Case Study
How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack
Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.
By Scott Berinato
January and February: Online Chats with Extortionists
By this time, Lyon and Lebumfacil had recruited Dayton Turner, an engineer from eHorse, an extorted gaming site that operated out of the same building as BetCris. Like Lyon, Turner wanted to exact a certain justice, having lived through an extortion. He agreed to go undercover. Turner and Lyon spent the next several months chatting with the extortionists while they also monitored and logged the extortionists' activities. They shared what they learned with law enforcement, mainly the NHTCU but also the FBI.
January and February's gumshoeing produced an astonishing 36-page dossier—complete with chat transcripts, log file analysis and other data. Lyon and Turner gave it the hyperbolic title "DDoS Terrorism Report." The following comes from that report.
When they were logging the DDoS attack traffic at BetCris, the team traced some of it back to a chat server. Turner and Lyon called themselves "Hardcore," made sure they masked their real location and hopped onto the chat line. (While Turner did most of the chatting, Lyon was always on the line, "managing" the conversation and chatting with Turner, but it appeared to anyone else that Turner and Lyon were one and the same.)
The leader of the chat room clique went by many names, including eXe, Key, k9, NASA, x3m1st (pronounced "extremist"), x890 and others. For simplicity's sake, we'll always call him "eXe"—even if he was going by another name at the time—and we'll always call Turner and Lyon "Hardcore." (We've also cleaned up some typos for clarity, and skipped extraneous conversation for the sake of space.)
When Turner logged on, he told eXe that he had been out of the game for a while but wanted to get back into DDoS attacks. EXe took the bait and began chatting, cautiously, with Hardcore. The first few chats didn't yield much. At one point a bodyguardlike heavy named "uhdfed" came online and bullied Hardcore, proclaiming, "We have 5,000 bots, and we don't need help." He attacked Turner's chat client. Lyon and Turner were forced to log off, but not before their log showed uhdfed was at the same time trying to attack another site: BetCris.com.
In ensuing chats, Turner gathered circumstantial connections to BetCris and the gaming extortion wave. EXe asked Hardcore, "how u know about our work? about bettings & sportsbooks"; at another point, Turner saw a reference to BoDog, a sports book that had been attacked. Another time, eXe inadvertently exposed his real ISP, in Russia.



