Five years ago this Christmas, some people who woke up to a new Xbox or PlayStation hoping to play the latest video games might as well have received a lump of coal. It turned out to be a harbinger of holiday computer grief to come.
A hacking group called the Lizard Squad picked Dec. 24, 2014, to launch an attack against the computer networks of the two gaming systems, and they succeeded in knocking the networks offline for much of the next two days — temporarily turning $350 gaming consoles into pieces of junk.
"It's really like the Grinch," said Patrick Sullivan, senior director of security at Akamai Technologies, a security firm that specializes in stopping attacks.
"Everyone gets this present and they're excited to play it and they're deprived of that opportunity," Sullivan said. "They have to talk to their family, I guess."
Every year since, Christmas Day has become notorious in the cybersecurity industry. While presents are getting unwrapped under trees, computer systems — and some unfortunate security professionals — are guarding against deluges of fake traffic.
For hackers, Christmas Day is now a peak time to demonstrate their skills, purposefully anger people or try to extort money from companies or businesses that might be understaffed and vulnerable. For online retailers or video game networks, the attacks may hit when consumers have the highest expectations that computer systems will work — and tie many computer professionals to their desks on the holiday.
The idea of ruining Christmas morning by downing a corporate or government computer network is so tempting to some hackers that there may not be another day on the calendar that compares, with the possible exception of the Black Friday shopping bonanza after Thanksgiving, security experts said.
"It's going to be much more effective than if you do it on some random day in April. They're much more likely to be able to get somebody to pay up," said Andrew Shoemaker, CEO of NimbusDDOS, a company that helps companies test their cyberdefenses.
The type of attack that hackers often deploy on Christmas — including during the Xbox and PlayStation outages — is called a distributed denial-of-service attack, or DDoS, in which the attackers try to overload a network's servers with artificial traffic. The attacks have become more sophisticated over time, with new ways to flood corporate servers.
Law enforcement authorities stepped up their attention to Christmastime attacks a year ago, pre-emptively seizing the domains of 15 DDoS-for-hire services and announcing criminal charges against three people less than a week before the holiday.
The motive for an attack isn't always known, but at least some of the time, hacking groups may be trying to market abilities that they plan to sell as services later on, Shoemaker said.
"People in the black-hat community, a lot of times they'll showcase their abilities within the community by picking a target and showing off for a few hours," he said.
One such hacker was a Utah man who, according to the Justice Department, would use Twitter to announce his attacks and post screenshots as evidence. In July, he was sentenced to more than two years in prison. Prosecutors said his attacks included the first high-profile Christmas DDoS attack against gaming companies in late 2013.
After the Lizard Squad's turn in the spotlight in late 2014, the group claimed responsibility for other attacks, including one against the website of Malaysia Airlines and another targeting Taylor Swift's Twitter account.
Some members of the Lizard Squad have since been arrested. One of them, Zachary Buchta of Maryland, was sentenced last year to three months in prison after he pleaded guilty, and the judge scolded him for crimes that had real-world consequences, "not a fantasy."
Sony, which makes the PlayStation, and Microsoft, owner of the Xbox system, did not respond to requests for comment on the lasting impact of the 2014 attacks.
There's no comprehensive public data for how much of a spike occurs in late December, because digital attacks often aren't reported, even when they're successful.
And it's not just video game platforms. In 2015, a Christmas Day DDoS attack targeted Linode, a cloud computing company, knocking its services intermittently offline for days. The private intelligence group Stratfor Global Intelligence was the target of an attack on Christmas Eve 2011 in which attackers said they had obtained access to a huge cache of emails.
Security companies have raced to keep up. Lawrence Orans, an analyst at the research firm Gartner, said DDoS mitigation firms have invested heavily in their infrastructure to add capacity in the past five years, rerouting suspicious internet traffic through "scrubbing" servers before the traffic can knock a system offline.
Much of the preparation for Christmas security takes place in the months before the holiday, as corporate security staff run drills and test their defenses, experts said. But for some information technology workers, Christmas will mean a day at the office.
"The big organizations do have 24/7 coverage of trained personnel — similar to the way that police departments, hospitals and the military don't stop their services just because it's Christmas," said Gene Spafford, a Purdue University computer scientist who studies security.