Case Study

How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

By Scott Berinato

That business talk, though, was in the background. Lyon relaxed, went deep-sea fishing and zip-lining through the rain forest.

Jan. 12, 2004, Phoenix: A Defensive Arms Buildup

On Jan. 12, Lyon met Lebumfacil in Phoenix. They drove to PureGig to rip out and replace the system that saved BetCris. Lyon knew it was already a relic. He had to build something that could support 10, 20, 50 customers or more without one customer's traffic interfering with another's, and without his customers affecting the rest of PureGig's customers too. He also planned to hone his traffic logging and analysis. His new system would not include commercial products.

The Super Bowl—a significant moment for betting sites that extortionists would exploit—was just weeks away. Some gaming sites had heard about Lyon's exploits with BetCris and wanted to sign up. Lyon had customers before he had a product.

Lyon and Lebumfacil "went on a rampage" of building and testing, and three days later, Lyon says most of the system was online. Over the coming months, as more customers signed on, Lyon flew to Phoenix more than 20 times to build up the infrastructure. A routine developed. Dozens of hardware boxes would arrive. Wilson from PureGig would sign for the equipment and store it until Lyon showed up to get it. "He'd live here for a couple of days installing everything," Wilson remembers. Once, Lyon slept in the data center.

But even as Lyon's business grew, the extortionists' business did too. That fall, after CanBet and a site called eHorse were attacked, BetCris was attacked, and then the extortionists hit other sites across the industry: BoDog Sportsbook, BetWWTS, WagerWeb, William Hill, BetFair and Blue Square. And those are only the cases that became public, usually through postings on online industry discussion boards or in gaming industry newsletters. Just how many sites either paid or never reported their cases will never be known, but it's certain many fall into this category.

Usually, the extortionists followed the attack methodology they used against BetCris. (In Blue Square's case, they demanded 7,000 euros, or else they would send out child pornography in the company's name.) Many ended up calling Lyon for help.

"It became a personal vendetta to track these guys down," Lyon says. "I wanted them stopped. So I asked some law enforcement people, 'Is this illegal, for me to talk to them?' And they'd tell me, 'No, but we can't help you or tell you what to say. However, if you did want to say something along these lines, that would be very interesting to us.'"
