British teenager pleaded guilty to bomb threats – was also behind plague of repeated DDoS attacks on popular Swiss email provider
A 19-year-old from Hertfordshire has been accused by Swiss encrypted email provider Protonmail of being behind persistent Distributed Denial of Service (DDoS) attacks that plagued the company over the summer.
Double-barrelled script kiddie George Duke-Cohan, 19, on Monday pleaded guilty at Luton Magistrates’ Court to three counts of making hoax bomb threats following an investigation by the UK’s National Crime Agency.
Protonmail DDoS Attacks: Bomb Threats Bust
As a member of the so-called “Apophis Squad”, Duke-Cohan pleaded guilty to the bomb threats that resulted in over 400 schools in the UK being evacuated in March 2018, for which he was initially arrested just days later.
Feds can't touch us. NCA can't touch us. KEK we the big bois running around the internet with our 1337 bootnet! Come catch us we are untouchable! Living on TOR nodes and Open DNS. Smoking that good stuff with our bois at radware.
— APOPHIS SQUAD (@apophissquadv2) July 18, 2018
Yet amid the higher profile charges, a secondary story has gone overlooked: Protonmail claimed Thursday that the teenager was a leading member of one of the five groups that have persistently launched DDoS attacks on its servers this year, as well as on the website of security researcher Brian Krebs.
(A DDoS attack uses many compromised computer systems to flood a target, such as a server or website, either to disrupt service or to serve as cover for more targeted intrusions into an organisation’s infrastructure.)
The teenager was a Protonmail user and even used the company’s virtual private network (VPN) to make the bomb threats.
In a blog post published Thursday, Protonmail said: “Our security team began to investigate Apophis Squad almost immediately after the first attacks were launched. In this endeavor, we were assisted by a number of cybersecurity professionals who are also ProtonMail users. It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online.”
The company, which has been a persistent target of DDoS attacks from a range of actors, added: “In addition to attacking ProtonMail, Duke-Cohan and his accomplices were engaged in attacking government agencies in a number of countries. Predictably, this triggered law enforcement agencies to make MLAT requests asking us to render assistance to the extent that is possible given ProtonMail’s encryption.”
“What we found, combined with intelligence provided by renowned cyber security journalist Brian Krebs, allowed us to conclusively identify Duke-Cohan as a member of Apophis Squad in the first week of August, and we promptly informed law enforcement. British police did not move to immediately arrest Duke-Cohan however, and we believe there were good reasons for that. Unfortunately, this meant that through much of August, ProtonMail remained under attack, but due to the efforts of Radware, ProtonMail users saw no impact.”
Brian Krebs added in a post: “Unsophisticated but otherwise time-wasting and annoying groups like Apophis Squad are a dime a dozen. But as I like to say, each time my site gets attacked by one of them two things usually happen not long after: Those responsible get arrested, and I get at least one decent story out of it. And if Protonmail is right, there are additional charges on the way.”
Protonmail DDoS Attacks Believed to Have Hit Record High
The Apophis Squad had been boasting on Twitter about the attacks throughout the summer, with Protonmail’s DDoS protection provider Radware describing it to Bleeping Computer as a “high volumetric, multi-vector attack” that included “several UDP reflection attacks, multiple TCP bursts, and SYN floods.”
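Two of the vectors Radware names, UDP reflection and SYN floods, leave distinctive traces in flow telemetry that a defender can spot before a scrubbing service is even engaged. The following is an added illustration, not code from the article, from ProtonMail or from Radware: a small heuristic classifier over constructed per-flow summaries. The `Flow` fields, the reflector port list and the thresholds are assumptions chosen for the example.

```python
"""Heuristic detector for SYN-flood and UDP-reflection traffic patterns.

Added example, not from the original article. Input is a list of constructed
per-flow summaries (the kind of record a NetFlow/IPFIX collector would emit);
field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as amplifiers. In a reflection attack the
# victim sees replies arriving FROM these source ports. (Assumed list.)
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str        # "TCP" or "UDP"
    src_port: int
    dst_port: int
    packets: int
    bytes: int
    syn_only: bool    # TCP flow that carried only SYN, no completed handshake


def classify(flows, min_sources=5, syn_ratio=0.9, min_avg_bytes=400):
    """Return {dst_ip: [verdicts]} for destinations showing attack patterns.

    syn_flood:      at least min_sources TCP flows to one destination, and a
                    share of syn_ratio or more never completed the handshake.
    udp_reflection: at least min_sources distinct reflector-port UDP sources
                    hitting one destination with large (amplified) packets.
    """
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst_ip].append(f)

    findings = {}
    for dst, fl in per_dst.items():
        verdicts = []

        tcp = [f for f in fl if f.proto == "TCP"]
        syn_only = [f for f in tcp if f.syn_only]
        if len(tcp) >= min_sources and len(syn_only) / len(tcp) >= syn_ratio:
            verdicts.append("syn_flood")

        udp = [f for f in fl if f.proto == "UDP" and f.src_port in REFLECTOR_PORTS]
        if udp:
            sources = {f.src_ip for f in udp}
            avg_bytes = sum(f.bytes for f in udp) / sum(f.packets for f in udp)
            if len(sources) >= min_sources and avg_bytes >= min_avg_bytes:
                verdicts.append("udp_reflection")

        if verdicts:
            findings[dst] = verdicts
    return findings


# Constructed sample telemetry (documentation-range addresses).
VICTIM = "203.0.113.10"
BENIGN = "203.0.113.20"
SAMPLE_FLOWS = (
    # Six half-open SYN-only connections from six sources to the victim.
    [Flow(f"198.51.100.{i}", VICTIM, "TCP", 40000 + i, 443, 3, 180, True)
     for i in range(1, 7)]
    # Six NTP-port UDP floods with ~480-byte packets: amplified replies.
    + [Flow(f"192.0.2.{i}", VICTIM, "UDP", 123, 50000 + i, 100, 48000, False)
       for i in range(1, 7)]
    # Ordinary traffic to another host: completed TCP sessions, small DNS replies.
    + [Flow("198.51.100.50", BENIGN, "TCP", 51000, 443, 40, 30000, False),
       Flow("198.51.100.51", BENIGN, "TCP", 51001, 443, 55, 41000, False),
       Flow("192.0.2.53", BENIGN, "UDP", 53, 52000, 10, 800, False)]
)


if __name__ == "__main__":
    for dst, verdicts in classify(SAMPLE_FLOWS).items():
        print(dst, "->", ", ".join(verdicts))
```

Run against the constructed sample, the victim address is flagged for both patterns while the benign host is not. The two signals are deliberately independent: a multi-vector attack of the kind described above would trip both, while a single-vector one trips only the relevant rule, and the thresholds are the knobs a SOC would tune against its own baseline traffic.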
DDoS attacks are increasingly common. The longest DDoS attack in Q2 overall lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days), according to analysis by Russia’s Kaspersky Lab; the target was an IP address belonging to China Telecom.