A 23-year-old Utah man plead guilty in federal court on Tuesday and admitted to carrying out a series of denial-of-service (“DOS”) attacks in 2013 and 2014 that mainly targeted online gaming companies and servers.
A DoS attack happens when hackers flood a host or network with so much traffic it crashes, leaving legitimate users unable to use the service. Austin Thompson committed such attacks against multiple victims between December 2013 and January 2014, including Sony Online Entertainment, according to the U.S. Attorney’s Office, Southern District of California. Former SOE president John Smedley mentioned the attack on Twitter at the time and said it was “being dealt with.” Later that day, he said his flight was diverted for “security reasons” after an online hacking group called Lizard Squad allegedly tweeted a bomb threat at the airline.
Thompson typically used the Twitter account @DerpTrolling to announce an attack and then posted screenshots after the victims’ servers were taken down. His actions caused at least $95,000 in damages, according to the plea agreement. “Denial-of-service attacks cost businesses millions of dollars annually,” said U.S. attorney Adam Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”
DerpTrolling is a clandestine hacker group that takes requests for targets of its attacks by phone, according to a 2014 report in The Guardian. People can leave the group a message with the name of a website and it will take it offline. In late 2013, DerpTrolling allegedly accepted a request to go after a popular Twitch streamer and YouTuber named Jason “PhantomLord” Varga. It attacked “League of Legends,” a popular multiplayer online battle arena game Varga streamed for his followers. It also reportedly took down rival MOBA “Dota 2” and Electronic Arts’ online store Origin.
When Varga later asked DerpTrolling why it was carrying out the DoS attacks, it replied, “For the lulz.”
Thompson’s sentencing is set for Mar. 1, 2019. He’s charged with damage to a protected computer, which has a maximum penalty of 10 years in prison, a $250,000 fine, and three years supervised release.