Student walks free from court after admitting international cyber attacks

A student who carried out a string of international cyber attacks has walked free from court.

Jack Chappell, 19, of Stockport, committed distributed denial of service (DDoS) attacks, which involve the deliberate bombarding of a computer network with excessive data to crash or slow down its websites.

He taunted one of his victims, a Government supported educational network, after taking their services offline when he tweeted #GetBetterProtection and "down again?"

The Manchester College student also targeted that institution's network when he was due to submit an assignment online.

Investigators eventually traced those attacks to Chappell's home computer and went on to discover that he had been acting as administrator for a website which launched many thousands of DDoS attacks against high profile targets internationally.

But Manchester Minshull Crown Street heard he was "exploited" by the "criminally sophisticated" owners of the vDos site - based in Israel - and only received a token payment of £1,500 from activities which generated more than £600,000 in income.

Chappell had recently been diagnosed as being on the autism spectrum and was "particularly vulnerable to exploitation".

His barrister, Stuart Kaufman, even compared him to the character played by Dustin Hoffman in the 1980s hit film Rain Man, who wins a fortune at blackjack by counting cards.

Mr Kaufman said: "It's not him, but it gives you a little bit of a flavour ... he has been manipulated. He is in many ways just as much a victim. He has been totally exploited and abused.

"He is not a person who is malicious. He is mischievous."

Sentencing Chappell to a 16-month detention and training order in a young offender institution - suspended for two years - Judge Maurice Greene told him: "You played an important role over a long period of time and there is a considerable public interest in the disruption and harm that DDoS attacks cause to businesses and members of the public.

"Clearly it is a very serious offence.

"But at the time you were 16 or 17 and I have to discount any sentencing because of your age at the time.

"You are of positive good character. It is a tragedy to see somebody of your undoubted talents before the court.

"Looking at your history it is clearly evident when you were young you were socially isolated

"You were undoubtedly taken advantage of by those more criminally sophisticated than yourself."

The court heard that a psychologist who wrote a report for the court on the defendant said he was one of the most talented people he knew in the field of computing, which was "some feat" considering he shared an office with climate scientists who report to the United Nations.

Chappell has gained a BTEC in computer programming, was undergoing various treatment and counselling, and was said by the author of his pre-sentence report to be "making substantial progress".

He pleaded guilty at earlier hearings to various charges dating from May 2015 to April 2016, including carrying out unauthorised acts with intent to impair the operation of computers, conspiracy to commit the same offence, and money laundering.

Among the organisations targeted in more than 2,000 attacks by Chappell, of Curtis Road, Heaton Moor, were NatWest bank, the National Crime Agency, Vodafone, the BBC, BT, O2 and Amazon.

Other firms targeted were T-Mobile, EE, Sprint, the Massachusetts Institute of Technology, Verizon and the University of California San Diego (UCSD), where an American associate of the vDos operation had requested Chappell take its website down because he too could not meet an assignment deadline, the court heard.

Kevin Barry, prosecuting, said Chappell also launched 21 attacks on nine separate dates against Manchester College and Jisc, which provides computer networks to educational and research establishments across the UK.

Chappell went on to taunt Jisc on Twitter with the username @fractal_warrior as he claimed responsibility for the attacks.

Among the messages he sent were "offline again?"; "how come you can't handle my 100GBPS of DNS traffic"; "Yea I stopped the attacks. Will start again later :)" and "#GetBetterProtection".

Jisc outlayed £56,500 in staff costs to address the problem and also spent £5 million, with "future millions" to be spent, to mitigate future attacks, the prosecutor said.

An investigation was launched and it became apparent that someone was using a website to check the effectiveness of the attacks at the same time as launching them.

Those checks were traced to an IP address of a computer at the defendant's home and led to the uncovering of his vDos activities, the court was told.

Mr Barry said: "The defendant was an administrator of this site which launched many thousands of DDoS attacks against high-profile targets internationally.

"vDos was one of the biggest, most widely used and damaging services of its kind. He worked closely with the owners of this site, assisted with the illicit services delivered to its customers and helped monitor and improve the payment facility used by them.

"It is submitted that these were carefully planned attacks which did and were intended to cause harm to the organisations targeted. It must also have been obvious to the defendant that the attacks would also cause widespread harm to the many users of the networks targeted.

"He operated, in essence, a help desk whereby customers of vDos could request assistance in maximising the power of attacks they were looking to launch."

Two Israeli nationals, Yarden Bidani and Itay Huri, were running vDos from Israel and are the subject of law enforcement in that country, said Mr Barry.

He said Chappell had never met the pair and they only interacted digitally.

In a victim impact statement, telecoms firm O2 said the two attacks it suffered had caused "significant reputational and financial loss".

Mr Barry said the reasons for DDoS attacks were "many and varied" and range from those launched by anyone willing to pay as little as 25 US dollars online to those using it for "more sophisticated purposes" in distracting IT teams and leaving other areas within a company less well protected.

Mr Kaufman, defending, said nine "glowing" testimonials had been sent to the judge and a letter from Chappell which apologised to all those affected and expressed his "deep regret".

As part of his sentencing, Chappell will have to complete 20 days of an unspecified rehabilitation requirement.

Copyright (c) Press Association Ltd. 2017, All Rights Reserved.