Lizard Squad Fails Hard

Lizard Squad (currently: @LizardMafia), the bane of the Sony PlayStation and Microsoft Xbox online gaming communities, was the DDoS Grinch that stole Christmas gaming this year. Neither platform was usable for more than thirty minutes at a time, and those brief respites were tied to Twitter account pumping.

@LizardMafia would pick a smaller account from their group to promote, promising the attacks would stop if the account met some goal, such as reaching 5,000 followers. They also ran repeated tweet polls, asking followers to RT the tweet if they wanted PlayStation Network attacked, or favorite the tweet to direct their attention to Xbox.

Their most recent act has been promoting lizardstresser.su, which offers ‘shell booters’, and in doing so they made a string of mistakes. Security researcher Brian Krebs has had direct, personal conflict with them in the past, and their errors permitted him to characterize them accurately.

Smoke, Mirrors & Lizards

The holiday attacks have been maddening for the members of the predominantly male fifteen-to-twenty-five-year-old demographic that received either type of game console for Christmas. The practice of promoting multiple Twitter accounts meant any attempt to banhammer them had to hit half a dozen targets in very quick succession. The frontal assault tactics favored by young men were at best of limited use, and more often backfired on innocent bystanders, precisely as the Lizards intended.

@LizardMafia itself had a few particular personas they chose to single out for direct attention. The aush0k mentioned here is Matthew Flannery, an Australian hacker who belatedly and quite incorrectly declared himself the supreme leader of LulzSec last year, during his arrest for vandalizing a tiny Australian village government site.

@LizardMafia Taunts aush0k

@MeanTXLawyer is Texas attorney Jason Lee Van Dyke, whose twin claims to fame are being dumb enough to try to drag Tor Project into court over the content on the PinkMeth hidden service revenge porn site, and offering a bounty on doxbin operators nachash (@loldoxbin) and Intangir, then publicly threatening to kill both of them.

@LizardMafia Taunts @MeanTXLawyer

Seeking Media Attention

Emboldened by their successes, and in a manner eerily similar to what happened during the FBI-orchestrated fifty-day LulzSec rampage of 2011, some of the ringleaders took to the airwaves, and the group’s downfall began.

First was the young man seen below, Julius Kivimaki, a Finnish teen who has been at the center of much mayhem for over two years. Brit Vinnie Omari appeared as well, only to be arrested a few days later on some PayPal fraud charges.

Promoting LizardStresser, Doxing Subscribers

Internet celebrity Kim Dotcom ransomed both PSN and Xbox for $300,000 worth of his company’s cloud storage product, and the Lizards moved on to a new strategy – offering DDoS as a service via lizardstresser.su. Brian Krebs was quickly on the scene with “Lizard Kids: A Long Trail Of Fail”.

Krebs’ post and “Ode To LizardSquad” on Malware Tech are the sort of thing one reads with a copy of Maltego running to collect all of the details for further inspection, but the executive summary is found in this pastebin: LizardStresser User Dump. Some details of their 1,700 subscribers are now public, and it is unclear what else their sloppy OPSEC has exposed.

Best of all, Malware Tech performed a simple test, proving that LizardPatrol and Darkode share the same system. Read those detailed studies and you’ll be able to trace the Lizards back to their point of origin.

LizardPatrol & Darkode Hosted Together

Another FBI Sponsored Hacker Rampage?

If what Lizard Squad is doing were organic, it would follow the same power law distribution seen in insurgencies. A few months ago they hit hard and managed to divert an American Airlines flight in order to inconvenience a Sony exec on his way to a conference, then they slipped away quietly. The Christmas holiday attack doesn’t look odd; it’s the right time in terms of maximum audience, and it doesn’t seem particularly closely correlated with the Sony intrusion. If the next few months bring smaller actions with different methods, or nothing at all, that would be a statistical fit.

But two of the members have been arrested. If there is immediately another big hit involving LizardStresser, or some other very noteworthy move, and then another … and another? A steady or escalating stream of events would be clear signs that the next Sabu is moving among the next herd of victims, setting up the young and unwary.

Images from Lizard Mafia, Malware Tech and Shutterstock.