{
	"id": "9e45f42a-986d-4541-b9bd-c31238c426f0",
	"created_at": "2026-04-06T00:13:05.99112Z",
	"updated_at": "2026-04-10T03:21:45.783096Z",
	"deleted_at": null,
	"sha1_hash": "b79a4933561d634bdb08f056af48beadf5e6e392",
	"title": "BrickerBot Author Claims He Bricked Two Million Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475881,
	"plain_text": "BrickerBot Author Claims He Bricked Two Million Devices\r\nBy Catalin Cimpanu\r\nPublished: 2017-04-21 · Archived: 2026-04-05 13:03:50 UTC\r\nJust like Wifatch and Hajime, the BrickerBot malware is the work of a vigilante grey-hat, who goes online by the name of\r\nJanit0r, a nickname he chose on the Hack Forums discussion boards.\r\nIf you're unfamiliar, BrickerBot is a new malware family that was first identified at the start of the month by Radware\r\nresearchers. The malware made headlines because it was the first threat of its kind that intentionally bricked IoT and\r\nnetworking devices, by rewriting the flash storage space of affected devices with random data.\r\nSuch actions rendered troves of devices useless, many needing a firmware reinstall, but as many needing to be replaced\r\naltogether.\r\nhttps://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/\r\nPage 1 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/\r\nPage 2 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nDestructive actions like these caught the attention of authorities. In the US, the Department of Homeland Security’s\r\nIndustrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an official alert last week, warning\r\ncompanies to disable Telnet and SSH access to their devices and asking owners to change their devices' default factory\r\npasswords.\r\nAnonymous tip leads us to Hack Forums profile\r\nSince BrickerBot's appearance, law enforcement and the infosec community have been on the hunt for new information\r\nregarding how BrickerBot operates and who's behind it.\r\nNew information surfaced over the Easter weekend when Bleeping Computer received an anonymous tip about the online\r\nidentity of BrickerBot's creator. 
The tipster pointed us towards the profile of a Hack Forums user named janit0r.\r\nWe ignored the tip at first since Hack Forums is known to attract a crowd of braggadocio hackers, many of whom tend to\r\n\"embellish\" their abilities or knowledge. We expected that two weeks after BrickerBot's discovery, Hack Forums would\r\nbe abuzz with people trying to take credit for BrickerBot, but it was strangely silent.\r\nOn Monday, feeling bad that we did not follow through with the same diligence that the tipster had warned us with, we\r\ndecided to have another look over janit0r's profile.\r\nWhat we discovered was a user that registered on January 21, 2017, had the forum boards set up to use the Alaska timezone\r\nand had made four posts.\r\nRight off the bat, his first post was the most interesting one. In a forum topic discussing a decline in the number of active\r\nMirai bots, Janit0r made the following statement. Mind you, this was still almost two and a half months before Radware's\r\nBrickerBot discovery.\r\nI have killed over 200K telnet devices since Nov.. you've probably seen a drop in your bot counts by now.\r\nHis second and third posts also came before BrickerBot became public and attested to his skills as a reverse engineer, in a\r\ntopic he started himself, discussing a security flaw in Dahua 2nd and 3rd generation IP cameras.\r\nThe researcher who discovered and made public the flaw, withheld proof-of-concept exploit code for one month, to give\r\nDahua customers time to apply a firmware update. Janit0r showed dissatisfaction with the researcher's action and published\r\nexploitation details for that particular bug himself.\r\nHis last post was in a topic started by a user who \"heard\" that BrickerBot's source had leaked. Janit0r's response was quick\r\nand to the point.\r\nI'm gonna call bullshit on this rumor.. 
I'm pretty sure I'd be sitting in jail if someone had managed to snatch the full source\r\noff my desktop :P\r\nAt this point, we had to confirm that Janit0r was indeed BrickerBot's author and not just some guy bragging on Hack\r\nForums. This is how we spent the next two days, scraping through the Dark Web, underground hacking forums, and getting\r\nin contact with a few threat intelligence analysts we knew.\r\nBy Wednesday, we didn't manage to find any other clue of Janit0r's existence, or anybody else claiming to be BrickerBot's\r\nauthor, with some solid proof on his side. That's when we just gave up, and launched a desperate tweet, asking BrickerBot's\r\nauthor to reach out.\r\nBrickerBot's Author reaches out\r\nLo and behold, this was exactly what happened. The same day, we received an email from a person claiming to be\r\nBrickerBot's creator.\r\nThe email contained lots of details about BrickerBot's operation and internal structure. Nevertheless, at this point, we knew\r\nthat there could be the possibility that someone was pulling a prank.\r\nChance had it that someone else had also seen our tweet. That person was Victor Gevers, a security researcher mostly known\r\nfor tracking the destructive ransom attacks against MongoDB and other databases.\r\nIn the Bleeping Computer article that broke the news of BrickerBot's existence, we asked Victor for his expert opinion on\r\nthis new malware's behavior and repercussions. Victor not only put BrickerBot in perspective for our readers, but also asked\r\nBrickerBot's creator to reach out and discuss an alternative method of dealing with unsecured IoT devices, instead of blindly\r\ndestroying people's property.\r\nUnknown to all was that BrickerBot's author had reached out to Victor hours after our article went live. 
The two had shared\r\nnotes and Victor was acting as an intermediary between Janit0r and various CERTs. All the operational details shared with us\r\non Wednesday were the same Janit0r shared with Victor in the previous three weeks, confirming we were speaking with the\r\nsame person.\r\n\"Yes, I am janit0r\"\r\n\"Yes, I was janit0r on Hackforums,\" the BrickerBot author started his email, which then continued with Janit0r showing his\r\nanger at the sad state of affairs in the realm of IoT security.\r\nLike so many others I was dismayed by the indiscriminate DDoS attacks by IoT botnets in 2016. I thought for sure that the\r\nlarge attacks would force the industry to finally get its act together, but after a few months of record-breaking attacks it\r\nbecame obvious that in spite of all the sincere efforts the problem couldn't be solved quickly enough by conventional means.\r\nThe IoT security mess is a result of companies with insufficient security knowledge developing powerful Internet-connected\r\ndevices for users with no security knowledge. Most of the consumer-oriented IoT devices that I've found on the net appear to\r\nhave been deployed almost exactly as they left the factory.\r\nFor example 9 out of every 10 Avtech IP cameras that I've pulled the user db from were set up with the default login\r\nadmin/admin! Let that statistic sink in for a second.. and then consider that if somebody launched a car or power tool with a\r\nsafety feature that failed 9 times out of 10 it would be pulled off the market immediately. I don't see why dangerously\r\ndesigned IoT devices should be treated any differently and after the Internet-breaking attacks of 2016 nobody can seriously\r\nargue that the security of these devices isn't important.\r\nI hope that regulatory bodies will do more to penalize careless manufacturers since market forces can't fix this problem. 
The\r\nreality of the market is that technically unskilled consumers will get the cheapest whitelabel DVR they can find at their local\r\nstore, then they'll ask their nephew to plug it into the Internet, and a few minutes later it'll be full of malware. At least with\r\n'BrickerBot' there was some brief hope that such dangerous devices could become the merchant's and manufacturer's\r\nproblem rather than our problem.\r\nBrickerBot allegely wiped over two million devices\r\nI joined Hackforums in January mainly to see if my activities had been noticed by the botnet kids. Back then 200,000\r\nbricked units seemed like a lot and I was sure I was close to the end of it. Now when the count is over 2 million it's clear\r\nthat I had no idea (and still have no idea) how deep the rabbit hole of IoT insecurity is. I'm certain that the worst is still\r\nahead of us.\r\nhttps://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/\r\nPage 5 of 7\n\nI hope the unconventional actions by 'BrickerBot' have helped in buying another year of time for governments, vendors and\r\nthe industry in general to get the current IoT security nightmare under control.\r\nMany other people have also done important things to combat IoT malware (Team White, Hajime author, @packetcop and\r\nhis fellow sinkholers, etc) so I'm by no means claiming credit for Mirai being weak in Q1/2017, but if Imeij and Amnesia\r\nhave suffered a little recently then it's probably mainly my fault ;)\r\nJanit0r's email then goes on to detail a few operational details regarding BrickerBot's infrastructure, also dispelling the\r\nnotion that he's a madman set on the random destruction of IoT devices.\r\nIn reality, Janit0r wants to be considered in the same class as the White Team, the self-proclaimed white-hat hackers behind\r\nthe Wifatch malware, and the author of the Hajime malware, another vigilante who created a new malware family last\r\nOctober that tries to secure IoT 
devices by force.\r\nThe Radware writeup made 'BrickerBot' sound simplistic, but it actually carries 86 protocol and device-specific payloads\r\nand is relatively successful at mitigating commonly exploited devices. The bot's every action has a statistically determined\r\npurpose and what might've seemed like buggy behavior in the honeypot really isn't.\r\nAs a preference 'BrickerBot' will try to secure units without damaging them and the bricking behavior is a 'plan B' (yes the B\r\nstands for brick :) for units which are unlikely to be securable. A blogger on the net wondered about 'BrickerBot' simply\r\ntrying to change his honeypot's login and this would've been due to the bot assuming the device had a persistent user db.\r\nBecause the honeypots are often quite different from any actual devices the behaviors in them are usually weird.\r\nIf security researchers made their honeypots look more like actual devices (that one could actually find with default\r\ncredentials on the net) and hosted them on dirtier networks they would find even more interesting things going on..\r\nVictor Gevers, who confirmed Janit0r's bricking statistics, also believes this person is only misguided, and hopes to convince\r\nhim to abandon his ways. \"The writer of the email does not strike me as a bad person,\" Gevers told Bleeping Computer\r\nbased on his own communications with Janit0r. \"Just some young guy who was too eager to solve a problem.\"\r\nJanit0r wants a change in IoT security standards\r\nFor the time being, Janit0r doesn't seem interested in stopping BrickerBot attacks, or at least not until officials and hardware\r\nvendors take a look at IoT security and start changing things in a hurry.\r\nAuthorities have been talking about IoT security standards for years, but in the meantime, some of the same vendors\r\nparticipating in those discussions have continued to ship out insecure devices with the same ol' default passwords. In a
In a\r\nfollow-up email, Janit0r wrote the following.\r\nI consider my project a form of \"Internet Chemotherapy\" I sometimes jokingly think of myself as The Doctor.\r\nChemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet\r\nwas becoming seriously ill in Q3 and Q4/2016 and the moderate remedies were ineffective. The side effects of the treatment\r\nwere harmful but the alternative (DDoS botnet sizes numbering in the millions) would have been worse. I can only hope\r\nhope that when the IoT relapse comes we'll have better ways to deal with it. Besides getting the number of IoT DDoS bots to\r\na manageable level my other key goal has been to raise awareness. The IoT problem is much worse than most people think,\r\nand I have some alarming stories to tell.\r\nJanit0r is a wanted man\r\nNonetheless, the actions of BrickerBot place this malware in the same category as other destructive e-threats, such as\r\nransomware and banking trojans. Janit0r already knows he's a wanted man and has taken many precautions.\r\nTracking down Janit0r's real life persona may also be a little harder than going after teenagers that rent DDoS botnets with\r\ntheir father's credit card. 
While he signed his Hack Forums posts with the name \"Rob,\" Janit0r also used different names\r\nwithin each email, said he never intends to log into his Janit0r Hack Forums account again, and has consistently changed\r\nemail addresses every few days.\r\nFor what it's worth, Janit0r has been very careful with his OpSec, compared to many of today's hackers, who, according to a\r\nFlashpoint report released yesterday, prefer Skype as their main communications method, an IM service known to give up\r\ndata on its users to law enforcement.\r\nJanit0r: I'm not a security researcher\r\nCurrent clues like Janit0r's reverse engineering skills, in-depth knowledge of the malware scene, and a desire to do good,\r\npoint to the fact that we may be dealing with another security researcher or network engineer that has decided to do\r\nsomething about the ever-increasing number of unsecured network and IoT devices.\r\n\"For what it's worth I'll state that I've never actually worked in networking, systems administration, information security or\r\nanything of the sort, but I have a hobby interest in all of the above. I believe that basic knowledge in such things is good\r\nself-defense in the 21st century,\" Janit0r wrote in an email.\r\nRight now, all users and companies can do is to follow Radware and ICS-CERT's recommendations, and block access to\r\nTelnet and SSH ports, and also change the device's default password. Otherwise, they may get a visit from BrickerBot, and it\r\nmight reach Plan B.\r\nHeadline image credit: Simeon W \u0026 Bleeping Computer\r\nSource: https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/"
	],
	"report_names": [
		"brickerbot-author-claims-he-bricked-two-million-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b79a4933561d634bdb08f056af48beadf5e6e392.pdf",
		"text": "https://archive.orkl.eu/b79a4933561d634bdb08f056af48beadf5e6e392.txt",
		"img": "https://archive.orkl.eu/b79a4933561d634bdb08f056af48beadf5e6e392.jpg"
	}
}