The legality of taking on the scammers has been discussed there before, quite a few times. (Here is one instance of it occuring: http://forum.419eater.com/forum/viewtopic.php?t=126475&highlight=).

When one member asked a policeman here in Australia about the chances of a baiter being prosecuted if a scammer complained, he basially said “no difference to a drug dealer being sold fake drugs…would be laughed out of the police station if he even tried”, to quote a member there. Whilst we obviously can’t take it as professional legal advice, and it isn’t technically the same thing as aa419 is involved in, I’d be prepared to bet that the situation would be very similar. I seriously doubt that any scammers operating these fake banks have ever complained (as they would have to answer some very embarassing questions about being 419 scammers), and I would be extremely surprised if the police really wanted to do anytihng about it.

As far as I know, nobody involved in fighting fake banks with aa419 has ever wound up in any actual legal trouble for doing what they do, and I somehow doubt that law enforcement bodies are about to shut them down any time soon.

(Note: I am neither a cop nor a lawyer, and none of this is real legal advice, just a series of observations)

What the flashmobbers are doing may be technically on the wrong side of American law but I still approve. It is not done out of malice or for profit, but for a sense of mischevious benevolence. If it does take hundreds of participants to be effective, and given that there is virtually no chance of any of the owners of these sites bringing a complaint to the US authorities, then the flashmobbers are pretty safe from prosecution.

Perhaps its American law that needs to catch up?

If you care to read the above sources from aa419, you will hopefully understand why the Mugu Marauder does not constitute anything close to a DDoS attack. To put it short, aa419 flashmobs are bandwidth hogging instead of “overwhelming a system”. The idea and the corresponding implementation do not target the host or the hoster, they do not intend to and do not actually disrupt services, overload servers and such. Quite the contrary is true. As soon as the targeted fraudulent site goes down, the load stops immediately. The targeted (fraudulent, illegal) site goes down as soon as the purchased monthly bandwidth will be exceeded or when the hoster, who was previously notified at least twice and who ignored the complaints, eventually decides to take it down, respectively.

If the intent of the project is to take down websites by overloading them with traffic, well, I’d say that constitutes a denial-of-service attack. Even if not, someone on the “dark side” (if you’ll excuse the pun) could easily argue the point and file charges or a civil lawsuit.

If DOSing the bad guys is legal in your jurisdiction, that’s great. DOS away. But it’s not legal here, and cases like Charles Booher (arrested for making death threats to a spammer, later killed himself) make it clear that even with spammer, breaking the law to stop them is risky. Some people are willing to take the risk. Others are not.

The big mistake, of course, is assuming there’s only one solution to the problem.