{
	"id": "65dad630-bdb7-4131-9c4b-aec20704ec5c",
	"created_at": "2026-04-06T00:13:52.428385Z",
	"updated_at": "2026-04-10T13:12:48.677224Z",
	"deleted_at": null,
	"sha1_hash": "76ffff3af752e1a12b914622d0c17c3d46e15959",
	"title": "Mirai IoT Botnet Co-Authors Plead Guilty",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 989527,
	"plain_text": "Mirai IoT Botnet Co-Authors Plead Guilty\r\nPublished: 2017-12-13 · Archived: 2026-04-05 22:04:52 UTC\r\nThe U.S. Justice Department on Tuesday unsealed the guilty pleas of two men first identified in January 2017 by\r\nKrebsOnSecurity as the likely co-authors of Mirai, a malware strain that remotely enslaves so-called “Internet of\r\nThings” devices such as security cameras, routers, and digital video recorders for use in large scale attacks\r\ndesigned to knock Web sites and entire networks offline (including multiple major attacks against this site).\r\nEntering guilty pleas for their roles in developing and using Mirai are 21-year-old Paras Jha from Fanwood, N.J.\r\nand Josiah White, 20, from Washington, Pennsylvania.\r\nJha and White were co-founders of Protraf Solutions LLC, a company that specialized in mitigating large-scale\r\nDDoS attacks. Like firemen getting paid to put out the fires they started, Jha and White would target organizations\r\nwith DDoS attacks and then either extort them for money to call off the attacks, or try to sell those companies\r\nservices they claimed could uniquely help fend off the attacks.\r\nCLICK FRAUD BOTNET\r\nIn addition, the Mirai co-creators pleaded guilty to charges of using their botnet to conduct click fraud — a form\r\nof online advertising fraud that will cost Internet advertisers more than $16 billion this year, according to\r\nestimates from ad verification company Adloox. 
\r\nThe plea agreements state that Jha, White and another person who also pleaded guilty to click fraud conspiracy\r\ncharges — a 21-year-old from Metairie, Louisiana named Dalton Norman — leased access to their botnet for the\r\npurposes of earning fraudulent advertising revenue through click fraud activity and renting out their botnet to\r\nother cybercriminals.\r\nhttps://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/\r\nPage 1 of 5\n\nAs part of this scheme, victim devices were used to transmit high volumes of requests to view web addresses\r\nassociated with affiliate advertising content. Because the victim activity resembled legitimate views of these\r\nwebsites, the activity generated fraudulent profits through the sites hosting the advertising content, at the expense\r\nof online advertising companies.\r\nJha and his co-conspirators admitted receiving as part of the click fraud scheme approximately two hundred\r\nbitcoin, valued on January 29, 2017 at over $180,000.\r\nProsecutors say Norman personally earned over 30 bitcoin, valued on January 29, 2017 at approximately $27,000.\r\nThe documents show that Norman helped Jha and White discover new, previously unknown vulnerabilities in IoT\r\ndevices that could be used to beef up their Mirai botnet, which at its height grew to more than 300,000 hacked\r\ndevices.\r\nMASSIVE ATTACKS\r\nThe Mirai malware is responsible for coordinating some of the largest and most disruptive online attacks the\r\nInternet has ever witnessed. The biggest and first to gain widespread media attention began on Sept. 
20, 2016,\r\nwhen KrebsOnSecurity came under a sustained distributed denial-of-service attack from more than 175,000 IoT\r\ndevices (the size estimates come from this Usenix paper (PDF) on the Mirai botnet evolution).\r\nThat September 2016 digital siege maxed out at 620 Gbps, almost twice the size of the next-largest attack that\r\nAkamai — my DDoS mitigation provider at the time — had ever seen.\r\nThe attack continued for several days, prompting Akamai to force my site off of their network (they were\r\nproviding the service pro bono, and the attack was starting to cause real problems for their paying customers). For\r\nseveral frustrating days this Web site went dark, until it was brought under the auspices of Google’s Project\r\nShield, a program that protects journalists, dissidents and others who might face withering DDoS attacks and other\r\nforms of digital censorship because of their publications.\r\nAt the end of September 2016, just days after the attack on this site, the authors of Mirai — who collectively used\r\nthe nickname “Anna Senpai” — released the source code for their botnet. Within days of its release there were\r\nmultiple Mirai botnets all competing for the same pool of vulnerable IoT devices.\r\nThe Hackforums post that includes links to the Mirai source code.\r\nSome of those Mirai botnets grew quite large and were used to launch hugely damaging attacks, including the Oct.\r\n21, 2016 assault against Internet infrastructure firm Dyn that disrupted Twitter, Netflix, Reddit and a host of\r\nother sites for much of that day.\r\nA depiction of the outages caused by the Mirai attacks on Dyn, an Internet infrastructure company. Source:\r\nDowndetector.com.\r\nThe leak of the Mirai source code led to the creation of dozens of copycat Mirai botnets, all of which were\r\ncompeting to commandeer the same finite number of vulnerable IoT devices. 
One particularly disruptive Mirai\r\nvariant was used in extortion attacks against a number of banks and Internet service providers in the United\r\nKingdom and Germany.\r\nIn July 2017, KrebsOnSecurity published a story following digital clues that pointed to a U.K. man named Daniel\r\nKaye as the apparent perpetrator of those Mirai attacks. Kaye, who went by the hacker nickname “Bestbuy,” was\r\nfound guilty in Germany of launching failed Mirai attacks that nevertheless knocked out Internet service for\r\nalmost a million Deutsche Telekom customers, for which he was given a suspended sentence. Kaye is now on trial\r\nin the U.K. for allegedly extorting banks in exchange for calling off targeted DDoS attacks against them.\r\nNot long after the Mirai source code was leaked, I began scouring cybercrime forums and interviewing people to\r\nsee if there were any clues that might point to the real-life identities of Mirai’s creators.\r\nOn Jan 18, 2017, KrebsOnSecurity published the results of that four-month inquiry, Who is Anna Senpai, the\r\nMirai Worm Author? The story is easily the longest in this site’s history, and it cited a bounty of clues pointing\r\nback to Jha and White — two of the men whose guilty pleas were announced today.\r\nA tweet from the founder and CTO of French hosting firm OVH, stating the intended target of the Sept. 2016\r\nMirai DDoS on his company.\r\nAccording to my reporting, Jha and White primarily used their botnet to target online gaming servers —\r\nparticularly those tied to the hugely popular game Minecraft. 
Around the same time as the attack on my site,\r\nFrench hosting provider OVH was hit with a much larger attack from the same Mirai botnet (see image above),\r\nand the CTO of OVH confirmed that the target of that attack was a Minecraft server hosted on his company’s\r\nnetwork.\r\nMy January 2017 investigation also cited evidence and quotes from associates of Jha who said they suspected he\r\nwas responsible for a series of DDoS attacks against Rutgers University: During the same year that Jha began\r\nstudying at the university for a bachelor’s degree in computer science, the school’s servers came under repeated,\r\nmassive attacks from Mirai.\r\nWith each DDoS against Rutgers, the attacker — using the nicknames “og_richard_stallman,” “exfocus” and\r\n“ogexfocus,” — would taunt the university in online posts and media interviews, encouraging the school to spend\r\nthe money to purchase some kind of DDoS mitigation service.\r\nIt remains unclear if Jha (and possibly others) may face separate charges in New Jersey related to his apparent\r\nMirai attacks on Rutgers. According to a sparsely-detailed press release issued Tuesday afternoon, the Justice\r\nDepartment is slated to hold a media conference at 2 p.m. today with officials from Alaska (where these cases\r\noriginate) to “discuss significant cybercrime cases.”\r\nUpdate: 11:43 a.m. 
ET: The New Jersey Star Ledger just published a story confirming that Jha also has pleaded\r\nguilty to the Rutgers DDoS attacks, as part of a separate case lodged by prosecutors in New Jersey.\r\nPAYBACK\r\nUnder the terms of his guilty plea in the click fraud conspiracy, Jha agreed to give up 13 bitcoin, which at current\r\nmarket value of bitcoin (~$17,000 apiece) is nearly USD $225,000.\r\nJha will also waive all rights to appeal the conviction and whatever sentence gets imposed as a result of the plea.\r\nFor the click fraud conspiracy charges, Jha, White and Norman each face up to five years in prison and a $250,000\r\nfine.\r\nIn connection with their roles in creating and ultimately unleashing the Mirai botnet code, Jha and White each\r\npleaded guilty to one count of conspiracy to violate 18 U.S.C. 1030(a)(5)(A). That is, to “causing intentional\r\ndamage to a protected computer, to knowingly causing the transmission of a program, code, or command to a\r\ncomputer with the intention of impairing without authorization the integrity or availability of data, a program,\r\nsystem, or information.”\r\nFor the conspiracy charges related to their authorship and use of Mirai, Jha and White likewise face up to five\r\nyears in prison, a $250,000 fine, and three years of supervised release.\r\nThis is a developing story. Check back later in the day for updates from the DOJ press conference, and later in the\r\nweek for a follow-up piece on some of the lesser-known details of these investigations.\r\nThe Justice Department unsealed the documents related to these cases late in the day on Tuesday. 
Here they are:\r\nJha click fraud complaint (PDF)\r\nJha click fraud plea (PDF)\r\nJha DDoS/Mirai complaint (PDF)\r\nJha DDoS/Mirai plea (PDF)\r\nWhite DDoS complaint (PDF)\r\nWhite DDoS/Mirai Plea (PDF)\r\nNorman click fraud complaint (PDF)\r\nNorman click fraud plea (PDF)\r\nSource: https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/"
	],
	"report_names": [
		"mirai-iot-botnet-co-authors-plead-guilty"
	],
	"threat_actors": [],
	"ts_created_at": 1775434432,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76ffff3af752e1a12b914622d0c17c3d46e15959.pdf",
		"text": "https://archive.orkl.eu/76ffff3af752e1a12b914622d0c17c3d46e15959.txt",
		"img": "https://archive.orkl.eu/76ffff3af752e1a12b914622d0c17c3d46e15959.jpg"
	}
}