Three men who operated and controlled the notorious Mirai botnet have been sentenced to five years of probation.
The Mirai botnet notoriously launched a massive distributed denial-of-service (DDoS) attack on DNS service company Dyn in October 2016 and made it impossible for many users to reach popular sites such as Amazon, Reddit, Netflix, Twitter, Soundcloud, Spotify, Etsy and Github.
Paras Jha, Josiah White and Dalton Norman hijacked hundreds of thousands of vulnerable IoT devices without the knowledge or permission of their owners with the intention of:
- launching powerful DDoS attacks,
- renting the botnet to criminal third-parties, and
- using the botnet to extort protection money from companies not wishing to be targeted by a DDoS attack.
As I described at the time of Jha’s guilty plea late last year, he and White ventured into cybercrime via a perhaps unexpected route – Minecraft.
Jha and White co-founded a company called ProTraf Solutions, which provided anti-DDoS services to Minecraft servers. Nothing wrong with that, of course. But in order to create new customers, the pair started targeting websites with DDoS attacks and then either tried to extort money to call off the attacks or offered services which they claimed could defend the sites.
The men subsequently released the source code of Mirai on hacking forums, allowing others to create their own versions of the botnet from their blueprints with variants including versions that engaged in cryptomining and exploited zero-day vulnerabilities to commandeer hundreds of thousands of internet-connected surveillance cameras.
In all likelihood, the reason for the release of Mirai’s source code was not to give a deliberate helping-hand to fellow online criminals. It was rather done in fear that if the code was found only on their own computers, it might be an indication of their guilt.
Well, those three young men have now been sentenced by a federal court in Anchorage to five years probation and 2,500 hours of community service. Jha, White and Norman have also been ordered to pay $127,000 in restitution.
So, why no prison sentence for the three men who unleashed such a devastating attack on large chunks of the internet? Federal sentencing guidelines recommended that White be hit with a sentence of 18-24 months and that Jha and Norman receive a punishment of up to three years behind bars.
According to court filings, prosecutors asked the court to go easy on the three because of their “exceptional and extensive cooperation” in helping investigators bring down other botnets and prevent other cybercriminal activities.
For instance, the trio have reportedly assisted the FBI in the identification of victims of the Kelihos botnet, which was used to spam out phishing emails and distribute ransomware.
Furthermore, the men are said to have assisted businesses in better defending themselves from DDoS attacks last December, a time of year when attacks often peak. According to prosecutor Adam Alexander, the group’s efforts contributed to “significantly fewer large or targeted DDoS attacks during the Christmas 2017 holiday period.”
Considering that none of the three have been sentenced to serve prison time, I have no doubt that they informed on other online criminals, as well.
My hope is that no one will view the Mirai gang’s success in avoiding imprisonment as a green light for their own cybercriminal activities.
It’s good that the trio behind Mirai are now helping the authorities. But what a shame that they had to break the law and cause so much disruption on the internet in the first place.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.