Two hackers responsible for creating the massive Mirai botnet that knocked large swathes of the internet offline last year have pleaded guilty. The pair commandeered hundreds of thousands of connected devices that were used to hurl spam traffic at a Rutgers University server that contained a web portal used by faculty and students.
Paras Jha and Josiah White admitted to operating the Mirai botnet in plea agreements unsealed today. The reporter Brian Krebs first revealed their identities in January, after his website was targeted in a Mirai DDoS attack.
Jha wrote the source code for Mirai, according to his plea agreement. He and White used the botnet for click fraud, leased it out to other people for DDoS attacks, and ran extortion schemes in which they would launch DDoS attacks against victims’ websites and then demand payment to call off the attacks.
In October 2016, the botnet was also used to target the DNS service Dyn, which took Reddit, Twitter, and other major websites offline in October 2016. However, neither White nor Jha have been charged in that attack. Ostensibly, it was carried out by a third party who obtained the Mirai code after Jha published it online.
A third man, Dalton Norman, also pleaded guilty to participating in a Mirai-related click fraud scheme. He also helped Jha and White add Internet-of-Things devices to the botnet, which at its peak included more than 300,000 devices.
Update, 4:15pm: A statement from Jha’s attorney was obtained by Reuters:
“Paras Jha is a brilliant young man whose intellect and technical skills far exceeded his emotional maturity. Starting when he was just 19 years old, he made a series of mistakes with significant consequences that he only now fully appreciates. He is extremely remorseful and accepts full responsibility for his actions. He is fortunate to have loving, supportive parents and a bright future ahead. He has pled to charges here in the District of New Jersey, and in the District of Alaska, as the first step in his evolution into adulthood and responsibility.”
Correction: A previous version of this article indicated that Paras Jha and Josiah White were accused of attacking Dyn. While the code published by Jha was used to conduct the attack, neither have been charged with carrying it out. We regret the error.