statute was enacted to punish criminals and crimes of significant import, e.g., Dread Pirate Roberts, master of the cyber underworld … Gammell is no Dread Pirate Roberts,” she writes in a legal brief.
Indeed, some percentage of DDoS-for-hire service users might have little clue of what power they wield when they launch online attacks, and many of their users are just trying to irritate and prank fellow gamers online.
Gammell, however, is quoted in purported emails obtained by the FBI as claiming to be affiliated with the hacktivist group Anonymous, discussing the technical methodology of an attack, and saying one of his targets “must now be removed from cyberspace.” At some point, according to these purported emails, Gammell wanted to go into business reselling the combined power of multiple DDoS-for-hire services: “I would offer on Craigslist and Facebook services for doing DDoS. I will arrange an untraceable payment gateway…”
FBI investigative reports say that in a post-Miranda interview, Gammell claimed to have little technical knowledge, denying knowing how to launch a DDoS attack or even knowledge of what a DDoS attack is. He then, according to agents, boasted that his computer was encrypted and he “would owe a beer” if the FBI managed to defeat it.
The Court has not yet made any ruling on whether to suppress any evidence or dismiss charges against Gammell. And he’s certainly not the only defendant accused of using DDoS-for-hire websites: the timing of recent law enforcement actions suggests hacked records of vDOS and one of its resellers are at least playing a role in other prosecutions.
According to court filings, the first subpoena relating to Gammell’s case was issued on December 12, 2016, a few months after the FBI obtained the vDOS database. The same day, Europol announced that it had just completed a “coordinated action” among a dozen nations, resulting in 34 arrests of DDoS-for-hire service users, with 101 individuals interviewed and cautioned.
Also that day, the San Francisco office of the FBI announced charges against 26-year-old California student Sean Sharma, alleging that he “purchased a tool to conduct distributed denial of service attacks against a chat service company.” Technical details of the allegations were never made public, and the San Francisco office of the FBI confirmed that Sharma would plead guilty.
A “horse-and-buggy law in a jet plane society”
Paulose argues that, consistent with U.S. Supreme Court precedent, it is the states who should define and enforce most criminal laws. The CFAA—originally enacted in 1984 to criminalize computer crimes against the government, banks, and national security interests—is being applied in an era where most Americans carry a phone in their pocket that could be considered a “protected computer” under federal law, Paulose argues, saying there’s no “compelling federal interest” in federally prosecuting an attack on a small website with little traffic and no commerce functionality.
“Technology moves so much faster than policy,” says Minnesota legislator and former prosecutor John Lesch. And he would know: last year, he authored ‘revenge porn’ legislation because before it passed into law, there was nothing illegal about distributing pornographic images of others online without their consent.
“People think that this is the purview of the federal government because everything related to computers and the internet crosses state lines—which is true,” Lesch says, “but we still have plenty of state laws on the books that relate to [computer crimes], and we just draw in that the courts have jurisdiction regarding where the victim was found, or where the crime was perpetrated.”
Even with state laws that could be used to prosecute DDoS attacks, Lesch thinks states frequently defer such cases to federal authorities because “very few jurisdictions in the state have the expertise and resources to do the kind of computer forensics necessary to determine the source of DDoS attacks.”
“The CFAA was never meant to stretch this far,” said Leiderman. “It’s a horse-and-buggy law in a jet plane society.”
Prosecutors maintain that Washburn’s website was advertised beyond the borders of Minnesota, and the DDoS attacks were launched from vDOS servers far outside Minnesota, so “the criminal conduct at issue in this case is well within Congress’s power to criminalize.”
Will fear of prosecution scare DDoS-for-hire users?
The NYU researchers who analyzed the leaked vDOS dataset discovered one way to slow down use of DDoS-for-hire services: disrupting their ability to accept payments. Because the vDOS database covered a period of time when PayPal shut down vDOS’s account, researchers were able to measure a quantitative impact.
“We did some studies, and there was a falloff of about 40% revenue, and a similar falloff of subscribers, once they could no longer accept PayPal and went to Bitcoin only,” said Damon McCoy, one of the NYU researchers.
McCoy thinks vDOS being shuttered and its operators arrested might have resulted in at least a short-term decrease in worldwide DDoS attacks. But he cautions: “there will have to be a concerted effort on the part of law enforcement, payment processors, everyone, to keep the problem under control.”
“A lot of it is just about reducing the scale of the problem, and the scale has become so huge because it was just so easy, and there was so little risk in using the services,” McCoy said, “Making it more inconvenient on the payment end to purchase these subscriptions, and making it known that it’s actually risky to operate and use these services, will have a good impact on driving down their scale.”
The Minneapolis office of the FBI and the U.S. Attorney’s Office for the District of Minnesota did not respond to requests for comment about Gammell’s case. Gammell, who is currently in custody pending trial, did not respond to messages.