Three men plead guilty to crimes tied to 2016 botnet attacks

(Reuters) – A former Rutgers University student and two other men pleaded guilty to computer crimes related to the creation, sale and use of the Mirai botnet, a network of infected electronics equipment used to knock major websites offline in massive 2016 cyber attacks, according to court documents.

Rutgers University student Paras Jha is seen as he leaves the Clarkson S. Fisher Building and U.S. Courthouse after his hearing in Trenton, New Jersey, U.S., December 13, 2017. REUTERS/Dominick Reuter

Paras Jha pleaded guilty during an appearance in federal court in New Jersey on Tuesday to charges involving writing code that allowed him to infect and control devices with Mirai.

Two other individuals, Josiah White and Dalton Norman, have also pleaded guilty to charges related to the development and use of Mirai for criminal gain, according to charging papers unsealed on Tuesday in Alaska.

The Mirai botnet was used to infect hundreds of thousands of internet-connected devices including webcams and video recorders, which its creators then turned into a digital army of bots that attacked websites and internet infrastructure in “denial of service” attacks that knocked them offline.

Those attacks included one in October 2016 on an internet infrastructure firm known as Dyn that disrupted access to dozens of websites across the United States and Europe including ones run by Twitter Inc, PayPal Holdings Inc and Spotify. The court records do not accuse Jha or the others of carrying out that specific attack.

Jha began to create the Mirai botnet in August 2016 to launch powerful denial of service attacks targeting business competitors and others against whom the attackers “held grudges,” prosecutors said in court documents. Jha owned a denial of service mitigation company called ProTraf Solutions, according to his LinkedIn page.

He and his co-conspirators also sought financial gain, renting the botnet out to other criminals. Jha attempted to destroy or conceal evidence of his crimes by erasing the virtual machine used to run Mirai and posting the code online to create “plausible deniability,” prosecutors said.

Jha, a New Jersey resident, has been charged with conspiring to cause intentional damage on a protected computer and other offenses.

In August 2016, White created the scanner that was part of the Mirai code, which helped the botnet identify devices that could be accessed through a series of login credentials in order to infect them, charging documents said.

The exterior of the Clarkson S. Fisher Building and U.S. Courthouse, where Rutgers University student Paras Jha had a hearing, is seen in Trenton, New Jersey, U.S., December 13, 2017. REUTERS/Dominick Reuter

In September 2016, Norman worked with his accomplices to expand the size of Mirai, allowing it to grow to infect more than 300,000 devices, prosecutors said. Court documents did not charge Norman with creating Mirai, but said he helped monetize its use.

Also in September, White placed a Mirai server on the hosting provider BackConnect, authorities said. The botnet activity was observed by BackConnect, which was able to disrupt it and notify law enforcement, company founder Marshal Webb told Reuters.

In a separate case unsealed on Tuesday, Jha was charged with leveraging a later Mirai variant for a different scheme to generate online ad revenue through fraudulent clicks, which is known as clickfraud.

Jha and his co-conspirators earned about 200 bitcoin, which was valued at $180,000 on Jan. 29, as a result of clickfraud, prosecutors said. The amount would be worth about $3.4 million today.

Robert Stahl, Jha’s attorney, said his client had been released pending sentencing and has not been a student at New Jersey’s Rutgers University since December 2016. Stahl declined to comment further pending sentencing proceedings.

Rutgers and attorneys for White and Norman did not immediately respond to requests for comment.

Jha’s name surfaced in January, when the cybersecurity website Krebs On Security reported that he may have been behind the online persona Anna-Senpai, who claimed to be the original author of the Mirai worm.

Anna-Senpai released the source code of the Mirai botnet online in September 2016, which gave other hackers the opportunity to use it. A month later the massive assault on infrastructure firm Dyn took place, causing swaths of the internet to be temporarily unavailable.

U.S. officials were scheduled to speak to reporters later on Wednesday to discuss the cases.

Reporting by Dustin Volz in Washington and Nate Raymond in Boston; Editing by David Gregorio and Richard Chang