Bye bye Mirai —

Three men plead guilty to creating Mirai botnet [Updated]

Paras Jha and another man also admit to being part of clickfraud operation.

A New Jersey man was just one of a trio who pled guilty to hacking charges and to creating the devastating Mirai botnet, which spread via vulnerabilities in Internet-connected devices to unleash numerous massive distributed-denial-of-service attacks. As recently as last week, new Mirai strains continued to proliferate online.

In addition to Paras Jha of New Jersey, a press release issued by the Department of Justice at approximately 1:30pm ET also identified Josiah White, 20, of Washington, Pennsylvania and Dalton Norman, 21, of Metairie, Louisiana as being co-conspirators who also pled guilty.

As Ars reported in October 2016, the most serious DDoS degraded or completely took down Twitter, GitHub, the PlayStation network, and hundreds of other sites by targeting Dyn, a service that provided domain name services to the affected sites.

Jha admitted to being behind Mirai according to court documents that were unsealed on Tuesday. The Rutgers University computer science student was originally publicly identified as a likely suspect in January 2017 by Brian Krebs, a well-known independent computer security journalist.

Later that month, Jha’s father, Anand Jha, told NJ Advance Media that his son had no connection whatsoever to the attack. "I know what he is capable of," Anand Jha said at the time, noting that the FBI had already been in touch with the family, including his son. "Nothing of the sort of what has been described here has happened."

Jha and Norman also admitted to federal charges filed in Alaska that they infected over 100,000 home routers with malware that helped to generate clickfraud. Jha additionally pled guilty to separate charges filed in New Jersey that accused him of multiple attacks against Rutgers' networks and digital infrastructure in 2014 through 2016.

Jha's Alaska plea agreement also noted that around "September and October 2017," Paras Jha "securely erased the virtual machine used to run Mirai on his device. Jha posted the Mirai code online in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators."

Jha could face up to five years in prison but will likely end up serving far less as a result of his cooperation with the government.

In a Wednesday morning tweet, Krebs indicated that federal authorities also caught two additional co-conspirators.

UPDATE 1:44pm ET: This story has been updated to include new information provided by the Department of Justice.