Court documents obtained by Bleeping Computer reveal that the FBI has charged a Minnesota man for launching hundreds of DDoS attacks on companies all over the world, including his former employers and business partners.
The man named in the court documents is John Kelsey Gammell, 46, who used to work for the Washburn Computer Group, an IT company based in Monticello, Minnesota, specializing in Point of Sale (PoS) repairs.
The FBI says it got on the case after Washburn reported being the victim of numerous DDoS attacks on three of its websites (wcgpdb.com, washburngrp.com, and washburnpos.com) between July 2015 and September 2016.
What stood out was that during the first attacks, in the summer of 2015, the company had received emails from two email addresses made to look like they came from a former employee named Lxxxx Sxxxxxxxxxx, who worked for the company for 17 years, but had left 3.5 years before.
The emails mocked the company about its "ongoing IT issues" and included a GIF image of a laughing mouse.
Following subpoenas served by the FBI, both Yahoo and Google provided detailed logs for the two email addresses used to send the mocking messages (firstname.lastname@example.org and email@example.com).
IP addresses provided by Yahoo and Google linked the messages to Gammell's home CenturyLink IP address and to a VPN service named IPVanish.
Following this discovery, Washburn confirmed that Gammell had also worked for them, but had left on good terms three years before to start his own soldering training company.
Things turned sour between Gammell and Washburn in July 2014, when negotiations for Washburn employee training services fell through.
With probable cause in hand, the FBI subpoenaed Google for information on Gammell's official email address, firstname.lastname@example.org.
Here, FBI agents found registration emails for seven DDoS booter services: cStress.net, InBoot.me, Booter.xyz, IPstresser.com, ExoStress.in, BooterBox.com, and vDOS-s.com.
According to investigators, Gammell ended up buying pro accounts at three of these services — cStress, InBoot, and vDOS.
The FBI says Gammell paid $234.93 via PayPal and Skrill to cStress, $28 via AioBuy to InBoot, and made two different payments for two accounts at vDOS. Gammell first paid vDOS $39.99 for an account with the username "anonrooster," and later paid vDOS another $349.95 for an account named "AnonCunnilingus." Logs showed Gammell made the vDOS payments via PayPal and Coinbase.
The FBI's job was made much easier because the vDOS service suffered a security breach in the summer of 2016, and a security researcher had provided the Agency with vDOS logs.
That is how investigators tied Gammell's accounts to DDoS attacks on Washburn, but also on other targets.
For example, Gammell launched DDoS attacks on the servers of Wells Fargo, JP Morgan Chase Bank, Hong Kong Exchanges and Clearing Limited, Hennepin County, Minnesota (hennepin.us), the Minnesota Judicial Branch (mncourts.gov), and the Dakota County Technical College (dctc.edu).
In addition, Gammell also targeted STI Electronics, a company with which he had business discussions; Kit Pack Co., a company where he worked briefly in August 2016; and dmDickason, a job placement agency that got him the Kit Pack job.
Email logs also showed that at one point Gammell even wrote to the vDOS team to congratulate them because he had been able to take down a website protected by Rackspace's DDoS mitigation system.
Further, Gammell also showed interest in HOIC (High Orbit Ion Cannon), an open-source DDoS toolkit, and even sought the help of other hackers to build his personal DDoS tool. In some of his emails, Gammell claimed to be a member of the Anonymous hacker collective.
A screenshot provided by Washburn of Gammell's Facebook page also showed the suspect calling for DDoS attacks on global banks on May 12, 2016. Gammell was promoting Operation Icarus, an Anonymous campaign that urged others to launch coordinated DDoS attacks on banks and financial institutions all over the world.
Besides the IP addresses linking all these acts together, the second most significant piece of evidence is that Gammell embedded the same GIF of the laughing mouse in his Facebook post calling for DDoS attacks on global banks.
The suspect was arraigned in a Minnesota court this week. Washburn said it suffered losses of over $15,000 because of the repeated DDoS attacks. According to local press, Gammell faces between 15 and 17 years in prison.
The FBI criminal complaint is available for download here.