Two years for hacker who created programme used to attack 1.7 million sites

Kings Langley

 

A computer nerd who made nearly £300,000 from his bedroom selling home-made software used to crash websites and computer networks around the world was jailed for two years.

Adam Mudd, 20, created a programme called ‘Titanium Stresser’ which was used to attack 1.7 million sites by overloading them with millions of simultaneous requests for access.

He used it to personally carry out 595 ‘distributed denial of services’ attacks – or DDoS – against 181 different IP addresses, including his own college, between September 2013 and April 2015.

Mudd also sold his creation to thousands of hackers across the globe, who used it to block countless websites.

It affected dozens of schools and colleges across the UK including Cambridge University.

Prosecutor Jonathan Polnay QC likened the DDoS attacks to a home being bombarded with millions of catalogues, meaning legitimate post is missed.

The hacker, who began his illegal career aged just 16, took payment into hundreds of different PayPal accounts and in Bit Coin, and by the age of 19 had amassed a fortune of £298,267.

Mudd admitting a charge of doing unauthorised acts with intent to impair the operation of computers.

He admitted a further charge of making or supplying an article for use in an offence contrary to the computer misuse act, and one charge of concealing criminal property in relation to the money.

His sentence was delayed to give his legal team time to prepare reports into his autism, and to allow time for the prosecution to assess the scale of the damage done by his software.

The Old Bailey heard that the TitaniumStresser.net was first registered on 12 September 2013 for a small fee using a false name and address.

Between 18 September 2013 and 1 September 2015, 16 different IP addresses – computer services – were used to host the TitaniumStresser.net.

The code used to write the programme was found on Mudd’s computer with ‘themuddfamily’ recorded as the founder and owner.

Mudd even set up a price programme for his customers, ranging from 100 seconds-per-month for $2.99 (£2.3) to 30,000 seconds over five years for $309.99 (£242.314).

He netted a total of $307,298 and 249.81 bitcoins from sales of the programme – or a total of £298,267.

Mr Polnay described the programme as ‘not an unimpressive piece of software’.

He said: ‘A distributed denial of services attack is an attack on websites, namely a computer sends a request to a website “please can you show me what’s on your page” but if a website is asked many, many times “please show me what’s on your page” it can’t do it and crashes.’

‘The Titanium Stresser, which is a not unimpressive piece of software, effectively carries out distributed denial of service attacks and takes down computer networks and websites,’ said Mr Polnay.

‘The defendant charged for use of it so others all over the world would pay money to use the programme.

‘There were 1.7 million attacks taking down websites and computers all over the world, no doubt causing considerable damage and loss.’

The court heard that Mudd laundered money cash through PayPal but spent very little of his ill-gotten cash because he was living at home with his parents.

But $18,000(£14,100) had been transferred into the bank account of Anthony Mudd, his father.

It emerged Mudd had registered himself as a business and used the transfers to pay tax on his earnings from selling his invention.

Sentencing him to two years in a young offenders’ institution today (tues) Judge Michael Topolski, QC, said: ‘It’s probably of little comfort to the victim’s of crime like this that the person responsible may not be motivated by money but by revenge, bravado, a wish to feel big, important or impressive.’

‘I’m satisfied that it with standing the defendant’s condition he knew full well he was committing serious crime and that in doing so he was taking a risk with his liberty.

‘I’m satisfied that he knew that this was not just a game, a game for fun, it was a serious money making business and your software was doing exactly what you had created it to do.’

Mudd went to great lengths to get PayPal to process the payments he received from his customers.

‘PayPal refused to allow its services to be used for payments for use of TitaniumStresser,’ said Mr Polnay.

‘To get around this limitation 328 separate PayPal accounts were created to receive payments for use if the websites, all under fake details.

‘The defendant also used sophisticated techniques to disguise the source of the funds he was receiving, including peer blocking and the use of other websites as payment gateways. Attempts were also made to block PayPal from accessing the sites.’

On one occasion Mudd arranged for a legitimate website to be linked to Titanium Stressor so PayPal would refuse to accept payments from them.

The software allowed Mudd’s customers to choose which server they wanted to attack and the method of attack.

Other tools included with the software included an IPLogger to identify addresses for attack, a FAQ sheet and a referral system.

It also had a system to allow the user to record IO addresses as ‘friends or enemies’.

When the ‘attack’ button is clicked, the DDoS assault is launched.

Mudd kept a digital log that kept a running tally of the number of times his invention had been copied and sold.

He had a total of 112,298 registered users who carried out a total of 1,738,828 attacks between them against 666,532 IP addresses.

Over 50,000 of the attacks were made against servers in the UK.

One of the sites repeatedly targeted was online fantasy game RuneScape, which suffered 25,000 attacks.

The company that owned RuneScape spent £6 million trying to protects itself against DDos attacks – every attack that took place in January 2015 came from Titanium Stressor.

Mudd carried out 593 of the attacks personally, and in total RuneScape lost £184,000.

He also attacked his own college – West Herts College – on four different occasions, taking down the entire college network and costing around £2,000 to repair.

One of the attacks on West Herts was so massive it affected 70 linked schools and universities including the Universities of Cambridge, Essex and East Anglia, as well as local and district councils.

He was eventually arrested in March last year following an investigation by the Eastern Region Special Operations Unit (ERSOU) Regional Cyber Crime Unit.

Mudd was found in his bedroom still glued to his computer which he initially refused to unlock, but was eventually persuaded to do so by his father.

He claimed that he had initially designed the software as a legitimate stressing tool for people to stress test their own Minecraft servers – a hugely popular online game.

Mudd said the software had just got out of control when people started using it as a DDoS service, but later admitted he was willingly running it and selling it as a DDoS programme.

Mr Polnay said: ‘With regard to the contended use of the software as a ‘legitimate steering tool’, whilst this is theoretical use, it would be highly niche and improbable.’

He added: ‘In any event, the Skype chats [between Mudd and his customers] make clear the precise purpose that the defendant’s software was being used for.’

Mudd has been working as a kitchen porter in a hotel since his arrest.

Ben Cooper, for Mudd, blamed his behaviour on the relentless bullying he had suffered at school as a result of his Asperger’s Syndrome.

‘At the time he had been lost in a fantasy world for a long period – he withdrew from his school after a sustained spell of bullying .

‘He withdrew also from his family into his bedroom – this went on for a protracted period of time and he became more and more sucked into it.’

‘There was a lack of professional treatment that he is now benefiting from.

‘He benefits from strong parenting – his mother is a deputy head teacher and she’s tried very hard to provide him with an appropriate level of support.’

‘He was looking to form friendships in the community which he couldn’t do in real life, but he was very successful in doing it on the online community.’

Mr Cooper told the court that despite being very bright, Mudd had failed most subjects at school apart from maths and computer science.

‘It’s worth identifying that this was an unhappy period for him during which he suffered greatly.’

Mudd, of Toms Lane, Kings Langley, Hertfordshire, was accompanied to court by his parents and his sister.

He did not react as his sentence was read out.

Detective Inspector Martin Peters of ERSOU’s Regional Cyber Crime Unit said in a statement: ‘Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others.

‘We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime. We are working at local, regional and national level with partners to educate people about cyber-crime and personal safety online, as this is our best chance of preventing offences from being committed and beating cyber-crime.’