Friday 27 December 2013. The answer phone message was simple: “Get PhantomL0rd”. No one knew who it came from.
The message was left on a phone operated by “DerpTrolling”, a clandestine hacker group, active since 2011. Like many similar groups, Derp, as its tens of thousands of Twitter followers know it, is a loose collective of coders and computer experts, who have a taste and a talent for internet chaos. They identify a target – usually a large corporation, often a video game company – and attempt to break its online infrastructure.
But Derp has a unique approach. The group advertises a phone number on its Twitter page with the simple instruction: “call or text a request.” Dial the number and you can leave a message with the name of a website you would like to be taken offline. If they decide to act, the hackers then stage a distributed denial of service (DDoS) attack against the target.
A DDoS attack is not hacking, it does not require the perpetrator to gain illicit access to the system – instead it involves directing a colossal flood of network traffic at the site until its servers buckle under the load. During the past five years, many of the world’s largest and most powerful websites, including PayPal, Mastercard and even the US National Security Agency have been shut down by DDoS attacks instigated by amateur hacker groups like Derp.
This time, however, the target was not a website but a person.
Enter Phantomlord
Jason Varga is a popular internet TV presenter who earns his living playing and commentating on online video games. Varga, known to his channel’s subscribers as PhantomL0rd, is one of the most popular “casters” in the business: he earns an estimated $184,000 a year from YouTube advertising, which supplements his already sizeable income generated from subscribers who pay to watch to his channel on the popular Twitch service, recently bought by Amazon for $970m.
The person who called Derp was perhaps a rival presenter or a bored viewer who wanted to cause some trouble during the school holidays. But their simple request was accepted.
DDoS attacks have vastly increased in frequency during the past few years. While some of the attacks are financially motivated (groups have demanded a ransom to be paid before they call off the attack), many are motivated by anti-corporate sentiment. When Mastercard and PayPal blocked donations to Wikileaks in 2011, the best-known “hacktivist” group, Anonymous, launched a DDoS attack against both sites in a programme of chaos it called “Operation Payback”.
Other hacker groups aren’t doing it for money or activistism, they’re doing it for fun, and to boast about their success on social media. It is the electronic equivalent of graffiti with a vaguely anti-establishment theme. This is where Derp operates.
Three days after the answerphone message was left, perhaps drawn to the idea of one of their DDoS attacks being streamed live on air, Derp chose to act against Varga.
At 4:07pm GMT on 30 December, the group tweeted: “Something special planned for League of Legends”, a reference to the hugely popular online PC game that Varga was playing while streaming footage to his hundreds of thousands of viewers. During the next few hours the group staged multiple DDoS attacks on the League of Legends servers. They successfully took the game, its accompanying website and forum offline around the world.
Rather than report the incident, Varga entered into a dialogue with the hackers. Realising the spectator value of what was happening, he made a deal with them, concerning the next game he was planning to play on air – the popular arena battle title, Dota 2.
“If my team wins, we’ll keep going,” he said, live on air. “[But] if my team starts to lose, Derp Bros, take this shit down.” The hackers agreed.
When Varga’s team lost the match the hackers made good on their promise: at 21:12pm, DOTA2 disappeared from the internet.
Throughout the evening the hackers continued to follow Varga online. They convinced him to play a game on the Disney-owned Club Penguin before they took the entire site down. They were enjoying the attention. They got more ambitious.
During the next few hours they successfully brought down various game-related websites, including Origin, the online web store of giant video game publisher, Electronic Arts. Varga asked the group why they were doing this. “For the lulz,” they replied, before adding, perhaps to lend a sub-note of gravitas to their campaign, that they also wanted to target greedy game companies.
But they weren’t finished with Varga.
Mischief night
In an hour-long video released after the attacks, Varga explained that Derp had found his home address. He claimed that the group ordered pizzas to be delivered throughout the night, and says that, at one point, police officers arrived responding to an emergency call claiming there was a hostage situation at the address. On Twitter and Facebook, Varga wrote that he had an “automatic pointed at me” and that the “handcuffs hurt.” (The LAPD later refuted this.)
While some delighted in the anarchy of the night’s events, others weren’t so enamoured – or perhaps Derp’s high-profile escapades had triggered the antagonism of a rival group. The next day, personal details of Utah resident Austin Thompson were posted online alongside the claim that he was the leader of Derp and had orchestrated the nights’ attacks. Now Thompson was the target; within days his Facebook and Twitter profiles had disappeared and his parents’ home phone number was disconnected.
“Thompson was arrested on 7 January, 2014 by the New York police department,” writes one of Derp’s members, communicating with the Guardian via the group’s official Facebook account. He claims that the authorities found Thompson’s identity through his personal account on the Electronic Arts digital gaming site, Origin. The US Attorney’s Office, however, told the Guardian that it has no record of any such arrest.
So where was Thompson? “Whatever’s happened, he’s not in jail,” the Derp member claims. “But he can’t touch a computer for 29 years.”
This may not be true. Skilled hackers are sometimes employed by the authorities who catch them. In a key example, George Hotz, the hacker who first broke into Apple’s iPhone and, later, Sony’s PlayStation 3 firmware, was eventually hired by Facebook. A spokesperson for the FBI initially agreed to look into the case for the Guardian, but ceased communications when asked to confirm or deny the arrest.
Origins of an internet troll
According to the anonymous Derp source, the group was formed in 2011 after someone at school told him about DDoS attacks. “I started with the LOIC (Low Orbit Ion Cannon) program,” he says.
Ian Reynolds is an IT security consultant for MTI Technology, testing government and business networks for security flaws.
“The Low Orbit Ion Cannon is the weapon of choice for most DDoS participants,” he explains. “Users install the application on their computer and connect it to the hacker group’s chat server or Twitter RSS feed. When the hackers decide to take action against an organisation, all connected participant computers begin to send network traffic toward the target server. It doesn’t take many DDoS participants before a crippling torrent of network traffic is aimed towards the victim.”
Thompson wrote Derp’s current DDoS software, which uses a botnet – a collection of connected computer programs. “Another method of getting more participants in a DDoS attack is through the use of malware infection,” explains Reynolds.
“These allow a remote attacker to take control of an infected computer and use it as part of a DDoS attack. Large-scale malware infections of this type often form part of a botnet, which allows the owner to control potentially hundreds of thousands of infected machines to target a DDoS attack.” Botnets can even be rented from their owners. Reynolds estimates the going rate to be around £150 for 1,000 infected machines a day.
While Thompson appears to have been the technical wunderkind of the Derp operation, the group is still active. When the Guardian last spoke to the Derp hacker in May, he claimed there were now only three members. “One of us is from Sweden, one from the US and I’m from the UK,” he said. Since Thompson’s apparent disappearance, they have redoubled their security. “We’re more secure than before,” he writes. “We use proxies that change once a minute.”
Online companies are also involved in the technological race against DDoS attackers. “These attacks are incredibly difficult to prevent,” says Reynolds. “It is almost impossible to differentiate between a request being sent from a malicious computer and one from a valid customer.”
In the past couple of years, a number of companies who specialise in protecting large organisations from DDoS attacks have emerged. “These companies act as a proxy between the organisation’s web servers and the general Internet,” says Reynolds. “They utilise a vast artillery of defenses against DDoS attacks ranging from custom-written detection systems that can differentiate between valid network traffic and malicious traffic to tremendous bandwidth.”
Anarchy or apathy?
Nevertheless, owing to the ease with which amateurs can cause gross disruption, Reynolds believes that the scale and frequency of DDoS attacks will continue to increase in coming years. While some are criminally motivated, many derive from boredom.
“A large number are launched by individuals simply because they can. Many of the botnets in circulation have been spawned from the bedrooms of teenage hackers who may just want to aim a DDoS attack at an organisation for the hell of it.”
For the Derp hacker, this certainly appears to be the case. “We like to target games companies because game players have a strong reaction,” he says. “But mostly, we do it because it’s fun.” This type of crime is low cost and, due to the distributed nature of the attack, low risk.
Moreover, for the young and disillusioned, it’s an effective way to lash out at the system, be it video game companies employing unpopular business models, or governments that teenagers feel powerless to address in any other way.
But there are darker motives emerging. On 24 August, a high profile DDoS attack on Sony’s PlayStation Network brought the system down for several hours. Two groups have claimed responsibility: a hacker named Fame, and an emerging group named Lizard Squad.
The latter appears to be motivated, not by boredom, but by extremist dogma – its Twitter stream is filled with references to Isis and Islamist slogans. The group even appears to have tweeted a bomb threat to American Airlines, concerning a passenger flight with a Sony executive on board. The plane was diverted and landed safely.
The links to Jihadist groups may well be just the latest attention-grabbing joke, but causing the diversion of an aircraft is a whole new paradigm.
For his part, the Derp hacker shows no remorse, and the disappearance of the group’s leader hasn’t diluted his ambitions. “We don’t regret anything – I hope to take down NSA someday,” he says, before signing off, with faint irritation, “we don’t have the time to be on Facebook 24/7.”
