Three young men who developed and deployed the original Mirai IoT botnet malware were sentenced on Tuesday in an Alaskan federal court to five years probation – a lenient punishment earned through extensive cooperation with the FBI on other cyber-investigations.
Paras Jha, 22, of Fanwood, N.J.; Josiah White, 21, of Washington, Penn.; and Dalton Norman, 22, of Metairie, La. were also each ordered to pay US$ 127,000 (£96,319) in restitutions and serve 2,500 hours of community service that will require continued collaboration with law enforcement authorities and researchers on cyber-crime and cyber-security matters.
A 18 September Wired article citing additional court documents states the three men have already accumulated more than 1,000 hours of community service by lending their expertise to at least a dozen investigations. This reportedly includes efforts to reduce the impact of high-volume distributed denial of service (DDoS) attacks, counter a nation-state-backed APT group, and perhaps undercover work.
"All three have made efforts at positive professional and educational development with varying degrees of success, and indeed it was their collective lack of success in those fields that provided some of the motive to engage in the criminal conduct" in the first place, stated a sentencing memorandum filed by US prosecutors on 11 September. In recommending a lighter sentence to the court, the document cites "potential grounds for optimism regarding their prospects for rehabilitation and productive engagement in society after being sentenced in these cases. All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity."
Jha could still serve prison time for additional charges filed, in New Jersey, related to a 2016 Mirai-based DDoS attack he launched against Rutgers University, where he had been a student. The three men pleaded guilty in late 2017.
White, Jha, and Norman created the botnet in the summer and fall of 2016, recruiting scores of compromised IoT devices – including wireless cameras, routers, and digital video recorders – and using them to flood targets with DDoS traffic. Jha later released Mirai’s source code to evade identification as an author. This action led to others individuals developing numerous versions of the malware, including one that impacted the Domain Name System provider Dyn and disabled many popular websites on 21 October, 2016. Other versions have focused focus from DDoS attacks to other illegal activities such as cryptomining.
"Cyber-crime is a worldwide epidemic that reaches many Alaskans," said US Attorney Bryan Schroder in a DOJ press release. "The perpetrators count on being technologically one step ahead of law enforcement officials. The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber-criminals around the world."
"The sentences announced today would not have been possible without the cooperation of our partners in international law enforcement and the private sector," Jeffery Peterson, Special Agent in Charge of FBI’s Anchorage field office, also said in the release. "The FBI is committed to strengthening those relationships and finding innovative ways to counter cyber-crime. Cyber-criminals often develop their technical skills at a young age. This case demonstrates our commitment to hold criminals accountable while encouraging offenders to choose a different path to apply their skills."