Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Satori Botnet Co-Creator Pleads Guilty

Botnet Used to Wage Massive DDoS Attacks Was Also Sold to Others, Prosecutors Say
Satori Botnet Co-Creator Pleads Guilty
Malware developer Kenneth Schuchman pleaded guilty. (Photo: Rapsheets)

Kenneth Currin Schuchman, 21, who authorities charged with co-creating the massive Satori botnet that was used to wage several large-scale distributed denial-of-service attacks, pleaded guilty Tuesday to a single federal charge.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The Vancouver, Washington native has been released from custody pending sentencing, according to a plea agreement filed with the U.S. District Court in Alaska. Schuchman pleaded guilty to a single count of aiding and abetting computer intrusions - a violation of the federal Computer Fraud and Abuse Act. Federal prosecutors agreed to drop one other charge.

A sentencing date has not yet been set.

Under federal law, a violation of the Computer Fraud and Abuse Act is punishable by up to 10 years in prison and a $250,000 fine. In the plea agreement, however, prosecutors note that they will "recommend a sentence at the low end of the guideline range as calculated and adopted by the court."

Plea agreement between federal prosecutors and Kenneth Currin Schuchman

Schuchman’s attorney could not be reached for comment.

The FBI arrested Schuchman in August of 2018, and he was indicted on two counts of violating the federal Computer Fraud and Abuse Act. When he was out on bail in October 2018, Schuchman was re-arrested after federal agents caught him developing a new variant of the botnet. He had remained in federal custody until pleading guilty on Tuesday.

'Nexus Zeta'

Schuchman, who went by the names "Nexus Zeta" and "Nexus," worked with two others in August 2017 to create the supercharged Satori botnet, which was based on a variant of Mirai malware, according to the plea agreement.

The other two Satori developers, who went by the names "Vamp" and "Drake," were not named in the plea agreement, and additional charges apparently have not yet been filed in the case.

Mirai was created in 2016 to take advantage of security flaws built into numerous devices. Eventually, its developers leaked the source code; then the malware was used in numerous attacks (see: Mirai Botnet Code Gets Exploit Refresh).

During 2017 and 2018, Schuchman and the two other hackers developed variants of Satori and added new features. These other botnets went by the names Okiru and Masuta, prosecutors say.

At its height, the Satori botnet encompassed hundreds of thousands of internet of things devices, including vulnerable security cameras and home routers, which the creators used to direct distributed denial-of-service attacks against a wide range of targets, including "large internet service providers, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation," according to the plea agreement.

At the same time, Schuchman and his co-creators attempted to make money off these botnets by renting out its capabilities to others, accepting payment in bitcoin or through a PayPal account, prosecutors say.

"While Schuchman and his co-conspirators themselves conducted DDoS attacks using the botnets they developed, their primary focus was monetizing their botnets by selling access to other criminal actors in order to generate illicit proceeds," according to the court documents.

In addition, cybercriminals using different versions of the botnet would target cryptocurrency mining software, giving attackers the ability to make infected systems mine for Ethereum cryptocurrency, according to security researchers (see: Satori Botnet's Alleged Developer Rearrested).

Building a Powerful Botnet

Schuchman does not appear to be a skilled coder, security researchers say. When Check Point Software Technologies first began investigating Satori in 2017, researchers noted that its creators frequented sites for so-called script kiddies and other wannabe hackers.

Despite their lack of coding skills, over the course of 2017 and 2018, Schuchman and the two other hackers began building much more powerful versions of the botnet. At one point, Schuchman bragged that he was able to take over 32,000 devices that belonged to an unnamed Canadian internet service provider that enabled him to target victims with a bandwidth of approximately one terabit per second, according to the plea agreement.

Later, Schuchman and the other two hackers used the Masuta version of the botnet to target fiberoptic devices belonging to Huawei and another networking equipment provider, which enabled them to compromise some 700,000 different nodes that they used as part of further attacks, prosecutors say.

In January 2018, Schuchman and another hacker used some 30,000 vulnerable devices in Vietnam to create yet another version of the botnet that they used to attack servers hosting online games, according to the plea agreement. This attack involved bandwidth speeds of up to 100 gigabits per second and caused massive damage, prosecutors say.

Bad Habits

The plea agreement says that Schuchman had frequent disagreements with his fellow hackers. At one point following an argument, prosecutors say, Schuchman used information to "swat" his partner “Drake.” Swatting refers to calling police and falsely warning that there is a crime in progress at a person's house.

Schuchman apparently did not take much care in protecting his identity, the plea agreement shows. When he was caught scanning the internet for vulnerable devices, he was using his father's name in an attempt to conceal his own identity, prosecutors say.

Other arguments with different hackers resulted in them revealing Schuchman's true identity, according to a post left on Pastebin, prosecutors note.

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.