How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.


eXe: i am 21 =) my name is Ivan. i'm from Russia. my nationality is Russian.

Hardcore: My name is Matt :) Ive always lived in canada

eXe: i happy to meet you

Hardcore: nice to meet you too ivan :)...do you work or go to school or just do this? ive made a lot of money doing this so far :) :)

eXe: school. i'm study. inginier-mechanic. etc=) i'm learn french. my English is very bad.

Sensing a new level of openness, Hardcore pressed Ivan, but Ivan's responses were vague and confusing, and his English, as promised, proved to be very bad indeed.

Hardcore: do you make money with ddos too? I have made about $150,000 so far this year hehehe =)

eXe: well done. no all paid =(

Hardcore: nobody paid? really?

eXe: somebody

At this point the good guys' giddiness seemed to betray them. Hardcore suddenly turned loquacious and leading. He told Ivan how he attacked sites and how much money he made doing it. (His description matched the tactics employed to attack BetCris and others.) Hardcore poured out 80 straight words about his nefarious activities, and Ivan responded only with an emoticon smiley face: =).

Hardcore continued chatting, suggesting to eXe that he could extort money easily "with the number of bots you have." He suggested Ivan attack people who "can't use the law against you," and added, "they always pay because they want their business back and they dont want to admit they have a weakness. stupid americans."

Ivan replied with another =).

Ivan had shut down. It could be that he was just tired; it was 1 a.m. in Russia. It's also possible that Ivan sensed what Hardcore was doing. Turner and Lyon kept trying. They sent three messages to Ivan's one, but Ivan's replies maxed out at three words.

Hardcore: i read in the news about some people who got letters about dos, i figured it would be you since you have so many bots

eXe: good idea. hehe

Hardcore: did anyone pay at all?

eXe: anyone

Hardcore: i remember when you guys were going after sports books a few months ago....they must have gone down hard.. haha...

eXe: =) i go to sleep

Hardcore: ok man

eXe: see you later

Hardcore: cya

eXe: bye friend

Two weeks later, on March 13, Ivan made an even bigger mistake. He logged on to IRC chat with his real domain name. Lyon and Turner had learned the domain was registered to an Ivan. But now they also had his last name, address and phone number. They promptly sent the information to the NHTCU.

July 2004: Turning Ivan Over to Scotland Yard

The NHTCU must have been pleasantly shocked to have a pro bono case worker sending a constant stream of useful documents.

The NHTCU did not condone Lyon's actions, even as they welcomed the product of his actions. "Mr. Lyon operated as a U.S. citizen, and therefore, we cannot comment on his tactics," a spokeswoman says. Investigators are not available to the press. "However, his report and his interpretation of DDoS threat proved to be an informative document."

Lyon says of the relationship: "The only answer I got from them was, 'Wow. This is great. We'll make it worth your while some day. Keep it coming.' I was hoping at the end of this we'd continue to collaborate, but I've never really heard from them."

Several people involved with the BetCris case say it was Lyon and Turner's report that cracked open the NHTCU's case, and in fact it was the BetCris case itself and how Lyon, Richardson and Lebumfacil fought it off that influenced how the NHTCU responds to online extortion attempts. (The unit would not discuss the matter.) On the NHTCU, one person close to the BetCris case says, "I think maybe [the NHTCU] weren't capable before. Not to blame them—no one was capable. Otherwise, it wouldn't have been such a problem. From what I understand, though, it was all that work [Lyon and Turner] did that helped educate the NHTCU."

"They wouldn't have made any arrests if we weren't around," Lyon says.

The spokeswoman at the NHTCU bristled at the suggestion. "Mr. Lyon's work formed a part of the investigation and assisted law enforcement in better identifying the problem with DDoS. Mr. Lyon has developed what appears to be a good defense against DDoS; however, he has not stopped it, nor can he prosecute the offenders of such attacks."

Ultimately, using Lyon and Turner's work, along with the tracing of several extortion payments, the NHTCU managed to locate three suspects, including Ivan. Significantly, they were able to work diplomatic channels with Russian authorities, and that diplomacy ultimately led to Ivan's arrest (in an Internet café, Lyon says, but the NHTCU won't confirm this) and the arrest of two others. The NHTCU describes the cooperation of Russian officials as "excellent" and says that those Russian officials anticipate a trial in late 2005.

Soon after the first three arrests, five more were made in connection with online extortion. Of the eight suspects, just two were allegedly involved in the BetCris case. Five were ultimately charged. Lyon, too, notes that his investigation led him to six separate online groups launching DDoS attacks. The extortion rings are proving to be deeper and more organized than even those involved suspected. Other online investigations are ongoing, and DDoS attacks continue to rise, the NHTCU says.

"Any company with an online e-trading presence needs to be aware of this type of attack," says the NHTCU spokeswoman.

In less guarded terms, Wilson at PureGig reflects on the problem: "Once we got deep into this and talked to customers about it, we started to hear more and more stories. People saying to us, 'Oh yeah, that happened to us. We were down for a week.'

"We needed to lift that veil of secrecy. Unless you talk about it, it's only going to keep happening and get worse. We need to be able to talk about online extortion and not assume it's a onetime thing or it's only going to affect gambling sites. It's only going to continue."

Today: A Defense Business Grows

All the while, Lyon's business grew. A second data center opened in June 2004 in Vancouver; a third came online in July, near Miami.

In May 2004, Lyon changed his company's name to Prolexic, a name that derives from his childhood. In third grade, Lyon learned he had severe dyslexia. As a child, he remembers thinking of his dyslexia simply as something that meant he learned differently from other kids. In college, the philosophers he studied were men and women with learning disabilities. "Instead of a learning disability," Lyon says, "I've decided it's a learning ability." In other words, he's decided he's not dyslexic, he's prolexic.

Another data center went live in December, in London. Two more are planned, and he has two patents pending. In January, the company moved its headquarters to Hollywood, Fla. He has close to 100 customers, many gaming websites but also mainstream financial services companies. The average client, he says, spends "less than $50,000 a year," but some spend much more for custom security services. Recently, Lyon turned 27.

Lyon understands marketing too. He never misses a chance to boast about what he now calls his "solution." He made the BetCris story the online extortion anecdote that led many general news stories about the problem. Everyone involved in this saga continues to promote one another. Wilson at PureGig fawns over Lyon. (He's still a customer of the ISP.) Lyon praises PureGig on PureGig's homepage. Richardson invested in Lyon. Lyon praises Richardson and his ISP, which also happens to be one of Lyon's customers.

It all fits together so nicely for Lyon. His eerie ability to anticipate the extortionists' moves. The fact he could build something so quickly that could fight attacks that no one had seen before. The way he turned that around into a business that benefited all the major players involved in the extortion fight.

It's enough to make a reporter paranoid. What if Lyon knew the extortionists?

"Did Barrett rig the whole thing? That's a valid question," Lyon says. "It used to come up a lot. This is why we've been an open book with law enforcement. All I can say is, I'd have to make a zombie out of myself to pull that off. I was working pretty hard when all the extortion was going on." Plus, he points out, people were arrested.

That's right. Lyon is one of the good guys. Still, Lyon's heroics weren't possible without Mickey Richardson's resolve. It's easy to forget that as Lyon worked to save him, Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionists' protection fees.

Copyright © 2005 IDG Communications, Inc.
