Cyber Incident Victim: Anonymous Protection

Date: Jan 2015

Location: United Kingdom

Summary

A cyberattack compromised the customer database of the group responsible for distributed denial-of-service attacks against major gaming networks, exposing credentials and transaction details of over 14,241 users. The breach revealed plaintext passwords and approximately $11,000 in Bitcoin payments for attacks orchestrated through the LizardStresser service, which had previously targeted the gaming platforms to promote its offerings. The leaked data, including customer information and payment records, provides actionable intelligence for rival threat actors and law enforcement agencies, effectively undermining the service's operations and credibility in underground markets.

Description

In January 2015, following distributed denial-of-service (DDoS) attacks that disrupted Sony PlayStation and Microsoft Xbox networks in December 2014, law enforcement arrested at least two individuals linked to the hacking group Lizard Squad. One arrest occurred in the UK on January 16, coinciding with reports that the group’s operational infrastructure had been compromised. Attackers breached Lizard Squad’s customer database for LizardStresser[dot]ru, a DDoS-for-hire service marketed as a network stress-testing tool. The breach exposed records for 14,241 customers, including registered usernames and plaintext passwords. Payment records revealed customers had transferred approximately $11,000 in Bitcoin to fund attacks against thousands of internet targets. Security researcher Brian Krebs confirmed the database leak, highlighting the absence of password encryption as a critical vulnerability. The December attacks on gaming networks were reportedly executed to promote LizardStresser’s capabilities to potential customers.

The exposure of customer data had immediate operational and legal consequences. Compromised credentials enabled rival threat actors or law enforcement agencies to identify individuals who paid for illegal DDoS campaigns. The plaintext passwords heightened risks of account hijacking across other platforms where users employed identical credentials. KrebsOnSecurity’s disclosure of the breach undermined Lizard Squad’s credibility, particularly within underground markets where the service had sought to establish itself. The leaked financial records provided evidence of transactions tied to specific attack targets, potentially aiding ongoing investigations. No remediation efforts by Lizard Squad were documented following the breach, and the incident effectively terminated the service’s promotional momentum generated by the high-profile gaming network attacks.
