Polish programmers jailed for 5 years for DDoS and cyber-extortion of online casino

Polish programmers jailed for 5 years for DDoS and cyber-extortion of online casino

DDoS image, courtesy of ShutterstockTwo online gaming programmers from Poland have been jailed for trying to cyber-extort the owner of an online marketing company based in Manchester, UK, and the CEO of an unnamed US internet software platform company that hosts online companies.

Greater Manchester Police on Wednesday said in a statement that the duo initially tried to shake down the Manchester business owner and that the US business got into the act as part of an elaborate sting.

(The Register and Sky News have identified the Manchester business as being a casino, although the police report identifies it as an online marketing company.)

The blackmailers demanded a 50% cut of their UK victim’s company – a 65-person, nearly £30 million ($48.6 million) business – lest they knock it offline with the help of a “notorious computer hacker” they knew who could unleash a distributed denial-of-service (DDoS) attack.

In what they called the first prosecution of its kind, police set up a complicated sting that concluded with the seizure of the two programmers at a bugged room in the luxury Sofitel hotel at Heathrow Airport.

Piotr Smirnow, 31, of Warsaw, Poland, and Patryk Surmacki, 35, of Szczecin, Poland, pleaded guilty at Manchester Crown Court to two offences each of blackmail and one offence of unauthorised acts on computers under the Computer Misuse Act 1990.

Both men were sentenced on Wednesday to five years and four months in prison.

The Register reports that both of the men are programmers who worked in the online gaming business.

Police say that the pair knew their UK target because they all worked in the same line of business.

On 23 July, police say that Smirnow contacted the victim and asked to meet him to talk about “a business proposition”.

The victim initially declined, but Smirnow finally talked him into meeting with himself and Surmacki at Heathrow Airport Terminal 5.

Once all arrived at the terminal, the pair revealed the details of the “proposition”: if their target didn’t give them a 50% share of his business, they’d enlist the services of a US hacker named “Wapo”, Sky News reports.

First, the hacker would shut down the Manchester business, they said. They’d move the business to a separate server, attack the platform server, and corner the market with the original firm.

Police said that the victim at some point turned on his mobile device and started to record the conversation. In order to buy time, he agreed to meet with the extortionists’ hacker.

After the meeting, the victim called the police, who in turn called in the National Crime Agency.

Smirnow called his victim within a few days, offering a meeting with the hacker in Kiev, Ukraine.

During a final call with Smirnow, the victim said he declined, explaining that he was frightened of flying to Kiev.

Several days later, on 2 August, Smirnow and Surmacki made good on their threat.

They unleashed the DDoS attack, shoving the targeted company’s servers offline and keeping customers from using the site for 5 hours.

Police say that the DDoS cost the company around £15,000 ($24,300).

According to Sky News, the duo paid the US hacker £12,000 ($19,440) for the attack.

That’s when the second victim, the CEO of the US-based platform server, got involved, as he attempted to mediate between the crooks and their victim.

The CEO spoke to Smirnow over Skype, at which point, the police say, the blackmailer admitted to the DDoS attack, saying it was triggered because another customer had failed to pay him as promised.

Smirnow told the CEO that he felt entitled to take down the platform unless they handed over operations to him.

Smirnow said he hadn’t contacted the Manchester business owner before the attack was launched because he wanted to show off his cyber-brawn and that the pair could take down every site on the platform if the victim refused to comply with their demands.

The police quoted Smirnow from the Skype conversation:

We offered him something that would keep his business alive and he refused the deal. He has problem now. You have to understand last time we tried diplomacy, we talked, did call, meet, etc. After that we understand only power talks in this world, now we have enough power so people can’t try to push us around anymore.

The US CEO agreed to meet the duo at the Heathrow Airport hotel on 7 August.

They all went into the bugged room, where more threats and admissions to pulling the DDoS ensued.

The pair said they wouldn’t stop until they got the code for the CEO’s business.

The CEO refused. The extortionists got annoyed, promising that now they were “going to war”.

The CEO asked for a break, at which point the two Polish men left the room, walking into the waiting arms of the police, who’d been listening in on the conversation and who promptly arrested them.

The Greater Manchester Police were assisted by the National Crime Agency and the Crown Prosecution Service throughout the operation, they said.

Detective Inspector Chris Mossop, of the Serious Crime Division, said in the police statement that cyber extortion is an emerging global cyber threat:

Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s online business. With millions of pounds and potentially dozens of jobs involved, Smirnow and Surmacki were playing for incredibly high stakes and clearly knew what they were doing.

They used their intimate, expert knowledge of on-line business to attempt to bully the victims into submission. But make no mistake, they may have been using the latest technology, but this was simply good old-fashioned blackmail. They behaved like a couple of sinister playground bullies who thought they could use the threat of financial annihilation to extort compliance from these companies. But their greed was ultimately their downfall as they failed to reckon with the victims' bravery in the face of extreme intimidation.

The UK victim, for his part, said that fear motivated his bravery:

This case made me fear for my personal safety as well as for the future of my business. Which is why I felt compelled to take action against the perpetrators. No-one should have to succumb to blackmail and this sentence should act as a warming to those involved in cyber extortion that the police and the courts will view this type of conduct very seriously.