Polish programmers jailed for 5 years for DDoS and cyber-extortion of online casino

Filed Under: Denial of Service, Featured, Law & order, Security threats

DDoS image, courtesy of ShutterstockTwo online gaming programmers from Poland have been jailed for trying to cyber-extort the owner of an online marketing company based in Manchester, UK, and the CEO of an unnamed US internet software platform company that hosts online companies.

Greater Manchester Police on Wednesday said in a statement that the duo initially tried to shake down the Manchester business owner and that the US business got into the act as part of an elaborate sting.

(The Register and Sky News have identified the Manchester business as being a casino, although the police report identifies it as an online marketing company.)

The blackmailers demanded a 50% cut of their UK victim's company - a 65-person, nearly £30 million ($48.6 million) business - lest they knock it offline with the help of a "notorious computer hacker" they knew who could unleash a distributed denial-of-service (DDoS) attack.

In what they called the first prosecution of its kind, police set up a complicated sting that concluded with the seizure of the two programmers at a bugged room in the luxury Sofitel hotel at Heathrow Airport.

Piotr Smirnow, 31, of Warsaw, Poland, and Patryk Surmacki, 35, of Szczecin, Poland, pleaded guilty at Manchester Crown Court to two offences each of blackmail and one offence of unauthorised acts on computers under the Computer Misuse Act 1990.

Both men were sentenced on Wednesday to five years and four months in prison.

The Register reports that both of the men are programmers who worked in the online gaming business.

Police say that the pair knew their UK target because they all worked in the same line of business.

On 23 July, police say that Smirnow contacted the victim and asked to meet him to talk about "a business proposition".

The victim initially declined, but Smirnow finally talked him into meeting with himself and Surmacki at Heathrow Airport Terminal 5.

Once all arrived at the terminal, the pair revealed the details of the "proposition": if their target didn't give them a 50% share of his business, they'd enlist the services of a US hacker named "Wapo", Sky News reports.

First, the hacker would shut down the Manchester business, they said. They'd move the business to a separate server, attack the platform server, and corner the market with the original firm.

Police said that the victim at some point turned on his mobile device and started to record the conversation. In order to buy time, he agreed to meet with the extortionists' hacker.

After the meeting, the victim called the police, who in turn called in the National Crime Agency.

Smirnow called his victim within a few days, offering a meeting with the hacker in Kiev, Ukraine.

During a final call with Smirnow, the victim said he declined, explaining that he was frightened of flying to Kiev.

Several days later, on 2 August, Smirnow and Surmacki made good on their threat.

They unleashed the DDoS attack, shoving the targeted company's servers offline and keeping customers from using the site for 5 hours.

Police say that the DDoS cost the company around £15,000 ($24,300).

According to Sky News, the duo paid the US hacker £12,000 ($19,440) for the attack.

That's when the second victim, the CEO of the US-based platform server, got involved, as he attempted to mediate between the crooks and their victim.

The CEO spoke to Smirnow over Skype, at which point, the police say, the blackmailer admitted to the DDoS attack, saying it was triggered because another customer had failed to pay him as promised.

Smirnow told the CEO that he felt entitled to take down the platform unless they handed over operations to him.

Smirnow said he hadn’t contacted the Manchester business owner before the attack was launched because he wanted to show off his cyber-brawn and that the pair could take down every site on the platform if the victim refused to comply with their demands.

The police quoted Smirnow from the Skype conversation:

We offered him something that would keep his business alive and he refused the deal. He has problem now. You have to understand last time we tried diplomacy, we talked, did call, meet, etc. After that we understand only power talks in this world, now we have enough power so people can’t try to push us around anymore.

The US CEO agreed to meet the duo at the Heathrow Airport hotel on 7 August.

They all went into the bugged room, where more threats and admissions to pulling the DDoS ensued.

The pair said they wouldn't stop until they got the code for the CEO's business.

The CEO refused. The extortionists got annoyed, promising that now they were "going to war".

The CEO asked for a break, at which point the two Polish men left the room, walking into the waiting arms of the police, who'd been listening in on the conversation and who promptly arrested them.

The Greater Manchester Police were assisted by the National Crime Agency and the Crown Prosecution Service throughout the operation, they said.

Detective Inspector Chris Mossop, of the Serious Crime Division, said in the police statement that cyber extortion is an emerging global cyber threat:

Denial of service attacks have become increasingly common offences in recent years and can have a devastating effect on the victim’s online business. With millions of pounds and potentially dozens of jobs involved, Smirnow and Surmacki were playing for incredibly high stakes and clearly knew what they were doing.

They used their intimate, expert knowledge of on-line business to attempt to bully the victims into submission. But make no mistake, they may have been using the latest technology, but this was simply good old-fashioned blackmail. They behaved like a couple of sinister playground bullies who thought they could use the threat of financial annihilation to extort compliance from these companies. But their greed was ultimately their downfall as they failed to reckon with the victims' bravery in the face of extreme intimidation.

The UK victim, for his part, said that fear motivated his bravery:

This case made me fear for my personal safety as well as for the future of my business. Which is why I felt compelled to take action against the perpetrators. No-one should have to succumb to blackmail and this sentence should act as a warming to those involved in cyber extortion that the police and the courts will view this type of conduct very seriously.

, , , , , , ,

You might like

8 Responses to Polish programmers jailed for 5 years for DDoS and cyber-extortion of online casino

  1. Guitar Bob · 617 days ago

    I think you need to be a bit more careful to explain the details of situations like this. The relationship between the 2 businesses involved is not too clear ( you said the second business was an intermediary--how did this come about), and the details as to how the first business was going to be taken down is not clear either--the host was going to be taken over and the business was to be moved to another server--where/how? That looks to me like it is a bit more than simple DDOS. See?)


  2. Andrew · 617 days ago

    5 years for this kind of fraud is not enough considering other types of fraud can land you with 20 years

  3. Poland · 613 days ago

    Correction: the city is Szczecin not Szezecin. It's one of the biggest cities in Poland. Why do English speakers don't care for the names of people or places from other countries? We in Poland do pay special attention to names as this is very important. Don't you think so? Would you write: Sen Frencisco? Waszinghton? Now Jork?

    • Paul Ducklin · 613 days ago

      Fixed, thanks.

      (We make occasional spelling mistakes in English, too, if that makes you feel any better.)

    • Don't get so pissy mate, I'm polish myself. Typos happen, especially when you've got groups of letters such as "szcz". Not hard to make a mistake, calm your tits ;)

  4. roy jones jr · 610 days ago

    The good guys get a win!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.