‘DerpTroll’ Faces 10 Years in Prison for DDoSing Gaming Sites as a Teen

He admitted to taking Steam, EA Origin and Sony Online Entertainment offline in 2013 and 2014, causing at least $95,000 in damages.

After a short but disruptive career knocking popular online gaming sites offline for sport, Austin Thompson, a.k.a. “DerpTroll,” has pleaded guilty to hacking charges. He faces a maximum penalty of 10 years prison and a $250,000 fine.

Thompson, a 23-year-old Utah resident, made his plea on Tuesday in federal court in San Diego, Calif. admitting that he had carried out a series of DDoS attacks on servers for Valve’s Steam platform, EA Origin and Sony Online Entertainment, between late December 2013 and early January 2014. According to the plea agreement, Thompson’s actions caused at least $95,000 in damages arising from hours of downtime.

Thompson showcased some of his exploits on Twitter via the @DerpTrolling handle, along with jokes about “escaping from the Feds through the window” and so on. At times, he would announce that an attack was imminent, and then sometimes later post screenshots of a crashed servers. The tweets indicate that there were likely other victims for Thompson, who was 17 or 18 at the time. For the most part however, the @DerpTrolling Twitter feed reads like a general log of various gaming servers’ state of availability, with credit taken only here and there.

The tweets also consistently used the plural “we” pronoun, with references to “our boys,” but the indictment did not mention accomplices.

Online gaming and DDoS attacks often go hand-in-hard; players have been known to knock services offline for what they perceive as unfair treatment or after a ban; sometimes rival teams or “clans” will target their opponents, knocking a specific game offline to prevent their progress. In February, an online gaming service itself was even found offering DDoS for hire via the IoT botnet known as JenX.

As researchers earlier in the year pointed out, the barrier to entry is very low for carrying out DDoS offensives, with entry-level hacker forums offering advertisements and reviews of various stresser and booter services available expressly for attacking gaming servers. These go for less than $100, making it possible for disgruntled or bored young people like Thompson to get into the act, even with little or no coding experience. For instance, a raft of teens last year around the world were charged with participating in the Lizard Squad DDoS attacks against Xbox Live and PlayStation Network during the 2014 holiday season. Their motive for the attack was simple: “Chaos is entertainment,” they told news outlets at the time.

Actions have big consequences — Steam alone has more than 125 million registered users and, according to Statista, Steam averages 18.5 million simultaneous users at peak times. That translates into big money for the gaming platform.

“Denial-of-service attacks cost businesses millions of dollars annually,” said U.S. Attorney Adam Braverman in announcing the plea. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”

Sentencing for Thompson is set for March 1.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.