The Team of Sleuths Quietly Hunting Cyberattack-for-Hire Services

From Big Pipes’ inception, some members also went so far as to actively hunt for the identities of booter service operators, using clues from their forum posts and the websites where they advertised their attack services as starting points to try to unmask them. In one instance, a member of the group identified a booter operator by following a trail of online pseudonyms, phone numbers, and email addresses that led him from the hacker’s handle on the website HackForums—“itsfluffy”—to a web page that revealed his day job as a trainer for Pawfect Dog Training, along with his real name, Matthew Gatrel. “The operators of commodity DDOS services are not the most sophisticated actors out there,” says the Big Pipes member who followed those breadcrumbs, and who asked to remain unnamed. “They make mistakes.”

A Christmas Takedown Tradition

As Big Pipes’ data collection on booter service operators grew, so did the group’s partnership with the FBI. Eventually, that collaboration developed into an intermittent Christmas tradition of rounding up and disrupting as many of the internet’s worst booter services as possible. The timing of these operations, Big Pipes’ members emphasize, wasn’t intended for cruelty but as a response to the hackers’ own targeting of the holiday: For years, nihilistic hacker groups would wait until Christmas Day to launch disruptive DDOS attacks against online gaming services like the PlayStation Network and Xbox Live, aiming to knock major gaming services offline on the busiest day of the year, just as kids were trying out their newly gifted games.

So in 2018, Big Pipes’ members worked with the FBI and the US Justice Department to stage their own pre-Christmas intervention, sifting through their data and giving leads to the group’s agents and prosecutors to take out the most active services in the growing booter industry. “We’re figuring out target selection: Which of these booter owners can be identified? Which of these booters are the highest harm in terms of the amount of DDOS traffic they’re pushing?” says Nixon, who today works at the security firm Unit221b. “So we figure out, OK, these are the highest-harm targets, these ones are low-hanging fruit. Who are we actually going to take down?”

In December of 2018, just five days before Christmas, the FBI announced a bust of 15 of the booters Big Pipes had suggested were the worst offenders. They included one called Quantum that the FBI says had launched 80,000 DDOS attacks and another, DownThem, accused of launching no fewer than 200,000. Three men operating those services in Pennsylvania, California, and Illinois—including the dog trainer Matthew Gatrel—were arrested and charged.

In the wake of that operation, Clayton’s Cambridge research team found that attacks from booter services fell by nearly a third for more than two months, and the services’ attacks with US victims were nearly cut in half for that time. So Big Pipes suggested they do it all again, only now going after every major booter service that remained online. “Let’s see what happens if we go after everything that matters,” says Peterson, the FBI agent. “How do they react?”