{
	"id": "29406799-3e2d-4557-8d5f-6abb507beda2",
	"created_at": "2026-04-06T00:10:19.080254Z",
	"updated_at": "2026-04-10T03:33:01.994496Z",
	"deleted_at": null,
	"sha1_hash": "48bd055cb32a4cad45c18dcc319d3f26afb7118f",
	"title": "Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1731049,
	"plain_text": "Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got\r\nIndicted\r\nPublished: 2018-09-03 · Archived: 2026-04-05 20:17:56 UTC\r\nA 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly\r\noperating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless\r\nrouters and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s\r\nalleged alter ego has been relentless in seeking media attention for this global crime machine.\r\nSchuchman, in an undated photo posted online and referenced in a “dox,” which alleged in Feb. 2018 that\r\nSchuchman was Nexus Zeta.\r\nThe Daily Beast‘s Kevin Poulsen broke the news last week that federal authorities in Alaska indicted Kenneth\r\nCurrin Schuchman of Washington on two counts of violating the Computer Fraud and Abuse Act by using\r\nmalware to damage computers between August and November 2017.\r\nThe 3-page indictment (PDF) is incredibly sparse, and includes few details about the meat of the charges against\r\nSchuchman. But according to Poulsen, the charges are related to Schuchman’s alleged authorship and use of the\r\nSatori botnet. Satori, also known as “Masuta,” is a variant of the Mirai botnet, a powerful IoT malware strain that\r\nfirst came online in July 2016.\r\n“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable\r\nabout hacking,” Poulsen notes.\r\nSchuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy\r\nne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. 
In\r\nJanuary 2018, Nexus Zeta changed the login page for his botnet control panel that he used to remotely control his\r\nhacked routers to include a friendly backhanded reference to this author:\r\nhttps://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/\r\nPage 1 of 8\n\nThe login prompt for Nexus Zeta’s IoT botnet included the message “Masuta is powered and hosted on Brian\r\nKreb’s [sic] 4head.” To be precise, it’s a 5head.\r\nThis wasn’t the first time Nexus Zeta said hello. In late November 2017, he chatted me up on Twitter and\r\nJabber instant message for several days. Most of the communications came from two accounts:\r\n“9gigs_ProxyPipe” on Twitter, and ogmemes123@jabber.ru (9gigs_ProxyPipe would later change its Twitter\r\nalias to Nexus Zeta, and Nexus Zeta himself admitted that 9gigs_ProxyPipe was his Twitter account.)\r\nIn each case, this person wanted to talk about a new IoT botnet that he was “researching” and that he thought\r\ndeserved special attention for its size and potential disruptive impact should it be used in a massive Distributed\r\nDenial-of-Service (DDoS) attack aimed at knocking a Web site offline — something for which Satori would soon\r\nbecome known.\r\nA Jabber instant message conversation with Nexus Zeta on Nov. 29, 2017.\r\nNexus Zeta’s Twitter nickname initially confused me because both 9gigs and ProxyPipe are names claimed by\r\nRobert Coelho, owner of ProxyPipe hosting (9gigs is a bit from one of Coelho’s Skype account names). Coelho’s\r\nsleuthing was quite instrumental in helping to unmask 21-year-old New Jersey resident Paras Jha as the author of\r\nthe original Mirai IoT botnet (Jha later pleaded guilty to co-authoring and using Mirai and is due to be sentenced\r\nthis month in Alaska and New Jersey). 
“Ogmemes” is from a nickname used by Jha and his Mirai botnet co-author.\r\nOn Nov. 28, 2017, 9gigs_ProxyPipe sent a message to the KrebsOnSecurity Twitter account:\r\n“I have some information in regards to an incredibly dangerous IoT botnet you may find interesting,” the Twitter\r\nmessage read. “Let me know how you would prefer to communicate assuming you are interested.”\r\nWe connected on Jabber instant message. In our chats, Ogmemes123 said he couldn’t understand why nobody had\r\nnoticed a botnet powered by a Mirai variant that had infected hundreds of thousands of IoT devices (he estimated\r\nthe size of the botnet to be about 300,000-500,000 at the time). He also talked a lot about how close he was with\r\nJha. Nexus Zeta’s Twitter account profile photo is a picture of Paras Jha. He also said he knew this new botnet was\r\nbeing used to attack ProxyPipe.\r\nLess than 24 hours after that tweet from Nexus Zeta, I heard from ProxyPipe’s Coelho. They were under attack\r\nfrom a new Mirai variant.\r\n“We’ve been mitigating attacks recently that are about 270 gigabits [in volume],” Coelho wrote in an email.\r\n“Looks like somebody tagged you on Twitter pretending to be from ProxyPipe — likely the attacker? Just wanted\r\nto give you a heads up since that is not us, or anyone that works with ProxyPipe.”\r\nFrom reviewing Nexus Zeta’s myriad postings on the newbie-friendly hacker forum Hackforums-dot-net, it was\r\nclear that Nexus Zeta was an inexperienced, impressionable young man who wanted to associate himself with\r\npeople closely tied to the 2017 whodunnit over the original Mirai IoT botnet variant. He also asked other\r\nHackforums members for assistance in assembling his Mirai botnet:\r\nSome of Nexus Zeta’s posts on Hackforums, where he asks for help in setting up a Mirai botnet variant. 
\r\nIn one conversation with Ogmemes123, I lost my cool and told him to quit running botnets or else go bore\r\nsomebody else with his quest for publicity. He mostly stopped bugging me after that. That same day, Nexus Zeta\r\nspotted a tweet from security researcher Troy Mursch about the rapid growth of a new Mirai-like botnet.\r\n“This is an all-time record for the most new unique IP addresses that I’ve seen added to the botnet in one day,”\r\nMursch tweeted of the speed with which this new Mirai strain was infecting devices.\r\nFor weeks after that tweet, Nexus Zeta exchanged private Twitter messages with Mursch and his team of botnet\r\nhunters at Bad Packets LLC in a bid to get them to Tweet or write about Satori/Masuta.\r\nThe following screenshots from their private Twitter discussions, republished with Mursch’s permission, showed\r\nthat Nexus Zeta kept up the fiction about his merely “researching” the activities of Satori. Mursch played along,\r\nand asked gently probing questions about the size, makeup and activities of a rapidly growing Satori botnet.\r\n9gigs_ProxyPipe (a.k.a. Nexus Zeta allegedly a.k.a. Kenneth Schuchman) reaches out to security researcher Troy\r\nMursch of Bad Packets LLC.\r\nEarly in their conversations, Nexus Zeta says he is merely following the visible daily Internet scanning that Satori\r\ngenerated in a constant search for newly infectable IoT devices. But as their conversations continue over several\r\nweeks, Nexus Zeta intimates that he has much deeper access to Satori.\r\nIn this conversation from Nov. 
29, 2017 between Nexus Zeta/9gigs_Proxypipe and Troy Mursch, the former says\r\nhe is seeing lots of Satori victims from Argentina, Colombia and Egypt.\r\nAlthough it long ago would have been easy to write a series of stories about this individual and his exploits, I had\r\nzero interest in giving him the attention he clearly craved. But thanks to naivete and apparently zero sense of self-preservation, Nexus Zeta didn’t have to wait long for others to start connecting his online identities to his offline\r\nworld.\r\nOn Dec. 5, Chinese cybersecurity firm Netlab360 released a report on Satori noting that the IoT malware was\r\nspreading rapidly to Chinese-made Huawei routers with the help of two security vulnerabilities, including one\r\n“zero day” flaw that was unknown to researchers at the time. The report said a quarter million infected devices\r\nwere seen scanning for vulnerable systems, and that much of the scanning activity traced back to infected systems\r\nin Argentina, Colombia and Egypt, the same hotspots that Nexus Zeta cited in his Nov. 29 Twitter chat with Troy\r\nMursch (see screen shot directly above).\r\nIn a taunting post published Dec. 29, 2017 titled “Good Zero Day Kiddie,” researchers at Israeli security firm\r\nCheckPoint pointed out that the domain name used as a control server to synchronize the activities of the Satori\r\nbotnet — nexusiotsolutions-dot-net — was registered in 2016 to the email\r\naddress nexuszeta1337@gmail.com. 
The CheckPoint report noted the name supplied in the original registration\r\nrecords for that domain was a “Caleb Wilson,” although the researchers correctly noted that this could be a\r\npseudonym.\r\nPerhaps the CheckPoint folks also knew the following tidbit, but chose not to publish it in their report: The email\r\naddress nexuszeta1337@gmail.com was only ever used to register a single domain name (nexusiotsolutions-dot-net), according to a historic WHOIS record search at Domaintools.com [full disclosure: DomainTools is an\r\nadvertiser on this site.] But the phone number in that original domain name record was used to register one other\r\ndomain: zetastress-dot-net (a “stresser” is another name for a DDoS-for-hire-service). The registrant name listed\r\nin that original record? You guessed it:\r\nRegistrant Name: kenny Schuchman\r\nRegistrant Organization: ZetaSec Inc.\r\nRegistrant Street: 8709 Ne Mason Dr, No. 4\r\nRegistrant City: Vancouver\r\nRegistrant State/Province: Washington\r\nRegistrant Postal Code: 98662\r\nRegistrant Country: US\r\nRegistrant Phone: +1.3607267966\r\nRegistrant Phone Ext:\r\nRegistrant Fax:\r\nRegistrant Fax Ext:\r\nRegistrant Email: kenny.windwmx79@outlook.com\r\nIn April 2018 I heard from a source who said he engaged Nexus Zeta in a chat about his router-ravaging botnet\r\nand asked what kind of router Nexus Zeta trusted. 
According to my source, Nexus Zeta shared a screen shot of the\r\noutput from his wireless modem’s Web interface, which revealed that he was connecting from an Internet service\r\nprovider in Vancouver, Wash., where Schuchman lives.\r\nThe Satori botnet author shared this screen shot of his desktop, which indicated he was using an Internet\r\nconnection in Vancouver, Washington — where Schuchman currently lives with his father.\r\n“During our discussions, I learned we have the same model of router,” the source said. “He asked me my router\r\nmodel, and I told him. He shared that his router was also an ActionTec model, and sent a picture. This picture\r\ncontains his home internet address.”\r\nThis matched a comprehensive “dox” that someone published on Pastebin in Feb. 2018, declaring Nexus Zeta to\r\nbe 20-year-old Kenneth Currin Schuchman from Vancouver, Washington. 
The dox said Schuchman used the\r\naliases Nexus Zeta and Caleb Wilson, and listed all of the email addresses tied to Nexus Zeta above, plus his\r\nfinancial data and physical address.\r\n“Nexus is known by many to be autistic and a compulsive liar,” the dox begins.\r\n“He refused to acknowledge that he was wrong or apologize, and since he has extremely poor opsec\r\n(uses home IP on everything), we have decided to dox him.\r\nHe was only hung around by few for the servers he had access to.\r\nHe lies about writing exploits that were made before his time, and faking bot counts on botnets he\r\nmade.\r\nHe’s lied about having physical contact with Anna Senpai (Author of Mirai Botnet).”\r\nAs detailed in the Daily Beast story and Nexus Zeta’s dox, Schuchman was diagnosed with Asperger Syndrome\r\nand autism disorder, and at one point when he was 15 Schuchman reportedly wandered off while visiting a friend\r\nin Bend, Ore., briefly prompting a police search before he was found near his mother’s home in Vancouver, Wash.\r\nNexus Zeta clearly had limited hacking skills initially and almost no operational security. Indeed, his efforts to\r\ngain notoriety for his illegal hacking activities eventually earned him just that, as it usually does.\r\nBut it’s clear he was a quick learner; in the span of about a year, Nexus Zeta was able to progress from a relatively\r\nclueless newbie to the helm of an international menace that launched powerful DDoS attacks while ravaging\r\nhundreds of thousands of systems.\r\nSource: https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/"
	],
	"report_names": [
		"alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted"
	],
	"threat_actors": [
		{
			"id": "c90b1108-7555-4e64-9bfe-1ef6bf2caf18",
			"created_at": "2023-01-06T13:46:38.739456Z",
			"updated_at": "2026-04-10T02:00:03.084254Z",
			"deleted_at": null,
			"main_name": "Nexus Zeta",
			"aliases": [],
			"source_name": "MISPGALAXY:Nexus Zeta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775791981,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48bd055cb32a4cad45c18dcc319d3f26afb7118f.pdf",
		"text": "https://archive.orkl.eu/48bd055cb32a4cad45c18dcc319d3f26afb7118f.txt",
		"img": "https://archive.orkl.eu/48bd055cb32a4cad45c18dcc319d3f26afb7118f.jpg"
	}
}