British Student Jailed For Creating DDoS Tool And Selling It To Cybercriminals
Adam Mudd, a 19-year-old computer science student from Toms Lane, Kings Langley in Hertfordshire, was tracked down as part of a complex multi-agency law enforcement investigation. During the police action, the Eastern Region Special Operations Unit (ERSOU) of the Regional Cyber Crime Unit, and the National Crime Agency (NCA) worked together to identify and arrest the young suspect. According to the local media outlet bobfm.co.uk, the law enforcement operation was internationally recognized. Investigators received the National Police Chiefs Council (NPCC) Blue Light Digital Award for the use of advanced digital forensics last month.
The Regional Cyber Crime Unit, supported by the NCA, was alerted to the 19-year-old’s illicit activities. In March 2015, law enforcement authorities arrested Mudd in the bedroom of his home in Kings Langley; he refused to unlock his computer until his father intervened.
“My team has learned a lot from this complex investigation, due to the nature of the criminality, the sheer volume of data and the global reach of the offending,” Detective Chief Inspector Martin Peters of ERSOU’s Regional Cyber Crime Unit said. “It is important that this case sends out a clear message to others who may be tempted by committing cyber crime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online. Criminality is now no longer solely on the streets and harm can be caused to individuals and globally, but that does not mean we cannot trace you and bring you to justice if you overstep the line. We will work with law enforcement agencies, locally, regionally, nationally and globally to combat this criminality.”
According to court documents at the Central Criminal Court, Mudd developed a “stressor tool” called the “titanium stressor”, which cybercriminals could use to flood computer networks with data in a DDoS (Distributed Denial of Service) attack. A successful attack could take down whole websites and networks, leaving the systems vulnerable. Court documents stated that the defendant sold the tool on the internet, profiting from its distribution to cybercriminals. Analysis of the tool showed that hackers used it in more than 1.7 million DDoS attacks against victims worldwide, with most countries in the world affected. Court documents did not disclose whether the suspect sold the tool on the clearnet (the normal part of the internet most people know of) or on darknet marketplaces or forums.
“Adam Mudd’s case is a regrettable one because this young man clearly has a lot of skill, but he has been utilizing that talent for personal gain at the expense of others. We want to make clear it is not our wish to unnecessarily criminalize young people, but want to harness those skills before they accelerate into crime. We are working at local, regional and national level with partners to educate people about cybercrime and personal safety online, as this is our best chance of preventing offenses from being committed and beating cybercrime. To support this, further work is to take place regionally, coordinated centrally by the NCA, to work on identification and diversion of individuals from cybercrime,” Peters added about the case.
In October 2016, Mudd pleaded guilty to three offenses under the Computer Misuse Act and to a money laundering charge under the Proceeds of Crime Act.
“The prosecution team was able to demonstrate how Adam Mudd developed technology to attack computer networks and profited from selling it to others,” Adrian Flasher, Specialist Prosecutor from the CPS International Justice and Organized Crime Division, said. “The CPS worked with investigators from an early stage, providing crucial advice on methods of obtaining admissible evidence in this complicated area of law. Prosecuting cyber-criminals is a priority and this case should serve as a reminder that, however much the crime is concealed, the perpetrators will be pursued by the authorities.”
On April 25, at the Old Bailey in London, the 19-year-old was sentenced to 24 months in prison for DDoS attacks he personally conducted, nine months for running a titanium stressor service, and 24 months for laundering the profits made from the stressor service, all to run concurrently.