A US court has slapped an unusually lenient sentence on three men who’ve pleaded guilty to developing and operating a powerful botnet known as Mirai that in its heyday comprised hundreds of thousands of Internet-of-Things (IoT) devices.

Paras Jha, Josiah White, and Dalton Norman, who are all 21-22 years old, were each sentenced by a court in Alaska to serve five years of probation according to a statement from the US Department of Justice. The three men, all of whom are US citizens, also gave up significant amounts of cryptocurrency seized during the investigation into their activities and were ordered to pay $127,000 in restitution. Additionally, they were given 2,500 hours of community service – which includes continued cooperation with law enforcement and security researchers.

“The Government’s position, as stated in its sentencing memorandum, is that the defendants’ cooperation has been extensive and exceptional and warrants a substantial reduction in sentence of 85%,” according to prosecutors.

Jha, White and Norman all pleaded guilty in December 2017 to creating and running Mirai. The botnet, which burst on the scene in August 2016, was made up of poorly secured “Internet of Things” (IoT) devices such as wireless cameras, digital video recorders (DVRs) and routers and was mainly intended for use in distributed denial-of-service (DDoS) attacks.

Mirai had actually never been intended to be as damaging as it ultimately went on to become, according to Wired citing investigators. Instead, its creators meant it as a way of gaining an advantage in fierce competition surrounding the computer game Minecraft – by preventing players from using competitors’ servers and driving them to their own servers in order to ultimately make money off them.

Meanwhile, Jha and Norman have also admitted to charges in relation to what authorities dubbed the “Clickfraud botnet”, to which the men transitioned from Mirai. Having compromised over 100,000 IoT gadgets between December 2016 and February 2017, the defendants used them in a botnet for click fraud, which is a kind of advertisement fraud that involves generating false clicks on online adverts, thus yielding revenue under pay-per-click (PPC) schemes.

The FBI first questioned Jha and White for their suspected involvement in writing the Mirai code merely weeks after it was discovered. Back then, the men were renting out slices of their botnet to fellow criminals, writes security journalist Brian Krebs, whose site itself was rendered offline by Mirai for almost four days in September 2016. (Jha also used the botnet to launch several powerful DDoS attacks at his then-alma mater, Rutgers University – a court ruling vis-à-vis these crimes is due in a different court next week.)

In the end, the three dumped the Mirai code online in late September 2016 with the aim of creating “plausible deniability” should law enforcement catch up with them and find the code on their devices. As also described by Krebs, this resulted in the creation of several Mirai copycats that competed for the same pool of vulnerable IoT devices. (Krebs identified Jha and White as Mirai’s likely creators in January 2017.) Some of the later botnets were then used to unleash a number of powerful attacks, including a series of DDoS attacks at DNS provider Dyn on October 21, 2016 that knocked out thousands of websites for many internet users especially on the US East Coast. This included some of the biggest online services such as Twitter, Amazon, Netflix, Reddit, or Spotify.

The helping hands

Prosecutors have heaped praise on the trio’s “tremendous dedication” to cooperation efforts with law enforcement, which began even before authorities pressed charges against them.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods,” said the prosecutors. Collectively, Jha, White and Norman are said to have put in well above 1,000 hours of work for the U.S. Government.

The rather long list of instances on which the three helped law enforcement features their assistance with taking down the sprawling Kelihos botnet in April 2017, which coincided with the arrest of its operator. Just days ago, the mastermind, Peter Levashov, pleaded guilty to the charges.

Jha, White and Norman also volunteered to work together with cybersecurity researchers to share their knowledge of the past and current techniques leveraged by threat actors, including an unnamed Advanced Persistent Threat (APT) group in at least one instance. On several occasions, they also helped pinpoint individuals responsible for cyberattacks.

In fact, as the FBI was investigating other groups suspected of orchestrating major DDoS attacks, the trio “offered to travel to meet with and surreptitiously record the activities of known investigative subjects”, according to prosecutors, who lauded the three men’s actions as helpful towards “significant judicial outcomes relative to these criminal groups”. They also contributed to international investigations, having assisted foreign law enforcement “by ensuring a given target was actively utilizing a computer during the execution of a physical search”.

Additionally, Jha, White and Norman leaped into action to foil a new DDoS attack method that we also wrote about in March. The attacks co-opted internet-facing Memcache servers and set new records for the largest-ever DDoS attacks in March of this year. Within weeks, “attacks utilizing Memcache were functionally useless and delivering attack volumes that were mere fractions of the original size,” said the prosecutors.