Man Jailed for Attacking Millions of Websites

By John Lister

A man who launched millions of separate attacks on websites has been jailed for 13 months for conspiracy to damage Internet-connected computers. Sergiy Usatyuk, who is 20, offered an attacks-for-hire service using Distributed Denial of Service (DDoS) tactics.

A Denial Of Service attack is a crude but often effective technique that simply involves flooding a site with bogus "visits" until the web server becomes overloaded, which then causes the website to become inaccessible for ordinary users. It's roughly equivalent to tying up a company's switchboard with prank calls.

The "distributed" element involves building a network of computers - usually hijacked remotely by malware - that can work together to unleash such an attack. That can make it more difficult to defend against as it becomes harder to figure out which site visits are legitimate and which are part of the attack.

300,000 Attacks A Month

Usatyuk, who is a US citizen, partnered with an unnamed Canadian to operate Exostress, a "service" that people could hire to carry out DDoS attacks. Prosecutors say that it operated for 27 months and in the first 13 months alone Exostress carried out 3,829,812 attacks.

The illegal service appears to have been incredibly cheap, with the average revenue from an attack being a matter of pennies. It was a numbers game, however, with Usatyuk and his partner making an estimated $550,000.

Prosecutors detailed two of the victims. One was a school district, with knock-on effects impacting the county's government and a local Catholic diocese. Another attack brought down the servers of an online videogame, with an estimated cost to the game manufacturer of $164,000.

No Stranger To DDoS Allegations

Usatyuk will now forfeit a computer, cell phone, seven hard drives and three dozen servers which he used to carry out the attacks.

It's not the first time Usatyuk has been linked to such attacks. Security reporter Brian Krebs recalled interviewing the then 15-year-old after he posted a series of messages on a hacker forum discussing DDoS techniques. At the time Usatyuk denied carrying out attacks.

What's Your Opinion?

Is the 13-month sentence adequate? What's more important in deciding the punishment: how much money Usatyuk made or how much damage he caused? Should officials put strong efforts into finding the people who hired the service?



Jim-in-kansas

No sentence can adequately punish these people short of a long (10 years?) prison term. A prison term bereft of any access to the internet, cellphone or computer.

Restitution for the monetary damages inflicted due to their activities would never be realized, of course.