HACK THE PLANET, PART II
The week of August 9, 2015

The year of the Lizard Squad

By William Turton

In 2014, John Smedley, then-president of Sony Online Entertainment, was on an airplane on his way to San Diego during what had already been a stressful week. A large-scale denial-of-service attack was taking Sony offline, and to make matters worse, his flight was about to get diverted to Phoenix.

Smedley’s Aug. 24 flight wasn’t being changed for weather or mechanical problems; someone had issued a tweet mentioning explosives on board the aircraft. That someone was Julius “zeekill” Kivimaki, a teenage hacker from Finland, who was also responsible for the attacks on Sony.

That was the first time most people heard about Lizard Squad, a nefarious group of hackers responsible for some of the most notable cyberattacks of the past decade. The plane’s diversion made international news, with TV stations showing the group’s Twitter page. It was “really big, bigger than I thought it’d be,” recalled one Lizard Squad member, known only as antichrist.

Some hacking groups are in it for the money. They’ll snatch a database full of usernames and passwords and quickly sell it to the highest bidder, securing payment through the digital cryptocurrency Bitcoin. Some are in it for political activism, attacking websites of oppressive governments, military contractors, or anyone else that falls outside their worldview. The rest are in it for the infamy and lulz, doing whatever it takes to make the nightly news or the New York Times.

What makes Lizard Squad so dangerous is that their motivation is a combination of all three. They’ve figured out how to make each element work for them—and they’re just getting started.

• • •

Lizard Squad was formed in Darkode, an online forum and marketplace for cybercriminals and hackers. It was shut down last month by a U.S-led coalition, dubbed the “largest coordinated international law enforcement effort ever directed at an online cybercriminal forum” by the Department of Justice. U.S Attorney General David J. Hickton said Darkode “represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world.”

Some of the Lizard Squad members were longtime users of the forum. Darkode hosted two Lizard Squad domains and its Internet Relay Chat server. In that IRC room, online hackers abdilo, antichrist, komodo, sp3c, chf, and zeekill met and formed Lizard Squad last year. The group also has what they refer to as “affiliates,” or friends of the group, who will occasionally carry out some dirty work in an attack.

“If you include all the affiliates we have, it’s like 20-30 members,” antichrist told me in a private chat. The group doesn’t have a core set of members; the people who participate in attacks come and go.

“If you include all the affiliates we have, it’s like 20-30 members.”

The group started small. A week before the American Airlines tweet, Lizard Squad launched an attack on the popular online game League of Legends and followed it with a blitz on the roleplaying game Runescape. The group’s brute-force tactics—using distributed denial-of-service (DDoS) attacks to overwhelm servers with data and force them offline—didn’t earn them any accolades in the hacking community, but their success, coupled with their juvenile antics on Twitter, had people openly wondering who exactly Lizard Squad was and if they were as reckless as they appeared. It was a harbinger of things to come.

While Kivimaki served a three-month sentence in a maximum-security prison for the American Airlines tweet and other cybercrimes, the other members of Lizard Squad were planning their next attack, one the group said would take “lots of work.” Lizard Squad was aiming for maximum outrage and media attention. “I was nervous it wouldn’t happen and we would look like jokes,” antichrist recalled.

Lizard Squad wanted to steal Christmas.

• • •

While most were still opening presents or enjoying a holiday brunch, Vinnie Omari woke up slightly hungover on Dec. 25, 2014. He’d spent the previous night getting “shitfaced” in London celebrating his 22nd birthday, he told me later, and logged onto his computer around 1pm.

His friends in Lizard Squad were about to take down Xbox Live and PlayStation Network at the same time, and he was going to be the front man for the whole operation. As gamers across the world were setting up the new Xbox and PlayStation consoles they had just received for Christmas, Lizard Squad was gearing up to make them inoperable.

Lizard Squad had spent months acquiring 150,000 bots and 30 servers to overload Xbox Live and PlayStation Network. Initiating the attacks was as simple as entering a single command into a console: .upd [IP address] [port] 21600. That last field represents the length of time, in seconds, of each bot attack, equivalent to six hours .

Within two minutes, some users began to get kicked out out their games. Three minutes later, there was a complete worldwide outage. Five minutes after that, Twitter “went nuts,” antichrist recalled.

Every angry tweet or upset comment only spurred Lizard Squad to keep the servers offline longer. Lizard Squad tweeted with glee an excerpt from one article quoting a child’s parent: “He has spent most of the day in tears. He says it’s been his worst Christmas ever.”

Kivimaki claimed at the time that the group had direct access to Microsoft and Sony networks, and that their attacks topped out at 1.2 terabits per second: a figure that, if true, would’ve been nearly three times more powerful than any other DDoS attack on record, according to Ars Technica. (Microsoft and Sony have not released any details about the size of the hack.)

“Microsoft and Sony are fucking retarded, literally monkeys behind computers,” Omari, who—contrary to previous reports—operates under his real name and serves primarily as the group’s spokesperson, told me shortly after the attack. “They would have better luck if they actually hired someone who knew what they were doing. Like, if they went around prisons and hired people who were convicted for stuff like this, they would have a better chance at preventing attacks.”

“They would have better luck if they actually hired someone who knew what they were doing. Like, if they went around prisons and hired people who were convicted for stuff like this, they would have a better chance at preventing attacks.”

Lizard Squad quickly went on an international media tour, appearing on the BBC and various other outlets. Sky News dubbed the group “The Hackers Who Ruined Christmas.” Kivimaki appeared on camera in a Sky News interview.

When asked if he felt guilty, Kivimaki responded: “I’d be rather worried if these kids didn’t have anything better to do than play games on their consoles on Christmas Day. I mean, I can’t really say I feel bad.”

Kivimaki gave a somewhat convoluted explanation that hid the group’s true motivations for the attack, which they would reveal several days later. “One of the aspects here was raising awareness regarding the low state of computer security at these companies, because these companies make tens of millions from just their subscriber fees,” Kivimaki said. “They should have more than enough funding to be able to protect against these attacks.”

Lizard Squad kept two of the biggest online gaming providers offline for more than 12 hours and likely would’ve kept them off longer if Internet entrepreneur Kim Dotcom hadn’t intervened. Dotcom offered 3,000 vouchers to his online storage service MEGA—each worth $99—if Lizard Squad called off the attack.

Lizard Squad quickly cashed out. They sold the vouchers on underground online marketplaces at a discounted rate of $50 each, earning around $150,000 for the attacks.

All told, Xbox Live and PlayStation Network stayed offline for more than 48 hours. The attacks were so large that the services had trouble recovering, yet many were quick to deride the hacking group’s technical capabilities.

“There’s plenty of people saying we’re not hackers and DDoS isn’t hacking,” Kivimaki told the Daily Dot last December. (He was using an alias at the time, “Ryan Cleary,” which referred to a disgraced LulzSec hacker.) “For attacks of this scale, you can’t really do them without either having access to insane amounts of funding or being able to gain access to the computers via hacking.

“You can’t just do DDoS attacks from your home computer. It doesn’t work.”

• • •

The devastating Christmas Day cyberattacks were, in fact, a marketing scheme.

On Dec. 30, 2014, still riding a high from international press coverage and outraged tweets, Lizard Squad began offering Lizard Stresser, a commercial service that essentially allowed willing customers to carry out the same sort of attacks that crippled Xbox Live and the PlayStation Network.

“Playing games on a Twitter is fun, but it comes down to the money,” Lizard Squad member dragon told the Daily Dot at the time.  “The objective here, for me at least—can’t speak for others—is money.”

“Playing games on a Twitter is fun, but it comes down to the money.”

It takes a virtual army of sorts to carry out powerful DDoS attacks. They utilize botnets—networks of computers that have been commandeered by a hacker, often without the owner’s knowledge—to generate staggering amounts of data requests that overwhelm service. It’s access to such a network that Lizard Squad offered—for a price.

There are dozens of similar services, known as “rental booters,” available on hacking forums on the Dark Net—the portion of the Web accessible only via encrypted browsers like Tor. What set Lizard Stresser apart was its past accolades and the alleged size and strength of the botnet. Lizard Stresser offered attacks with an “average” load of 5 terabits per second (Tbps)—the total amount of fake traffic with which all customers can bombard their targets.

ScreenShot2014-12-30at4.52.04AM

The cost of attacks ranged from $5.99 to $500, and the service allowed customers to send a DDoS to a victim of their choosing. The first iteration “only made $15,000 to $20,000,” antichrist said. Lizard Stresser 2.0 was much more lucrative, allegedly raking in about $55,000 before a DDoS attack—ironically—compromised Lizard Squad’s servers and revealed customer usernames and passwords. The service has been down ever since.

Lizard Squad has lain relatively low since the launch of Lizard Stresser. The group is currently under investigation by the FBI. Kivimaki was convicted last month of an astounding 50,700 charges related to computer crimes, which included data breaches, felony payment fraud, and  telecommunications harassment, according to Finnish media. He will not serve time in prison but will have to undergo active monitoring of his online activities.

Considering the havoc he’s wreaked online, the punishment was seen by many as a mere slap on the wrist. “I’ve lost complete faith in the justice system and that includes the FBI. He’s harmed American targets, and the FBI should have stepped in by now,” Blair Strater, a frequent target of Kivimaki’s online harassment, told the Daily Dot after the sentencing. “The reality is Julius Kivimaki will never be made to pay for his crimes.”

That sentiment was echoed by John Smedley, the former president of Sony Online Entertainment whose flight was diverted by Kivimaki’s antics. “You shouldn’t be able to do crap like this without any hint of a consequence. I plan on doing everything in my power to see him get what’s coming to him in court one way or another,” he wrote on Reddit. “I’ve been working with law enforcement to put him and others into jail where they belong. Some of them are minors, which makes it tough. Most of them are outside the U.S., which makes it tougher. But I’m patient and I’m going to be relentless about this.”

Lizard Squad doesn’t seem fazed by Smedley’s pursuit. In fact, the group responded with another DDoS attack, this time on Daybreak Game Company, where Smedley worked at the time. And Omari and Kivimaki are currently in Amsterdam, planning something—they won’t say what—to commemorate the first anniversary of that fateful American Airlines flight.

Smedley seemed less determined when I reached out for comment for this story. He declined to speak on the record, but not before offering this telling piece of advice: “[I’m] staying as far away from this as I can now.”

Illustration by Tiffany Pai