Photoillustration containing a figure standing in a streetlight thread pinned to paper and a shadowy hacker figure with...
Illustration: Cameron Getty; Getty Images

The Team of Sleuths Quietly Hunting Cyberattack-for-Hire Services

For a decade, a group called Big Pipes has worked behind the scenes with the FBI to target the worst cybercriminal “booter” services plaguing the internet.

When the FBI announced the takedown of 13 cyberattack-for-hire services yesterday, it may have seemed like just another day in law enforcement’s cat-and-mouse game with a criminal industry that has long plagued the internet’s infrastructure, bombarding victims with relentless waves of junk internet traffic to knock them offline. In fact, it was the latest win for a discreet group of detectives that has quietly worked behind the scenes for nearly a decade with the goal of ending that plague for good.

Yesterday’s operation was just the most recent of three major cybercriminal takedowns in the past five years that all began inside an informal working group that calls itself Big Pipes. The team’s roughly 30 members, who communicate mostly through Slack and weekly video calls, include staffers from several of the internet’s biggest cloud service providers and online gaming companies—though members from those companies spoke to WIRED on the condition that their employers not be named—as well as security researchers, academics, and a small number of FBI agents and federal prosecutors.

Big Pipes’ detectives have for years methodically tracked, measured, and ranked the output of “booter” or “stresser” services that sell distributed denial-of-service (DDOS) attacks that allow their customers to barrage enemies’ servers with disruptive floods of data. They’ve hunted the operators of those services, with private-sector members of the group often digging up leads that they hand to the group’s law enforcement agents and prosecutors. Together, they worked to initiate a takedown operation in December 2018 that led to the arrest of three hackers and knocked a dozen booter services offline. Last December, their work laid the foundation for Operation Power Off, which led to six arrests and the takedown of no fewer than 49 DDOS-for-hire sites, the biggest bust of its kind.

Yesterday’s takedowns, just four months after Operation Power Off, suggest the operations resulting from the group’s work may be accelerating. And Big Pipes is still tracking and hunting the booters that remain online, warns Richard Clayton, who leads a security research team at Cambridge University and has served as one of the group’s longest-running members. “We’re hoping that some of the people who were not taken down in this round get the message that perhaps it’s time they retired,” says Clayton. “If you weren’t seized this time, you might conclude you’ve pushed up your chance of being investigated. You might not want to wait and see what happens.”

Big Pipes Start Fights

The idea for Big Pipes was sparked at the Slam Spam conference in Pittsburgh in 2014, when Allison Nixon, a security researcher then at Deloitte, met with Elliot Peterson, an FBI agent who’d recently worked on the takedown of the notorious Game Over Zeus botnet. Nixon suggested to Peterson that they collaborate to take on the growing problem of booter services: At the time—and still today—hackers were wreaking havoc by launching ever-growing DDOS attacks across the internet for nihilistic fun, petty revenge, and profit, increasingly selling their attacks as a service.

In some cases, attackers would use botnets of thousands of computers infected with malware. In others, they’d use “reflection” or “amplification” attacks, exploiting servers run by legitimate online services that could be tricked into sending large amounts of traffic to an IP address of the hackers’ choosing. In many instances, gamers would pay a fee to one of a growing number of booter services—often just around $20 for a subscription offering multiple attacks—to hit their rivals’ home connections. Those DDOS techniques frequently caused serious collateral damage for the internet service providers dealing with those indiscriminate floods of traffic. In some cases, DDOS attacks aimed at a single target could take down entire neighborhoods’ internet connections; disrupt emergency services; or, in one particularly gruesome case, break automated systems at a chicken farm, killing thousands of birds.

Big Pipes soon began to recruit staff from major internet services who had firsthand knowledge of booters based on their experiences as both victims and defenders in their attacks. (The group got its name from the phrase “big pipes start fights,” a joke about its members bragging about who among them had the biggest bandwidth on the internet.) Nixon and Clayton, for their part, contributed data from sensor networks they’d created—honeypots designed to join hackers’ botnets or act as their reflection servers and thus allow the researchers to see what attack commands the hackers were sending.

From Big Pipes’ inception, some members also went so far as to actively hunt for the identities of booter service operators, using clues from their forum posts and the websites where they advertised their attack services as starting points to try to unmask them. In one instance, a member of the group identified a booter operator by following a trail of online pseudonyms, phone numbers, and email addresses that led him from the hacker’s handle on the website HackForums—“itsfluffy”—to a web page that revealed his day job as a trainer for Pawfect Dog Training, along with his real name, Matthew Gatrel. “The operators of commodity DDOS services are not the most sophisticated actors out there,” says the Big Pipes member who followed those breadcrumbs, and who asked to remain unnamed. “They make mistakes.”

A Christmas Takedown Tradition

As Big Pipes’ data collection on booter service operators grew, so did the group’s partnership with the FBI. Eventually, that collaboration developed into an intermittent Christmas tradition of rounding up and disrupting as many of the internet’s worst booter services as possible. The timing of these operations, Big Pipes’ members emphasize, wasn’t intended for cruelty but as a response to the hackers’ own targeting of the holiday: For years, nihilistic hacker groups would wait until Christmas Day to launch disruptive DDOS attacks against online gaming services like the Playstation Network and Xbox Live, aiming to knock major gaming services offline on the busiest day of the year, just as kids were trying out their newly gifted games.

So in 2018, Big Pipes’ members worked with the FBI and the US Justice Department to stage their own pre-Christmas intervention, sifting through their data and giving leads to the group’s agents and prosecutors to take out the most active services in the growing booter industry. “We’re figuring out target selection: Which of these booter owners can be identified? Which of these booters are the highest harm in terms of the amount of DDOS traffic they’re pushing?” says Nixon, who today works at the security firm Unit221b. “So we figure out, OK, these are the highest-harm targets, these ones are low-hanging fruit. Who are we actually going to take down?”

In December of 2018, just five days before Christmas, the FBI announced a bust of 15 of the booters Big Pipes had suggested were the worst offenders. They included one called Quantum that the FBI says had launched 80,000 DDOS attacks and another, DownThem, accused of launching no fewer than 200,000. Three men operating those services in Pennsylvania, California, and Illinois—including the dog trainer Matthew Gatrel—were arrested and charged.

In the wake of that operation, Clayton’s Cambridge research team found that attacks from booter services fell by nearly a third for more than two months, and the services’ attacks with US victims were nearly cut in half for that time. So Big Pipes suggested they do it all again, only now going after every major booter service that remained online. “Let’s see what happens if we go after everything that matters,” says Peterson, the FBI agent. “How do they react?”

It would take four years for the FBI and Justice Department to work back up to a second major booter takedown, following long delays that included Gatrel’s trial—he was sentenced in 2021 to two years in prison—and the Covid-19 pandemic. But finally, last December the FBI pulled off an even bigger purge of the booter underworld. Along with UK and Dutch federal police, they arrested six booter operators and tore down 49 web domains for booter services—all based on a long list of targets assembled from Big Pipes’ data about the most prominent and high-volume cyberattack services.

In fact, Clayton says that the operation took offline 17 of the top 20 booter services, based on his Cambridge research team’s data. Among the larger list of targets of the operation, he found that half of the 49 services returned under new names, but they carried out only half as much attack traffic for the next several months, with the number of attacks only returning to their previous level in March. That sustained dip was due, Clayton guesses, to the deterrent effect of the operation on potential booter customers. “I’d been pushing this idea that we should take down every booter in the world,” Clayton says. “We got halfway there.”

Yesterday, the FBI and Justice Department announced the success of yet another mass booter takedown, this time seizing 13 web domains of booter services. In fact, the DOJ says that 10 of those domains were seizures of reincarnated, renamed booters that had also been seized in the previous sweep in December, an action meant to signal to booter operators that they can’t evade law enforcement by merely relaunching their service with a new name and domain. Meanwhile, prosecutors also announced yesterday that four of the six defendants charged in that previous operation have now pleaded guilty.

Honeypots, Google Ads, Knock-and-Talks

Despite their constant communication, the members of Big Pipes and the FBI are careful to note that the internet services with staff members in the group don’t share their users’ private information without going through the usual legal processes of subpoenas and search warrants. Nor does the FBI share private data with Big Pipes, or blindly arrest or search people based on the group’s leads, Peterson says; the FBI investigates the defendants from scratch, treating information from Big Pipes as it would tips from any source. The FBI’s 2018 case against Gatrel, for instance, began with a subpoena to Cloudflare—a DDOS mitigation service Gatrel was ironically using to protect his own booter website—and then search warrants for Gatrel’s Google accounts.

But Peterson says Big Pipes’ work has nonetheless significantly helped him understand who to target in the booter landscape and how to pursue them far more efficiently. “If you take Big Pipes away, could we have worked cases against booter services? Yes,” he says. “But it might have taken a few more years to get to a similar scale.”

The FBI and Big Pipes’ increasing tempo of disruption may well just push booter services deeper into the shadows, rather than eliminating them. But if booter operators stop advertising on the open internet and move to the dark web, for instance, Clayton argues that the move would make it more obvious to their customers that the services are illegal and risky, and thus reduce demand for them.

In fact, he and other members of Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.

A graphic created by the FBI and shown as part of a Google ad campaign to dissuade potential customers of booters who may not know the DDOS attack services are illegal.Courtesy of FBI

In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.

Big Pipes’ Allison Nixon says she hopes that softer tactics like those can intercept would-be booter service operators early, before they start committing felonies: She’s found that most booter operators start as customers before launching their own service. But for people who aren’t dissuaded by those interventions, she says, Big Pipes and its partners at the FBI will still be watching them.

“The hope is that this whole show of force will convince some of them to quit and get a real job,” Nixon says. “We want to send a message that there are people tracking you. There are people paying attention to you. We have our eyes on you, we might get you next. And it might not even be on Christmas.”