The three college-age defendants behind the creation of the Mirai botnet—an online tool that wreaked destruction across the internet in the fall of 2016 with unprecedentedly powerful distributed denial of service attacks—will stand in an Alaska courtroom Tuesday and ask for a novel ruling from a federal judge: They hope to be sentenced to work for the FBI.
Josiah White, Paras Jha, and Dalton Norman, who were all between 18 and 20 years old when they built and launched Mirai, pleaded guilty last December to creating the malware that hijacked hundreds of thousands of Internet of Things devices, uniting them as a digital army that began as a way to attack rival Minecraft video game hosts, and evolved into an online tsunami of nefarious traffic that knocked entire web hosting companies offline. At the time, the attacks raised fears amid the presidential election targeted online by Russia that an unknown adversary was preparing to lay waste to the internet.
The original creators, panicking as they realized their invention was more powerful than they had imagined, released the code—a common tactic by hackers to ensure that if and when authorities catch them, they don’t possess any code that isn’t already publicly known that can help finger them as the inventors. That release in turn lead to attacks by others throughout the fall, including one that made much of the internet unusable for the East Coast of the United States on an October Friday.
According to court documents filed in advance of Tuesday’s appearance, the US government is recommending that each of the trio be sentenced to five years probation, and 2,500 hours of community service.
The twist, though, is precisely how the government hopes the three will serve their time: “Furthermore, the United States asks the Court, upon concurrence from Probation, to define community service to include continued work with the FBI on cyber crime and cybersecurity matters,” the sentencing memorandum says.
The trio have contributed to a dozen or more different law enforcement and security research efforts.
In a separate eight-page document, the government lays out how over the 18 months since the FBI first made contact with the trio, they have worked extensively behind the scenes with the agency and the broader cybersecurity community to put their advanced computer skills to non-criminal uses. “Prior to even being charged, the defendants have engaged in extensive, exceptional cooperation with the United States Government,” prosecutors wrote, saying that their cooperation was “noteworthy in both its scale and its impact.”
As it turns out, the trio have contributed to a dozen or more different law enforcement and security research efforts around the country and, indeed, around the globe. They helped private sector researchers chase what they believed was a nation-state “Advanced Persistent Threat” hacking group in one instance, and in another worked with the FBI in advance of last year’s Christmas holiday to help mitigate an onslaught of DDoS attacks. The court documents also hint that the trio have been engaged in undercover work both online and offline, including traveling to “surreptitiously record the activities of known investigative subjects,” and at one point working with a foreign law enforcement agency to “ensur[e] a given target was actively utilizing a computer during the execution of a physical search.”
The government estimates that the trio have already collectively logged more than 1,000 hours of assistance, the equivalent of a half-a-year of full time employment.
Earlier this year, the Mirai defendants worked with FBI agents in Alaska to counter a new evolution of DDoS, known as Memcache, which relies on a legitimate internet protocol aimed at speeding up websites to instead overload them with repeated queries. The obscure protocol was vulnerable, in part, because many such servers lacked authentication controls, leaving them open to abuse.
The Mirai court documents outline how Dalton, Jha, and White jumped into action in March as the attacks propagated online, working alongside the FBI and the security industry to identify vulnerable servers. The FBI then contacted affected companies and vendors to help mitigate the attacks. “Due to the rapid work of the defendants, the size and frequency of Memcache DDoS attacks were quickly reduced such that within a matter of weeks, attacks utilizing Memcache were functionally useless and delivering attack volumes that were mere fractions of the original size,” prosecutors report.
Intriguingly, though, the trio’s government cooperation hasn’t been limited to just DDoS work. Prosecutors outline extensive original coding work they’ve done, including a cryptocurrency program they built that allows investigators to more easily trace cryptocurrency and the associated “private keys” in a variety of currencies. Specifics about the program were scarce in court documents, but according to the prosecutors’ report, the program inputs various data from the blockchains behind cryptocurrencies, and translates it into a graphical interface to help investigators analyze suspicious online wallets. “This program and the features devised by defendants can greatly reduce the time needed by Law Enforcement to do initial cryptocurrency analysis as the program automatically determines a path for a given wallet,” prosecutors report.
According to sources familiar with the case, the Mirai investigation presented a unique opportunity to intercede with young defendants who had demonstrated a uniquely strong aptitude with computers, pushing them away from a life of crime online and instead towards legitimate employment in the computer security field.
The government cites the relative immaturity of the trio in its sentencing recommendations, noting “the divide between their online personas, where they were significant, well-known, and malicious actors in the DDoS criminal milieu and their comparatively mundane ‘real lives’ where they present as socially immature young men living with their parents in relative obscurity.” None of them had been previously charged with a crime, and the government notes how all three had made efforts at “positive professional and educational development with varying degrees of success.” As the government says, “Indeed it was their collective lack of success in those fields that provided some of the motive to engage in the criminal conduct at issue here.”
Writing in a separate sentencing memo, the lawyer for Josiah White, who was home schooled and obtained his high school diploma from the Pennsylvania Cyber School the year he and his cohorts launched Mirai, explains, “He has taken a mistake and lapse in judgment, and turned it into a huge benefit for the government, and a learning experience for himself.”
Now that the Mirai creators have been caught, the government hopes to redirect them to a more productive life path—beginning with the 2,500 hours of work in the years ahead alongside FBI agents, security researchers, and engineers. As prosecutors write, “All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity.” That would amount to more than a year’s worth of full-time work with the FBI, spread, presumably, over the course of their five-year probation.
Notably, the court documents point to ongoing work by the trio on other DDoS cases, saying that the FBI’s Anchorage office continues work “investigat[ing] multiple groups responsible for large-scale DDoS attacks and seeks to continue to work with defendants.”
The small FBI’s Anchorage cyber squad has emerged in recent years as the US government’s primary botnet attack force; just last week, the squad supervisor, William Walton, was in Washington to accept the FBI Director’s Award, one of the bureau’s highest honors, for his team’s work on the Mirai case. That same week, the creator of the Kelihos botnet, a Russian hacker named Peter Levashov, pleaded guilty in a Connecticut courtroom in a separate case, worked jointly by the FBI’s Anchorage squad and its New Haven cyber unit. According to court documents, the Mirai defendants also contributed in that case, helping design computer scripts that identified Kelihos victims following the FBI’s surprise takeover of the botnet and arrest of Levashov in Spain last April.
The Mirai investigation presented a unique opportunity to intercede with young defendants who had demonstrated a uniquely strong aptitude with computers.
The Mirai investigation, which has been led by FBI case agents Elliott Peterson and Doug Klein, has interesting echoes of another Peterson case: In 2014, the agent led the indictment of Evgeny Bogachev, now one of the FBI’s most-wanted cybercriminals, who allegedly perpetrated massive online financial fraud tied to the GameOver Zeus botnet. In that case, investigators identified Bogachev—who lived in Anapa, Russia, near Sochi, on the Black Sea coast—as the sophisticated force behind multiple iterations of a pernicious and dominant piece of malware known as Zeus, which evolved to become the digital underground’s malware of choice. Think of it as the Microsoft Office of online fraud. The FBI had chased Bogachev for years, in multiple cases, as he built increasingly advanced versions. Midway through the pursuit of GameOver Zeus in 2014, investigators realized that Bogachev was cooperating with Russia’s intelligence services to turn the power of the GameOver Zeus botnet towards intelligence gathering, using it to plumb infected computers for classified information and government secrets in countries like Turkey, Ukraine, and Georgia.
The GameOver Zeus case was one of the earliest examples of a now-common trend in which Russian criminals cooperate with its intelligence officers. In a similar case, released last year, the US government outlined how a well-known Russian criminal hacker, Alexsey Belan, worked with two officers Russian intelligence services to hack Yahoo. The blurring of lines between online criminals and Russian intelligence has been a key factor in the country's emergence as an increasingly rogue state online, most recently responsible for launching the devastating NotPetya ransomware attack.
In that Alaska courtroom Tuesday, the FBI will offer a counternarrative, demonstrating how the US government approaches the same issue: It, too, will happily harness the expertise of criminal hackers caught within its borders. But it first forces them to stop their criminal activity, and then turns their computer savvy towards preserving the health and the security of the global internet.
Garrett M. Graff is a contributing editor for WIRED and the author of The Threat Matrix: Inside Robert Mueller's FBI. He can be reached at email@example.com.