The Invisible Mercenaries: How Anonymous Cyber Hit Men Built a Shadow Industry Law Enforcement Still Cannot Dismantle
In 2017, a federal courtroom in Minneapolis revealed one of the most uncomfortable truths in modern cybercrime. A defense attorney, arguing for her client, a man who hired hackers to attack dozens of websites, pointed out something that stunned the room. The professional cyber hit men her client paid were “named and evidently well known to the government,” yet not one of them had been charged. They had, in her words, been allowed to “skip off merrily into the night.”
That case, United States v. Gammell, exposed a clear problem with cybercrime enforcement. The customer who hired the hackers went to prison for 15 years. The people running entire DDoS-for-hire operations kept working. This pattern, where the buyer gets caught and the seller stays anonymous, has repeated itself across the globe. The result is a shadow industry worth an estimated $12 billion that operates with near-total impunity.
The Gammell Case
John Kelsey Gammell, a 46-year-old from New Mexico, had a long list of grudges. Between 2015 and 2017, he targeted roughly 40 different organizations, including former employers, companies that refused to hire him, law enforcement agencies, financial institutions, and even the Minnesota Judicial Branch.
His main target was Washburn Computer Group, a point-of-sale repair company in Monticello, Minnesota, where he had previously worked. He flooded the company’s website with traffic using distributed denial-of-service attacks, making it inaccessible to customers and costing the business around $15,000.
Gammell was not a skilled hacker. He did not need to be. He simply paid someone else to do it.
According to an FBI affidavit, Gammell used seven different DDoS-for-hire websites and paid monthly subscriptions to at least three of them between July 2015 and September 2016. Fees ranged from $19.99 to $199.99 per month. One of his preferred services was vDOS, at the time the most prolific booter service on the internet. After successfully taking down a network for two days, Gammell wrote to the service’s administrators: “We will do much business. Thank you for your outstanding product.”
He used IP anonymization tools, encrypted his devices, spoofed emails, and paid with cryptocurrency. He even used the names of his victims’ former employees to cast suspicion on innocent people.
He got caught because of his own overconfidence. He sent taunting emails to victims after each attack. He pleaded guilty and received 180 months in prison along with $955,656.77 in restitution. The Eighth Circuit upheld the sentence in August 2019.
His defense attorney, Rachel Paulose, put the real problem on the record: “The government has failed to charge a single one of those cyber hit men services, named and evidently well known to the government. Instead the government’s neglect has allowed the professional cyber hit men for hire to skip off merrily into the night.”
She was right. Not one operator was prosecuted alongside him.
How Booter Services Work
DDoS-for-hire platforms, called booters or stressers, package cyberweapons as consumer software. You type in a target IP address, pick an attack type and duration, pay a fee, and launch. No technical skill required.
These platforms claim to offer legitimate “stress testing” for networks. By not requiring proof of ownership and accepting anonymous payments, operators enable criminal use while maintaining plausible deniability.
They are not hidden on the dark web. They advertise on social media, YouTube, and Facebook. Subscriptions start at $14.99 per month. You pay with credit cards, PayPal, or Bitcoin.
The scale is significant. IPStresser.com accumulated over 2 million users and launched 30 million attacks between 2014 and 2022. Webstresser.org had 136,000 registered users and launched between 4 and 6 million attacks before being seized in 2018. Quantum Stresser had 80,000 subscribers and launched over 50,000 attacks in 2018 alone.
A 2024 Netscout analysis found that modern booter platforms now include pre-attack reconnaissance tools, API integrations for custom attack toolkits, automated scheduling, and AI to optimize attacks in real time. These features once required advanced technical knowledge. Now you need a credit card and an internet connection.
Operation PowerOFF
In 2018, international law enforcement launched Operation PowerOFF, a joint effort involving the FBI, Europol, the Dutch National Police, German Federal Criminal Police, and the UK National Crime Agency.
The operation produced consistent results. In 2018, 15 DDoS domains were seized in the initial wave. In April 2018, Webstresser.org was shut down and four admins were arrested across the UK, Croatia, Canada, and Serbia. In December 2018, Quantum Stresser and 14 other booter sites were seized and three people were charged. In December 2022, 48 domains were seized and six U.S. men were charged. In May 2023, 13 more domains were seized, though 10 were reincarnations of services taken down just five months earlier. In December 2024, 27 additional domains were seized, three admins were arrested in France and Germany, and over 300 users were identified.
In total, Operation PowerOFF has seized over 75 domains and made dozens of arrests across 15 countries.
The problem is that the results also expose a clear limitation. When the FBI seized 13 domains in May 2023, ten of them were services that had already been shut down five months prior. Operators register new domains and resume operations within hours.
The Quantum Stresser operator, 24-year-old David Bukoski of Pennsylvania, ran a platform with 80,000 subscribers that launched over 50,000 attacks in 2018. He was identified only because he used an email address tied to his illegal activities to order a pizza. His sentence: five years of probation and six months of community confinement. No prison time.
The vDOS case is similar. Security journalist Brian Krebs identified the operators as Itay Huri and Yarden Bidani, both 18 years old, from Israel. They had earned over $600,000 in two years. The service had been running since 2012, meaning they likely started it at age 14. After their arrest, their punishment was ten days of house arrest and a 30-day internet ban. Within days of their release, Krebs’ own website was hit with a 140 Gbps attack.
Why Operators Stay Anonymous
Several factors protect booter operators from prosecution. They often live in countries with weak cybercrime laws while their victims are spread across the globe. Cryptocurrency creates a financial layer that is difficult to trace. Proxy servers, VPNs, and bulletproof hosting providers hide both the operators and their attack infrastructure. When a domain is seized, a new one goes up within hours. The “stress testing” framing gives operators a thin legal shield.
FBI Supervisory Special Agent Michael Krause, who led the cyber squad in Minneapolis during the Gammell case, said it plainly: “We have a growing trend where the sophistication of the dark web and the sophistication of certain professional hackers to provide resources is allowing individuals, and not just experienced individuals, to conduct hacks and conduct DDoS.”
Minnesota’s Chief Information Security Officer, Chris Buse, added this: “A lot of people think it’s just a nuisance. But it’s not. If you look at what government does, basic critical services, if those services don’t continue, people can literally die.”
The Bigger Picture
DDoS-for-hire is one part of a much larger market. The cyber mercenary industry was valued at an estimated $12 billion as of 2019. At least 74 national governments have contracted with private cyber mercenary firms for spyware alone. Meta has identified tens of thousands of targets across more than 100 countries who were attacked using these services.
The enforcement problem is structural. Law enforcement catches customers because customers leave traces: taunting emails, personal grudges, traceable payment records. Professional operators build their platforms for anonymity from the start. They are designed to keep the seller invisible while the buyer takes all the risk.
Cybersecurity Ventures estimates that global cybercrime will cost the world $10.5 trillion in 2025, up from $3 trillion in 2015. As AI-powered attack tools become more accessible, the anonymous cyber hit men that Rachel Paulose described in that Minneapolis courtroom are not going away. They are growing in number.
Operation PowerOFF has made real progress. But seizing domains is not enough. A fundamentally different approach is needed, one that targets the financial pipelines, hosting providers, and international safe havens that keep this industry running.
