Mirai botnet hacker behind 2016 web outage pleads guilty

Together, the three created and operated the powerful "Mirai Botnet", which comprised a collection of a computers infected with malware and controlled as a group, officials said, without the knowledge or permission of the computer's owners.

Jha and Norman were additionally charged in the District of Alaska with conspiracy to violate the Computer Fraud & Abuse Act for infecting more than 100,000 primarily USA -based devices, including home Internet routers, with malware that allowed the victims to be utilized in advertising fraud known as "clickfraud".

According to court documents, between November 2014 and September 2016, Paras executed a series of attacks on the networks of Rutgers University.

Prosecutors said Jha had sold the botnet to other criminals online, as well as threatening companies with similar DDoS attacks unless they paid.

Jha and his co-defendants - White, 20, and Normal, 21 - pleaded guilty on December 8 to two separate criminal informations in Alaska District Court related to Mirai and another "clickfraud" botnet they admittedly used for financial gain, the Justice Department said Wednesday. Jha has said that they infected more than 300,000 devices to use them to carry out distributed denial of service (DDoS) attacks and other criminal activities. Each of the charges carries up to five years behind bars, and Jha will also surrender the 13 Bitcoin (currently worth around $214,000) that he made from running the botnet and renting out its services.

However, Krebs claimed that the two students were often either behind the DDoS attacks that they offered to mitigate or used DDoS attacks as a form of extortion against legitimate businesses - or organisations against which they held a grudge.

One of the targets of the Mirai botnet was Dyn, an internet infrastructure company that provides services to companies like Netflix and PayPal. Jha was first identified as a likely suspect by Brian Krebs, a well known security researcher and journalist.

As part of this scheme, victim devices were used to transmit high volumes of requests to view web addresses associated with affiliate advertising content.

Jha posted the source code to "create plausible deniability" in the event law enforcement ever found the Mirai source code on his computer, according to U.S. investigators. Then later in the year, Norman had helped the two to expand the size of their botnet by exploiting even more vulnerabilities in the IoT devices.

The count to which Jha pleaded guilty is punishable by a maximum of 10 years in prison and a fine of United States dollars 250,000, or twice the gross amount of any pecuniary gain or loss derived from the offence, whichever is greater.

  • David Armstrong