{
	"id": "b9066910-36c0-404c-9ffa-675125ed0eaa",
	"created_at": "2026-04-06T00:13:29.726773Z",
	"updated_at": "2026-04-10T03:38:06.311699Z",
	"deleted_at": null,
	"sha1_hash": "b6bf610e4bf25c1479358a1971d81b66b126c5dd",
	"title": "BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1430893,
	"plain_text": "BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT\r\nDevices\r\nBy Catalin Cimpanu\r\nPublished: 2017-12-12 · Archived: 2026-04-05 18:27:47 UTC\r\nThe author of the BrickerBot malware has announced his retirement in an email to Bleeping Computer, also claiming to\r\nhave bricked over 10 million devices since he started the \"Internet Chemotherapy\" project in November 2016.\r\nKnown as The Doctor (self-given name) and The Janit0r (HackForums nickname), this individual (or group) is the author of\r\nBrickerBot, a malware strain that was purposely created to brick IoT devices.\r\nFirst spotted in April this year, BrickerBot operates by scanning the Internet for vulnerable devices and then using exploit\r\ncode to gain a foothold on the exposed equipment to rewrite the device's flash storage with random data.\r\nhttps://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/\r\nPage 1 of 6\n\nDevices infected with BrickerBot often need to be reinstalled, or in some cases, replaced altogether, as the malware\r\nsometimes rewrites their firmware.\r\nBrickerBot is a controversial project\r\nFollowing BrickerBot's public disclosure, The Janit0r reached out to Bleeping Computer and explained why he created\r\nBrickerBot. 
In an interview this spring, the Janit0r explained that he refers internally to BrickerBot as \"Internet\r\nChemotherapy\" and that he created the malware as a way to sabotage vulnerable devices before they were infected with the\r\nMirai malware, which a hacker had used in the autumn of 2016 to launch some of the biggest DDoS attacks known to date.\r\nThat Mirai author also leaked the malware's source code online, in an attempt to hide his tracks by allowing other crooks to\r\nset up their very own Mirai botnet variations. His plan succeeded, and a free-for-all ensued with several Mirai botnets\r\npopping up everywhere online, powering on-demand DDoS cannons.\r\nThe Janit0r said this onslaught on the IoT scene drove him to create BrickerBot as a way to take vulnerable devices\r\noffline, force owners to install updated firmware, and take them out of the reach of Mirai botnets.\r\nIn all conversations, the Janit0r seemed an individual who believed he was fighting the good fight, although many users and\r\nexperts have seen his actions as neither \"good\" nor even \"legal.\"\r\nBrickerBot continued to operate all year\r\nDespite criticism, BrickerBot did not stop and Bleeping Computer reported on other attacks over the summer, such as the\r\nones against a US ISP and several Indian Internet providers.\r\nThese were only the documented cases, and the BrickerBot author claimed in many emails to have been behind many other\r\nattacks and downtimes all over the world.\r\nBrickerBot explains why he retired\r\nIn an email sent today to Bleeping Computer, The Janit0r announced his sudden retirement and explained why he reached\r\nthis decision.\r\nI believe that the project has been a technical success, but I am now starting to worry that it is also having a deleterious\r\neffect on the public's perception of the overall IoT threat. 
Researchers keep issuing high profile warnings about genuinely\r\ndangerous new botnets, and a few weeks or even days later they are all but gone. Sooner or later people are going to start\r\nquestioning the credibility of the research and the seriousness of the situation.\r\nThe Janit0r cites the cases of Persirai, Hajime, or Reaper botnets that have been advertised as \"the next big thing\" in terms of\r\nIoT botnets, but have never lived up to the hype.\r\nHe now fears that because of his work in the shadows, people are not taking IoT devices to be a credible threat anymore. He\r\nbelieves that he needs to stop, so people truly understand how many vulnerable devices are out there.\r\nIt was rational to take action in an attempt to buy everyone time to get their affairs in order and there has been some progress\r\nover the past year in the form of new security standard proposals and so on. I however believe that people, organizations and\r\ngovernments aren't doing enough nor moving quickly enough and we're running out of time. Because of this I've decided to\r\nmake a public appeal regarding the severity of the situation. Taking credit for all the carnage of the past year has serious\r\ndownsides for me and my mission. [...] However I also recognize that if I keep doing what I'm doing then people of\r\ninfluence may simply perceive the IoT security disaster as less urgent when in reality they should consider it an emergency\r\nrequiring immediate action.\r\nThe Janit0r then adds that once his efforts became public, the operators of IoT DDoS botnets also started taking precautions\r\nagainst BrickerBot, making his work even harder.\r\nBut Janit0r is also afraid of legal repercussions from authorities. 
The malware dev is fully aware that what he's been doing is\r\nhighly illegal, as it might have caused financial losses to companies around the world. The DHS surely noticed his actions,\r\nbecause it issued an official alert after BrickerBot's public disclosure.\r\nThere's also only so long that I can keep doing something like this before the government types are able to correlate my\r\nlikely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario\r\nhasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out\r\nwho I am.\r\nJanit0r dumps some of BrickerBot's source code\r\nThese are the reasons the BrickerBot author invoked in the email Bleeping Computer received earlier today. Besides the\r\nemail, Janit0r also published a manifesto on several compromised devices.\r\nBleeping Computer is not going to link to this manifesto since it also contains the source code for some of BrickerBot's\r\nattack (bricking) modules. We are also not publishing snippets from this manifesto, since a basic Google search could reveal\r\ncopies of this file online.\r\nWe are doing this as a favor for industry experts who said the leaked code contains at least one zero-day that could be\r\nabused by other malware authors.\r\nBut Janit0r did not publish all his code.\r\nMy ssh crawler is too dangerous to publish. It contains various levels of automation for the purpose of moving laterally\r\nthrough poorly designed ISP networks and taking them over through only a single breached router. 
My ability to\r\ncommandeer and secure hundreds of thousands of ISP routers was the foundation of my anti-IoT botnet project as it gave me\r\ngreat visibility of what was happening on the Internet and it gave me an endless supply of nodes for hacking back.\r\nJanit0r behind long list of security incidents\r\nAll in all, the Janit0r quitting announcement focuses on trying to raise awareness to the fact that ISPs and device vendors\r\nplay a major role in today's sad state of IoT security.\r\nThe BrickerBot author goes on to detail a case where he breached an ISP's network, disrupted devices for months, yet ISP\r\nemployees failed to understand what was happening, let alone take precautionary actions.\r\nHe also lists a long list of incidents he claimed to have been behind, from events affecting Deutsche Telekom in Germany to\r\nRogers in Canada, and various countries across Africa, Asia, and South America.\r\nBy far the most interesting incident is the one that has been previously classified as a \"ransomware\" attack, albeit it did not\r\nmake any sense now or at the time.\r\nThe incident refers to a ransomware infection reported by the Washington Post that affected 70% of storage devices that\r\nrecord data from Washington DC's police surveillance cameras. The incident took place eight days before President Trump's\r\ninauguration, and caused some panic at the time.\r\nAccording to the Janit0r, the incident can be attributed to BrickerBot running amok in some DC police-owned DVRs, which\r\nare typically the place where you find IoT malware and not ransomware.\r\nThe Janit0r preaches IoT security before going in the shadows\r\nJanit0r's farewell message also includes some advice. 
For starters, he recommends that ISPs use basic tools like Shodan to\r\naudit their own networks and isolate ports and services that do not need to be exposed online.\r\nSecond, he advises users to sanction IoT vendors that do not deliver security updates in a timely manner and refuse to\r\npurchase devices from a known offender.\r\nThird, lobbying politicians about IoT security standards is also a good way to push IoT security forward.\r\nFourth, Janit0r advises security researchers to volunteer their free time to organizations such as GDI Foundation or the\r\nShadowserver Foundation, which have been working to secure some of these vulnerable devices.\r\nLast but not least, he advises those of us who have too much time and money on our hands to start legal actions against\r\nthe owners of some of these vulnerable devices. Janit0r believes that a constant legal threat could force companies and ISPs\r\nto install security updates and isolate equipment on private networks in a timely manner.\r\nWe'll end this article with a message from The Janit0r —original text preserved.\r\nYOU SHOULD WAKE UP TO THE FACT THAT THE INTERNET IS ONLY ONE OR TWO SERIOUS IOT\r\nEXPLOITS AWAY FROM BEING SEVERELY DISRUPTED.\r\nSource: https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/"
	],
	"report_names": [
		"brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6bf610e4bf25c1479358a1971d81b66b126c5dd.pdf",
		"text": "https://archive.orkl.eu/b6bf610e4bf25c1479358a1971d81b66b126c5dd.txt",
		"img": "https://archive.orkl.eu/b6bf610e4bf25c1479358a1971d81b66b126c5dd.jpg"
	}
}