{
	"id": "2caba659-cb4c-4aac-a943-d81b79c9f582",
	"created_at": "2026-04-06T00:16:49.696383Z",
	"updated_at": "2026-04-10T03:35:28.783515Z",
	"deleted_at": null,
	"sha1_hash": "6a1f2f73bb9349e951d3cf2f6282286f3a03ada0",
	"title": "Who is Anna-Senpai, the Mirai Worm Author?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2907202,
	"plain_text": "Who is Anna-Senpai, the Mirai Worm Author?\r\nPublished: 2017-02-11 · Archived: 2026-04-05 20:10:23 UTC\r\nOn September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware\r\nstrain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into\r\na botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack\r\n— using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack\r\narmies online.\r\nAfter months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity,\r\nand the identity of at least one co-conspirator who helped to write and modify the malware.\r\nMirai co-author Anna-Senpai leaked the source code for Mirai on Sept. 30, 2016.\r\nBefore we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written\r\non this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken\r\nmonths to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars\r\nthat preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve\r\nincluded a glossary.\r\nThe story you’re reading now is the result of hundreds of hours of research.  At times, I was desperately seeking\r\nthe missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts\r\nof information — much of it intentionally false or misleading — and left to search for kernels of truth hidden\r\namong the dross.  
If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can\r\ntell you that the sheer amount of persistence and investigative resources required to piece together who’s done\r\nwhat to whom (and why) in the online era is tremendous.\r\nAs noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses,\r\ngovernmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service” (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target\r\nhttps://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/\r\nPage 1 of 24\n\nwith so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks\r\ntypically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.\r\nA great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are\r\nessentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks.  And as\r\nwe will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those\r\ninvolved down some very strange paths, indeed.\r\nTHE FIRST CLUES\r\nThe first clues to Anna-Senpai’s identity didn’t become clear until I understood that Mirai was just the latest\r\nincarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.\r\nEarlier this summer, my site was hit with several huge attacks from a collection of hacked IoT systems\r\ncompromised by a family of botnet code that served as a precursor to Mirai. 
The malware went by several names,\r\nincluding “Bashlite,” “Gafgyt,” “Qbot,” “Remaiten,” and “Torlus.”\r\nAll of these related IoT botnet varieties infect new systems in a fashion similar to other well-known Internet\r\nworms — propagating from one infected host to another. And like those earlier Internet worms, sometimes the\r\nInternet scanning these systems perform to identify other candidates for inclusion into the botnet is so aggressive\r\nthat it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is\r\ntrying to subvert and recruit into the botnet. This kind of self-defeating behavior will be familiar to those who\r\nrecall the original Morris Worm, NIMDA, CODE RED, Welchia, Blaster and SQL Slammer disruptions of\r\nyesteryear.\r\nInfected IoT devices constantly scan the Web for other IoT things to compromise, wriggling into devices that are\r\nprotected by little more than insecure factory-default settings and passwords. The infected devices are then forced\r\nto participate in DDoS attacks (ironically, many of the devices most commonly infected by Mirai and similar IoT\r\nworms are security cameras).\r\nMirai’s ancestors had so many names because each name corresponded to a variant that included new\r\nimprovements over time. In 2014, a group of Internet hooligans operating under the banner “lelddos” very\r\npublicly used the code to launch large, sustained attacks that knocked many Web sites offline.\r\nThe most frequent target of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer\r\ngame sold by Microsoft that can be played from any device and on any Internet connection.\r\nThe object of Minecraft is to run around and build stuff, block by large pixelated block. 
That may sound simplistic\r\nand boring, but an impressive number of people positively adore this game – particularly pre-teen males.\r\nMicrosoft has sold more than 100 million copies of Minecraft, and at any given time there are over a million\r\npeople playing it online. Players can build their own worlds, or visit a myriad other blocky realms by logging on\r\nto their favorite Minecraft server to play with friends.\r\nImage: Minecraft.net\r\nA large, successful Minecraft server with more than a thousand players logging on each day can easily earn the\r\nserver’s owners upwards of $50,000 per month, mainly from players renting space on the server to build their\r\nMinecraft worlds, and purchasing in-game items and special abilities.\r\nPerhaps unsurprisingly, the top-earning Minecraft servers eventually attracted the attention of ne’er-do-wells and\r\nextortionists like the lelddos gang. Lelddos would launch a huge DDoS attack against a Minecraft server, knowing\r\nthat the targeted Minecraft server owner was likely losing thousands of dollars for each day his gaming channel\r\nremained offline.\r\nAdding urgency to the ordeal, many of the targeted server’s loyal customers would soon find other Minecraft\r\nservers to patronize if they could not get their Minecraft fix at the usual online spot.\r\nRobert Coelho is vice president of ProxyPipe, Inc., a San Francisco company that specializes in protecting\r\nMinecraft servers from attacks.\r\n“The Minecraft industry is so competitive,” Coelho said. “If you’re a player, and your favorite Minecraft server\r\ngets knocked offline, you can switch to another server. But for the server operators, it’s all about maximizing the\r\nnumber of players and running a large, powerful server. The more players you can hold on the server, the more\r\nmoney you make. 
But if you go down, you start to lose Minecraft players very fast — maybe for good.”\r\nIn June 2014, ProxyPipe was hit with a 300 gigabit per second DDoS attack launched by lelddos, which had a\r\npenchant for publicly taunting its victims on Twitter just as it began launching DDoS assaults at the taunted.\r\nThe hacker group “lelddos” tweeted at its victims before launching huge DDoS attacks against them.\r\nAt the time, ProxyPipe was buying DDoS protection from Reston, Va.-based security giant Verisign. In a\r\nquarterly report published in 2014, Verisign called the attack the largest it had ever seen, although it didn’t name\r\nProxyPipe in the report – referring to it only as a customer in the media and entertainment business.\r\nVerisign said the 2014 attack was launched by a botnet of more than 100,000 servers running on SuperMicro IPMI\r\nboards. Days before the huge attack on ProxyPipe, a security researcher published information about a\r\nvulnerability in the SuperMicro devices that could allow them to be remotely hacked and commandeered for these\r\nsorts of attacks.\r\nTHE CENTRALITY OF PROTRAF\r\nCoelho recalled that in mid-2015 his company’s Minecraft customers began coming under attack from a botnet\r\nmade up of IoT devices infected with Qbot. 
He said the attacks were directly preceded by a threat made by a then-17-year-old Christopher “CJ” Sculti, Jr., the owner and sole employee of a competing DDoS protection\r\ncompany called Datawagon.\r\nDatawagon also courted Minecraft servers as customers, and its servers were hosted on Internet space claimed by\r\nyet another Minecraft-focused DDoS protection provider — ProTraf Solutions.\r\nChristopher “CJ” Sculti, Jr.\r\nAccording to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from\r\nProxyPipe. Coelho said in mid-2015, Sculti reached out to him on Skype and said he was getting ready to disable\r\nCoelho’s Skype account. At the time, an exploit for a software weakness in Skype was being traded online, and\r\nthis exploit could be used to remotely and instantaneously disable any Skype account.\r\nSure enough, Coelho recalled, his Skype account and two others used by co-workers were shut off just minutes\r\nafter that threat, effectively severing a main artery of support for ProxyPipe’s customers – many of whom were\r\naccustomed to communicating with ProxyPipe via Skype.\r\n“CJ messaged me about five minutes before the DDoS started, saying he was going to disable my skype,” Coelho\r\nsaid. “The scary thing about when this happens is you don’t know if your Skype account has been hacked and\r\nunder control of someone else or if it just got disabled.”\r\nOnce ProxyPipe’s Skype accounts were disabled, the company’s servers were hit with a massive, constantly\r\nchanging DDoS attack that disrupted ProxyPipe’s service to its Minecraft server customers. Coelho said within a\r\nfew days of the attack, many of ProxyPipe’s most lucrative Minecraft servers had moved over to servers protected\r\nby ProTraf Solutions.\r\n“In 2015, the ProTraf guys hit us offline tons, so a lot of our customers moved over to them,” Coelho said. 
“We\r\ntold our customers that we knew [ProTraf] were the ones doing it, but some of the customers didn’t care and\r\nmoved over to ProTraf anyway because they were losing money from being down.”\r\nI found Coelho’s story fascinating because it eerily echoed the events leading up to my Sept. 2016 record 620\r\nGbps attack. I, too, was contacted via Skype by Sculti — on two occasions. The first was on July 7, 2015, when\r\nSculti reached out apropos of nothing to brag about scanning the Internet for IoT devices running default\r\nusernames and passwords, saying he had uploaded some kind of program to more than a quarter-million systems\r\nthat his scans found.\r\nHere’s a snippet of that conversation:\r\nJuly 7, 2015:\r\n21:37 CJ: http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/\r\n21:37 CJ: vulnerable routers are a HUGE issue\r\n21:37 CJ: a few months ago\r\n21:37 CJ: I scanned the internet with a few sets of defualt logins\r\n21:37 CJ: for telnet\r\n21:37 CJ: and I was able to upload and execute a binary\r\n21:38 CJ: on 250k devices\r\n21:38 CJ: most of which were routers\r\n21:38 Brian Krebs: o_0\r\nThe second time I heard from Sculti on Skype was Sept. 20, 2016 — the day of my 620 Gbps attack. Sculti was\r\nangry over a story I’d just published that mentioned his name, and he began rather saltily maligning the reputation\r\nof a source and friend who had helped me with that story.\r\nIndignant on behalf of my source and annoyed at Sculti’s rant, I simply blocked his Skype account from\r\ncommunicating with mine and went on with my day. Just minutes after that conversation, however, my Skype\r\naccount was flooded with thousands of contact requests from compromised or junk Skype accounts, making it\r\nvirtually impossible to use the software for making phone calls or instant messaging.\r\nSix hours after that Sept. 
20 conversation with Sculti, the huge 620 Gbps DDoS attack commenced on this site.\r\nWHO IS LELDDOS?\r\nCoelho said he believes the main members of the lelddos gang were Sculti and the owners of ProTraf. Asked why he\r\nwas so sure of this, he recounted a large lelddos attack in early 2015 against ProxyPipe that coincided with a scam\r\nin which large tracts of Internet address space were temporarily stolen from the company.\r\nAccording to ProxyPipe, a swath of Internet addresses was hijacked from the company by FastReturn, a cloud\r\nhosting firm. Dyn, a company that closely tracks which blocks of Internet addresses are assigned to which\r\norganizations, confirmed the timing of the Internet address hijack that Coelho described.\r\nA few months after that attack, the owner of FastReturn — a young man named Ammar Zuberi — went to work as\r\na software developer for ProTraf. In the process, Zuberi transferred the majority of Internet addresses assigned to\r\nFastReturn over to ProTraf.\r\nZuberi told KrebsOnSecurity that he was not involved with lelddos, but he acknowledged that he did hijack\r\nProxyPipe’s Internet address space before moving over to ProTraf.\r\n“I was stupid and new to this entire thing and it was interesting to me how insecure the underlying ecosystem of\r\nthe Internet was,” Zuberi said. “I just kept pushing the envelope to see how far I could get with that, I guess. I\r\neventually realized though and got away from it, although that’s not really much of a justification.”\r\nAccording to Zuberi, CJ Sculti Jr. was a member of lelddos, as were the two co-owners of ProTraf. 
This is\r\ninteresting because not long after the September 2016 Mirai attack took this site offline, several sources who\r\nspecialize in lurking on cybercrime forums shared information suggesting that the principal author of\r\nBashlite/Qbot was a ProTraf employee: A 19-year-old computer whiz from Washington, Penn. named Josiah\r\nWhite.\r\nWhite’s profile on LinkedIn lists him as an “enterprise DDoS mitigation expert” at ProTraf, but for years he was\r\nbetter known to those in the hacker community under the alias “LiteSpeed.”\r\nLiteSpeed is the screen name White used on Hackforums[dot]net – a sprawling English-language marketplace\r\nwhere mostly young, low-skilled hackers can buy and sell cybercrime tools and stolen goods with ease. Until very\r\nrecently, Hackforums also was the definitive place to buy and sell DDoS-for-hire services.\r\nI contacted White to find out if the rumors about his authorship of Qbot/Bashlite were true. White acknowledged\r\nthat he had written some of Qbot/Bashlite’s components — including the code segment that the malware uses to\r\nspread the infection to new machines. But White said he never intended for his code to be sold and traded online.\r\nWhite claims that a onetime friend and Hackforums member nicknamed “Vyp0r” betrayed his trust and forced him\r\nto publish the code online by threatening to post White’s personal details online and to “swat” his home. Swatting\r\nis a potentially deadly hoax in which an attacker calls in a fake hostage situation or bomb threat at a residence or\r\nbusiness with the intention of sending a team of heavily-armed police officers to the target’s address.\r\n“Most of the stuff that I had wrote was for friends, but as I later realized, things on HF [Hackforums] tend to not\r\nremain private,” White wrote in an instant message to KrebsOnSecurity. “Eventually I learned they were reselling\r\nthem in under-the-table deals, and so I just released everything to stop that. 
I made some mistakes when I was\r\nyounger, and I realize that, but I’m trying to set my path straight and move on.”\r\nWHO IS PARAS JHA?\r\nWhite’s employer ProTraf Solutions has only one other employee – 20-year-old President Paras Jha, from\r\nFanwood, NJ. On his LinkedIn profile, Jha states that “Paras is a passionate entrepreneur driven by the want to\r\ncreate.” The profile continues:\r\n“Highly self-motivated, in 7th grade he began to teach himself to program in a variety of languages.\r\nToday, his skillset for software development includes C#, Java, Golang, C, C++, PHP, x86 ASM, not to\r\nmention web ‘browser languages’ such as Javascript and HTML/CSS.”\r\nJha’s LinkedIn page also shows that he has extensive experience running Minecraft servers, and that for several\r\nyears he worked for Minetime, one of the most popular Minecraft servers at the time.\r\nAfter first reading Jha’s LinkedIn resume, I was haunted by the nagging feeling that I’d seen this rather unique\r\ncombination of computer language skills somewhere else online. 
Then it dawned on me: The mix of programming\r\nskills that Jha listed in his LinkedIn profile is remarkably similar to the skills listed on Hackforums by none other\r\nthan Mirai’s author — Anna-Senpai.\r\nPrior to leaking the Mirai source code on HackForums at the end of September 2016, the majority of Anna-Senpai’s posts on Hackforums were meant to taunt other hackers on the forum who were using Qbot to build\r\nDDoS attack armies.\r\nThe best example of this is a thread posted to Hackforums on July 10, 2016 titled “Killing All Telnets,” in which\r\nAnna-Senpai boldly warns forum members that the malicious code powering his botnet contains a particularly\r\neffective “bot killer” designed to remove Qbot from infected IoT devices and to prevent systems infected with his\r\nmalware from ever being reinfected with Qbot again.\r\nAnna-Senpai warns Qbot users that his new worm (relatively unknown by its name “Mirai” at the time) was\r\ncapable of killing off IoT devices infected with Qbot.\r\nInitially, forum members dismissed Anna’s threats as idle taunts, but as the thread continues for page after page we\r\ncan see from other forum members that his bot killer is indeed having its intended effect. [Oddly enough, it’s very\r\ncommon for the authors of botnet code to include patching routines to protect their newly-enslaved bots from\r\nbeing compromised by other miscreants.  Just like in any other market, there is a high degree of competition\r\nbetween cybercrooks who are constantly seeking to add more zombies to their DDoS armies, and they often resort\r\nto unorthodox tactics to knock out the competition.  
As we’ll see, this kind of internecine warfare is a major\r\nelement in this story.]\r\n“When the owner of this botnet wrote a July 2016 Hackforums thread named ‘Killing all Telnets’, he was right,”\r\nwrote Allison Nixon and Pierre Lamy, threat researchers for New York City-based security firm Flashpoint.\r\n“Our intelligence around that time reflected a massive shift away from the traditional gafgyt infection patterns and\r\ntowards a different pattern that refused to properly execute on analysts’ machines. This new species choked out all\r\nthe others.”\r\nIt wasn’t until after I’d spoken with Jha’s business partner Josiah White that I began re-reading every one of Anna-Senpai’s several dozen posts to Hackforums. The one that made Jha’s programming skills seem familiar came on\r\nJuly 12, 2016 — a week after posting his “Killing All Telnets” discussion thread — when Anna-Senpai\r\ncontributed to a Hackforums thread started by a hacker group calling itself “Nightmare.”\r\nSuch groups or hacker cliques are common on Hackforums, and forum members can apply for membership by\r\nstating their skills and answering a few questions. Anna-Senpai posted his application for membership into this\r\nthread among dozens of others, describing himself thusly:\r\n“Age: 18+\r\nLocation and Languages Spoken: English\r\nWhich of the aforementioned categories describe you the best?: Programmer / Development\r\nWhat do you Specialize in? (List only): Systems programming / general low level languages (C +\r\nASM)\r\nWhy should we choose you over other applicants?: I have 8 years of development under my belt, and\r\nI’m very familiar with programming in a variety of languages, including ASM, C, Go, Java, C#, and\r\nPHP. I like to use this knowledge for personal gain.”\r\nThe Hackforums post shows Jha and Anna-Senpai have the exact same programming skills. 
Additionally,\r\naccording to an analysis of Mirai by security firm Incapsula, the malicious software used to control a botnet\r\npowered by Mirai is coded in Go (a.k.a. “Golang”), a somewhat esoteric programming language developed by\r\nGoogle in 2007 that saw a surge in popularity in 2016. Incapsula also said the malcode that gets installed on IoT\r\nbots is coded in C.\r\nDREADIS[NOT]COOL\r\nI began to dig deeper into Paras Jha’s history and footprint online, and discovered that his father in October 2013\r\nregistered a vanity domain for his son, parasjha.info. That site is no longer online, but a historic version of it\r\ncached by the indispensable Internet Archive includes a resume of Jha’s early work with various popular\r\nMinecraft servers. Here’s an autobiographical snippet from parasjha.info:\r\n“My passion is to utilize my skills in programming and drawing to develop entertaining games and\r\nsoftware for the online game ‘Minecraft.’ Someday, I plan to start my own enterprise focused on the\r\ngaming industry targeted towards game consoles and the mobile platform. To further my ideas and help\r\nthe gaming community, I have released some of my code to open source projects on websites centered\r\non public coding under the handle dreadiscool.”\r\nA Google search for this rather unique username “dreadiscool” turns up accounts by the same name at dozens of\r\nforums dedicated to computer programming and Minecraft. 
In many of those accounts, the owner is clearly\r\nfrustrated by incessant DDoS attacks targeting his Minecraft servers, and appears eager for advice on how best to\r\ncounter the assaults.\r\nFrom Dreadiscool’s various online postings, it seems clear that at some point Jha decided it might be more\r\nprofitable and less frustrating to defend Minecraft servers from DDoS attacks, as opposed to trying to maintain the\r\nservers themselves.\r\n“My experience in dealing with DDoS attacks led me to start a server hosting company focused on providing\r\nsolutions to clients to mitigate such attacks,” Jha wrote on his vanity site.\r\nSome of the more recent Dreadiscool posts date to November 2016, and many of those posts are lengthy\r\nexplanations of highly technical subjects. The tone of voice in these posts is far more confident and even\r\ncondescending than the Dreadiscool from years earlier, covering a range of subjects from programming to DDoS\r\nattacks.\r\nDreadiscool’s account on Spigot Minecraft forum since 2013 includes some interesting characters photoshopped\r\ninto this image.\r\nFor example, Dreadiscool has been an active member of the Minecraft forum spigotmc.org since 2013. This\r\nuser’s avatar (pictured above) on spigotmc.org is an altered image taken from the 1994 Quentin Tarantino cult hit\r\n“Pulp Fiction,” specifically from a scene in which the gangster characters Jules and Vincent are pointing their\r\npistols in the same direction. However, the heads of both actors have been digitally altered to include someone\r\nelse’s faces.\r\nPasted over the head of John Travolta’s character (left) is a real-life picture of Vyp0r — the Hackforums nickname\r\nof the guy that ProTraf’s Josiah White said threatened him into releasing the source code for Bashlite. On the\r\nshoulders of Samuel L. 
Jackson’s body is the face of Tucker Preston, co-founder of BackConnect Security — a\r\ncompeting DDoS mitigation provider that also has a history of hijacking Internet address ranges from other\r\nproviders.\r\nPictured below and to the left of Travolta and Jackson’s characters — seated on the bed behind them — is\r\n“Yamada,” a Japanese animation (“anime”) character featured in the anime movie B Gata H Kei.\r\nTurns out, there is a Dreadiscool user on MyAnimeList.net, a site where members proudly list the various anime\r\nfilms they have watched. Dreadiscool says B Gata H Kei is one of nine anime film series he has watched. Among\r\nthe other eight? The anime series Mirai Nikki, from which the Mirai malware derives its name.\r\nDreadiscool’s Reddit profile also is very interesting, and most of the recent posts there relate to major DDoS\r\nattacks going on at the time, including a series of DDoS attacks on Rutgers University. More on Rutgers later.\r\nA CHAT WITH ANNA-SENPAI\r\nAt around the same time as the record 620 Gbps attack on KrebsOnSecurity, French Web hosting giant OVH\r\nsuffered an even larger attack — launched by the very same Mirai botnet used to attack this site. Although this fact\r\nhas been widely reported in the news media, the reason for the OVH attack may not be so well known.\r\nAccording to a tweet from OVH founder and chief technology officer Octave Klaba, the target of that massive\r\nattack also was a Minecraft server (although Klaba mistakenly called the target “mindcraft servers” in his tweet).\r\nA tweet from OVH founder and CTO, stating the intended target of Sept. 
2016 Mirai DDoS on his company.\r\nIn the days following the attack on this site and on OVH, Anna-Senpai had trained his Mirai botnet on Coelho’s\r\nProxyPipe, completely knocking his DDoS mitigation service offline for the better part of a day and causing\r\nproblems for many popular Minecraft servers.\r\nUnable to obtain more bandwidth and unwilling to sign an expensive annual contract with a third-party DDoS\r\nmitigation firm, Coelho turned to the only other option available to get out from under the attack: Filing abuse\r\ncomplaints with the Internet hosting firms that were responsible for providing connectivity to the control server\r\nused to orchestrate the activities of the Mirai botnet.\r\n“We did it because we had no other options, and because all of our customers were offline,” Coelho said. “Even\r\nthough no other DDoS mitigation company was able to defend against these attacks [from Mirai], we still needed\r\nto defend against it because our customers were starting to move to other providers that attracted fewer attacks.”\r\nAfter scouring a list of Internet addresses tied to bots used in the attack, Coelho said he was able to trace the\r\ncontrol server for the Mirai botnet back to a hosting provider in Ukraine. That company — BlazingFast[dot]io —\r\nhas a reputation for hosting botnet control networks (even now, Spamhaus is reporting an IoT botnet controller\r\nrunning out of BlazingFast since Jan. 17, 2017).\r\nGetting no love from BlazingFast, Coelho said he escalated his complaint to Voxility, a company that was\r\nproviding DDoS protection to BlazingFast at the time.\r\n“Voxility acknowledged the presence of the control server, and said they null-routed [removed] it, but they\r\ndidn’t,” Coelho said. “They basically lied to us and didn’t reply to any other emails.”\r\nUndeterred, Coelho said he then emailed the ISP that was upstream of BlazingFast, but received little help from\r\nthat company or the next ISP further upstream. 
Coelho said the fifth ISP upstream of BlazingFast, however —\r\nInternet provider Telia Sonera — confirmed his report, and promptly had the Mirai botnet’s control server killed.\r\nAs a result, many of the systems infected with Mirai could no longer connect to the botnet’s control servers,\r\ndrastically reducing the botnet’s overall firepower.\r\n“The action by Telia cut the size of the attacks launched by the botnet down to 80 Gbps,” well within the range of\r\nProxyPipe’s in-house DDoS mitigation capabilities, Coelho said.\r\nIncredibly, on Sept. 28, Anna-Senpai himself would reach out to Coelho via Skype. Coelho shared a copy of that\r\nchat conversation with KrebsOnSecurity. The log shows that Anna correctly guessed ProxyPipe was responsible\r\nfor the abuse complaints that kneecapped Mirai. Anna-Senpai said he guessed ProxyPipe was responsible after\r\nreading a comment on a KrebsOnSecurity blog post from a reader who shared the same username as Coelho’s\r\nbusiness partner.\r\nIn the following chat, Coelho is using the Skype nickname “katie.onis.”\r\n[10:23:08 AM] live:anna-senpai: ^\r\n[10:26:08 AM] katie.onis: hi there.\r\n[10:26:52 AM] katie.onis: How can I help you?\r\n[10:28:06 AM] live:anna-senpai: hi\r\n[10:28:45 AM] live:anna-senpai: you know i had my suspicions, but this one was proof\r\nhttp://imgur.com/E1yFJOp [this is a benign/safe link to a screenshot of some comments on KrebsOnSecurity.com]\r\n[10:28:59 AM] live:anna-senpai: don’t get me wrong, im not even mad, it was pretty funny actually. 
nobody has\r\never done that to my c2 [Mirai “command and control” server]\r\n[10:29:25 AM] live:anna-senpai: (goldmedal)\r\n[10:29:29 AM] katie.onis: ah you’re mistaken, that’s not us.\r\n[10:29:33 AM] katie.onis: but we know who it is\r\n[10:29:42 AM] live:anna-senpai: eric / 9gigs\r\n[10:29:47 AM] katie.onis: no, 9gigs is erik\r\n[10:29:48 AM] katie.onis: not eric\r\n[10:29:53 AM] katie.onis: different people\r\n[10:30:09 AM] live:anna-senpai: oh?\r\n[10:30:17 AM] katie.onis: yep\r\n[10:30:39 AM] live:anna-senpai: is he someone related to you guys?\r\n[10:30:44 AM] katie.onis: not related to us, we just know him\r\n[10:30:50 AM] katie.onis: anyway, we’re not interested in any harm, we simply don’t want attacks against us.\r\n[10:31:16 AM] live:anna-senpai: yeah i figured, i added you because i wanted to tip my hat if that was actually\r\nyou lol\r\n[10:31:24 AM] katie.onis: we didn’t make that dumb post\r\n[10:31:26 AM] katie.onis: if that is what you are asking\r\n[10:31:30 AM] katie.onis: but yes, we were involved in doing that.\r\n[10:31:47 AM] live:anna-senpai: so you got it nulled, but some other eric is claiming credit for it?\r\n[10:31:52 AM] katie.onis: seems so.\r\n[10:31:52 AM] live:anna-senpai: eric with a c\r\n[10:31:56 AM] live:anna-senpai: lol\r\n[10:32:17 AM] live:anna-senpai: can’t say im surprised, tons of people take credit for things that they didn’t do if\r\nnobody else takes credit for\r\n[10:32:24 AM] katie.onis: we’re not interested in taking credit\r\n[10:32:30 AM] katie.onis: we just wanted the attacks to get smaller\r\nNOTICE AND TAKEDOWN\r\nOne reason Anna-Senpai may have been enamored of Coelho’s approach to taking down Mirai is that Anna-Senpai had spent the previous month doing exactly the same thing to criminals running IoT botnets powered by\r\nMirai’s top rival — Qbot.\r\nA month before this chat between Coelho and Anna-Senpai, Anna 
is busy sending abuse complaints to various\r\nhosting firms, warning them that they are hosting huge IoT botnet control channels that needed to be shut down.\r\nThis was clearly just part of an extended campaign by the Mirai botmasters to eliminate other IoT-based DDoS\r\nbotnets that might compete for the same pool of vulnerable IoT devices. Anna confirmed this in his chat with\r\nCoelho:\r\n[10:50:36 AM] live:anna-senpai: i have good killer so nobody else can assemble a large net\r\n[10:50:53 AM] live:anna-senpai: i monitor the devices to see for any new threats\r\n[10:51:33 AM] live:anna-senpai: and when i find any new host, i get them taken down\r\nThe ISPs or hosting providers that received abuse complaints from Anna-Senpai were all encouraged to reply to\r\nthe email address ogmemes123123@gmail.com for questions and/or confirmation of the takedown. ISPs that\r\ndeclined to act promptly on Anna-Senpai’s Qbot email complaints soon found themselves on the receiving end of\r\nenormous DDoS attacks from Mirai.\r\nFrancisco Dias, owner of hosting provider Frantech, found out firsthand what it would cost to ignore one of\r\nAnna’s abuse reports. In mid-September 2016, Francisco accidentally got into an Internet fight with Anna-Senpai.\r\nThe Mirai botmaster was using the nickname “jorgemichaels” at the time — and Jorgemichaels was talking trash\r\non LowEndTalk.com, a discussion forum for vendors of low-cost hosting.\r\nSpecifically, Jorgemichaels takes Francisco to task publicly on the forum for ignoring one of his Qbot abuse\r\ncomplaints. Francisco tells Jorgemichaels to file a complaint with the police if it’s so urgent. Jorgemichaels tells\r\nFrancisco to shut up, and when Francisco is silent for a while Jorgemichaels gloats that Francisco learned his\r\nplace. Francisco explains his further silence on the thread by saying he’s busy supporting customers, to which\r\nJorgemichaels replies, “Sounds like you just got a lot more customers to help. 
Don’t mess with the underworld\r\nfrancisco or it will harm your business.”\r\nShortly thereafter, Frantech is systematically knocked offline after being attacked by Mirai. Below is a fascinating\r\nsnippet from a private conversation between Francisco and Anna-Senpai/Jorgemichaels, in which Francisco kills\r\nthe reported Qbot control server to make Anna/Jorgemichaels call off the attack.\r\nUsing the nickname “jorgemichaels” on LowEndTalk, Anna-Senpai reaches out to Francisco Dias after Dias\r\nignores Anna’s abuse complaint. Francisco agrees to kill the Qbot control server only after being walloped with\r\nMirai.\r\nBack to the chat between Anna-Senpai and Coelho at the end of Sept 2016. Anna-Senpai tells Coelho that the\r\nattacks against ProxyPipe aren’t personal; they’re just business. Anna says he has been renting out “net spots” —\r\nsizable chunks of his Mirai botnet — to other hackers who use them in their own attacks for pre-arranged periods\r\nof time.\r\nBy way of example, Anna brags that as he and Coelho are speaking, the owners of a large Minecraft server were\r\npaying him to launch a crippling DDoS against Hypixel, currently the world’s most popular Minecraft server.\r\nKrebsOnSecurity confirmed with Hypixel that they were indeed under a massive attack from Mirai between Sept.\r\n27 and 30.\r\n[12:24:00 PM] live:anna-senpai: right now i just have a script sitting there hitting them for 45s every 20 minutes\r\n[12:24:09 PM] live:anna-senpai: enough to drop all players and make them rage\r\nCoelho told KrebsOnSecurity that the on-again, off-again DDoS attack method that Anna described using against\r\nHypixel was designed not just to cost Hypixel money. 
The purpose of that attack method, he said, was to\r\naggravate and annoy Hypixel’s customers so much that they might take their business to a competing Minecraft\r\nserver.\r\n“It’s not just about taking it down, it’s about making everyone who is playing on that server crazy mad,” Coelho\r\nexplained. “If you launch the attack every 20 minutes for a short period of time, you basically give the players just\r\nenough time to get back on the server and involved in another game before they’re disconnected again.”\r\nAnna-Senpai told Coelho that paying customers also were the reason for the 620 Gbps attack on KrebsOnSecurity.\r\nTwo weeks prior to that attack, I published the results of a months-long investigation revealing that “vDOS” —\r\none of the largest and longest-running DDoS-for-hire services — had been hacked, exposing details about the\r\nservice’s owners and customers.\r\nThe story noted that vDOS earned its proprietors more than $600,000 and was being run by two 18-year-old\r\nIsraeli men who went by the hacker aliases “applej4ck” and “p1st0”. Hours after that piece ran, Israeli authorities\r\narrested both men, and vDOS — which had been in operation for four years — was shuttered for good.\r\n[10:47:42 AM] live:anna-senpai: i sell net spots, starting at $5k a week\r\n[10:47:50 AM] live:anna-senpai: and one client was upset about applejack arrest\r\n[10:48:01 AM] live:anna-senpai: so while i was gone he was sitting on them for hours with gre and ack\r\n[10:48:14 AM] live:anna-senpai: when i came back i was like oh fuck\r\n[10:48:16 AM] live:anna-senpai: and whitelisted the prefix\r\n[10:48:24 AM] live:anna-senpai: but then krebs tweeted that akamai is kicking them off\r\n[10:48:31 AM] live:anna-senpai: fuck me\r\n[10:48:43 AM] live:anna-senpai: he was a cool guy too, i like his article\r\n[SIDE NOTE: If true, it’s ironic that someone would hire Anna-Senpai to attack my site in retribution for the\r\nvDOS story. 
That’s because the firepower behind applej4ck’s vDOS service was generated in large part by a\r\nbotnet of IoT systems infected with a Qbot variant — the very same botnet strain that Anna-Senpai and Mirai\r\nwere busy killing and erasing from the Internet.]\r\nCoelho told KrebsOnSecurity that if his side of the conversation reads like he was being too conciliatory to his\r\nassailant, that’s because he was wary of giving Anna a reason to launch another monster attack against ProxyPipe.\r\nAfter all, Coelho said, the Mirai attacks on ProxyPipe caused many customers to switch to other Minecraft\r\nservers, and Coelho estimates the attack cost the company between $400,000 and $500,000.\r\nNevertheless, about halfway through the chat Coelho gently confronts Anna on the consequences of his actions.\r\n[10:54:17 AM] katie.onis: People have a genuine reason to be unhappy though about large attacks like this\r\n[10:54:27 AM] live:anna-senpai: yeah\r\n[10:54:32 AM] katie.onis: There’s really nothing anyone can do lol\r\n[10:54:36 AM] live:anna-senpai: 😛\r\n[10:54:38 AM] katie.onis: And it does affect their lives\r\n[10:55:10 AM] live:anna-senpai: well, i stopped caring about other people a long time ago\r\n[10:55:18 AM] live:anna-senpai: my life experience has always been get fucked over or fuck someone else over\r\n[10:55:52 AM] katie.onis: My experience with [ProxyPipe] thus far has been\r\n[10:55:54 AM] katie.onis: Do nothing bad to anyone\r\n[10:55:58 AM] katie.onis: And still get screwed over\r\n[10:55:59 AM] katie.onis: Haha\r\nThe two even discussed anime after Anna-Senpai guessed that Coelho might be a fan of the genre. Anna-Senpai\r\nsays he watched the anime series “Gate,” a reference to the above-mentioned B Gata H Hei that Dreadiscool\r\nincluded in the list of anime film series he’s watched. 
Anna also confirms that the name for his bot malware was\r\nderived from the anime series Mirai Nikki.\r\n[5:25:12 PM] live:anna-senpai: i rewatched mirai nikki recently\r\n[5:25:22 PM] live:anna-senpai: (it was the reason i named my bot mirai lol)\r\nDREADISCOOL = ANNA = JHA?\r\nCoelho said when Anna-Senpai first reached out to him on Skype, he had no clue about the hacker’s real-life\r\nidentity. But a few weeks after that chat conversation with Anna-Senpai, Coelho’s business partner (the Eric\r\nreferenced in the first chat segment above) said he noticed that some of the code in Mirai looked awfully similar\r\nto code that Dreadiscool had posted to his Github account.\r\n“He started to come to the conclusion that maybe Anna was Paras,” Coelho said. “He gave me a lot of ideas, and\r\nafter I did my own investigation I decided he was probably right.”\r\nCoelho said he’s known Paras Jha for more than four years, having met him online when Jha was working for\r\nMinetime — which ProxyPipe was protecting from DDoS attacks at the time.\r\n“We talked a lot back then and we used to program a lot of projects together,” Coelho said. “He’s really good at\r\nprogramming, but back then he wasn’t. He was a little bit behind, and I was teaching him most everything.”\r\nAccording to Coelho, as Jha became more confident in his coding skills, he also grew more arrogant, belittling\r\nothers online who didn’t have as firm a grasp on subjects such as programming and DDoS mitigation.\r\n“He likes to be recognized for his knowledge, being praised and having other people recognize that,” Coelho said\r\nof Jha. 
“He brags too much, basically.”\r\nCoelho said not long after Minetime was hit by a DDoS extortion attack in 2013, Paras joined Hackforums and\r\nfairly soon after stopped responding to his online messages.\r\n“He just kind of dropped off the face of the earth entirely,” he said. “When he started going on Hackforums, I\r\ndidn’t know him anymore. He became a different person.”\r\nCoelho said he doesn’t believe his old friend wished him harm, and that Jha was probably pressured into attacking\r\nProxyPipe.\r\n“In my opinion he’s still a kid, in that he gets peer-pressured a lot,” Coelho said. “If he didn’t [launch the attack]\r\nnot only would he feel super excluded, but these people wouldn’t be his friends anymore, they could out him and\r\nscrew him over. I think he was pretty much in a really bad position with the people he got involved with.”\r\nTHE RUTGERS DDOS ATTACKS\r\nOn Dec. 16, security vendor Digital Shadows presented a Webinar that focused on clues about the Mirai author’s\r\nreal life identity. According to their analysis, before the Mirai author was known as Anna-Senpai on Hackforums,\r\nhe used the nickname “Ogmemes123123” (this also was the alias of the Skype username that contacted Coelho),\r\nand the email address ogmemes123123@gmail.com (recall this is the same email address Anna-Senpai used in his\r\nalerts to various hosting firms about the urgent need to take down Qbot control servers hosted on their networks).\r\nDigital Shadows noted that the Mirai author appears to have used another nickname: “OG_Richard_Stallman,” a\r\nlikely reference to the founder of the Free Software Foundation. 
The ogmemes123123@gmail.com account was\r\nused to register a Facebook account in the name of OG_Richard Stallman.\r\nThat Facebook account states that OG_Richard_Stallman began studying computer engineering at New\r\nBrunswick, NJ-based Rutgers University in 2015.\r\nAs it happens, Paras Jha is a student at Rutgers University. This is especially notable because Rutgers has been\r\ndealing with a series of DDoS attacks on its network since the fall semester of 2015 — more than a half dozen\r\nincidents in all. With each DDoS, the attacker would taunt the university in online posts and media interviews,\r\nencouraging the school to spend the money to purchase some kind of DDoS mitigation service.\r\nUsing the nicknames “og_richard_stallman,” “exfocus” and “ogexfocus,” the person who attacked Rutgers more\r\nthan a half-dozen times took to Reddit and Twitter to claim credit for the attacks. Exfocus even created his own\r\n“Ask Me Anything” interview on Reddit to discuss the Rutgers attacks.\r\nExfocus also gave an interview to a New Jersey-based blogger, claiming he got paid $500 an hour to DDoS the\r\nuniversity with as many as 170,000 bots. Here are a few snippets from that interview, in which he blames the\r\nattacks on a “client” who is renting his botnet:\r\n“Are you for real? Why would you do an interview with us if you’re getting paid?\r\nNormally I don’t show myself, but the entity paying me has something against the school. They want\r\nme to “make a splash”.\r\nWhy do you have a twitter account where you publicly broadcast patronizing messages. Are you\r\nworried that this increases the risk of things getting back to you?\r\nPublic twitter is on client’s request. The client hates the school for whatever reason. 
They told me to say\r\ngeneric things like that I hate the bus system and etc.\r\nHave you ever attacked RU before?\r\nDuring freshman registration the client requested it also – he didn’t want any publicity then though.\r\nWhat are your plans for the future in terms of DDOSing and attacking the Rutgers cyber\r\ninfrastructure?\r\nWhen I stop getting paid – I’ll stop DDosing lol. I’m hoping that RU will sign on some ddos mitigation\r\nprovider. I get paid extra if that happens.\r\nAt some point you said you were at the Livingston student center – outside of Sbarro. In this\r\ninterview you said that you aren’t affiliated directly with Rutgers, did you lie then?\r\nYes”\r\nAn online search for the Gmail address used by Anna-Senpai and OG_Richard_Stallman turns up a Pastebin post\r\nfrom July 1, 2016, in which an anonymous Pastebin user creates a “dox” of OG_Richard_Stallman. Doxing refers\r\nto the act of publishing someone’s personal information online and/or connecting an online alias to a real life\r\nidentity.\r\nThe dox said OG_Richard_Stallman was connected to an address and phone number of an individual living in\r\nTurkey. But this is almost certainly a fake dox intended to confuse cybercrime investigators. Here’s why:\r\nA Google search shows that this same address and phone number showed up in another dox on Pastebin from\r\nalmost three years earlier — June 2013 — intended to expose or confuse the identity of a Hackforums user known\r\nas LiteSpeed. Recall that LiteSpeed is the same alias that ProTraf’s Josiah White acknowledged using on\r\nHackforums.\r\nEXTORTION ATTEMPTS BY OG_RICHARD_STALLMAN\r\nThis OG_Richard_Stallman identity is connected to Anna-Senpai by another person we’ve heard from already:\r\nFrancisco Dias, whose Frantech ISP was attacked by Anna-Senpai and Mirai in mid-September. 
Francisco told\r\nKrebsOnSecurity that in early August 2016 he began receiving extortion emails from a Gmail address associated\r\nwith an OG_Richard_Stallman.\r\n“This guy using the Richard Stallman name added me on Skype and basically said ‘I’m going to knock all of your\r\n[Internet addresses] offline until you pay me’,” Dias recalled. “He told me the up front cost to stop the attack was\r\n10 bitcoins [~USD $5,000 at the time], and if I didn’t pay within four hours after the attack started the fee would\r\ndouble to 20 bitcoins.”\r\nDias said he didn’t pay the demand and eventually OG_Richard_Stallman called off the attack. But he said for a\r\nwhile the attacks were powerful enough to cause problems for Frantech’s Internet provider.\r\n“He was hitting us so hard with Mirai that he was dropping large parts of Hurricane Electric and causing problems\r\nat their Los Angeles point of presence,” Dias said. “I basically threw everything behind [DDoS mitigation\r\nprovider] Voxility, and eventually Stallman buggered off.”\r\nThe OG_Richard_Stallman identity also was tied to similar extortion attacks at the beginning of August against\r\none hosting firm that had briefly been one of ProTraf’s customers in 2016. The company declined to be quoted on\r\nthe record, but said it stopped doing business with ProTraf in mid-2016 because they were unhappy with the\r\nquality of service.\r\nThe Internet provider said not long after that it received an extortion demand from the “OG_Richard_Stallman”\r\ncharacter for $5,000 in Bitcoin to avoid a DDoS attack. One of the company’s researchers contacted the\r\nextortionist via the ogmemes123123@gmail.com address supplied in the email, but posing as someone who\r\nwished to hire some DDoS services.\r\nOG_Richard_Stallman told the researcher that he could guarantee 350 Gbps of attack traffic and that the target\r\nwould go down or the customer would receive a full refund. The price for the attack? 
USD $100 worth of Bitcoin\r\nfor every five minutes of attack time.\r\nMy source at the hosting company said his employer declined to pay the demand, and subsequently got hit with an\r\nattack from Mirai that clocked in at more than 300 Gbps.\r\n“Clearly, the attacker is very technical, as they attacked every single [Internet address] within the subnet, and after\r\nwe brought up protection, he started attacking upstream router interfaces,” the source said on condition of\r\nanonymity.\r\nAsked who they thought might be responsible for the attacks, my source said his employer immediately suspected\r\nProTraf. That’s because the Mirai attack also targeted the Internet address for the company’s home page, but that\r\nInternet address was hidden by DDoS mitigation firm Cloudflare. However, ProTraf knew about the secret address\r\nfrom its previous work with the company, the source explained.\r\n“We believe it’s Protraf’s staff or someone related to Protraf,” my source said.\r\nA source at an Internet provider agreed to share information about an extortion demand his company received\r\nfrom OG_Richard_Stallman in August 2016. Here he is contacting the Stallman character directly and pretending\r\nto be someone interested in renting a botnet. 
Notice the source brazenly said he wanted to DDoS ProTraf.\r\nDDOS CONFESSIONS\r\nAfter months of gathering information about the apparent authors of Mirai, I heard from Ammar Zuberi, once a\r\nco-worker of ProTraf President Paras Jha.\r\nZuberi told KrebsOnSecurity that Jha admitted he was responsible for both Mirai and the Rutgers DDoS attacks.\r\nZuberi said when he visited Jha at his Rutgers University dorm in October 2015, Paras bragged to him about\r\nlaunching the DDoS attacks against Rutgers.\r\n“He was laughing and bragging about how he was going to get a security guy at the school fired, and how they\r\nraised school fees because of him,” Zuberi recalled.  “He didn’t really say why he did it, but I think he was just\r\nsort of experimenting with how far he could go with these attacks.”\r\nZuberi said he didn’t realize how far Jha had gone with his DDoS attacks until he confronted him about it late last\r\nyear. Zuberi said he was on his way to see his grandmother in Arizona at the end of November 2016, and he had a\r\nlayover in New York. 
So he contacted Jha and arranged to spend the night at Jha’s home in Fanwood, New Jersey.\r\nAs I noted in Spreading the DDoS Disease and Selling the Cure, Anna-Senpai leaked the Mirai code on a domain\r\nname (santasbigcandycane[dot]cx) that was registered via Namecentral, an extremely obscure domain name\r\nregistrar which had previously been used to register fewer than three dozen other domains over a three-year\r\nperiod.\r\nAccording to Zuberi, only five people knew about the existence of Namecentral: himself, CJ Sculti, Paras Jha,\r\nJosiah White and Namecentral’s owner Jesse Wu (19-year-old Wu features prominently in the DDoS Disease\r\nstory linked in the previous paragraph).\r\n“When I saw that the Mirai code had been leaked on that domain at Namecentral, I straight up asked Paras at that\r\npoint, ‘Was this you?,’ and he smiled and said yep,” Zuberi recalled. “Then he told me he’d recently heard from an\r\nFBI agent who was investigating Mirai, and he showed me some text messages between him and the agent. He\r\nwas pretty proud of himself, and was bragging that he led the FBI on a wild goose chase.”\r\nZuberi said he hasn’t been in contact with Jha since visiting his home in November. Zuberi said he believes Jha\r\nwrote most of the code that Mirai uses to control the individual bot-infected IoT devices, since it was written in\r\nGolang and Jha’s partner White didn’t code well in this language. 
Zuberi said he thought White’s role was mainly\r\nin developing the spreading code used to infect new IoT devices with Mirai, since that was written in C — a\r\nlanguage White excelled at.\r\nIn the time since most of the above occurred, the Internet address ranges previously occupied by ProTraf have\r\nbeen withdrawn. ProxyPipe’s Coelho said it could be that ProTraf simply ran out of money.\r\nProTraf’s Josiah White explained the disappearance of ProTraf’s Internet space as part of an effort to reboot the\r\ncompany.\r\n“We [are] in the process of restructuring and refocusing what we are doing,” White told KrebsOnSecurity.\r\nJha did not respond to requests for comment.\r\nUpdate: Jan. 19, 10:51 a.m. ET: Jha responded to my request for comment. His first comment about this\r\nstory was that I erred in citing the proper anime film listed on one of the dreadiscool profiles mentioned above.\r\nWhen asked directly about his alleged involvement with Mirai, Jha said he did not write Mirai and was not\r\ninvolved in attacking Rutgers.\r\n“The first time it happened, I was a freshman, and living in the dorms,” Jha said. “At the culmination of the\r\nattacks near the end of the year, I was without internet for almost a week, along with the rest of the student body. I\r\ncouldn’t register for classes, and had a host of issues dealing with it. This semester and the previous semester were\r\nthe reasons I moved to commute, because of these problems that I frankly don’t have time to deal with.”\r\nJha said Zuberi did spend the night at his house last year but he denied admitting anything to Zuberi. He\r\nacknowledged hearing from an FBI agent investigating Mirai, but said “no comment” when asked if he’d heard\r\nfrom that FBI agent since then.\r\n“I don’t think there are enough facts to definitively point the finger at me,” Jha said. “Besides this article, I was\r\npretty much a nobody. 
No history of doing this kind of stuff, nothing that points to any kind of sociopathic\r\nbehavior. Which is what the author is, a sociopath.”\r\nOriginal story:\r\nRutgers University did not respond to requests for comment.\r\nFBI officials could not be immediately reached for comment.\r\nA copy of the entire chat between Anna-Senpai and ProxyPipe’s Coelho is available here.\r\nSource: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/"
	],
	"report_names": [
		"who-is-anna-senpai-the-mirai-worm-author"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a1f2f73bb9349e951d3cf2f6282286f3a03ada0.pdf",
		"text": "https://archive.orkl.eu/6a1f2f73bb9349e951d3cf2f6282286f3a03ada0.txt",
		"img": "https://archive.orkl.eu/6a1f2f73bb9349e951d3cf2f6282286f3a03ada0.jpg"
	}
}