Matthew Gatrel, Operator of 'DownThem' DDoS Service Gets 2 Years
June 15, 2022
An Illinois man was sentenced today to 24 months in federal
prison for running websites that allowed paying users to launch
powerful distributed denial of service, or DDoS, attacks that
flood targeted computers with information and prevent them from
being able to access the internet.
Matthew Gatrel, 33, of St. Charles, Illinois, was sentenced by
United States District Judge John A. Kronstadt.
At the conclusion of a nine-day trial in September 2021, a
federal jury found Gatrel guilty of one count of conspiracy to
commit unauthorized impairment of a protected computer, one
count of conspiracy to commit wire fraud, and one count of
unauthorized impairment of a protected computer.
“Gatrel ran a criminal enterprise designed around launching
hundreds of thousands of cyber-attacks on behalf of hundreds of
customers,” prosecutors wrote in a sentencing memorandum. “He
also provided infrastructure and resources for other
cybercriminals to run their own businesses launching these same
kinds of attacks. These attacks victimized wide swaths of
American society and compromised computers around the world.”
Gatrel owned and operated two DDoS facilitation websites:
DownThem.org and AmpNode.com. DownThem sold subscriptions
allowing customers to launch DDoS attacks while AmpNode provided
“bulletproof” server hosting to customers with an emphasis on
“spoofing” servers that could be pre-configured with DDoS attack
scripts and lists of vulnerable “attack amplifiers” used to
launch simultaneous cyberattacks on victims.
Records from the DownThem service revealed more than 2,000
registered users and more than 200,000 launched attacks,
including attacks on homes, schools, universities, municipal and
local government websites, and financial institutions worldwide.
Many AmpNode customers were themselves operating for-profit DDoS
Gatrel offered expert advice to customers of both services,
providing guidance on the best attack methods to “down”
different types of computers, specific hosting providers, or to
bypass DDoS protection services. Gatrel himself often used the
DownThem service to demonstrate to prospective customers the
power and effectiveness of products, by attacking the customer’s
intended victim and providing proof, via screenshot, that he had
severed the victim’s internet connection.
DownThem customers could select from a variety of different paid
“subscription plans.” The subscription plans varied in cost and
offered escalating attack capability, allowing customers to
select different attack durations and relative attack power, as
well as the ability to launch several simultaneous, or
“concurrent” attacks. Once a customer entered the information
necessary to launch an attack on their victim, Gatrel’s system
was set up to use one or more of his own dedicated attack
servers to unlawfully appropriate the resources of hundreds or
thousands of other servers connected to the internet in what are
called “reflected amplification attacks.”
Co-defendant Juan Martinez, 29, of Pasadena, pleaded guilty in
August 2021 to one count of unauthorized impairment of a
protected computer and was sentenced to five years’ probation.
Martinez was one of Gatrel’s customers and became a
co-administrator of the site in 2018.
The FBI’s Anchorage Field Office and its Los Angeles-based Cyber
Initiative and Resource Fusion Unit investigated this matter.
Akamai Technologies, Inc.; Cloudflare, Inc.; DigitalOcean, Inc.;
Google, LLC; Palo Alto Networks - Unit 42; University of
Cambridge Cyber Crime Centre; and Unit 221B, LLC assisted this
Assistant United States Attorney Cameron L. Schroeder, Chief of
the Cyber and Intellectual Property Crime Section, and Assistant
United States Attorney Adam Alexander of the District of Alaska
are prosecuting this case.