Citing “extraordinary cooperation” with the government, a court in Alaska on Tuesday sentenced three men to probation, community service and fines for their admitted roles in authoring and using “Mirai,” a potent malware strain used in countless attacks designed to knock Web sites offline — including an enormously powerful attack in 2016 that sidelined this Web site for nearly four days.
The men — 22-year-old Paras Jha Fanwood, New Jersey, Josiah White, 21 of Washington, Pa., and Dalton Norman from Metairie, La. — were each sentenced to five years probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution for the damage caused by their malware.
Mirai enslaves poorly secured “Internet of Things” (IoT) devices like security cameras, digital video recorders (DVRs) and routers for use in large-scale online attacks.
Not long after Mirai first surfaced online in August 2016, White and Jha were questioned by the FBI about their suspected role in developing the malware. At the time, the men were renting out slices of their botnet to other cybercriminals.
Weeks later, the defendants sought to distance themselves from their creation by releasing the Mirai source code online. That action quickly spawned dozens of copycat Mirai botnets, some of which were used in extremely powerful denial-of-service attacks that often caused widespread collateral damage beyond their intended targets.
The source code release also marked a period in which the three men began using their botnet for far more subtle and less noisy criminal moneymaking schemes, including click fraud — a form of online advertising fraud that costs advertisers billions of dollars each year.
In September 2016, KrebsOnSecurity was hit with a record-breaking denial-of-service attack from tens of thousands of Mirai-infected devices, forcing this site offline for several days. Using the pseudonym “Anna_Senpai,” Jha admitted to a friend at the time that the attack on this site was paid for by a customer who rented tens of thousands of Mirai-infected systems from the trio.
In January 2017, KrebsOnSecurity published the results of a four-month investigation into Mirai which named both Jha and White as the likely co-authors of the malware. Eleven months later, the U.S. Justice Department announced guilty pleas by Jha, White and Norman.
Prior to Tuesday’s sentencing, the Justice Department issued a sentencing memorandum that recommended lenient punishments for the three men. FBI investigators argued the defendants deserved light sentences because they had provided the government “extraordinary cooperation” in identifying other cybercriminals engaged in related activity and helping to thwart massive cyberattacks on several companies.
The government said Jha was especially helpful, devoting hundreds of hours of work in helping investigators. According to the sentencing memo, Jha has since landed a part-time job at at a cybersecurity firm, although the government declined to name his employer.
However, Jha is not quite out of the woods yet: He has also admitted to using Mirai to launch a series of punishing cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. Jha is slated to be sentenced next week in New Jersey for those crimes.
The Mirai case was prosecuted out of Alaska because the lead FBI agent in the investigation, 36-year-old Special Agent Elliott Peterson, is stationed there. Peterson was able to secure jurisdiction for the case after finding multiple DVRs in Alaska infected with Mirai. Last week, Peterson traveled to Washington, D.C. to join several colleagues in accepting the FBI’s Director Award — the bureau’s highest honor — for the Mirai investigation.
Nice, really nice. Sets a shining precedent for consequences for cyber-attacks that effect millions.
Really nice work there Justice Department, I’m sure no other attackers will look at this and think “wow, I should create a botnet and get a high paying job in Silicon Valley”.
+1 Alex B
They were basically kids, and the FBI likely made them work tooth and nail ratting people out, recording conversations, setting up stings, writing software, and investigating suspects. They’ve paid a price.
They probably should’ve served at least a bit of jail time (and Jha still might serve time for his massive and rampant DDoS attacks against his own university), but they’re not just being given a slap on the wrist. They effectively chose slavery to the FBI over jail.
At the very least, I doubt any of them will be DDoSing anyone ever again, and with luck, maybe they’ll help prevent and stop other large DDoSs.
Are you ever in lala land!
Snitches get stitches.
Perhaps one of the pinky rings they ratted out will provide them with an opportunity to get a few.
Fat doughy nerds are passed around like treats in federal penitentiaries.
It’ll do them good though, force them to learn a little humility and regret for making such a monumental and colossal failure of the life they were given.
They’ll come out a little wiser and no worse for the wear. Well, except for one part of their anatomy. That thing’s gonna get wrecked.
Except that these three are on probation. They managed to cut a deal that keeps them out of prison. And I disapprove of this fixation so many of the commenters here have with anal rape. What’s wrong with you people?
The enemy of my enemy is my friend. These individuals appear to be very highly skilled. A better use of their time is to put them to work on the right side of the law. The government has done this many times before. The subject of “Catch Me if You Can” Frank Abagnale comes to mind when I read this.
When their probation is over with , all three of these idiots they will get high paying jobs at some internet security company for doing their misdeeds. Irony ?
Good. Everyone should get the opportunity to use demonstrable skills to improve lives and make a living.
This has got to be so very demoralizing to the people who spent countless hours gathering and tracing evidence. Given how hard it is to investigate cyber-crime, it’s a wonder that many cases get investigated enough to be prosecuted.
Only to have the judge sweep away the seriousness of the crime and give so very little punishment is crushing. I wonder if the judge is aware of the total economic damages?
It was the FBI and Justice Department that argued for the lenient sentences, not the judge. The judge just followed their recommendations.
I don’t agree with it either, but when the investigators themselves do that kind of thing, it probably would boggle the mind how much info they got out of these three.
No honor among thieves, I guess.
Would you have preferred they said nothing and went to jail on the taxpayer’s dime? Wouldn’t you want them to out others engaging in this behavior?
I would have preferred that there be an example of the consequences of doing this kind of thing that we, the security professionals and journalists like Brian, could trumpet from the rooftops to discourage anti-social behavior.
What happens to these three is really irrelevant. We need a deterrent, not a social program.
If you’re basically a kid and an FBI agent and a prosecutor says “you’re going to spend the next 10 to 20 years in federal prison, or you can help us”, it’s usually not a hard decision to make.
Drag kids into a box in Alaska and they’ll plead to whatever you want, even a non-crime.
Are you saying that creating and distributing Mirai was a non-crime?
Yes, that’s exactly what I said.
People like you make the Internet suck.
Perhaps now that these cretins have been convicted (even if they didn’t serve jail time) that will make it easier for persons injured in some way — eg purloined husband/wife sex video put up on the internet — to sue them in civil court into a lifetime of poverty. I certainly hope so.
Why? So they can turn to cybercrime yet again because the other option is poverty? Also, Im not sure what the Mirai botnet has to do with someones sex tape being released online.
Jeff, do you know what DDOS is?
Like the old saying goes “Don’t hate the player, hate the game.”
What about all the hackers that are guilty of similar crimes in other nations that have been weaponized by their governments? How does letting these talented individuals rot in prison help the United States?
Also, these offenses are not as heinous as say… Swatting.
So my question is; why the sour grapes? They rolled the dice, took their chances and put their money on the table and won.
Correction: they put *OUR* money on the table and won.
by “Money” I was referring to their freedom/criminal record.
Personally, Id be willing to bet some of the sour grapes is coming from those they ratted on and criminals pissed that they turned on them. Anyone expressing genuine anger or rage over this seems to me to be more likely involved in cybercrime then someone who was a victim of theirs. I could be wrong though.
There’s no “could” about it. Seriously, you’re suggesting that the folks here (and I’m guessing elsewhere) that are unhappy with the result of the case are all cyber criminals these guys ratted out? Seriously? I mean …
Take a breath, think this through and try again.
Im referring to some of the more angry posts, people wishing harm upon these guys, getting really disproportionately angry. One post above suggests “snitches get stitches”, thats what criminals tell each other. Another suggests they deserve to be anally raped in prison. Combine that with the the fact that the very people Krebs reports on are often found commenting on these articles, and I dont find it at all unlikely that at least some of those posts are from people engaged in cybercrime.
To tell you the truth, I somehow missed the “some” you put in your original post. I have no idea how I managed to do it, but there you are. So … my bad. I think what you’re suggesting is pretty unlikely but do agree it’s absolutely possible. I therefore retract my previous response.
Methinks many react too fast. While I too would love to see these a$$holes spend years in prison, its apparent they rolled over big. Like it or not, that comes with a price.
Meanwhile nothing, I would expect, stops lawsuits seeking damages. They are now for sure guilty, and given the soul sucking behavior of some ambulance chasers, I’m sure lawsuits aplenty will soon appear. Lots of folks damaged, right?
If they have no money to sue for, why would any attorney take the case?
One suggestion. Since they have no money, they can’t afford attorneys to defend themselves. The suing attorney can get a decent judgment with very little effort. If the perps ever make any real money (and the suing attorney and clients keep their liens up to date), that means a stead source of some income down the line.
Meanwhile the corporate criminals who poison and enslave trillions, the bankers who finance it all and load the masses with debt, the politicians who make it all legal, the media who manufactures ignorance and consent…
All go unpunished. But yeah, good thing we caught and punished these monsters, world is clearly a much better place now.
Trillions? of what? Must be dollars or some other currency denomination. Global human population estimates show there are currently 7.5 billion alive now and since the advent of homo sapiens “….108 billion members of our species have ever been born”
So if you are going to debate, try to at least be somewhat accurate in your statements. Otherwise you sound just like the politicians you are angry at.
Suggest you take a debate class where you have to research your arguments in advance of the debate. You’ll learn fun stuff like, “ad hominin attacks, “red herrings,” and “straw man (person?) arguments”.
So, Brian, how you feel about the level of punishment these cretins have received so far? In your opinion, as one of the victims, does the punishment fit the crime?
no jail. lets encourage others to do the same thing. since nothing will happen to them. what a bunch of BS.
I understand being able to offer lesser sentences is a powerful tool for investigators to obtain evidence for further prosecutions. I thought though it was to be able to go after the masterminds of major criminal operations. It seems as though these guys were the masterminds. My best guess is the info the had was leads on downloads and users of the open sourced mirai. So they essentially created their own get out of jail (albeit not free) card. I think they should have been facing potential charges for each documented count of use of the mirai code. Then offer reducing this mountain of charges to just what ddos they effected for eliciting their cooperation.
What happened to being barred from working in the field where one has caused mayhem? Justified here.
I don’t feel justice has been served here. I think it is a slap on the wrist.
“It’s called flipping and it almost ought to be illegal.” Is there a pardon waiting for these two ar$e clowns after they “help out” with the mid-term elections?
Here’s a bit more detail on what they’ve been doing for the govt. since capture.
Thank you! Despite our desires otherwise as we get older LIFE IS COMPLICATED. Catchy slogans and abrupt judgments are entertaining but not much use in dealing with reality.
I’ve gotta disagree why the case was prosecuted out of Alaska. It had nothing to do with the lead investigator, who could be flown around on the government’s dime.
It was all about separating these defenders from their families and legal resources, to pressure them into guilty pleas.
Let’s not pretend that the government’s case was strong. This was a case ripe for jury nullification, as the charges were nonsense non-crimes with no permanent damages, involving writing first amendment protected code.
The only reason it resulted in guilty pleas is that these kids were dragged to Alaska and coerced.
defendants, not defenders
Offcourse they avoid !!
They can get lawers and stay out from the jail
Jail is for uneducated criminals not for sophisficated people
Kudos to you, Brian, for your excellent detective work. I’m sure the FBI was aided in large part by the publishing of your exhaustive investigation.
I think these kids got the appropriate punishment, and further incarceration is not warranted. This should be a big lesson learned.
@readership1, “ …non-crimes….”? You should have a look at 18 USC.1030.
A law forbidding an activity doesn’t make something a crime. It just makes for a bad law.
Why is it a crime? There’s a law….
Why is there a law? It’s criminal…
Actually, violating a (criminal statute) law is the actual definition of the word “crime”. You may disagree with the law, but it is still a crime
This is right in line with the liberal left justice department. Free the foreign born criminal, nail the Americans that have been paying their taxes and building this country for probably generations. What’s not to like?
Shut up and go back to your hidey-hole somewhere in Russia, troll.
“This is right in line with the liberal left justice department.”
Yeah, so liberal that it’s run by Trump-appointed Republicans, that one?
Moron lol. Trump should have colluded with smarter traitors.
Pretty stark contrast with the government’s prosecution of Aaron Swartz, who wasn’t actually a criminal.
Does this mean that folks investigating/prosecuting ‘cyber-crime’ learned something from the bully-to-death approach, or does it more likely point to how federal prosecutors just love *real* criminals, because they understand them. How much money did these folks make with all their fraudulent schemes, botnet rentals, etc etc etc?
I am no fan of sending *anyone* to prison in the US, that institution is over it’s head sunk in a pit of corruption and horror. But that said, , , wtf?
Funny reading these comments. A bunch of old nerds mad because someone who actually was dedicated to learn made it out the easy way and now is about to make 6 figures a year while you guys are still paying off your college debt lul.
Man who shared Deadpool movie on Facebook faces 6 months in jail
20 Sep 2018
by Danny Bradbury
While the real criminal gets an inconvenience.
Neither should’ve faced jail.
I find it curious how so many people who have apparently no information on what the justice department knew have such strong opinions on the justice meted out. Having strong opinions without even close to a full data set is quite illogical
To all the commenters who want these people “taught a lesson.” Hmm, given the recidivism rates it doesn’t seem like prison teaches people much other than how to go back to prison.
To all the commenters who seem to get their jollies by thinking about these criminals being abused by other prisoners, I am not sure that would happen. I could easily imagine they would be seen as important assets to be recruited for any number of nefarious schemes. Not every person in prison is a knuckle-dragging neanderthal.
I do find the FBI and DOJ decision rather odd. But I have to leave it to them as they have the data and the expertise. For me to have an opinion is fine, that is what brain’s tend to do, intelligent or not. But I should have the intelligence to know that my opinion is based on little factual information and less expertise in dealing with criminals, and therefore not fool myself into thinking my opinion is worth anything.
Brian, this article seems to suggest credit freezes are more bad than good. I’m not buying it, but would you care to comment? https://www.fool.com/amp/investing/2018/09/22/why-freezing-your-credit-is-usually-a-bad-idea.aspx
The Scan4you provider of anti-antimalware service just got 14 years in prison though they never attacked anyone themselves. People just used their service. How does that align with Mirai?
Universities (e.g. Rutgers) should each have a mandatory (non-elective) undergraduate ethics class.
Many years ago (in the 80s), my alma mater had a rule: hack and get caught – suspended from *all* university studies for 10 years. Hack and tell them how you did it *before* you get caught – extra credit 🙂 Worked as an incentive for a number of us….
Quote: “Last week, Peterson traveled to Washington, D.C. to join several colleagues in accepting the FBI’s Director Award — the bureau’s highest honor — for the Mirai investigation.”
I hope you got at least an honourable mention for your efforts Brian.
Who is who?
How do you stop a DVR from becoming infected? My DVR has no password.