Operation Payback

Update: Websites for Dutch prosecutor's office and police attacked after teen arrested

The websites for the Dutch prosecutor's office and police were attacked Friday, likely in retaliation for the arrest of a 16-year-old WikiLeaks supporter, BNO News reported.

Both websites were offline for several hours Friday morning.

"The site of the Prosecutor's Office was offline or difficult to reach for several hours this morning. This website contains only public information and no sensitive data," a statement from the prosecutor's office said.

Original report follows...

A Dutch teenager arrested Thursday morning for participating in cyber attacks against the websites of companies that dropped their support of WikiLeaks could face up to six years in prison if convicted, according to a spokesman for the Netherlands' prosecution service.

The 16-year-old has confessed to participating in a widespread cyber attack dubbed "Operation Payback" on MasterCard, Visa and PayPal, in retaliation for the companies' withdrawal of services to WikiLeaks.

Unconfirmed sources told TorrentFreak that the teenager operated an Operation Payback chat room and was known under the nickname "Jeroenz0r."

"Jeroenz0r and his server became delinked Thursday night at around midnight UTC time," a source told TorrentFreak.

"Some of his friends tried calling him yesterday but the phone led to voicemail. When calling his home number, his dad refused to comment on the situation. Furthermore, his local town newspaper also reported that a local 16-year-old boy was arrested."

Using Twitter and Facebook, Operation Payback invited thousands of people to voluntarily install a tool called LOIC (Low Orbit Ion Cannon), which was used to perform distributed denial-of-service (DDoS) attacks on selected websites. DDoS attacks flood websites with meaningless web traffic to slow them down and can knock websites offline entirely.

"We received information that one or more of the WikiLeaks-related attacks were coordinated from the Netherlands," Wim de Bruin, spokesman for the Dutch prosecution office, said. "That is the reason the police have been investigating."

Dutch police say the boy, whose computer equipment was seized, "is probably part of a larger group of hackers" and expect to make more arrests. He will appear before a judge in Rotterdam on Friday.

If convicted, he could be sentenced to between four and six years in prison, Wim de Bruin, a spokesman for the Dutch prosecution service, told the Telegraph.

Individuals in the United States have been convicted of using DDoS attacks against websites, such as a Nebraska man who pleaded guilty to attacking the Church of Scientology's website.

But these attacks were performed using "botnets," collections of computers infected with malicious software that can be used to perform coordinated attacks without their owners' consent.

The LOIC, on the other hand, is a voluntary program that requires the participation of a large number of people to be effective.

"At an individual level a person is pushing a button and sending a packet," Robert Gourley, a former cyber-security expert with the Defense Intelligence Agency, told Bloomberg. "I don't know what legal precedents there would be that allows you to take a person to court for doing this [in the United States]."

It is unknown whether the teenager used a botnet or just the LOIC.

The US Federal Bureau of Investigation and Swedish law enforcement said they are also investigating the cyber attacks.

"I don't think that their attacks are necessarily illegal or immoral," Evgeny Morozov, a visiting scholar at Stanford University, wrote at Foreign Policy magazine. "As long as they don't break into other people's computers, launching DDoS should not be treated as a crime by default; we have to think about the particular circumstances in which such attacks are launched and their targets."

"I like to think of DDoS as equivalents of sit-ins: both aim at briefly disrupting a service or an institution in order to make a point. As long as we don't criminalize all sit-ins, I don't think we should aim at criminalizing all DDoS," he said.