Three plead guilty to creating Mirai botnet used to crash web

Three hackers have admitted to building the tools that attackers used to take down many of the internet's most popular websites. 

Paras Jha, 21, pleaded guilty to multiple charges related to creating and operating the Mirai botnet, according to federal indictments unsealed Tuesday. His partners, Dalton Norman, 21, and Josiah White, 20, pleaded guilty to conspiracy to violate the Computer Fraud & Abuse Act.

Jha admitted to writing the source code for Mirai -- malware that created a botnet that took over hundreds of thousands of computers and connected devices like security cameras and DVRs  -- and using it to commit attacks and online fraud. Norman also admitted to helping write the code, as well as directing click fraud and online attacks. 

None of the botnet's creators were responsible for the attack that took down popular websites in October 2016, the FBI told Wired. Their initial motivation was to attack servers running the popular online game Minecraft, according to Wired. Security writer Brian Krebs first identified Jha and White as the programmers behind the botnet -- and their interest in Minecraft -- in January. 

White told prosecutors he created Mirai's scanner in August 2016, which scoured the web for vulnerable devices the malware could hijack. He also hosted the servers on which the malware operated and hijacked a computer in France in an attempt to disguise the source of the attacks.

"The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm," Acting Assistant Attorney General John Cronan said in a statement. 

The attack that took down Twitter, Netflix, Reddit, Pinterest and several others came in 2016, after the botnet -- Mirai's army of hijacked machines -- set its targets on Dyn, an internet management company based in New Hampshire. The websites relied on Dyn to direct traffic, and the attack sent a massive amount of traffic to Dyn's servers in a Distributed Denial of Service attack, also called a DDoS attack.    

Prosecutors said Jha sold the botnet to other criminals online and threatened companies with similar DDoS attacks unless they paid up. From September to October 2016, Jha made Mirai's source code public on forums for cybercriminals, allowing anyone to use it.

Jha maintained the botnet, which hijacked more than 300,000 devices, while looking for new victims to attack and infect, according to court documents. The attacks caused at least $5,000 in damage. 

New Hampshire Sen. Maggie Hassan, a Democrat who's been vocal about the need for increased cybersecurity regulation, praised Justice Department but also cautioned that more needs to be done.

"I am pleased that justice has been served," she said, "but there is much more work to be done to defend against cyberattacks of this kind and to secure the Internet of Things."

They also plead guilty to creating the Clickfraud botnet, which flooded traffic to websites and raked in cash from online advertising. The scheme netted Jha and his crew nearly 100 bitcoin , which was valued at $180,000 on Jan. 29. It's now worth more than $1.7 million. 

As part of Jha's plea agreement, he'll have to give up 13 bitcoin to the US government, currently valued at about $226,500. White is giving up 33 bitcoin, valued at $571,000. The attackers each face up to five years in prison and a fine of at least $250,000 for their involvement with the Mirai botnet.

Jha also pleaded guilty in New Jersey to violating the Computer Fraud & Abuse Act for launching an attack on Rutgers University's network using the Mirai botnet. Jha, a former student at the New Jersey school, admitted to shutting down servers that students, faculty and staff used to turn in assignments.

The attacks lasted for several days and affected tens of thousands of students, said William Fitzpatrick, acting US attorney for the district of New Jersey, in the release. Jha faces an additional 10 years in prison and a $250,000 fine for his attack on the university.

Correction, 4:26 p.m.: An earlier version of this story gave the impression that the defendants pleaded guilty to the attack that paralyzed much of the internet. That was not part of the plea agreement.
Update, 8:07 a.m. PT: To include details from additional plea agreements.
Update, 11:05 a.m. PT: Adds comment from Acting Assistant Attorney General John Cronan and more details on cases.

It's Complicated: This is dating in the age of apps. Having fun yet?

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.