Late in the evening of February 13, Paul and Robin Laudanski were planning the following day's Valentine's celebration when they received word that CastleCops, the volunteer security website they run, was under assault.

Greg C. King in a photo from his Yahoo Profile.

At its peak, the five-day attack flooded CastleCops with close to 1 gigabyte of data every second. The distributed-denial-of-service deluge was so severe that the husband-and-wife team were forced to take their site offline 15 minutes after it started. It also knocked CastleCops' webhost offline for two days, causing more than $160,000 worth of damage to the company and its customers.

"We were planning on having a family Valentine's event," said Paul Laudanski, who along with Robin was forced to spend the next several days migrating to a new hosting provider. "Then, of course, the DDoS started, which ruined those plans."

The attack, according to federal prosecutors, was the handiwork of Greg C. King, a 21-year-old California resident who at one point maintained a 7,000-node botnet. On Monday, he was publicly charged with four counts of illegal hacking, charges that carry a maximum penalty of 40 years in prison and a $1m fine.

King has pleaded not guilty, and he reiterated his claims of innocence in a telephone interview with The Register. He said he was released on $25,000 bond and is under orders not to use computers outside of his job, which he declined to identify.

The indictment comes three weeks after a yearly report from Arbor Networks found for the first time that internet service providers rated botnets as the top operational threat to their infrastructure.

Revenge of the King

While more and more of today's cyber criminals are driven by financial gain, King's four-year DDoS spree was motivated by revenge for perceived slights, according to court documents and interviews. King's need to lash out ran so deep that his crippling attacks continued even after federal authorities raided his parents' Fairfield, California home in 2004, prosecutors allege. Even a conviction for attempted armed robbery, for which King served seven months jail time earlier this year, didn't weaken his resolve.

King "just continued on and on and on and on," said Tami Quiring, owner of KillaNet Technologies, a British Columbia-based website for high school students preparing for careers in online media. "He would make appearances on IRC and just taunt the kids and threaten them and post links to some really disgusting porn sites."

Quiring says one of her first brushes with King dated back to 2003, before the suspect had even turned 18. A chat server she maintained was subjected to a smurf attack, a particularly powerful type of DDoS that bounces spoofed ping requests off thousands of vulnerable routers and, in the process, significantly amplifies the amount of traffic directed at a victim. As a result, she said, she was forced to pull the plug on her site.

Over the years, Quiring says, she tried all kinds of evasive maneuvers. She repeatedly changed servers. She blacklisted his IP address. She and her employees engaged him in chat dialogs. None of it had any effect. She said the attacks continued through last year, when a site she set up to host a large video game tournament was taken offline, preventing Nvidia, ATI and other partners from accessing the site at a crucial moment.

"We withstood attacks that took Yahoo! down," Quiring said. "For a long time, our servers were locked up like Fort Knox."

The SilenZ Treatment

A key element in the vengeance allegedly meted out by King was acknowledgment from his victims that they were being punished. And as a result, he took few steps to cover his tracks. He frequently taunted his victims in chat rooms before and during his attacks, and on several of those occasions, he dropped hints about his real-life identity, according to court documents.

He went by the same handful of online monikers, including SilenZ, SilenZ420 and Gregk707, and he also used the same several email addresses - including gregk707@yahoo.com and silenz420@gmail.com - to establish accounts on the systems he attacked. He frequently used his parents' SBC DSL line to log in to the accounts and read email. He was partial to using the passwords "1fuckhead" and "1fuckhead1" on many of those accounts.

"My good friend's ISP shut him over this fucking post," a user by the name of SilenZ wrote in a CastleCops forum shortly before the February 13 attack began. "I have the right to be angry. If you edit my post once more, you will be sorry."

SilenZ was banned from the boards at 10:40 that night. About four minutes later, the DDoS started.

Alias: The Belgian Bean Farmer

According to CastleCops logs, the SilenZ account was activated by someone who used the email address silenz420@gmail.com and the MD5 value for his password matched the encryption string for "1fuckhead." CastleCops located the command and control for the offending botnet to an IP address that resolved to the domain name beanfarmer.be, a site that is registered to a Greg King, according to DNS records.

Previous IP addresses for the domain resolved to SBC IP addresses beginning with "71.132," the same initial digits for addresses frequently assigned to King when he was using his parents' DSL service.

Beginning in August of 2004, according to court documents, someone using the name Greg began a series of chats via IRC with people responsible for running myg0t, which bills itself as an online gaming authority. Greg said he was responsible for prior attacks on the myg0t website and then announced he would initiate new attacks on myg0t's IRC board as well.

Eventually, Greg said he would suspend the DDoS assault if officials posted an apology for "myg0t being the asses we are." Greg listed his email address as gregk707@yahoo.com.

Big Mac, Filet-O-Fish, Quarter Pounder, Botnet

After authorities seized King's computers in December 2004, he began using computers at the Solano County Library and a Best Buy store. According to evidence Quiring provided authorities, six of the attacks on KillaNet were carried out by someone accessing the library computers.

Someone using the alias SilenZ who chatted via MSN messenger with a KillaNet administrator later admitted to using McDonald's for an internet connection, then began discussing the FBI raid on his parents' house.

"I denied dong the attacks but told them where my botnets were," according to a log of the session. "I dont see what they expect, not like i robbed their house, i just took their server offline for a few hrs."

The web is also rife with posts, some of them abusive, from an individual who goes by the handle gregk707. This thread from the Fairfield High School AP Calculus Homepage, for example, contains a comment that repeats itself 13 times.

"My ip does happen to be logged, And u wont do shit," the May, 2005 post reads. "Can u ban me from posting? NOPE and do u know why? BECAUSE IT IS DYNAMIC, anytime i get off the internet it changes. SO ALL I HAVE TO SAY IS FUCK YOU HAVE A NICE DAY."

Herd Mentality

King acknowledged to The Reg that several years ago he maintained a botnet, which he says he stole after discovering the command and control center used by a bot herder. While the zombie network originally contained about 30,000 nodes, he only managed to take control of somewhere between 7,000 and 12,000 of them, he said. He surrendered the botnet when authorities searched his parents house in 2004, he said.

He confirmed that the email address gregk707@yahoo.com is his and also admitted to using the computers at the Solano County Library and Best Buy. But he declined to say exactly what he did with them, under advice from his attorney. He also declined to say if he's ever carried out a DDoS attack or discuss specific allegations contained in court documents.

"A lot of this was so long ago, I don't even remember it," he said.

Indeed, many of the alleged attacks occurred more than three years ago. But with signs that botnet herding and other types of cybercrime are only getting worse - the FBI, for example, recently logged its millionth bot-infected IP address - federal law enforcers want to send a message that online miscreants will be sought out and prosecuted.

"What bot herders or potential bot herders need to worry about is that even years after they do a DDoS attack they may wind up under arrest, long after they thought it was all over," said Matthew Segal, the assistant US attorney who is prosecuting King. "We do this to deter this kind of conduct and also because we believe in retributive justice." ®

If you have tips, story ideas or inside scuttlebutt about this or any other security-related story, please send them to Dan Goodin using this link.

Related stories

• Cable employee admits replacing Superbowl feed with porn (21 October 2011)

  https://www.theregister.com/2011/10/21/superbowl_computer_tampering/

• Man accused of DDoSing conservative talking heads (19 May 2010)

  https://www.theregister.com/2010/05/19/bill_oreilly_ddos_attacks/

• 'Virtual sit-in' tests line between DDoS and free speech (9 April 2010)

  https://www.theregister.com/2010/04/09/virtual_protest_as_ddos/

• Trial set for 'botnet for hire' duo (16 September 2009)

  https://www.theregister.com/2009/09/16/botherder_trial_set/

• Teen cuffed for bomb threat webcam pay-per-view (9 July 2009)

  https://www.theregister.com/2009/07/09/swatting_indictment/

• Feds: Hospital hacker's 'massive' DDoS averted (1 July 2009)

  https://www.theregister.com/2009/07/01/hospital_hacker_arrested/

• Teenage hacking menace jailed for 11 months (21 April 2009)

  https://www.theregister.com/2009/04/21/swatting_hacker_jailed/

• Web maven gives convicted botmaster keys to new kingdom (5 March 2009)

  https://www.theregister.com/2009/03/05/mahalo_computer_felon/

• BOFH-loving botmaster wants life as security consultant (23 January 2009)

  https://www.theregister.com/2009/01/23/botmaster_sentencing_kerfuffle/

• CastleCops shuts up shop (29 December 2008)

  https://www.theregister.com/2008/12/29/castlecops_closes/

• Teen hacker confesses three-year crime spree (19 November 2008)

  https://www.theregister.com/2008/11/19/dshocker_pleads_guilty/

• Feds indict international cyber crook accused of $1.7m ATM spree (30 October 2008)

  https://www.theregister.com/2008/10/30/analyzer_hacker_indictment/

• CastleCops nemesis gets two-year sentence (13 October 2008)

  https://www.theregister.com/2008/10/13/castlecops_attacker_sentenced/

• 19-year-old p2p botnet pioneer agrees to plead guilty (28 June 2008)

  https://www.theregister.com/2008/06/28/nugache_creator_plea_agreement/

• Fired IT manager accused of venting spleen on organ bank (26 June 2008)

  https://www.theregister.com/2008/06/26/fired_it_manager_rampage/

• Disgruntled admin gets 63 months for massive data deletion (13 June 2008)

  https://www.theregister.com/2008/06/13/it_manager_rampage_sentence/

• Rubbermaid bot master sentenced to 41 months (11 June 2008)

  https://www.theregister.com/2008/06/11/rubbermaid_botmaster_sentenced/

• Hacker cops to $70k botnet rampage (11 June 2008)

  https://www.theregister.com/2008/06/11/botherder_admits_to_ddos_assault/

• TJX credit card heist suspect, 2 others, accused of new scam (13 May 2008)

  https://www.theregister.com/2008/05/13/trio_accused_in_carding_scam/

• I Was A Teenage Bot Master (8 May 2008)

  https://www.theregister.com/2008/05/08/downfall_of_botnet_master_sobe_owns/

• DDoS packets soak up to 3 per cent of net traffic (3 April 2008)

  https://www.theregister.com/2008/04/03/arbor_ddos_analysis/

• How an app called WarmTouch nailed a grenade-stockpiling cyber extortionist (1 April 2008)

  https://www.theregister.com/2008/04/01/warmtouch_brings_down_cyber_extortionist/

• DSL Reports back up after DDoS attack (19 March 2008)

  https://www.theregister.com/2008/03/19/dslreports_under_ddos_attack/

• LSDigital drops federal botnet confession (14 March 2008)

  https://www.theregister.com/2008/03/14/bot_herder_cops_plea/

• Québec cops bust massive botnet ring (21 February 2008)

  https://www.theregister.com/2008/02/21/canada_botnet_bust/

• MayDay! MayDay! Ruskies reinvent cyber crime (13 February 2008)

  https://www.theregister.com/2008/02/13/new_botnet_advances/

• Man siphons info for 300 credit cards from hotel kiosks (19 December 2007)

  https://www.theregister.com/2007/12/19/hotel_kiosk_hijacks/

• Phone phreaks spoof LSD-induced multiple homicide (5 December 2007)

  https://www.theregister.com/2007/12/05/swat_conspiracy_guilty_pleas/

• Botmaster owns up to 250,000 zombie PCs (9 November 2007)

  https://www.theregister.com/2007/11/09/botmaster_to_plea_guilty/

• eBay: Botnets are Linux-happy (3 October 2007)

  https://www.theregister.com/2007/10/03/ebay_paypal_online_banking/

• Zombies flood broadband networks (18 September 2007)

  https://www.theregister.com/2007/09/18/arbor_botnet_survey/

• Uber-hacker Max Vision misses the killswitch (18 September 2007)

  https://www.theregister.com/2007/09/18/max_butler_affidavit/

• Trojan-fuelled botnet menaces UK eBay users (10 September 2007)

  https://www.theregister.com/2007/09/10/ebay_botnet_attack/

• ISPs turn blind eye to million-machine malware monster (10 September 2007)

  https://www.theregister.com/2007/09/10/isps_ignore_strorm_worm_and_other_malware/

• Fast flux foils botnet takedown (11 July 2007)

  https://www.theregister.com/2007/07/11/fast_flux_botnet/

• Rival malware gangs wage turf war (1 July 2007)

  https://www.theregister.com/2007/07/01/malware_gang_war/

• eBay goes hacker hunting in Romania (8 March 2007)

  https://www.theregister.com/2007/03/08/who_is_vladuz/