The three brains behind the Mirai malware, which infects and pressgangs Internet-of-Things devices into a botnet army, have avoided jail.
In December, Paras Jha, 22, Josiah White, 21, and Dalton Norman, 22, pleaded guilty in the US to breaking the Computer Fraud and Abuse Act after developing and masterminding the Mirai malware, as well as the Clickfraud botnet.
This week, Alaska's chief district judge Timothy Burgess sentenced them to five years of probation, 2,500 hours of community service, and $127,000 in damages to their victims.
Such light sentences are uncommon in America for computer crime, however, there is one clear reason in this case: the trio became cyber-crimefighters for the FBI, and have already helped taking down other botnets. Couple that to a guilty plea agreement, thus avoiding a pointless trial, and jail time is taken off the table.
For instance, let's take Jha. “Special Agent Elliott Peterson ... who is recognized as one of the FBI’s top investigators for cybercrime, has described Paras’ cooperation not only as substantial, but extraordinary in its scope, breadth, results, and amount of time expended,” Jha's lawyers told the Alaskan district court.
“Paras worked tirelessly to uncover identities, information, methods and timing of attacks, and other information that lead to the identity and location of individuals later charged with computer crimes. His cooperation has been more than substantial, it has been outstanding. We wholeheartedly agree with the government’s motion for an 85% reduction in the sentence, combined with continued education, and community service that includes continuing cooperation with the FBI.”
Jha was already known to the authorities as a hacker before Mirai burst on the scene: he was known for launching botnet-powered distributed denial-of-service (DDoS) attacks. Specifically, he began his botnet-herding career by taking down Minecraft players. He also unleashed a couple of network tsunamis to knock down his own university, including one to delay one of his examinations.
Internet of Things botnets: You ain’t seen nothing yetREAD MORE
After dropping out of Rutgers, Jha worked at a DDoS mitigation firm called Protraf, but carried on his own DDoS tool development in his spare time. The Feds claim he used these tools to take down organizations so that they could be approached and offered Protraf’s anti-DDoS services.
Jha said that the idea for the Mirai code came after he was challenged by a Dutch Minecraft player to build a better botnet. The code was highly successful, and Jha and his two mates charged fees to carry out DDoS attacks using their malware-infected army, before publishing the source code online to cover their tracks.
Since his arrest, Jha has become a reformed character, we're told. He was treated for an undiagnosed case of ADHD, has scored a part-time job with a security company, and still helps out the FBI and police with computer crime cases – think Frank Abagnale with a keyboard.
“The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world,” US Attorney for Alaska Bryan Schroder said this week in announcing the sentencing.
"After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.
"As part of their sentences, Jha, White, and Norman must continue to cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.
"According to court documents, the defendants have provided assistance that substantially contributed to active complex cybercrime investigations as well as the broader defensive effort by law enforcement and the cybersecurity research community."
The trio began working for the Feds even before being charged with the Mirai case. Given the problems faced by the FBI in recruiting hackers, flipping botnet masters is an interesting new way to swell the ranks of defenders in US law enforcement. ®