Police site DDoSer/bomb hoaxer caught after jeering on social media

A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media.

Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Both of the public-facing websites were each disabled for about a day, The Register reported.

According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured.

Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter. He used the handle Synic: a possible reference to SYN flood, which is a type of DoS attack in which servers are swamped with SYN – i.e., synchronize – messages.

Watts reportedly wrote this in one of his tweets:

@Cheshirepolice want to send me to prison for a bomb hoax I never did, here you f****** go, here is what I’m guilty of.

Watts reportedly posted that tweet while police were still investigating the first DDoS attack on the GMP site in 2018, and before he unleashed the March 2019 attack on the Cheshire Police site.

He reportedly admitted to carrying out the attack after police searched his home.

Watts said in court that botnets used to carry out DDoS attacks can be rented online for less than USD $100 (£82). DDoS-for-hire sites sell high-bandwidth internet attack services under the guise of “stress testing”. One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service… an attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.

The internet is riddled with these services. When the FBI cracked down on DDoS-for-hire sites in December 2018, it led to an 85% slash in attack sizes. That’s good, but it wasn’t cause to let down our guards: NexusGuard – provider of cloud-based DDoS defense – estimated that the 15 services kicked offline by the FBI represented only 11% of all attacks worldwide.

Within a month of Watts’s home being searched and his arrest, both on 26 March 2019, he pleaded guilty to two charges under the Computer Misuse Act.

On Monday, he was sentenced to 16 months in a young offenders’ institution, was given a five-year restraining order to stop him from deleting his browsing history, and had to hand over his computers for destruction. (One assumes the restraining order pertains to whatever computer(s) he buys to replace the demolished ones.) Watts was also handed a victim surcharge tax of £140 (USD $169).

This wasn’t his first conviction for DDoS: Watts was reportedly convicted of a Computer Misuse Act offense in 2016 after doing it to his college.

On his rap sheet, Watts also has a criminal conviction for attempted robbery and for the bomb hoax.