Cybercrime , DDoS Protection , Fraud Management & Cybercrime

Mirai Co-Author Gets House Arrest, $8.6 Million Fine

Paras Jha Launched DDoS Attacks Against Rutgers, Ran Click-Fraud Botnets
Mirai Co-Author Gets House Arrest, $8.6 Million Fine

One of the co-authors of the devastating Mirai botnet has been sentenced to home incarceration and community service, and ordered to pay $8.6 million in restitution, for his role in a series of distributed denial-of-service attacks.

See Also: How to Defend Against DDoS, Ransomware and Cryptojacking

On Friday in federal court in Trenton, New Jersey, U.S. District Judge Michael Shipp sentenced Paras Jha, 22, to serve six months of home incarceration, five years of parole as well as 2,500 hours of community service - or the equivalent of more than 300 days of full-time work.

Jha, who's a resident of Fanwood, New Jersey, had previously pleaded guilty before Judge Shipp to violating the Computer Fraud & Abuse Act by launching a series of DDoS attacks from November 2014 to September 2016 against Rutgers University in New Brunswick, New Jersey.

"Jha's attacks effectively shut down Rutgers University's central authentication server, which maintained, among other things, the gateway portal through which staff, faculty and students delivered assignments and assessments," the Department of Justice says.

Jha's attorney, Robert G. Stahl, didn't immediately respond to a request for comment on the sentencing.

Three Mirai Creators Sentenced

The sentencing of Jha follows him and two other defendants - Josiah White, 21, of Washington, Pennsylvania, and Dalton Norman, 22, of Metairie, Louisiana - pleading guilty in a federal court in Alaska on Dec. 8, 2017, to creating and operating the Mirai botnet.

Mirai was malware built to target 64 default or hard-coded credentials built into dozens of internet of things devices, including inexpensive, widely used digital video recorders, wireless cameras and routers (see Can't Stop the Mirai Malware).

"At its peak, Mirai consisted of hundreds of thousands of compromised devices," the Justice Department says. "The defendants used the botnet to conduct a number of other DDoS attacks."

Jha and Norman also pleaded guilty in December 2017 to violating the Computer Fraud & Abuse Act from December 2016 to February 2017 by infecting more than 100,000 internet devices - primarily consumer routers based in the U.S. - and using them to build a botnet, which functioned in part as a gigantic internet traffic routing proxy network.

"The victim devices were used primarily in advertising fraud, including 'clickfraud,' a type of internet-based scheme that utilizes 'clicks,' or the accessing of URLs and similar web content, for the purpose of artificially generating revenue," the Justice Department says (see: Video Ad Fraud Botnet Bags Up to $1.3 Million Daily).

On Sept. 18, 2018, all three defendants were sentenced in Alaska federal court to serve a five-year period of probation, 2,500 hours of community service and ordered to pay $127,000 in restitution. The Justice Department said all had "voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation" as well as actively assisted the FBI.

"The defendants have provided assistance that substantially contributed to active complex cybercrime investigations as well as the broader defensive effort by law enforcement and the cybersecurity research community," the Justice Department said in a news release. Continuing to cooperate with the FBI was a condition of the sentence all three of the men received.

A spokeswoman for the Department of Justice says Jha will serve his two sentences concurrently.

Mirai's Legacy Lives On

An outfit calling itself Poodlecorp originally developed Mirai and used it to disrupt online gaming. But when the heat began to get turned up on the group, Jha in late September 2016 dumped the source code onto a cybercrime forum, giving everyone their plans for building a cheap and effective botnet out of poorly secured internet-connected devices.

After publishing the source code, the Justice Department says that the three men stopped using Mirai "in the fall of 2016."

The malware has been tied to numerous attacks, including a then record-setting DDoS attack against domain name server provider Dyn on Oct. 21, 2016, which resulted in widespread internet outages, preventing users from reaching such websites as Amazon, PayPal, Spotify and Twitter.

Brit Gets Suspended Sentence

Separately, British national Daniel Kaye, aka "BestBuy" and "Spiderman," last year pleaded guilty in German court to infecting 1.25 million Deutsche Telekom routers with his own Mirai botnet - codenamed Mirai #14 by authorities - and received a suspended sentence. Kaye said he'd been paid $10,000 to launch the early November 2016 attack against Lonestar MTN, Liberia's largest internet service provider, by an unnamed individual.

Kaye was then extradited to the U.K., where he was charged with launching DDoS attacks in January 2017 against two British banks: Lloyds Banking Group services, which suffered disruptions, as well as Barclays, which did not (see Mirai Malware Attacker Extradited From Germany to UK).

Meanwhile, the Mirai source code has been adapted to create new strains of malware, including Satori/Okiru, designed to infect many more types of internet-connected devices and use them as launch pads for DDoS and other types of cybercrime attacks (see: Botnets Keep Brute-Forcing Internet of Things Devices).

This story has been updated with comment from the Justice Department, which says Jha will serve his two sentences concurrently.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.