Lizard Squad
from Wikipedia

Lizard Squad was a black hat hacking group, mainly known for claiming responsibility for a series of distributed denial-of-service (DDoS) attacks that disrupted video-gaming-related services.[1]

On September 3, 2014, Lizard Squad seemingly announced that it had disbanded[2] only to return later on, claiming responsibility for a variety of attacks on prominent websites. The organization at one point participated in the Darkode hacking forums and shared hosting with them.[3][4]

On April 30, 2016, Cloudflare published a blog post detailing how cyber criminals using this group's name were issuing random threats of carrying out DDoS attacks. Despite these threats, Cloudflare claimed, they failed to carry through with a single attack.[5][6] As a result of this, the British National Fraud Intelligence Bureau issued an alert warning businesses not to comply with ransom messages threatening DDoS attacks.[7][8]

Notable actions

Lizard Squad has claimed responsibility for launching a string of DDoS attacks against high-profile game-related services over the course of a few months in late 2014. On August 18, 2014, servers of the game League of Legends were taken offline with a DDoS attack; this was claimed as Lizard Squad's first attack.[9] Days later, on August 24, the PlayStation Network was disrupted via a DDoS attack.[10] On November 23, the group claimed they attacked Destiny servers with a DDoS attack.[11] On December 1, Xbox Live was apparently attacked by Lizard Squad: users attempting to connect to use the service would be given the 80151909 error code.[12] On December 2, Lizard Squad defaced Machinima.com, replacing their front page with ASCII art of their logo.[13] A week after, on December 8, Lizard Squad claimed responsibility for another PlayStation Network DDoS attack.[14][15] On December 22, though not game-related, Internet in North Korea was taken offline by a DDoS attack.[16] Lizard Squad claimed responsibility for the attack and linked to an IP address located in North Korea.[17] North Korean Internet services were restored on 23 December 2014.[18]

Christmas Xbox and PlayStation attacks

Lizard Squad had previously threatened to take down gaming services on Christmas.[19]

On December 25, 2014 (Christmas Day), Lizard Squad launched a massive DDoS attack against PlayStation Network and Xbox Live, disrupting gaming services for millions of users worldwide. PlayStation Network, which had approximately 110 million subscribers at the time, and Xbox Live, with roughly 48 million subscribers, were rendered inaccessible during peak holiday gaming hours. Xbox Live was restored within 24 hours, but PlayStation Network struggled with extended outages that prevented both existing subscribers and new console owners from accessing online features or downloading games.[20] Gizmodo reported that the attacks may have ceased after Kim Dotcom offered Lizard Squad 3000 accounts on his upload service MEGA.[21]

The attack gained widespread media attention when Lizard Squad members gave interviews to various news outlets, including BBC Radio 5 Live and Sky News. Julius Kivimäki, using the alias "Ryan," appeared on Sky News and showed no remorse for the impact on users, claiming the attack was meant to embarrass major technology corporations and force people to spend time with their families instead of gaming.[20]

Tor Sybil attack

On December 26, 2014, a Sybil attack involving more than 3,000 relays was attempted against the Tor network.[22] Nodes with names beginning with "LizardNSA" began appearing, and Lizard Squad claimed responsibility for this attack.[23]

The relevance of the attack was questioned. According to Tor relay node operator Thomas White, the consensus system meant that Lizard Squad only managed to control "0.2743% of the network, equivalent to a tiny VPS".[24]
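
Why relay count and network share diverge, as an added example (not from the article or the Tor Project): the sketch groups relays in a consensus-style listing by nickname stem and compares each cluster's share of relays with its share of consensus weight, the value Tor's bandwidth-weighted path selection relies on. The sample listing, its weights and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a Tor network-status consensus:
# an "r" line opens a relay entry (nickname is the second field),
# "s" lists its flags and "w" carries its weight as Bandwidth=<n>.
# Identities, digests, addresses and weights are made up.
SAMPLE_CONSENSUS = "\n".join(
    [
        "r StableGuard1 idA dgA 2014-12-26 10:00:00 192.0.2.1 9001 0",
        "s Fast Guard Running Stable Valid",
        "w Bandwidth=40000",
        "r StableExit1 idB dgB 2014-12-26 10:00:00 192.0.2.2 9001 0",
        "s Exit Fast Running Stable Valid",
        "w Bandwidth=35000",
        "r MiddleRelay idC dgC 2014-12-26 10:00:00 192.0.2.3 443 0",
        "s Fast Running Valid",
        "w Bandwidth=24780",
    ]
    + [
        line
        for i in range(1, 12)  # eleven freshly added look-alike relays
        for line in (
            f"r LizardNSA{i} id{i} dg{i} 2014-12-26 11:00:00 198.51.100.{i} 9001 0",
            "s Running Valid",
            "w Bandwidth=20",
        )
    ]
)


def parse_consensus(text):
    """Return one dict per relay: nickname, flags, consensus weight."""
    relays, current = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = {"nickname": parts[1], "flags": [], "weight": 0}
            relays.append(current)
        elif current is None:
            continue  # header lines before the first relay entry
        elif parts[0] == "s":
            current["flags"] = parts[1:]
        elif parts[0] == "w":
            match = re.search(r"Bandwidth=(\d+)", line)
            if match:
                current["weight"] = int(match.group(1))
    return relays


def name_stem(nickname):
    """Strip trailing digits so LizardNSA1, LizardNSA2, ... share a stem."""
    return nickname.rstrip("0123456789") or nickname


def cluster_report(relays, min_cluster=5):
    """List nickname clusters with their relay share and weight share."""
    total_weight = sum(r["weight"] for r in relays)
    groups = defaultdict(list)
    for relay in relays:
        groups[name_stem(relay["nickname"])].append(relay)

    report = []
    for stem, members in groups.items():
        if len(members) < min_cluster:
            continue  # too few similarly named relays to be interesting
        weight = sum(m["weight"] for m in members)
        report.append(
            {
                "stem": stem,
                "relays": len(members),
                "relay_share": len(members) / len(relays),
                "weight_share": weight / total_weight if total_weight else 0.0,
            }
        )
    return sorted(report, key=lambda g: g["relays"], reverse=True)


if __name__ == "__main__":
    for group in cluster_report(parse_consensus(SAMPLE_CONSENSUS)):
        print(
            f"{group['stem']}: {group['relays']} relays, "
            f"{group['relay_share']:.1%} of relays, "
            f"{group['weight_share']:.2%} of consensus weight"
        )
```

In the constructed listing the look-alike cluster makes up most of the relay entries yet holds a fraction of a percent of the weight, which is the gap between the relay count and the network share quoted above.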

Malaysia Airlines website attack

On January 26, 2015, the website of Malaysia Airlines was attacked, apparently by Lizard Squad, calling itself a "cyber caliphate". Users were redirected to another page bearing an image of a tuxedo-wearing lizard, and reading "Hacked by Cyber Caliphate". Underneath this was text reading "follow the cyber caliphate on twitter" after which were the Twitter accounts of the owner of UMG, "@UMGRobert" and CEO of UMG, "@UMG_Chris". The page also carried the headline "404 - Plane Not Found", an apparent reference to the airline's loss of flight MH370 the previous year. Malaysia Airlines assured customers and clients that customer data had not been compromised.[25]

Media reports around the world said versions of the takeover in some regions included the wording "ISIS will prevail", which raised concerns of Lizard Squad's association with the Islamic State.[25]

Daybreak Games DDoS

On July 9, 2015, game servers operated by Daybreak Game Company, including those of H1Z1 and PlanetSide 2, were disrupted by a DDoS attack for which Lizard Squad claimed responsibility.[26][27] The attack was performed in retaliation for legal threats John Smedley, the company's CEO, had made after being targeted by the hacking group.[28]

False claims

Bomb threats

On August 24, 2014, Lizard Squad claimed that a plane on which the president of Sony Online Entertainment, John Smedley, was flying (American Airlines Flight 362), had explosives on board.[29][30] The flight from Dallas to San Diego made an unscheduled landing in Phoenix, Arizona. Sony Online Entertainment announced that the FBI was investigating the incident.[30]

Facebook, Instagram, and Tinder attack

On January 26, 2015, several social media services including Facebook and Instagram were unavailable to users. Tinder and HipChat were also affected. Lizard Squad claimed responsibility for the attacks, via a posting on a Twitter account previously used by the group.[31] The outage, originally speculated to be a distributed denial-of-service attack, lasted a little under an hour before services were restored.[32][33]

Facebook later released a statement saying its own engineers were to blame, and that the disruption to its services was not the result of a third-party attack, but instead occurred after they introduced a change that affected their configuration systems.[34]

Explicit celebrity photos

On January 27, 2015, Lizard Squad claimed to have compromised Taylor Swift's Twitter and Instagram accounts. Once they claimed to have access, they threatened to release nude photos in exchange for bitcoins. Taylor Swift, however, retorted that "there were no naked pics" and told the offenders to "have fun" finding any.[35]

Conspiracy theory

On January 4, 2021, American lawyer and conspiracy theorist L. Lin Wood tweeted out baseless claims that a group of hackers named "the lizard squad" have evidence of a global sex ring involving several high-profile Americans, similar to the discredited conspiracy theory QAnon.[36] There seems to be no relation between the "lizard squad" mentioned by Wood and the black-hat hacking group Lizard Squad, and Vinnie Omari, a member of the Lizard Squad, denies any claim that his group may have information on a global sex-trafficking organization.[37]

Known members

Vinnie Omari

Vinnie Omari is a member of the Lizard Squad who was arrested and bailed under the alleged offences of "Enter into/concerned in acquisition/retention/use or control criminal property, Fraud by false representation - Fraud Act 2006, Conspire to steal from another, unauthorized computer access with intent to commit other offences". He was used as a public face on television and as a spokesperson for the news to represent LizardSquad.[38][39]

On New Year's Eve 2014, Vinnie Omari was raided by UK authorities in connection to the Christmas Xbox and PlayStation attacks, but was later cleared of any involvement.[20]

Julius Kivimäki

Julius Kivimäki (zeekill) is a Finnish member of Lizard Squad convicted in July 2015 on over 50,000 counts of computer crime.[40] In 2022, he was also suspected of the Vastaamo data breach, after having hacked around 50,000 psychotherapy patients' medical records and demanded ransoms for not publishing them.[41]

Zachary Buchta

19-year-old Zachary Buchta from Maryland has been charged with computer crimes associated with a series of distributed denial-of-service (DDoS) attacks, stolen credit cards and selling DDoS-for-hire services. He was one of the members behind LizardSquad and also the co-group "PoodleCorp", which launched distributed denial-of-service (DDoS) attacks against multiple networks, YouTubers and gaming services. Buchta was hiding behind the Twitter aliases @fbiarelosers and @xotehpoodle, and the online aliases "pein" and "lizard".[42][43][44][45]

He was arrested in 2016 for his involvement with both Lizard Squad and another hacking group called PoodleCorp. Despite being warned by police in 2014 about his minor cybercrime activities, Buchta continued his illegal activities and even taunted law enforcement by changing his Twitter profile to @fbiarelosers.[20]

Bradley Jan Willem van Rooy

19-year-old Bradley Jan Willem van Rooy (UchihaLS) from the Netherlands has been charged with computer crimes associated with a series of distributed denial-of-service (DDoS) attacks, stolen credit cards and selling DDoS-for-hire services. He was one of the members behind LizardSquad who was mainly responsible for launching the DDoS attacks announced by the group. He was also one of the two managers behind the Twitter account @LizardLands, which has been the main Twitter account of LizardSquad since January 2015. He was normally hiding behind his Twitter alias @UchihaLS (which stands for Uchiha LizardSquad) and the online aliases "UchihaLS", "Uchiha" and "Dragon".[42][43][44][45]

Jordan Lee-Bevan

18-year-old Jordan Lee-Bevan from Southport, Merseyside, was arrested on January 16, 2015, in connection with the Lizard Squad Christmas 2014 attacks on PlayStation Network and Xbox Live. Police raided his semi-detached home and seized computers before taking him away in a police car.[20]

from Grokipedia
Lizard Squad was an informal collective of adolescent hackers active primarily in 2014–2016, specializing in distributed denial-of-service (DDoS) attacks launched via self-operated "booter" services that rented computational power to overwhelm target networks. The group claimed responsibility for disrupting major online gaming platforms, including simultaneous outages of Microsoft's Xbox Live and Sony's on December 25, 2014, which prevented millions of users from accessing services during peak holiday demand. Beyond gaming targets, Lizard Squad conducted attacks on entities such as ' website via and collaborated on "swatting" incidents involving false emergency reports to provoke armed police responses. Key members included Finnish national Aleksanteri Kivimäki (also known as Julius Kivimäki or "zeekill"), convicted in 2015 on over 50,000 counts of unauthorized access and data interference related to Lizard Squad operations, receiving a suspended juvenile sentence; Canadian teenager Morgan Pope, who pleaded guilty in 2015 to 23 charges encompassing swatting, extortion, and DDoS facilitation; and Americans Zachary Buchta and Austin Alcala, charged in 2016 for running Lizard Stresser and affiliated sites, with Buchta later sentenced to three months' imprisonment in 2018 after admitting to conspiracy in DDoS-for-hire schemes. These prosecutions, stemming from international investigations by U.S., Finnish, and other authorities, highlighted the group's reliance on rented server networks and public boasts on platforms like Twitter, which aided law enforcement tracing. The collective's activities exemplified early of DDoS tools, enabling low-barrier cyber disruptions for profit or notoriety, though member convictions underscored vulnerabilities in operational among self-taught perpetrators lacking sophisticated . 
No links the group to state-sponsored motives or advanced persistent threats; instead, attacks aligned with opportunistic, youth-driven disruption patterns observed in contemporaneous scenes. Post-arrests, Lizard Squad fragmented, with some ex-members pivoting to unrelated cybercrimes, reflecting the transient nature of such groups.

Origins and Early Activities

Formation and Initial Claims

Lizard Squad emerged in as a loose collective of black hat hackers focused primarily on distributed denial-of-service (DDoS) attacks against online gaming services. The group gained initial visibility through its account @LizardSquad, which began posting claims of disruptions around August 2014. No precise formation date has been publicly documented, but their activities suggest assembly from individuals experienced in operations and stresser tools, drawing from broader underground hacking communities.

The group's earliest documented claims involved DDoS attacks on major gaming platforms, including Sony's PlayStation Network (PSN), Blizzard's , and Riot Games' servers. On August 24, 2014, Lizard Squad tweeted responsibility for outages on PSN, warning of further actions and threatening Xbox Live as a potential next target. These claims aligned with reported service interruptions, though attribution relied heavily on the group's self-proclaimed boasts via rather than independent forensic confirmation at the time.

Concurrently, Lizard Squad escalated publicity with a bomb threat on August 24, 2014, targeting Flight 395 carrying John Smedley, president of Sony Online Entertainment. The tweet prompted the plane's emergency diversion and landing in , leading to FBI involvement. This incident, while not a cyber disruption, underscored the group's tactic of combining technical attacks with social engineering for maximum attention, though it was later classified as a false threat with no explosives found.

Emergence in Hacking Scene

Lizard Squad emerged publicly in the hacking scene during 2014, when the group began claiming responsibility for distributed denial-of-service (DDoS) attacks against prominent online gaming platforms. Initial targets included Online Entertainment's network, Blizzard Entertainment's , Riot Games' servers, and Twitch. These disruptions, executed using rented botnets and stresser tools to flood servers with traffic, marked the group's shift from obscurity to notoriety, as they leveraged (@LizardSquad) to broadcast claims and mock affected companies. A pivotal early incident occurred on August 24, 2014, when Lizard Squad tweeted a targeting Flight 3950, carrying Sony Online Entertainment president John Smedley from to . The , posted from the group's account, prompted the flight's emergency landing in Phoenix and an FBI investigation into the perpetrators. This escalation from digital sabotage to public safety hoaxes amplified the group's profile, drawing media attention and distinguishing them from routine DDoS actors. The FBI classified the act as a credible at the time, though it was later confirmed as a fabrication intended to provoke. While some reports indicate Lizard Squad formed as early as mid-2013, their pre-2014 activities involved lower-profile operations lacking widespread documentation or verification. Within the broader hacking community, the group was frequently derided by more technically adept actors as "script kiddies" or "skiddies," reliant on off-the-shelf DDoS-for-hire services rather than custom exploits or zero-day vulnerabilities. This perception stemmed from their emphasis on volume-based attacks over sophisticated intrusion techniques, yet their bold claims and media savvy secured a foothold in underground forums and social channels.

Operational Methods

DDoS Techniques and Infrastructure

Lizard Squad employed volumetric distributed denial-of-service (DDoS) attacks, primarily through stresser and booter services that flooded targets with excessive traffic to overwhelm network resources. These attacks utilized flooding mechanisms such as UDP floods, TCP floods, HTTP floods, and junk floods, which generate high-volume packets to exhaust bandwidth and server capacity. Amplification techniques, including DNS and NTP reflection, were supported by the tools they accessed, enabling smaller inputs to produce disproportionately large response traffic via IP spoofing and mapping. The group's infrastructure centered on botnets assembled from compromised Internet-connected devices, particularly small office/home office () routers running with unchanged default credentials like "admin/admin" or "root/12345." variants, documented as early as early 2014, propagated via scans to infect vulnerable routers, including those at universities and businesses, forming a distributed network for sustained attacks capable of peaks exceeding 200 Gbps. Hosting for control panels occurred on bulletproof networks, such as those in Bosnia, providing resilience against takedowns. Additional resources included rented services like vDos and Shenron, which offered scalable attack durations from seconds to hours and guaranteed bandwidth for VIP users. These methods relied on the proliferation of insecure IoT and router devices, allowing low-cost assembly of botnets without sophisticated custom , though the resulting attacks disrupted major targets by saturating ingress pipes rather than exploiting application vulnerabilities.

LizardStresser Service

LizardStresser was a DDoS-for-hire service launched by the Lizard Squad on December 31, 2014, immediately following the group's high-profile disruptions of Xbox Live and over Christmas. The service, hosted at lizardstresser.su, enabled subscribers to initiate DDoS attacks against targeted websites or online services, marketed ostensibly as a network stress-testing tool but primarily facilitating malicious disruptions. Access required payment via subscription models starting at $6 per month, with options for short-term attacks costing as low as $3 to temporarily overwhelm a site's . The service's infrastructure reportedly relied on a comprising thousands of compromised home routers and potentially hijacked webcams, amplifying attack potency through distributed floods that mimicked legitimate user surges to evade basic defenses. Lizard Squad promoted LizardStresser via and underground forums, positioning the earlier gaming network outages as demonstrations of its effectiveness to attract customers seeking retaliatory or competitive takedowns in online gaming communities. User registrations included storage of usernames and hashed passwords, reflecting rudimentary practices that exposed the platform to rapid compromise. On January 19, 2015, LizardStresser itself suffered a breach when an intruder, reportedly from the forum Doxbin and identified as "nachash," accessed and leaked the site's database containing details of over 100 registered users, including their payment information and attack histories. The leak, publicized by security researcher , revealed the service's customer base and prompted backlash within hacking circles, contributing to its swift operational shutdown by late January 2015. This incident underscored the precarious nature of such illicit platforms, where internal rivalries and poor opsec amplified vulnerabilities beyond external law enforcement pressures.

Verified Disruptions

Christmas 2014 Attacks on Xbox Live and PlayStation Network

On December 25, 2014, the Lizard Squad launched distributed denial-of-service (DDoS) attacks targeting Microsoft's Xbox Live and Sony's PlayStation Network (PSN), causing extensive outages that prevented millions of users from accessing online gaming features during the Christmas holiday. The group had issued threats earlier in December via , warning of disruptions to both platforms on or Day to maximize impact on peak user activity. The assaults overwhelmed the networks with traffic floods, rendering login, multiplayer, and other services unavailable; Xbox Live reported partial functionality by late afternoon but with persistent issues, while PSN remained largely offline through December 26.

Lizard Squad publicly claimed credit through real-time updates, including posts at 6:13 p.m. on December 26 stating "ALL ATTACKS ON PSN AND XBOX HAVE STOPPED," coinciding with observed service recovery. The timing aligned precisely with the group's prior announcements, confirming their role via matching outage patterns reported by affected users and platform status pages. Microsoft and Sony both attributed the incidents to DDoS attempts in official statements, with Microsoft noting efforts to reroute traffic and bolster defenses, and Sony confirming investigations into the external assault. Services began stabilizing by December 27, though full recovery varied by region and feature.

The attacks, which potentially impacted over 100 million active users across both ecosystems, were later linked by investigators to Lizard Squad's promotion of their paid LizardStresser DDoS tool, using the high-profile disruption as a demonstration of capability. The cessation of attacks followed an intervention by Mega founder , who publicly offered Lizard Squad members free premium vouchers for his on , after which the group announced the halt—suggesting a transactional motive over ideological disruption.
This event marked one of the most notable synchronized takedowns of major gaming networks, verified through contemporaneous platform acknowledgments, user reports, and the group's own documented boasts.

Attacks on Tor Network, Malaysia Airlines, and Daybreak Games

In December 2014, Lizard Squad claimed responsibility for launching distributed denial-of-service (DDoS) attacks against Tor network relays as part of their broader campaign targeting online services during the Christmas period. The group asserted that the assaults rendered parts of the Tor infrastructure unavailable, aligning with their simultaneous disruptions to gaming networks. However, the Tor Project reported that the attacks had only minimal impact on overall network availability, attributing this to Tor's decentralized design and resilience against such volumetric attacks. On January 26, 2015, Lizard Squad, operating under the banner "Lizard Squad - Official ," compromised the website, replacing its homepage with an image of a lizard in a and the message "404 - plane not found," a reference to the airline's earlier tragedies involving missing flights MH370 and MH17. The defacement also included claims of accessing internal email accounts and threats to release passenger data, though no such dump materialized. The site remained offline for at least seven hours, prompting to investigate and restore services while denying any breach of passenger databases. In February 2015, Lizard Squad resumed operations by conducting DDoS attacks on Daybreak Games (formerly Online Entertainment), disrupting access to titles such as and . These strikes, which coincided with assaults on Xbox Live, overwhelmed the company's servers, leading to extended outages and player downtime reported across forums and official channels. Daybreak confirmed the DDoS nature of the interference and implemented mitigation measures, though the group boasted of the attacks' success via .

Unverified Claims and Fabrications

Bomb Threats and Public Safety Hoaxes

In August 2014, the Lizard Squad issued a hoax bomb threat via against Flight 362 en route from Dallas-Fort Worth to , claiming the aircraft carried explosives. The targeted flight carried John Smedley, president of Sony Online Entertainment, amid concurrent DDoS attacks on the . The threat prompted the plane's diversion to Phoenix, where passengers were evacuated and the aircraft searched by authorities; no explosives were discovered, confirming the claim as a fabrication intended to amplify disruption. This incident endangered passengers and diverted resources, exemplifying the group's tactic of leveraging false alarms for publicity and intimidation. Beyond aviation threats, Lizard Squad members engaged in swatting, a form of public safety hoax involving fabricated emergency reports to provoke armed police responses. In 2015, a 17-year-old Canadian identifying as a Lizard Squad affiliate pleaded guilty to 23 counts of such offenses, primarily targeting female players of the online game . These hoax calls falsely alleged shootings, stabbings, or bombs at victims' residences, resulting in team raids that risked lives through unnecessary confrontations. The spree, which included an eight-hour live-streamed swatting incident, highlighted the group's use of deception to harass rivals in gaming communities, with no genuine threats materializing. Such actions strained emergency services and underscored the hoax nature of their public safety manipulations, distinct from verifiable cyber disruptions.

False Attributions to Major Platforms and Celebrities

Lizard Squad asserted responsibility for a global outage on and on January 27, 2015, tweeting "HELLO" alongside images suggesting control over the platforms' infrastructure. The disruption prevented users from accessing the services for about an hour, sparking widespread media coverage and user panic. spokesperson Frederic Wolens refuted the claim, confirming the issue stemmed from an internal configuration change rather than any external . This incident exemplified Lizard Squad's pattern of claiming unverified disruptions to major platforms, which rely heavily on endorsements and from high-profile figures. No direct, substantiated claims by Lizard Squad targeting individual celebrities' personal accounts or services were confirmed, though their boasts often leveraged the platforms' cultural significance to celebrities for notoriety. Investigations into group activities, including U.S. Department of charges against members, focused primarily on DDoS operations rather than targeted intrusions against celebrity assets.

Membership and Identifications

Key Identified Individuals

Julius Kivimäki, a Finnish national born in 1996, was identified as a prominent Lizard Squad member operating under the pseudonym "." In 2015, a Finnish court convicted him on 50,700 counts of unauthorized access to computer systems, stemming from his role in compromising thousands of user accounts on the Finnish site Suomi24 between 2013 and 2014, actions linked to Lizard Squad's broader operations. Despite the volume of charges, Kivimäki received no prison time due to his age at the time (under 18), instead facing a fine and community service; the court noted the offenses' preparatory nature for more severe crimes but emphasized his youth as mitigating. Zachary Buchta, an American from , known online as "@ObscureAnachronism" and "@FBIaReLosers," was charged in connection with Lizard Squad's DDoS-for-hire services and related activities, including operating the Lizard Stresser platform. Arrested in 2016 as part of an international probe, Buchta cooperated with authorities, providing information that aided in identifying other members, which reduced his potential 10-year sentence to three years of probation in March 2018; he was also ordered to pay nearly $350,000 in restitution for damages caused by attacks on victims like gaming networks. His involvement extended to incidents and hoaxes tied to the group, though cooperation mitigated harsher penalties. Austin M. Alcala, a 19-year-old from , was arrested on October 5, 2016, alongside a Dutch minor, for conspiring to operate unauthorized stresser services under Lizard Squad and affiliated PoodleCorp, including LizardStresser and PoodleStresser, which facilitated DDoS attacks worldwide. The U.S. Department of Justice charged Alcala with and abuse, alleging the platforms generated revenue through subscriptions for attack tools used against targets like financial institutions and gaming services; servers hosting these sites were seized during the operation. 
Alcala's case highlighted Lizard Squad's commercialization of cyber disruptions, with charges carrying potential sentences of up to 10 years. A Canadian juvenile, whose identity was protected due to age, pleaded guilty in May 2015 to 23 counts of related to incidents—false emergency calls prompting armed police responses—explicitly identifying himself as a Lizard Squad member in online communications. These actions targeted individuals in and the U.S., causing significant diversion; the avoided a full , with sentencing details limited by protections for minors.

Internal Dynamics and Pseudonyms

Lizard Squad functioned as a loose, informal of primarily teenage and young adult hackers, driven more by the pursuit of online fame and disruption than by structured organization or profit motives. Members coordinated via anonymous online forums such as Hackforums and real-time social media platforms like , where they boasted about attacks to amass followers rapidly—gaining over 50,000 in 24 to 48 hours during peak activity in late 2014. This ad hoc structure allowed quick mobilization for distributed denial-of-service (DDoS) operations but lacked formal leadership or defined roles, resembling a "stunt hacking" group akin to earlier collectives like , with emphasis on publicity over technical sophistication. Pseudonyms were central to members' and online personas, often shared across hacking communities. Prominent aliases included "Ryan" (linked to Finnish hacker Julius Kivimäki, also known as "Zee," "Zeekill," or "Ry|an"), "Vinnie" (used by UK-based Vinnie Omari on Hackforums), "," "sp3c" (associated with forum administration and core operations), "Komodo," and "" (implicated in specific intrusions like router hacks). Other reported handles, such as "Criminal," "Jordie," "Pain," and "Plague," surfaced in media attributions of group communications. These aliases facilitated collaboration on tools like LizardStresser, a DDoS-for-hire service launched in December 2014, but also exposed rifts when rivals or defectors—using handles like "KMS" or "Starfall"—leaked databases or disrupted operations. Internal tensions manifested in opportunistic behaviors, such as accepting approximately $300,000 in vouchers from founder on December 25, 2014, to halt attacks on Xbox Live and , revealing pragmatic deal-making over ideological commitment. 
The group's dynamics were further strained by external pressures, including hacks on their own infrastructure—exposing LizardStresser customer data in January 2015—and law enforcement scrutiny, which fragmented cohesion without evident infighting among core members until arrests began in 2015. Overall, Lizard Squad's operations reflected the transient nature of underground hacking crews, where pseudonym fluidity and social media bravado prioritized short-term spectacle over long-term stability.

Investigations and Arrests

Following the distributed denial-of-service (DDoS) attacks attributed to Lizard Squad in December 2014, the Federal Bureau of Investigation (FBI) initiated probes into the group's operations, focusing on their use of booter services to facilitate attacks on gaming networks and other targets. These efforts involved international cooperation with agencies such as the Dutch Prosecutor's Office, targeting the infrastructure behind Lizard Squad's stresser tools that enabled paying customers to launch DDoS floods.

In July 2015, Finnish courts convicted 19-year-old Julius Kivimäki, known online as "zeekill" and linked to Lizard Squad's early activities, on more than 50,000 counts of aggravated data and traffic espionage, as well as juvenile offenses related to DDoS attacks conducted via the group's tools against various websites. Kivimäki received a of one year and six months, reflecting his role in high-profile disruptions tied to the group's formation. That August, British police arrested six teenagers aged 17 to 19 in southwest on suspicion of using Lizard Squad's Lizard Stresser service to target websites and online services with DDoS attacks, as part of a broader crackdown on users of the group's for-hire tools; the suspects were released on pending further .

The most significant arrests of core members occurred in September 2016, when 19-year-old American Buchta of Fallston, (online as "@fbiarelosers" and "pein"), was detained by U.S. authorities, and 19-year-old Dutch national Bradley Jan Willem van Rooy (online as "@UchihaLS") was taken into custody in the . Both faced federal charges in for conspiring to damage protected computers by operating Lizard Stresser and Stresser platforms—affiliated with Lizard Squad and PoodleCorp—which powered thousands of DDoS incidents, including against gaming and media entities. The investigation uncovered their trafficking of approximately 3,470 stolen records and operation of ancillary services like phonebomber.net for campaigns. A U.S. federal court in authorized the seizure of four domains, including lizardsquad.org and stresser.poodlecorp.org, disrupting the services' online presence. Buchta's cooperation with the FBI following his arrest provided leading to additional detentions within Lizard Squad's network, highlighting internal fractures exploited by law enforcement.

Prosecutions and Sentences

In October 2016, the U.S. Department of Justice charged Zachary Buchta, a 19-year-old from , and Bradley Jan Willem Van Rooy, a 19-year-old from the , with conspiracy to cause damage to protected computers and unauthorized access to computers, stemming from their operation of DDoS-for-hire services under Lizard Squad and the related group PoodleCorp. The charges alleged that the pair maintained websites like lizardsquad.org and stresser.poodlecorp.org, which facilitated thousands of DDoS attacks worldwide for fees as low as $10 per attack.

Buchta, identified as a founder of Lizard Squad, pleaded guilty in December 2017 after cooperating with the FBI, providing that aided in identifying and arresting other members. On March 27, 2018, Buchta was sentenced in the U.S. District Court for the Northern District of to three months in , followed by three years of supervised release, and ordered to pay $349,998 in restitution to victims of the attacks. The reduced sentence reflected his substantial assistance to authorities, including testimony against associates, despite facing up to 10 years initially. Van Rooy faced prosecution in the rather than , but no public details on his sentencing outcome have been disclosed in available records.

Separately, in July 2015, Finnish authorities convicted Julius Kivimäki, a 17-year-old member of Lizard Squad known online as "zeekill" or "jks," of 50,700 counts of aggravated computer break-ins related to DDoS attacks, including those targeting gaming networks. As a juvenile offender, Kivimäki received a with and , avoiding incarceration despite the scale of the offenses.

Other investigations yielded arrests of individuals using Lizard Squad's "Lizard Stresser" tool, such as six teenagers in the UK in August 2015, who were released on pending further proceedings, though these were not core group members. No additional prosecutions of identified Lizard Squad leaders have resulted in public sentences beyond these cases.

Impact and Dissolution

Broader Effects on Cybersecurity

Lizard Squad's distributed denial-of-service (DDoS) attacks on the PlayStation Network (PSN) and Xbox Live, peaking on December 25, 2014, disrupted online services for hours, affecting over 110 million PSN users and 48 million Xbox Live accounts, and exposed the fragility of high-traffic gaming infrastructures to coordinated volumetric assaults. These incidents, executed via rented booter services amplified by botnets, inflicted estimated multimillion-dollar losses in compensation—such as five-day subscription extensions and discounts from and —and compelled platforms to procure enterprise-grade DDoS scrubbing services for real-time traffic filtering.

By commercializing DDoS capabilities through tools like LizardStresser, which leveraged thousands of compromised consumer routers to generate attack traffic, the group lowered for aspiring attackers, enabling a proliferation of similar services that fueled thousands of incidents in gaming and beyond from onward. Honeypot research deployed in early captured over 1.5 million probe attempts, with more than 96% originating from centralized booter sources rather than organic botnets, quantifying how such platforms amplified threat volumes and shifted attack methodologies toward reflection-based amplification.

These events catalyzed enforcement actions, including U.S. indictments in October 2016 against Lizard Squad affiliates for operating resold booter like PoodleStresser, and prompted underground forums such as HackForums to restrict advertisements for attack services by late 2016. Industry-wide, the attacks underscored IoT device vulnerabilities in formation, driving investments in upstream filtering by ISPs and heightened scrutiny of reflection protocols, while informing later multinational takedowns of over two dozen booters ahead of seasonal threats.

Legacy in Hacker Culture

Lizard Squad's activities were largely derided within hacker communities as emblematic of "" behavior, characterized by the use of readily available DDoS tools and botnets sourced from compromised home routers rather than developing novel exploits or demonstrating deep technical prowess. Cybersecurity experts and forum discussions emphasized that the group's disruptions, such as the December 25, 2014, attacks on Xbox Live and the PlayStation Network, relied on rented or controlled stresser services rather than bespoke or zero-day vulnerabilities, positioning them as opportunistic disruptors rather than elite blackhat operatives.

The group's commercialization of DDoS capabilities through LizardStresser, a for-hire service launched in late that powered attacks via thousands of hijacked consumer devices, significantly lowered for low-skill actors in underground hacking scenes. This model amplified the proliferation of booter services, enabling "stunt hacking" for publicity or and shifting focus from intricate intrusions to volume-based denial-of-service tactics, a trend that persisted in subsequent groups mimicking their operational style.

In broader hacker lore, the group's bombastic Twitter announcements and self-proclaimed title as "King of DDoS attacks" fostered a of performative malice, inspiring copycat holiday-season disruptions and highlighting the appeal of viral notoriety over stealth or . Their 2014 exploits, which affected millions of users during peak gaming periods, underscored vulnerabilities in consumer-facing while serving as a cautionary for the risks of adolescent bravado in digital sabotage, often cited in discussions of evolving threat actors from lone wolves to loosely affiliated crews.
