This article is more than 1 year old

Newb admits he ran Satori botnet that turned thousands of hacked devices into a 100Gbps+ DDoS-for-hire cannon

One moron down, two to go

The script kiddie at the center of the Satori botnet case has pleaded guilty.

Kenneth Schuchman, 21, of Vancouver in Washington state, this week admitted [PDF] to aiding and abetting computer hacking in an Alaskan federal district court. In exchange for only having to confess to a single criminal count, and increasing his chances of a reduced sentence, Schuchman admitted he ran the destructive Satori Internet-of-Things botnets.

From July 2017 to late 2018, Schuchman, along with co-conspirators referred to by prosecutors as "Vamp" and "Drake," built and maintained networks of hijacked devices: these internet-connected gadgets would be infected and controlled by the gang's Satori malware, which was derived from the leaked Mirai source code. Schuchman, who is said to have gone by the handle "Nexus-Zeta," admitted to taking the lead in acquiring exploits to commandeer vulnerable machines and add to them the botnets, while "Drake" apparently wrote the code for the malware, and "Vamp" handled the money.

The money, you ask? Yes, the crew would launch distributed denial-of-service (DDoS) attacks from their armies of malware-infected gear for cash: you could hire them to smash your rivals and other victims offline by overwhelming systems with internet traffic from the Satori-controlled botnets.

"All three individuals and other currently uncharged co-conspirators took an active role in aiding and abetting the criminal development and deployment of DDoS botnets during this period for the purpose of hijacking victim devices and targeting victims with DDoS attacks," Schuchman's plea deal paperwork reads.

The Satori malware preyed on a number of poorly secured IoT devices, including home digital video recorders (DVRs), surveillance cameras, and enterprise networking gear. The slaved units, once infected by Satori, mainly via weak passwords and known vulnerabilities in device firmware, were then put to use as DDoS cannons-for-hire.

Image by rudall30

Fresh botnet recruiting routers with weak credentials


In March 2018, the gang, according to Schuchman, had rechristened the Satori botnet as Tsunami or Fbot, and continued to infect thousands of devices – including 32,000 belonging to a Canadian ISP, and 35,000 High Silicon DVRs – and potentially as many as 700,000 total.

By then, the botnet was primarily being used to cripple the servers of various online games, as well as attacking gaming server provider Nuclear Fallout. Schuchman would at times brag his army of bots could blast out at least 100Gbps, and at one point even 1Tbps, of junk network traffic.

Though he was indicted in August 2018, US prosecutors say Schuchman not only continued his illegal activities, but became even more active and aggressive. Later that year, Schuchman had a brief falling out with his co-conspirator "Drake" and would eventually call a police SWAT on his former buddy – a move that resulted in a "substantial law enforcement response" showing up at the ex-pal's home.

"At all relevant times, Schuchman knew and understood that these botnets were was designed to be used, and was in fact being used, to commit illegal and unauthorized DDoS attacks against computers in the United States and elsewhere," prosecutors said.

"Schuchman acted with the intent and goal of aiding, abetting, and furthering these illegal DDoS attacks and causing them to occur."

Though the plea deal paints Schuchman as playing a key technical role in the gang, reports from around the time of his arrest mid-2018 tell a different story. In those accounts, Schuchman is presented as a hacking novice who was in over his head with the Satori botnet.

Infosec bods working on the case point to a number of posts Schuchman made under his Nexus-Zeta handle asking basic questions about setting up exploits and maintaining botnets.

Prosecutors may have agreed with that assessment, as the plea deal allows Schuchman to avoid a Computer Fraud and Abuse Act charge, and does not include any charges for the swatting attack.

He is due to be sentenced on November 21. ®

More about


Send us news

Other stories you might like