Illinois man behind DDoS attack service given 2-year prison sentence

The Justice Department on Monday sentenced an Illinois man to two years in federal prison after he was convicted of running a service that helped people launch more than 200,000 distributed denial of service (DDoS) attacks.

Matthew Gatrel — a 33-year-old from St. Charles, Illinois — was convicted by a federal jury in September 2021 on a range of charges related to his ownership and operation of two DDoS facilitation websites: DownThem.org and AmpNode.com.

He was convicted on one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer.

The subscription websites could be used in tandem to launch multiple DDoS attacks. The DownThem service had more than 2,000 registered users. 

The DOJ said DownThem “sold subscriptions allowing customers to launch DDoS attacks while AmpNode provided ‘bulletproof’ server hosting to customers with an emphasis on ‘spoofing’ servers that could be pre-configured with DDoS attack scripts and lists of vulnerable ‘attack amplifiers’ used to launch simultaneous cyberattacks on victims.”

In a sentencing memo, prosecutors accused Gatrel of providing “infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks.”

“These attacks victimized wide swaths of American society and compromised computers around the world,” prosecutors said. 

According to DOJ, the site was used to launch hundreds of attacks targeting homes, schools, universities, municipal and local government websites and financial institutions worldwide. 

AmpNode was also used by other for-profit DDoS services, prosecutors said, and Gatrel personally provided users of both platforms with advice on the best way to launch attacks. Prosecutors obtained evidence showing that Gatrel frequently launched attacks on victims as a way to show customers how effective DownThem.org and AmpNode.com were. 

He would provide proof of their effectiveness through screenshots showing that he was able to get around DDoS protection tools and completely cut off victims’ internet connections. 

Gatrel’s platform was highly customizable and varied based on a tiered subscription system, offering customers attacks with different durations and power.

He was able to increase the destructiveness of attacks through “reflected amplification” – a process where he used his own servers to “appropriate the resources of hundreds or thousands of other servers connected to the internet.”

The Justice Department noted that it received help in the investigation of Gatrel from tech companies and organization like Akamai, Cloudflare, DigitalOcean, Google, Palo Alto Networks, the University of Cambridge Cyber Crime Centre and Unit 221B. 

Another man, 29-year-old Juan Martinez, was sentenced in August to five years probation after pleading guilty to one count of unauthorized impairment of a protected computer. He was a customer of Gatrel’s before becoming a co-administrator of the DDoS sites in 2018, according to DOJ.