Student: Jailed For Global Reach Cyber Attacks

25 April 2017, 15:04 | Updated: 25 April 2017, 15:16

Hertfordshire Cyber Attacker

A student has been jailed for two years after admitting creating an internationally-used cybercrime tool from the comfort of his own bedroom.

Following a complex investigation by the Eastern Region Special Operations Unit (ERSOU) Regional Cyber Crime Unit, working with the National Crime Agency, officers tracked down Adam Mudd, 19, of Toms Lane, Kings Langley in Hertfordshire.

Mudd admitted three counts of computer misuse which involved creating and administrating the stressor tool, 'code named the titanium stressor' which was used by other cyber criminals internationally,  and a count of money laundering in relation to the financial gains he made as a result. Also during his interviews, he admitted security breaches against his own college while he was a pupil studying computer science.

Attacks were carried out affecting Cambridge University, Essex University and the University of East Anglia amongst many other sites around the world. 

The police operation into Mudd was internationally recognised, with investigators receiving the National Police Chiefs Council (NPCC) Blue Light Digital Award for its use of advanced digital forensics last month.

During the case the Central Criminal Court heard that Mudd had developed a stressor tools to flood the computing networks with data, creating a DDoS (Distributed Denial of Service) attack which prevented them from functioning and left the systems vulnerable to compromise.

The teenager sold the tool on the internet and ran his stressor as a business, gaining proceeds from its distribution to other cyber criminals and analysis of the tool showed that it had been used by others in more than 1.7million denial of service attacks against victims worldwide, with most countries in the world effected (heat map attached).

In total, Mudd had benefited to the tune of approximately $300,000 worth of ill-gotten gains, though the final amount will be confirmed in future confiscation hearings.

Police from the Regional Cyber Crime Unit, supported by the National Crime Agency, were alerted to Mudd's criminal activity and he was arrested at his home, where devices including his computer were seized for investigation.

Adam Mudd

Police: (Being online) "does not mean we cannot trace you"

Detective Chief Inspector Martin Peters of ERSOU's Regional Cyber Crime Unit said:

"My team has learnt a lot from this complex investigation, due to the nature of the criminality, the sheer volume of data and the global reach of the offending. It is important that this case sends out a clear message to others who may be tempted by committing cybercrime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online.

Criminality is now no longer solely on the streets and harm can be caused to individuals and globally, but that does not mean we cannot trace you and bring you to justice if you over step the line. We will work with law enforcement agencies, locally, regionally, nationally and globally to combat this criminality.

Adam Mudd's case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others. We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime.

We are working at local, regional and national level with partners to educate people about cyber-crime and personal safety online, as this is our best chance of preventing offences from being committed and beating cyber-crime. To support this further work is to take place regionally, coordinated centrally by the NCA, to work on identification and diversion of individuals from cyber crime."

Mudd pleaded guilty to three offences under the Computer Misuse Act and a further offence of money laundering under the Proceeds of Crime Act in October 2016. Today (Tuesday) at London's Old Bailey he was sentenced to 24 months imprisonment for his own DDoS attacks, nine months for running a titanium stressor service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently.