Lizard Squad, PoodleCorp members arrested in DDoS-for-hire bust


You remember Lizard Squad, right? And PoodleCorp?

As in, those guys who claimed to have launched Distributed Denial of Service (DDoS) attacks against Pokémon GO servers and who ruined gamers’ Christmas with a DDoS against the servers that power PlayStation and Xbox consoles – for our own good.

For our own good, as in, these server clogger-uppers didn’t feel bad: some kids would just have to spend time with their families instead of playing games, one of them said at the time.

Well, two teenager members of Lizard Squad and PoodleCorp have now been arrested.

According to a press release from the US district attorney’s office in Northern Illinois, an international investigation into the two hacking groups has resulted in arrests on both sides of the Atlantic.

According to the criminal complaint from the US Department of Justice (DOJ), the US suspect is Zachary Buchta, also known as “pein,” “@fbiarelosers,” “@xotehpoodle,” and “lizard,” from Fallston, Maryland.

The other is Bradley Jan Willem van Rooy, also known as “Uchiha,” “@UchihaLS,” “dragon,” and “fox,” from the Netherlands.

Both of the suspects are 19 years old.

They’re being charged with operating cyberattack-for-hire websites that launched attacks on companies and individuals around the world, and with trafficking payment accounts stolen from thousands of unsuspecting victims in Illinois and beyond.

They allegedly ran a few attack-for-hire sites. Those sites are all now offline.

It was the launch of a nastiness-for-hire site called that triggered the investigation. That service enabled paying customers to select victims to receive repeated harassing and threatening phone calls from spoofed phone numbers.

The going rate to antagonize people: $20/month.

From one of the site’s pages, as quoted in the complaint:

We will call your target once per hour with one of our pre-recorded messages for $20 a month. Since our calls come from random numbers, your target will be unable to block our calls. Your target will be left with only 3 options: Change their number, Bend to your whim, Deal with a ringing phone for the length of our attack :\

For the extortionists amongst us we’ve added an option to cancel the calls at the click of a button, giving you complete control over the length of the attack…

Since there is no registration, all purchases are untraceable. The only data a hacker / feds would be able to exfiltrate from our database are the phone numbers currently being called, and the last 30 days of targets. Rest assured your privacy is respected here and purchase in confidence.

The investigation, coupled with an announcement from @LizardLands, revealed that the first victim to be targeted, identified as “Victim O” in court documents, was from the Chicago area.

Just as promised, the calls came in once an hour for 30 days. The audio recording from the calls, edited with enough asterisks to make it printable and to also look like marshmallows floating in a bowl of Unlucky Charms:

When you walk the f**king streets, Motherf**ker, you better look over your f**king back because I don’t give a flying f**k if we have to burn your f**king house down, if we have to f**king track your goddamned family down, we will f**k your s*** up motherf**k.

Yet another offering was a website named Shenron, which enabled paying customers to issue DoS attacks with the click of a button against victims of their choosing.

One of the packages, available for $19.99 a month, gave buyers the ability to carry out attacks of up to 15 Gbps, for 1,200 seconds at a time, for an “unlimited” number of attacks.

According to the complaint, the attacks targeted victims including gaming (no surprise there!), entertainment and media companies, and relied on a “massive network of compromised computers and devices.”

Four sites associated with the alleged conspiracy have been seized:,,, and

Buchta and van Rooy were each charged last Wednesday with conspiring to cause damage to protected computers. The conspiracy charge carries a maximum sentence of 10 years in prison, though maximum sentences are rarely handed out.

They’re not the first Lizard Squaders to wind up in courts. A 17-year-old member of the group was convicted of 50,700 computer crime charges in July 2015. He escaped jail time entirely.

Besides kicking gamers to the curb and renting out cyber-enabled attacks, Lizard Squad was also responsible for forcing a plane carrying Sony Online Entertainment’s president John Smedley to land following a tweeted bomb threat.

The group also targeted Malaysia Airlines in January 2015, apparently, and characteristically, for the “lulz”. Lizard Squad changed the carrier’s homepage to read “404 – Plane Not Found” in what was apparently a reference to missing flight MH370.

It hasn’t been all lulz and roses for Lizard Squad, though. Computer security analyst Vinnie Omari was apparently arrested and then bailed in connection with the Christmas blocking of Playstation network and Xbox Live systems.

In mid-January 2015, a second person was arrested in Southport, UK, in connection with the Grinchy DDoS.

Later that same month, the group found the tables further turned as one of its own DDoS-for-hire services – LizardStresser – was hacked.

According to the Chicago Tribune, Buchta will be allowed to live with his mother in Maryland while he awaits trial but is forbidden from accessing the internet or having any contact with van Rooy, who’s in custody in the Netherlands.