Three defendants have pleaded guilty to charges involving Mirai, a tool used to throw websites offline that was released to the public and eventually used against Twitter, The New York Times and Netflix.
Paras Jha, Josiah White and Dalton Norman pleaded guilty to charges stemming from Mirai in Alaska last week, according to court documents unsealed on Tuesday.
Mirai launches distributed denial of service (DDoS) attacks, coordinated floods of traffic so large they overwhelm victims’ servers and force them to crash or severely slow. Mirai generated the traffic by creating networks of hacked internet-connected devices, such as security cameras, and having them all contact a target at the same time.
{mosads}
Mirai served as an automated platform for hacking the devices and built networks so big they broke several records for the size of DDoS attacks.
The most famous victims of the Mirai attacks were security journalist Brian Krebs and the internet infrastructure company Dyn. Dyn, which serves as a switchboard that connects users with sites such as Twitter, The New York Times, Netflix, Etsy and others, brought its clients down with it.
The trio later launched a “click fraud” botnet, designed to scam online ad networks through simulating clicks on advertisements. Several ad networks offer a small sum to website owners per ad clicked.
Jha, White and Norman admitted to taking part in the design of Mirai, with Jha also admitting to participating in selling access to the botnet for others to use in attacks and promoting Mirai on criminal web forums. One of the accounts used to promote the service was “Anna-Senpai,” an account that eventually posted the source code for users to download for free.
Jha separately pleaded guilty in a New Jersey court of launching several attacks on Rutgers University, where he was a student. During those attacks, he taunted the Rutgers tech staff. Though prosecutors said damages will be assessed at sentencing, prosecutors said those damages will total between $3.5 million and $9.5 million per the plea agreement.
—Updated at 2:54 p.m.