Three hackers face lengthy sentences for last year’s supercharged DDoS botnet

Federal officials in the US have arrested three hackers who have pleaded guilty to charges relating to the creation and distribution of the infamous Mirai botnet.

On December 8, Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, were indicted by the District of Alaska with conspiracy to violate the Computer Fraud and Abuse Act.

A press release from the US Justice Department describes how, in the summer and fall of 2016, White, Jha, and Norman created the powerful Mirai botnet, which, at its peak, was used to enslave more than 300,000 IoT devices and launch crippling DDoS attacks against various websites.

The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the malware source code on a criminal forum using the moniker ‘Anna-Senpai’.

Since then, other criminal actors have used Mirai variants in numerous other attacks, including one directed against internet infrastructure firm, Dyn, which subsequently disrupted Twitter, Netflix, PayPal, Reddit, and a host of other sites.

Jha and his business partner White were first implicated in the Mirai controversy by cybersecurity researcher Brian Krebs earlier this year, after his blog was knocked offline by a 620 Gbps DDoS attack using the Mirai botnet.

In addition to the Mirai charges, Jha and Norman also pleaded guilty to their role in a well-orchestrated ‘clickfraud’ scam, which saw them take control of 100,000 computers in order to rack up hundreds of thousands of dollars’ worth of fraudulent online advertising revenues.

Jha also pleaded guilty to executing a series of cyber-attacks against Rutgers University in New Jersey.

“The Mirai and clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm,” said acting assistant attorney, General Cronan.

“The Criminal Division will remain constantly vigilant in combating these sophisticated schemes, prosecuting cybercriminals, and protecting the American people.”

For the conspiracy charges related to their authorship and use of Mirai, Jha and White face up to five years in prison, a $250,000 fine, and three years of supervised release.

For the clickfraud conspiracy charges, Jha, White, and Norman each face up to five years in prison and a $250,000 fine.