
DDoS Attacker Austin 'DerpTrolling' Thompson Gets Sentenced

Defendant Pleaded Guilty to Disrupting Sony Online Entertainment and Others

A distributed denial-of-service attacker who crashed a popular gaming service one Christmastime has been sentenced to serve 27 months in prison.


Utah resident Austin Thompson, 24, was sentenced on Tuesday in San Diego federal court and also ordered to pay $95,000 in damages to one of his victims: Daybreak Games, formerly known as Sony Online Entertainment.

On Nov. 6, 2018, Thompson pleaded guilty to one charge of damaging protected computers, admitting that he launched DDoS attacks from Dec. 19, 2013, to Jan. 6, 2014, when he was 17, that caused at least $95,000 in damages.

Thompson had faced a maximum of 10 years in prison and a $250,000 fine. His case was investigated by the FBI's San Diego office as well as the U.S. Air Force Office of Special Investigations.

“Denial-of-service attacks cost businesses and individuals millions of dollars annually,” says U.S. Attorney Robert Brewer. “We are committed to prosecuting hackers who intentionally disrupt internet access.”

In a statement, the Department of Justice says Thompson's two-month DDoS attacks "were directed mainly at online gaming companies and servers," including Sony. At the time, Sony's networks were a frequent target for attackers (see DDoS Gang Targets Sony).

"Thompson typically used the Twitter account @DerpTrolling to announce that an attack was imminent and then posted 'scalps' (screenshots or other photos showing that victims’ servers had been taken down) after the attack," the Justice Department says, citing the defendant's plea agreement. "The attacks took down game servers and related computers around the world, often for hours at a time."

The @DerpTrolling account claimed to have been launching DDoS attacks since at least 2011, when Thompson would have been approximately 14 years old.

"His group, 'DerpTrolling,' was allegedly behind several denial-of-service attacks on online service for several SOE games, plus Battle.net, League of Legends, and Dota 2 in late 2013," the Justice Department says.

At least some of the group's attacks appeared designed to disrupt James Varga, a popular gaming live-streamer who uses the handle PhantomL0rd. Varga said the group also appeared to have "swatted" him by calling police and warning that there was a crime in progress at his house.

When Varga asked Derp online what its objectives were, the reply read: "For the lulz."

It's not clear how Thompson or other members of his group effected the DDoS attacks - for example, if he used popular but illegal DDoS-on-demand services, aka stresser/booter services.

Thompson appears to have been doxed multiple times, meaning his DerpTrolling identity was publicly linked to that of Austin Taylor Thompson, of St. George, Utah, born in May 1995. According to information dumped online, Thompson joined the U.S. Air Force in August 2013, meaning that the attacks would have occurred when he was serving in the military. That would explain why the U.S. Air Force Office of Special Investigations was involved in his case.

Some Aspects of Case Remain Unclear

It's unclear when Thompson was first arrested and what he's been doing since then.

The Department of Justice couldn't be immediately reached for comment over the July 4 holiday.

The first public records in the case against Thompson appeared on Nov. 6, 2018, when he filed both a waiver of indictment and plea agreement.

A waiver of indictment means that a defendant forgoes their right to have charges brought against them by a grand jury. Writing online, Tampa, Florida-based federal criminal attorney Jason Mayberry says that waiving the indictment is a strategy sometimes pursued if the evidence against a suspect is substantial. "If there is very little doubt that an indictment will be returned and that the evidence against you is overwhelming, cooperation may be your best bet and that can often start with waiving indictment," Mayberry writes.

Selected Court Records Unavailable

While most documents pertaining to Thompson's case are publicly available via the U.S. government's electronic public access service Public Access to Court Electronic Records, attempts on Thursday to access his plea agreement, filed on Nov. 6, 2018, returned this message: "You do not have permission to view this document."

Thompson's defense attorney, Hector Jesus Tamayo, couldn't be immediately reached for comment over the July 4 holiday.

The San Diego Tribune reports that Tamayo told the court in a sentencing memorandum that Thompson was “an insecure and injudicious” teenager who'd succumbed to peer pressure from others in the online gaming community. Access to that sentencing memorandum via PACER has also been restricted.

Thompson joined the Air Force at age 18 but was subsequently dishonorably discharged due to an unspecified criminal conviction, The San Diego Tribune reports.

Federal judgment against Austin Thompson

In the court's judgment against Thompson, dated Tuesday, the mandatory conditions of his release form includes a checkbox next to a stipulation that he "must comply with the requirements of the Sex Offender Registration and Notification Act." That law requires convicted sex offenders to register with their state's sex offender registry as well as to update authorities if they move out of state.

The judgment also states that after his release from prison, Thompson is not allowed to "use or possess devices which can communicate data via modem or dedicated connection and may not have access to the internet without prior approval from the court or the probation officer." In addition, he must "consent to the installation of systems that will enable the probation officer to monitor computer use on any computer owned or controlled by the offender."

Stresser/Booter Disruptions Continue

While Thompson's DDoS attack spree may have ended in 2014, such attacks live on. Authorities say they're aided in large part by the ready availability of stresser/booter services as well as a seemingly endless supply of children who want to try and disrupt gaming sites (see Cybercrime Gangs Advertise Fresh Jobs, Hacking Services).

Such attacks also continue to be driven by extortionists, as well as others with an "ideological, political or purely malicious reason," the EU's law enforcement intelligence agency, Europol, says in its 2018 Internet Organized Crime Threat Assessment, released last September (see Cybercrime: 15 Top Threats and Trends).

Europol notes that in 2017, the volume of DDoS attacks was second only to malware, adding that on-demand disruptions were "also becoming more accessible, low cost and low risk," thanks to ongoing, easy access to "stresser/booter" services (see Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



