The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story | WIRED

Andy Greenberg

Early in the morning on October 21, 2016, Scott Shapiro got out of bed, opened his Dell laptop to read the day's news, and found that the internet was broken.

Not his internet, though at first it struck Shapiro that way as he checked and double-checked his computer's Wi-Fi connection and his router. The internet.

The New York Times website was offline, as was Twitter. So too were the websites of The Guardian, The Wall Street Journal, CNN, the BBC, and Fox News. And WIRED. When Twitter intermittently sputtered back online, users cataloged an alarming, untold number of other digital services that were also victims of the outage. Amazon, Spotify, Reddit, PayPal, Airbnb, Slack, SoundCloud, HBO, and Netflix were all, to varying degrees, crippled for most of the East Coast of the United States and other patches of the country.

Shapiro, a very online professor at Yale Law School who was teaching a new class on cyber conflict that year, found the blackout deeply disorienting and isolating. A presidential election unlike any other in US history loomed in just under three weeks. October surprises seemed to be piling up: Earlier that month, US intelligence agencies had jointly announced that hacker breaches of the Democratic National Committee and Hillary Clinton's presidential campaign had in fact been carried out by the Russian government. Meanwhile, Julian Assange's WikiLeaks had been publishing the leaked emails from those hacks, pounding out a drumbeat of scandalous headlines. Spooked cybersecurity analysts feared that a more climactic cyberattack might strike on Election Day itself, throwing the country into chaos.

Those anxieties had been acutely primed just a month earlier by a blog post written by the famed cryptographer and security guru Bruce Schneier. It was titled "Someone Is Learning How to Take Down the Internet."

"Over the past year or two, someone has been
probing the defenses of the companies that run critical pieces of the internet," Schneier, one of the most highly respected voices in the cybersecurity community, had warned. He described how an unknown force appeared to be repeatedly barraging this key infrastructure with relentless waves of malicious traffic at a scale that had never been seen before. "These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses."

Now it seemed to Shapiro that Schneier's warning was coming to fruition, right on schedule. "This is the attack," he remembers thinking. Was it the big one? he asked himself. Or was it perhaps a test for the true big one that would hit on November 8? "Obviously, it has to be a nation-state," Shapiro thought. "It has to be the Russians."

For Shapiro, the internet outage was a kind of turning point. In the months and years that followed, he would become obsessed with trying to understand how someone could simply stamp out such a large swath of digital connectivity across the world, who would do such a thing, and why. But meanwhile, a little less than 500 miles west of Shapiro's Connecticut home, in the town of Washington, Pennsylvania, another sort of observer was watching the attack unfold.

After a typical sleepless night at his keyboard, 19-year-old Josiah White sat staring at the three flatscreen monitors he'd set up on a workbench in a messy basement storage area connected to the bedroom he shared with his brother in their parents' house. He was surrounded by computer equipment (old hard drives and a friend's desktop machine he had offered to fix) and boxes of his family's toys and Christmas tree ornaments.

For weeks, a cyber weapon that he'd built with two of his young friends, Paras Jha and Dalton Norman, had
wreaked havoc across the internet, blasting victims offline in one unprecedented attack after another. As the damage mounted, Josiah had grown accustomed to the thrills, the anxiety, the guilt, the sense that it had all gotten so absurdly out of hand, and the thought that he was now probably being hunted by law enforcement agencies around the world.

He'd reached a state of numbness, compartmentalizing his dread even as he read Bruce Schneier's doomsday post and understood that it was describing his own work, and now, even as a White House press secretary assured reporters in a streamed press conference that the Department of Homeland Security was investigating the mass outage that had resulted directly from his actions.

But what Josiah remembers feeling above all else was simply awe: awe at the scale and chaotic power of the Frankenstein's monster that he and his friends had unleashed. Awe at how thoroughly it had now escaped their control. Awe that the internet itself was being shaken to its foundations by this thing that three young hackers had built in a flurry of adolescent emotions, whims, rivalries, rationalizations, and mistakes. A thing called Mirai.

None of the three young men who built Mirai fit the profile of a cybercriminal, least of all Josiah White, who could lay perhaps the most direct claim to being its inventor. Josiah had grown up in a rural county an hour south of Pittsburgh. He was the youngest of four children in a close-knit Christian family, all homeschooled, as his mom put it, "to better find out how God had created them and what he had created them to pursue." She describes the thin, dark-haired baby of the family as a stubborn and independent but unusually kind child who would sit beside the new kid in Sunday school to make them feel welcome.

Josiah's father was an engineer turned insurance salesman, and the family lived in a fixer-upper surrounded by woods and farmland. As early as he can remember, Josiah followed his father around the house while he tinkered and made repairs. In
2002, when he was 5, Josiah was delighted to receive for Christmas the components of an electrical socket. Later his parents gave him a book called 101 Electronics Projects, and he would beg his mother to drive him to RadioShack, arriving with a shopping list of breadboard componentry. Before he was 10, he was advising his father on how to wire three-way switches.

Josiah's father would take him along to their church's car ministry, where they'd repair congregants' cars for free and refurbish donated vehicles for missionaries. Josiah would stand in the corner of the shop, waiting for the foreman to give him a task, like reassembling a car's broken water pump.

Josiah reveled in impressing the adults with his technical abilities. But he was always drawn to computers, cleaner and more logical than any car component. "You give it an input, you get an output," he says. "It's something that gave me more control." After years of vying for time on his family's computer, he got his own PC when he was close to his 13th birthday, a tower with a Pentium III processor.

Around the same time, Josiah's brother, seven years older than him, figured out how to reprogram cell phones so they could be transferred from one telephone carrier to another. Josiah's brother started to perform this kind of unlocking as a service, and soon it was so in demand that their father used it to launch a computer repair business.

By the time he was 15, Josiah would work in the family's shop after school, setting up Windows for customers and installing antivirus software on their machines. From there, he got curious about how HTML worked, then began teaching himself to program, then started exploring web-hosting and network protocols and learning Visual Basic.

As wholesome as Josiah's childhood was, he felt at times that he was being raised "on rails," as he puts it, shepherded from homeschooling to church to the family computer shop. But the only rules he really chafed against were those set by
his mother to limit his computer time or force him to earn internet access through schoolwork and household chores. Eventually, on these points, she gave up. "I sort of wore her out," he says. She relented in part because a hands-on understanding of the minutiae of computing was quickly becoming essential to the family business. Josiah, now with near-unlimited computer time, dreamed of a day when he'd use his skills to start a business of his own, just as his brother had.

In fact, like most kids his age, much of Josiah's time at the keyboard was spent on games. One of them was called Uplink. In it, the protagonist is a freelance hacker who can choose between two warring online movements, each of which has built a powerful piece of self-spreading code. One hacker group is bent on using its creation to destroy the internet. The other, on stopping them. Josiah, not the sort of kid to do things in half measures, played through the game on both sides.

Immersing himself in that cyberpunk simulation, and learning about famous hackers like Apple cofounder Steve Wozniak and Kevin Mitnick, who had evaded the FBI in a cat-and-mouse pursuit in the 1990s, cultivated in Josiah's teenage mind a notion of hacking as a kind of secret, countercultural craft. The challenge of understanding technical systems better than even their designers appealed to him. So did the subversive, exploratory freedom it offered to a teenager with strict Christian parents. When he googled a few hacking terms to learn more, he ended up on a site called Hack Forums, a free-for-all of young digital misfits: innocent explorers, wannabes, and full-blown delinquents, all vying for clout and money.

On the internet of 2011, the most basic trick in the playbook of every unskilled hacker was the denial-of-service attack, a brute-force technique that exploits a kind of eternal, fundamental limitation of the internet: Write a program that can send enough junk data at an internet-connected computer, and you can knock it offline.
The previous year, for instance, the hacker group Anonymous had responded to the refusal by Visa, Mastercard, PayPal, and Bank of America to allow donations to WikiLeaks by urging its plebes to bombard the companies' servers with data requests, creating so-called distributed denial-of-service attacks that briefly took down the companies' online services. But most DDoS attacks were less principled: the constant AK-47 cross fire of the cybercriminal internet's internecine wars and vandalism.

On Hack Forums, many hackers ran their own "booter" services that, for a few dollars a month, would launch denial-of-service attacks against anyone a customer chose, often online gaming services, to troll or sabotage rival players. Users and admins of booters talked casually of "hitting off" targets or, worse, "holding off" a service or a single user's connection, repeatedly bombarding it to prevent it from coming back online.

Some booters launched attacks from botnets, collections of thousands of unwitting users' PCs hijacked with hidden malware to form a lemming-like swarm of machines pummeling a target with data. Other booters used "reflection" or "amplification" attacks: If a hacker could find an online service that would respond to a query by sending back a larger chunk of data than the request itself, they could spoof the origin of their question so the service would send its answer to a victim. By bouncing a stream of thousands of questions off a server, the hacker could bombard the victim with its responses and vastly multiply their attack's firepower.

Josiah, fascinated by the cleverness of those tricks, was naturally determined to understand them at their deepest level. He stumbled upon a blog post from a cybersecurity blogger describing a reflection attack that used the servers of the online first-person-shooter game Quake III Arena: Ping them with a simple "getinfo" or "getstatus" request and the servers would send back information that included the usernames of the players on the server and the map of
the level they were playing on, an answer that was nearly 10 times as big as the question and could be directed at any spoofed IP address a hacker chose.

The post was intended as a warning. It cautioned that this kind of attack could be used to take down a service with as much as 23 megabits per second of bandwidth, a pipe that seemed enormous to Josiah on his 15-megabits-per-second home DSL connection. "A competent programmer exploiting the problem," the blog post's author wrote, "can easily create a full-fledged attack suite in a lazy afternoon."

Josiah took this as a challenge. He cobbled together a simple script to perform the attack and posted it to Hack Forums under his handle Ohnoes1479. He asked only for anyone who used it to give him an upvote "if its good," to increase the prestige of his forum profile.

Josiah didn't think too much about the morality of his creation. After all, it took a computer offline only temporarily, right? More of a mischievous hiccup than a crime, he figured. He couldn't use it himself, anyway, because his home internet connection didn't allow the IP spoofing the attack required. Still, as other hackers on the forum (some of whom he suspected ran their own booter services) asked questions about how to use the program and even requested feature updates, he was happy to help.

Mostly, like the technical wunderkind he'd once been in his church's auto shop, he aimed to impress. "I wanted to make something cool," he says. "And I wanted respect."

In that anarchic Hack Forums scene, Josiah soon found a kindred spirit, a user who called himself moldjelly. In the offline world, his name was Dalton Norman. He was a teenage hacker, just a year older than Josiah, who was far more in touch with his rebellious side.

Like Josiah, Dalton had grown up with an engineer for a father. His dad led the maintenance team for a skyscraper in New Orleans, where the family lived. And like Josiah, Dalton had a natural technical talent. As a preteen, he wrote
cheating mods for video games that he presented on his own YouTube channel in a squeaky voice. He and his father would work in their spare time on his dad's souped-up Chevrolet Monte Carlo, which had so much horsepower that Dalton remembers the feeling of its exterior twisting as it accelerated. He says he inherited that same drive to push technology to its limits.

But far more than Josiah's, Dalton's childhood was tinged with adversity. As a small child, he had struggled with a stutter that deeply scarred him. He remembers his family laughing at him at the dinner table as he labored in vain to pronounce his younger sister's name. "It was awful, and kind of contributed to me just being in my room and having low self-esteem and trying to raise it by being super good at something," Dalton says.

By the end of elementary school, to Dalton's relief, the stutter had faded away. But just as it seemed like he might enjoy a normal adolescence, his life was disrupted by misfortune on a far larger scale: Hurricane Katrina. Dalton's family evacuated to Mississippi and didn't return for more than five years. In exile one state over, Dalton found himself at a culty Christian private school, where students prayed before class and, as he remembers it, a math teacher assured him that Barack Obama was the Antichrist. "When I wouldn't pray or do any of that," he says, "I would get shit for it."

Dalton wrote his first program when he was 12. It was a spam tool that he used to torture a teacher he disliked, wrecking her inbox. He says he carried out his first denial-of-service attack not long after, targeting his school's network from within.

While connected to the school's Wi-Fi, he flooded its router with junk requests until the entire intranet collapsed. "It's easy to take down a network when you're inside of it," he says. Ironically, as Dalton describes it, he had gotten enough of a reputation for IT know-how that school staff asked for his help fixing the problem. He stopped his
attack script, unplugged the router, plugged it back in, and showed the school administrators that it magically worked again. During another attack, however, he says he overheated the router so badly in its poorly ventilated closet that it was fried.

In his early teens, he remembers watching The Social Network and taking exactly the wrong message from the movie. Rather than feeling cautioned by the film's fictionalized origin story of an icily amoral Mark Zuckerberg, Dalton was profoundly inspired. "That movie basically changed how I viewed the world," he says. "It's like, with a laptop and a great idea, you can take control of your life and build something cool."

After a failed attempt to launch his own social network (he had no idea how to gain users and no budget to advertise it), he returned to hacking. He wrote a keylogger program designed to snoop on a victim's keystrokes after infecting their PC via thumb drive. He also found his way onto Hack Forums. Soon he was running his own booter service, hiring other hackers to handle customer service so he could focus on finding new methods to amplify his attack traffic.

It was around this time that Dalton encountered Josiah, who was, he says, the smartest hacker he'd ever met. The two teens soon moved off Hack Forums to talk regularly on Skype and then, later, TeamSpeak, another internet conferencing service. In those conversations, Dalton eventually used his real name, while Josiah went by Joey, a thin veneer of a pseudonym. They enjoyed competing with each other to find new denial-of-service amplification tricks. In a friendly rivalry, they'd stay up into the early morning hours, plumbing the internet for eclectic servers that they could use to multiply their attack traffic dozens and eventually hundreds of times over.

In those late-night cyberattack sessions, the two hackers say, they would typically set up their own website for target practice, or use a friend's, so that they could measure the size of
the traffic they were blasting at it. At times they would clock attacks of more than 100 gigabits a second, they say, more than 4,000 times as big as the 23-megabit attack that had initially amazed Josiah. Very often they would knock their target website offline along with the server of the hosting service it ran on, causing downtime for an untold number of other websites too.

By this time, Josiah admits, he'd become mildly intoxicated by the power of the tools they'd learned to wield, though he still considered himself a kind of innocent, exploratory hacker. "I was stupid, and I was just angry sometimes, and I wanted to see damage at points," he says. "But it wasn't my primary motivator, for a while."

Dalton, who was already running a for-profit attack service, had no such illusions of innocence, and admits, a little proudly, to using his growing arsenal of booter artillery on any Hack Forums rival who sufficiently annoyed him. In some cases, he boasts, he would hit people off so hard that their internet service providers would cut the victims' connection for 24 hours to avoid further collateral damage. "It was a lot of power," he says. "If someone was bullying or being an asshole, then, yeah, they went offline for a while."

Both teenagers managed to hide these dalliances with illegal hacking from their families. But for Dalton, the consequences soon spilled violently into his physical world.

It began when he discovered that someone who worked for his booter service, an older kid to whom he'd foolishly given his real name, had been stealing their profits. He fired the guy. A few days later, Dalton and his family were sitting around the dinner table when a team of police officers in bulletproof vests burst through the door, screaming at everyone to get on the ground. The cops pointed shotguns at Dalton and his terrified parents and siblings, barking orders and questions.

It turned out that the police had received a spoofed 911 call. The caller had warned that
Dalton had shot his mother and was now holding the rest of the family hostage. Dalton had been "swatted," targeted with the most dangerous retaliatory measure in the toolkit of nihilist teen hackers. When the police realized there was no hostage crisis, Dalton explained to the cops and his parents that an angry kid online had inflicted this situation on them, leaving out the part about his booter service. As a measure of the skewed risk assessments of his teenager's brain, his biggest fear during the entire incident was how his furious parents would punish him. He was grounded.

Dalton says the real lesson he drew from the incident was to tighten his operational security, no longer telling anyone in the hacking world his real name, except Josiah. "I trusted no one except for Joey," he says.

In the midst of all this, when Dalton was 15, another kind of calamity struck: His stutter came back. He says it happened when he met another stutterer at his high school. Somehow the event triggered his brain to start tripping up his speech all over again. And the change seemed to be permanent. All the difficulty he'd had speaking as a small child, along with all the anxiety and shame that came with it, flooded back. It was, he says, "a nightmare."

Like many stutterers, Dalton found workarounds for the arbitrary lexicon of words that would halt his speech, substituting others to hide his disability. But names, which allowed no substitutions, were particularly tough. At one point, to get out of gym class, he volunteered with his high school's tech office and found that the job included delivering laptops to students. He remembers standing in front of a classroom trying to say a student's name as the entire class laughed at him. Even his own name was often impossible to get out. "It broke me," he says. "But afterward, I was just like, 'I don't care what other people think. Fuck it.'"

Dalton's stutter, he says, drove him into cybercrime with a renewed fervor. He cut ties with real-world friends, retreated to his computer, and focused his energy
on hacking. His skewed teenage logic kicked in again, telling him to abandon any hope of a normal life or legitimate career. "I thought, 'No one's gonna hire me, because I can't talk. How am I going to get past an interview when I can barely say my name?'" Dalton remembers.

He had, he told himself, no other option: "I have to find a way to make this black-hat thing work out."

Of the three young hackers who would go on together to be responsible for the biggest DDoS attacks in history, Paras Jha came to that path from the most innocent and childlike place of all: a love of Minecraft.

Born in Mumbai, Paras was less than a year old when his family emigrated to the US, where they eventually settled near central New Jersey. His parents demanded academic perfection, and Paras was gifted enough to easily deliver. Too easily, in fact: For years of elementary and middle school, he would read entire textbooks as soon as he got them, he says, then never study them again and ace every test.

At the same time, Paras was aware that he had a paradoxical problem with focus. He remembers being in third grade and disassociating as a teacher spoke to him, tracing out her face in the air with his finger. That teacher later suggested to Paras' parents that he be tested for attention deficit disorder. Coming from a culture that stigmatized such a diagnosis, Paras says, his family was skeptical of the teacher's warning. His mother and father filled out the school's evaluation for learning disabilities, it came back negative, and he was never treated.

As Paras grew older, his scattered mental state meant he often forgot school assignments, and his strict parents would respond by grounding him. To pass the time, he gravitated to computers. His beloved video games were forbidden on weekdays, so he would spend
hours playing with Microsoft's Visual Studio, teaching himself to program.

By his early years of high school, Paras had become obsessed with Minecraft, an immersive online world that essentially presents a blocky, lo-res, nearly infinite metaverse. More than playing the game, however, Paras was drawn to the possibilities of running his own Minecraft world on an online server. He would host mini-games of tag or capture the flag, endlessly tinkering with his server's code to modify the rules. He loved to join his own world, turn himself invisible, and then observe how players responded within the universe he controlled and changed at will. It was like watching 8-bit ants with human intelligence move around his very own ant farm.

Paras soon discovered he could make thousands of dollars using his coding skills to build modifications and mini-games for other Minecraft administrators. In fact, it turned out that the Minecraft ecosystem supported its own surprisingly high-stakes industry. Players paid small fees for access to perks and upgrades on their favorite servers, and administrators of the most popular worlds within that decentralized metaverse made as much as six figures a year in revenue. All of that money meant this innocent-seeming industry had developed a surprisingly ruthless dark side. Minecraft servers came under constant barrage from booters' DDoS attacks, launched by aggrieved players, competitors, and trolls. Many paid thousands of dollars a month to DDoS protection firms that promised to filter or absorb the attack traffic.

One day, Paras found himself in a Skype group chat with an acquaintance who also ran a Minecraft server. This person was determined, for reasons Paras can no longer remember, to take down a particular rival's world. Paras read along as the acquaintance asked another member of the chat for help, a figure by the name of LiteSpeed, who had attained a certain infamy for his denial-of-service wizardry.

Josiah had
changed his handle on Hack Forums from Ohnoes1479 to this less-cute moniker about nine months after he'd joined the site, and these days he carried himself online with significantly more swagger. He was happy to oblige.

Josiah, Paras, and a few friends all entered the target Minecraft world, apparating into its blocky landscape full of hundreds of other players' lo-res figures. Then, over Skype, now in a voice chat, Josiah told the others that he was launching the attack. Across the internet, Paras could hear the tap of the Enter key on Josiah's keyboard. And the world stopped.

Instead of going dark or returning an error message, the universe hosted on the server that Josiah had knocked offline simply froze, as each player was suddenly disconnected and confined to their own computer's splintered version of it. Paras marveled at how he could move through that world and see other players paralyzed where they stood or floating in midair.

That frozen state lasted for 30 seconds before the world crashed entirely. To Paras, it was a hilarious magic trick. "It felt like a secret superpower, almost," he says. "Even though it wasn't me who did it, it was cool to just be in the know about what's going on."

He became friendly with Josiah and found that this talented hacker was happy to take down practically any target server that Paras asked him to, mostly just for sheer amusement. Josiah also seemed to be surprisingly open to sharing his knowledge. Having moved on from the amplification attacks he and Dalton had experimented with early on, Josiah now carried out his attacks with a botnet of thousands of computers around the internet that he'd infected with his own malware, exploiting a security flaw in the web-hosting software phpMyAdmin to turn the underlying servers into his personal army.

Later, Josiah would switch to wielding an even more powerful collection of Supermicro servers that he'd hacked via a vulnerability in their baseboard management
controllers, chips meant to allow an administrator to remotely connect to a server and monitor its performance. The attacks he was triggering were soon so powerful that he and his friends had difficulty even gauging their strength. Everything they'd hit with it (the best-protected Minecraft servers, even their own measurement tools) would immediately fall offline.

Paras wanted this superpower too. Josiah was happy to help him troubleshoot his DDoS attack code and even offered thousands of computers from his own botnet for Paras to test it on. "Instead of just pressing the button, I wanted to say I had made the button," says Paras. Soon he was a relatively sophisticated botnet herder with his own DDoS zombie horde.

By 10th grade, to his parents' dismay, Paras had begun to struggle in school as subjects became more complex and his disaffected-prodigy tactics reached their limits. But online, where he went by the handle dreadiscool, he embraced his new godlike capabilities with roguish abandon, knocking off targets on the slightest whim. He and another friend would even sometimes find the phone number for a company that hosted certain Minecraft servers, call their business line from a burner number, and verbally taunt them as Paras launched a DDoS attack that ripped their machines offline.

Somehow the rule-following, high-achieving kid from a strict immigrant household had become a rampant online vandal. But at that point, Paras says, it was never quite clear to him, or Josiah or Dalton, how serious the consequences of their attacks might be. They were, after all, still just taking some computers off the internet, right? "Like, the servers come back online," Paras says. "You wake up the next day and you go to school."

At other times, he would almost check himself, coming to grips with his spiraling behavior. He remembers sitting in the bathroom of his parents' house just after taking down one of the biggest Minecraft servers, Hypixel, and realizing that if he kept going, he was bound, sooner or later, to get arrested. "Don't get
sucked into it," he told himself. "Don't get sucked into it."

Paras got sucked into it. They all did. In particular, Josiah, the Christian homeschooler who'd once kidded himself that he was a harmless hacker-explorer or a Wozniak-style prankster, had taken a rapid, step-by-step slide into moneymaking cybercrime. Under his LiteSpeed handle, he'd begun selling his amplification techniques to known booter service operators for a few hundred dollars a customer, spending most of the money to rent servers in remote data centers to further his hacking. He reverse engineered Skype's code to find ways of extracting users' IP addresses, the identifiers for their home internet connections that could allow them to be directly DDoSed. Soon he was selling this IP-extraction tool on a per-use basis to his fellow hackers and booters.

When one of his friend's would-be victims bragged that he couldn't be hit offline because he had a dynamic IP address that changed every time he rebooted his home router, Josiah figured out he could use a "traceroute" command to see the IP address of every router between that target and his internet service provider. So he and the friend started hitting the computers farther upstream in that network, going after the bigger arteries that fed data to and from his computer instead of the capillaries that linked to his home machine, until all of those routers were unresponsive too. This indiscriminate tactic, as far as they could tell, took out the internet service for the target's entire town, all just to prevent him from dodging their attack.

Each step, Josiah says, felt small enough that, like the mythical boiling frog, he barely noticed the change in moral temperature. He'd found something he was very good at, better than perhaps anyone he knew. And he wasn't, he told himself, carrying out hardcore cybercrime like breaching networks or stealing credit card data. Another Hack Forums user reassured him that the FBI cared only about botnets
bigger than 10,000 computers, a story he naively accepted. "I rationalized a lot of it away," Josiah says. The pot was boiling.

In early 2014, when Josiah was still 16 years old, he dialed the temperature up another fateful degree with the creation of a powerful new form of botnet. It began when a friend pointed out to him that home routers, aside from making good targets for DDoS attacks, could themselves be hacked and potentially turned into a botnet's zombie conscripts. In fact, many routers still used an old protocol called telnet that allowed administrators to remotely configure them, sometimes without the need for any authentication or else requiring only default credentials like the password "admin." All those routers represented countless thousands of hackable devices, in other words, waiting to be taken over and added into Josiah's army.

The catch was that the routers were small, simple gadgets that used cheap, low-performance embedded-device chips, not the kind of system that most hackers were accustomed to exploiting. But Josiah was never one to be daunted by the task of learning the arcane details of a new machine. He started from scratch, learned to write the native language of routers' ARM chips, and built a compact piece of malware that could be installed over telnet onto the relatively dumb devices to make them obey his attack commands.

The routers' operating systems didn't normally allow software to be installed on them. But Josiah figured out that they did have an "echo" command that could write out any line of text that you typed into a new file. He used that command to copy his code, line by line, into a file small enough to fit into the routers' few megabytes of memory. The feat was the equivalent of assembling a model ship inside a 12-ounce bottle. He called the code Qbot.

Qbot was Josiah's first foray into hacking the so-called internet of things, the vast universe of internet-connected devices beyond traditional computers, from security camera systems to smart appliances, that would turn out
to be ripe for exploitation. Even in this first crude attempt, it was immediately clear that Qbot was a potent new weapon.

Josiah could see the power he'd stumbled into. There seemed to be many thousands of vulnerable routers online that Qbot could commandeer. He was initially more careful with this creation than he'd been with his previous coding projects, keeping Qbot's code private and sharing it only with his friends Dalton, Paras, and a few other young hackers who had formed a loose network and hung out on Skype and TeamSpeak. But Josiah made the mistake of also giving the code to one other contact. The guy went by the name vypor and, Josiah says, had a reputation for trading in other hackers' secrets as a means of impressing more talented acquaintances. Vypor immediately began trading Qbot for favors and clout with, it soon seemed, his entire contact list.

When that betrayal became clear, Dalton retaliated on Josiah's behalf by hiring a rapper through the gig-work service Fiverr to record a profanity-laden track brutally mocking vypor's lack of coding skills. The diss track was uploaded to YouTube. Vypor immediately responded by threatening to swat all of them: Dalton, Josiah, even Paras, who had only recently joined the group.

All three of the young hackers were terrified of being swatted, or swatted again, in Dalton's case. They agreed that their best bet to protect themselves was to knock vypor offline and hold him off as long as possible. If he couldn't reach a VoIP service to spoof a call to the police, their short-term reasoning told them, he couldn't swat anyone. Maybe they could at least enjoy the weekend before he brought armed police to their doorsteps.

So all of them together bombed vypor with every DDoS tool they had. For days they repeatedly hit not only his home connection but also routers two and three steps upstream, using Qbot and every other botnet and amplification technique they'd learned to wield. The three believe they
probably blasted vypor's entire town off the internet, though they never got confirmation aside from seeing the entire chain of network devices stop responding to their pings.

Regardless, the attack seemed to serve its purpose. Vypor disappeared from the scene and never bothered them again.

Allison Nixon, who would become one of the first security researchers in the world to fully understand the dangers posed by weaponized routers and internet-of-things appliances, had no idea who Josiah White was. But she knew LiteSpeed.

At the beginning of her career in New York a few years earlier, Nixon had worked the night shift in the Security Operations Center of Dell's SecureWorks subsidiary, essentially as the cybersecurity equivalent of a patrolling night watchman. A petite, hoodie-wearing security analyst in her early twenties, she monitored the company's clients' networks for attacks in real time and investigated them just enough to know whether to escalate to someone more senior. "Kind of a grind," she remembers.

But she was curious about where all these daily, wide-ranging hacking attempts were coming from. So in the long stretches of downtime between alerts, she started googling and was amazed to discover Hack Forums, a platform on the open web where young digital deviants were bragging about their attacks and brazenly selling their toolkits. She found booter services especially shocking: how publicly and cheaply these miscreants sold a kind of cyberattack that could cost companies millions of dollars a year and often made her and her colleagues' lives hell. Many of the young hackers doing this damage could even be identified, thanks to their rash public posting, sloppy operational security, and the frequent "doxing" of rivals (digging up and outing another hacker's real identity). But no one seemed to be doing anything to stop them.

As Nixon lurked longer on the forum, she could see that most hackers on the site weren't actually developing their
own techniques. Instead, almost all of their tools seemed to trickle down from just a few skilled individuals. LiteSpeed was one of them. His attack amplification tricks and bot infection tools had established him as a kind of Hack Forums alpha, an unmistakable standout in the scrum. "Sometimes you kind of get a gut feeling when you're tracking someone that they're going to blow up in one way or another," she says. "I knew I wanted to keep an eye on him."

Nixon says the more senior researchers on SecureWorks' counter-threat team had little interest in DDoS attacks, which were considered primitive compared to the cutting-edge intrusion methods that they focused on. But Nixon was fascinated by the anarchic, Lord of the Flies world of young hackers building an entire cyberattack industry, seemingly with no repercussions or even notice from law enforcement.

Nixon partnered with a university researcher and began testing out booter services on Hack Forums, barraging a guinea-pig target server with waves of junk traffic. Some of the attacks topped 30 gigabits a second, easily enough to knock someone offline or cripple a website.

By 2014, Nixon had quit the security operations center and taken a job hunting hackers full time, but she couldn't let go of her DDoS obsession. At a meeting in Pittsburgh of cybercrime fighters called the National Cyber-Forensics and Training Alliance, she stood before a room of several dozen researchers, academics, and law enforcement officials. With the participation of an internet service provider that had just presented its DDoS protection plan, she demonstrated that she could click a button on a booter website and launch a cyberattack at will, a daring move in front of a crowd of federal agents and prosecutors.

One agent from the FBI's Pittsburgh field office named Elliott Peterson, a former Marine from Alaska who'd recently led the landmark takedown of a Russian-origin cybercriminal malware and botnet known as GameOver
ZeuS, was particularly impressed. He and Nixon talked about the booter problem. She pointed out how freely the services operated, how many of the culprits were identifiable, and how powerful any intervention in that world might be. And she shared her growing sense that if the larger problem were left unchecked, it would pose a serious threat to the operation of the internet.

For Josiah, the conflict with vypor was a wake-up call. He felt he'd narrowly avoided watching his secret hacking hobby burst into his peaceful family life. For more than a year, he backed away from Hack Forums and let his LiteSpeed handle go dormant. But he continued to chat with his friends Paras and Dalton, and the three of them began sharing a rented server for coding experiments and internet scanning, which they referred to as the Fun Box.

Paras, meanwhile, continued his free fall into hacker nihilism. In the fall of 2014, he started college at Rutgers and found himself alone and unmoored. He had looked forward to delving into the study of computer science and was appalled to learn that he would have to enroll in other kinds of courses that, to him, seemed like months of wasted time and tuition. Even the computer science exams, to his horror, had to be taken with pencil and paper. "I absolutely hate college," he texted a friend. "There is absolutely nothing for me here."

He sank into a malaise and gained weight, sometimes eating a large Papa John's pizza in one sitting. He couldn't sleep at night and often couldn't find the motivation to get out of bed, much less go to class. Aside from his roommate, he had little social contact in the real world, certainly nothing that could compare to the rich, battle-tested friendships he'd built online.

Paras was particularly frustrated to find he couldn't even get into some of the computer science courses he wanted to register for. Third- and fourth-years got first dibs,
and only once their registration round was over did second- and first-years get a chance to choose from the leftovers.

But Paras soon realized he had just the superpower to right this injustice: He could use one of his botnets, built mostly of vulnerable home routers, to blast the entire registration system offline until it was his turn.

He took a trollish delight in tormenting the institution that he felt was tormenting him. Under the Twitter handle ogexfocus, accompanied by a picture of a ghostly mask, Paras publicly taunted his target. "Rutgers IT department is a joke," he wrote in a public manifesto, bragging after three attacks in succession about crushing the university's network "like a tin can under the heel of my boot." "I'm fairly certain I could run circles around all of you with my eyes closed and one leg amputated."

When dreaded exams rolled around, he tore down Rutgers' network again to delay them, buying himself a few more days of miserable procrastination. Later he took the network down to prevent his parents from seeing his increasingly horrendous grades. "I was feeling very frustrated, I guess with myself, and lashing out," he says.

On one occasion in the spring of 2015, Paras totaled the Rutgers network so thoroughly that he had to text Josiah to ask him to continue the attacks on his behalf. "Admiral, can you execute my command?" he wrote, in the jokey, naval-themed slang they'd developed. The outages persisted long enough that some Rutgers students later demanded a tuition refund.

Paras enjoyed the sense of control the attacks gave him, watching their cascading effects on the university the same way he'd invisibly watched players respond to his tweaks of Minecraft worlds years earlier. But when the attacks were over, his problems were still there. By his second year, it was clear to Paras that college wasn't working for him.

Around the same time, he had started batting around an idea with Josiah that seemed like a way out: What if
they founded their own startup, offering DDoS protection to defend paying customers from exactly the sort of attacks that they had become so expert at launching?

To Josiah, it made perfect sense. He understood DDoS attacks on a deep technical level (he had, in fact, built or at least used many of the attack tools that other DDoS protection firms were combating daily) and Paras had built a reputation as a skilled programmer, particularly among Minecraft server administrators, who might be a good initial customer base.

Paras borrowed $10,000 from his father, and he and Josiah used it to cofound a company, ProTraf Solutions, short for "protected traffic." They had seen other firms struggle to defend customers from new forms of DDoS, and they were sure they could do better.

It wasn't so simple. After launching ProTraf, they realized their potential customers didn't often shop around for DDoS protection. Typically, they didn't feel the need to switch providers unless the one they already had was failing to shield them from an attack, which occurred only rarely. Meanwhile, the bandwidth Josiah and Paras had rented on servers around the world, the cushion they would use to absorb attack traffic aimed at customers, was quickly eating through their capital.

Soon they came to an idea: Only when customers were actually knocked offline would they consider switching to ProTraf. Maybe the two young partners just needed to hurry this process along. "We could wait for one of these outages," Josiah says, "or we could cause one of these outages."

They agreed: They would use their own DDoS attacks to hit off their competitors' customers, just enough to get their own fully legitimate business on its feet, of course. "We'll do it a few times," Josiah remembers thinking. "We'll cause trouble for a little bit, and then we'll just forget about it. We'll stop."

Josiah and Paras began building the new attack botnet they'd use in what would become, whatever story they told themselves, a kind of
DDoS protection racket.

The two teenagers used Josiah's old Qbot code to reinfect a new army of thousands of routers and started wielding it to target their rivals' clients, all Minecraft servers, easily obliterating their protections. For a while, this veiled extortion scheme actually worked. More than a dozen Minecraft administrators, desperate to get back online, did switch to ProTraf, paying $150 or $200 a month each.

It still wasn't enough. They'd expanded too quickly, buying infrastructure that was eating up their capital faster than their revenue could replenish it. And they found that when their attacks stopped, some customers switched back to their competitors, perhaps because they sensed that the attacks, timed so closely to the launch of this new startup, had been a little too convenient. "People had their suspicions," Josiah says.

Josiah was still working at his family's computer repair business as he struggled to get ProTraf on its feet. When he wasn't helping customers there, he resorted to making phone calls to drum up sales. He figured if his father and brother could pitch customers and build a business, so could he. But no one who picked up the phone wanted to listen to this fast-talking teenager selling a mission-critical security service. The calls were dead ends, and Josiah came to loathe making them.

Just around a year after launching, in the late spring of 2016, ProTraf was flaming out. For Josiah in particular, the company's looming death was hard to accept. His parents had been so proud of his business ambitions. He seemed to be making good on his enormous potential, following in his family's entrepreneurial footsteps. Was he really going to admit that he'd already failed? He felt trapped and ashamed.

So Josiah began to consider other sources of cash flow. A friend from the hacker scene had been impressed with his rebuilt collection of Qbot-infected routers. He asked whether Josiah might be willing to build a new DDoS botnet. If so,
he would have customers lined up to pay thousands of dollars in bitcoin for access to it.

Josiah suggested to Paras that they could accept the offer and build a new, even bigger botnet, renting slices of its attack power to the highest bidder in a last-ditch attempt to keep ProTraf alive. It would essentially mean turning the company from a protection racket into a front for their new, real business: selling cyberattacks as a service.

"Sounds ill ey gahl," Paras joked. Sounds illegal.

"Eh," Josiah wrote back. "Kinda."

To build the chief weapon of their secret DDoS-for-hire sideline, Josiah and Paras started from scratch. A few years had passed since Qbot's creation, and they both had a few new ideas of how to infect and commandeer a vastly larger collection of internet-of-things devices.

In the time since Josiah's original Qbot code had leaked, thanks to Josiah's old friend vypor, the hacker community had been steadily upgrading it. Some versions had now been redesigned into worms: Infected routers would automatically scan for other vulnerable devices and try to hack and infect them too, in a self-spreading cycle. But when Josiah and Paras examined those newer botnet systems, they seemed inefficient and unreliable. Someone else's hacked router was an unwieldy vantage point from which to find vulnerabilities in new machines. Plus, that decentralized setup made it slow and difficult to upgrade their bot software.

So instead they designed a more centralized, three-step structure: Their infected machines would scan for other hackable devices, using a new system they say was as much as a hundred times faster than the bootleg Qbot worms they'd previously seen, and then report the vulnerable gadgets they found to a "loader" server, which would hack the machines via telnet to install their malware. Then a separate command-and-control server would shepherd those malware-infected bots, periodically sending new commands for which targets to attack.

Paras and Josiah were surprised to discover just how powerful this new automated
zombie recruitment process turned out to be. Josiah remembers leaving the system running overnight and waking up to find 160,000 freshly brainwashed routers ready to do his bidding, far more than he'd ever controlled before.

When he saw the scale of what they were building, Josiah's plan (raise some money with a few cyberattacks, then return to ProTraf and go straight) began to seem like a wasted opportunity, a waste of his talents. "This is cool," he remembers thinking. "This is innovative. No one else is doing this."

As their botnet's size exploded, Josiah suggested to Paras that they would be able to rent even small fractions of their firepower to attackers for $2,000 or $3,000 a month, easily topping $10,000 in monthly revenue.

"Lol," Paras wrote back. "And how big does the armada have to be?"

"That won't be a problem," Josiah responded.

Seeing their botnet grow so deliriously large so quickly had now triggered in Josiah an old impulse, purer than any profit motive. "What are the limits here?" he began to ask himself. "How far can we spread this thing?"

Naturally, he turned to his old friend Dalton, who had always shared that urge to push the technological envelope. Josiah and Paras agreed to cut Dalton in on shared control of their growing creation, letting him sell access to a part of it through his own booter service. In return, Dalton would contribute his hacking skills to finding new populations of devices to add to their horde.

To maximize their malware's footprint, Dalton began to plumb the teeming vulnerabilities of the internet of things. He dug up tens of thousands more gadgets across the world with unpatched flaws, machines that went far beyond home routers. Smart appliances such as online fridges, toasters, and light bulbs all became part of their agglomerated mass of raw computing power. All these eclectic digital objects had the advantage of being relatively greenfield territory: While countless hackers vied for control of traditional computing
devices like PCs and even routers, many of these newer devices remained untouched by malware and uncontested.

Surveillance cameras' digital video recorder systems, with hardware capable of processing large video files, turned out to be especially strong new recruits. Some scans even turned up more exotic hackable devices, like internet-connected industrial cement mixers and municipal water utilities' control systems. The three hackers say they did avoid hacking those industrial devices, for fear of being mistaken for cyberterrorists.

They settled into a workflow: Dalton would scan for new species of exploitable devices and write code to infect them. Josiah would refine Dalton's code and create software to take control of new additions to their menagerie of networked gadgets.

Paras, meanwhile, focused on the administration software that ran on their command-and-control server, its own complex programming task as their botnet grew to nearly 650,000 devices. He sensed that the scale of their creation would soon draw attention, and he took it upon himself to create a trail of misdirection to hide their identities from public scrutiny. To advertise the botnet, Paras created new sock-puppet accounts with names like OGMemes and Ristorini on Hack Forums, Skype, Reddit, and Jabber. He then created a collection of fake "dox" linked to those handles, the posts that hackers typically use to out rivals' real identities, but in this case all pointing at people whom Paras had chosen as patsies.

To make their connection to the botnet's command-and-control server harder to trace, Josiah found a vulnerable server in France that they could hack and use as a jump point, connecting to that hacked machine only through the anonymity software Tor, which made it look like that computer's owner was the real mastermind. The machine was actually a "seed box," a server left online to continuously trade in pirated movies over the BitTorrent protocol.

The French server, in fact,
was filled with anime videos, a subject Paras knew something about. He was a fan of the psychedelic animated Japanese show Mirai Nikki, in which a teenage outcast discovers he's part of a battle royal among 12 owners of magical cell phones and eventually (spoiler alert) uses his phone's powers to become the god of all space and time. The show, Paras had texted a friend, "literally defines the genre of psychological thrillers."

Paras knew that the file name for their program, now running on an ever-increasing base of hundreds of thousands of devices worldwide, would soon be a subject of notoriety. So in keeping with their work to pin the botnet's creation on a random anime collector, he chose a suitable name. All the better that it also evoked a cyberpunk superweapon brought back to the present by a time-traveler, an instrument for which the world was wholly unprepared: Mirai. In Japanese, it meant "the future."

To Allison Nixon, and any other security researcher observing it from the outside, the advent of Mirai initially looked less like the rise of a new superpower than the start of a world war, one where the battlefield was the internet's multitudes of insecure gadgets.

In 2014 and 2015, the years leading up to what she would call "the battle of the botnets," Nixon began noticing that groups of nihilistic young blackhats with names like Lizard Squad and vDOS were picking up LiteSpeed's leaked Qbot code and then selling access to their own hordes of zombie devices or using them to terrorize and extort online gaming services. So Nixon, who around this time started working at the security firm Flashpoint, created "honeypots" (internet-connected simulations of vulnerable devices designed to be infected by the hackers' bot software), acting as her own spies amid the botnets' ranks. The result was a real-time intelligence feed revealing the booters' commands and intended targets.

It was in early September 2016, while monitoring those botnet honeypots, that
Nixon and some colleagues spotted an intriguing new sample of code that was infecting routers and internet-of-things gadgets, the one the world would come to know as Mirai.

This new code seemed capable of detecting when it was running on a honeypot instead of a real device and would immediately terminate itself when it did. So Nixon and her coworker ordered a cheap DVR machine off of eBay, connected it to the internet, and watched the device (they nicknamed it the "sad DVR," due to its life of victimization) get infected over and over again by Mirai and its competitors.

In fact, unbeknownst to Nixon, Mirai's creators were by then locked in an escalating turf war with vDOS, a competing botnet crew, which had built an especially large army of hacked machines using an updated version of Qbot. Both the Mirai and vDOS teams had designed their bot software to identify and kill any program that appeared to be their rival's, and the two botnets began vying for control of hundreds of thousands of vulnerable machines, like warlords repeatedly conquering and reconquering the same strip of no-man's-land.

Soon the Mirai crew and vDOS resorted to anonymously filing abuse complaints with the companies hosting each other's command-and-control servers, forcing them to build new infrastructure. At one point, a company called BackConnect, which had been hosting Mirai's server and was run by acquaintances of the Mirai team, came under a DDoS attack from the vDOS crew. To Nixon's shock, BackConnect responded by using a so-called BGP hijack (the highly controversial tactic of essentially lying to other internet service providers to misdirect a wide swath of traffic) to effectively pull vDOS's command-and-control server offline.

Soon Paras, Josiah, and Dalton got tired of the endless tit for tat. They reprogrammed Mirai, allowing it to sever the telnet connections on the victim devices, thus making them harder to update but shutting out vDOS and any other rival from easily
reinfecting those machines. That seemed to do the trick: To the Mirai team, it appeared vDOS had given up. In reality, their adversaries had been questioned by law enforcement and later arrested.

Nixon remembers the feeling she and her team of researchers had as they watched Mirai win that war and come to dominate the internet's mass of vulnerable devices. Once, that messy landscape had been infected with a rich diversity of malware species. Now, for the first time she had ever witnessed, all of that malevolent code seemed to go quiet as Mirai's superior infection techniques took hold of hundreds of thousands of networked devices across the globe. "From our perspective, it was like this new apex predator was prowling the savanna, and all of the other animals had disappeared," says Nixon. "From that point forward, we were on the hunt for this monster."

For much of the cybersecurity research community, the purpose of this gargantuan botnet still remained unclear. They couldn't know that Josiah, Dalton, and Paras had opened Mirai for business and put its services up for sale; that the monster Nixon was hunting was itself on the hunt for its first victims.

From left to right: Bruce Schneier, Elliott Peterson, Allison Nixon, Brian Krebs, and Scott Shapiro.

For Brian Krebs, September 22, 2016, was an inconvenient day to become the target of the most powerful DDoS botnet in history.

A construction crew had been replacing the siding on Krebs' rural house in Northern Virginia all morning. The incessant hammering was freaking out his dog, who responded as if barbarians were laying siege to their home. Krebs worked as an independent investigative reporter and security researcher, one of the best known in the cybersecurity industry. He had no workplace to escape to. "I was already losing my mind," Krebs says.

It was only a little later that day, Krebs says, that it started to become clear that his dog was not wrong. He was, in fact, under siege. And the barbarians were winning.

Two nights before, Prolexic, the service that provided
his DDoS protection, had warned him that something was amiss: His website, KrebsOnSecurity, had been hit with an attack that peaked at a mind-boggling 623 gigabits a second, according to Prolexic's measurements. The company had never seen an attack even half that big. But it had heroically managed to absorb the traffic, the Prolexic rep told Krebs, and his site had stayed online.

"Holy moly. Prolexic reports my site was just hit with the largest DDOS the internet has ever seen," Krebs tweeted that night. "Site's still up. #FAIL"

Krebs prided himself on his work hunting cybercriminals, a role in which he was nearly peerless in the world of journalism and one that had made him plenty of enemies. He'd been swatted by a target of his investigations and once had someone ship dark-web heroin to his house in an attempt to frame him. DDoS attacks from aggrieved subjects of his reporting were nothing new. But taunting the source of this particular attack, he now realized, had perhaps been ill-advised.

For two days, he continued to get notices from Prolexic that the massive DDoS was still going. In fact, whoever was barraging his server had persistently switched tactics throughout that time, firing new forms of data designed to be harder for Prolexic to filter out or targeting machines further upstream. "These guys were real bastards," Krebs says. "They were throwing the kitchen sink."

Amid all this, more than 36 hours after the attack had begun, a member of the work crew at Krebs' house managed to kick his satellite dish, knocking out his home's internet connection. He tried to tether his computer to his cell phone, but its bandwidth was too spotty. And the attack kept coming, an overwhelming, sustained tsunami of malicious ones and zeros.

Krebs was still struggling to get online on the afternoon of the 22nd when he got another call from Prolexic. This time the company told him, in polite but clear terms, that he'd better find a new source of DDoS protection. They
were dropping him. One of the biggest DDoS defense firms in the world could no longer handle the scale of the data torrent barraging his site.

Krebs got in his car and drove to a local business's parking lot to try to find a stable Wi-Fi connection for his laptop. From there, he called his web-hosting provider to warn that without Prolexic's layer of defense, it was about to get hit with an unfathomable wall of digital pain. He suggested that, rather than allow all its customers to be taken offline, it should instead configure his website to point to a nonexistent IP address, essentially routing the attack traffic, and anyone trying to visit his site, into a hole in the ground.

The hosting company took his advice. KrebsOnSecurity.com instantly dropped offline. It would remain that way for days to come, as Mirai loomed, seemingly ready to obliterate the site again the moment it resurfaced.

For Krebs, being successfully censored by cybercriminals was a wholly new experience. "Someone just took my site offline," Krebs remembers marveling. "And there's nothing I can do about it."

Josiah, Dalton, and Paras had unlocked their superweapon, and already it seemed there was almost nothing on the internet that could withstand it.

When Krebs tweeted that his website had been hit with "the largest DDoS the internet has ever seen," he was almost right. Mirai had actually struck the French internet provider OVH around the same time with an attack that had reached the even more shocking volume of a terabit per second. The botnet's hundreds of thousands of hacked devices had also quietly KO'd a web-hosting firm and a Minecraft service in August with attacks that were nearly as large but had gone mostly unnoticed by the security world.

Within just a few months of launching their fully operational Death Star and making it available for hire, the three hackers, all still too young to legally drink alcohol, had assembled a small but devoted collection of clients. A
fellow hacker who went by the handle Drake allegedly acted as a kind of sales rep. He would periodically hit off arbitrary targets as a form of marketing to demonstrate Mirai's bristling firepower to potential paying customers. One such patron, who claimed to be in Russia, had rented Mirai to launch attacks against rivals in the cybercriminal web-hosting world, knocking out his adversaries' sites. Their most frequent user seemed to be a hacker in Brazil, who repeatedly and inexplicably rented access to Mirai to fire off attacks at the network of the Rio Olympics, at one point bombing it with more than a half-terabit per second of traffic.

Paras himself used Mirai a couple of times against his old whipping boy, the Rutgers IT department, mostly just for vengeful fun. On another occasion, he briefly tried using it for straightforward extortion against one of their former ProTraf customers, slamming a Minecraft server with a Mirai attack and then demanding a bitcoin payment. In an attempt to make the connection to ProTraf less suspect, he even copied his own ProTraf email address as a recipient of the ransom note. The company didn't pay. Josiah disapproved of Paras' extortion attempt, and they never tried it again.

It was their Brazilian customer, Paras says, who had decided to DDoS Krebs into oblivion. Paras woke up that day, read news stories about the monumental attack on Krebs, by far the most high-profile Mirai victim to date, and instantly felt a mix of excitement and dread in the pit of his stomach. "This had better not have been our botnet," he remembers thinking. He checked their user logs. "It was our freaking botnet."

After the Brazilian's earlier attacks on the Olympics, Paras and Josiah had decided this user was perhaps a little too reckless in his targeting. They'd attempted to limit his access to Mirai, ending his sessions after just 10 minutes. But Paras saw that the nihilistic Brazilian had simply manually restarted the attack on Krebs'
site again and again throughout the night, and he was still going.

Paras messaged Josiah and Dalton, and they jumped onto an emergency call on a private, encrypted VoIP server. They all agreed: Annihilating the website of a very well-known journalist had crossed the line, beyond helpful marketing into a kind of attention they didn't need, the kind that got you arrested. "You don't want to poke the bear," says Josiah. "This was a pretty big poke."

By this point, too, they were all 19 or older. They were adults carrying out an extremely visible criminal conspiracy. The heat Mirai was now bringing them, they began to realize, wasn't worth it. And despite all the chaos it had caused in its early months of life, Mirai had made only a small fraction of the money Josiah hoped it would: about $14,000 worth of cryptocurrency in total. Even the biggest DDoS attacks in the world were, for their perpetrators, a relatively cheap commodity.

They had only just launched this world-shaking creation. Now they already needed an exit strategy. It was Paras who, a day or two later, suggested a new idea: Their Russian customer had, despite renting occasional access to Mirai, suggested to him that DDoS was a bad business. Not enough money. Far too noisy. He'd advised they instead consider partnering with him to use their botnet-building skills for a much stealthier and more lucrative opportunity: click fraud.

Put all those hijacked machines to use quietly clicking on pay-per-click web ads instead of pummeling victims, Paras explained, and they could make tens of thousands of dollars a month by invisibly defrauding advertisers, a far less disruptive form of cybercrime. Josiah and Dalton agreed they should start to transition away from the cyberattack-for-hire industry and into this more respectable black-market business.

But they couldn't quite bring themselves to kill their monster just yet. Instead, Paras and Josiah, who held more control of Mirai's targeting than Dalton, attempted to
add the IP address for KrebsonSecurity.com to a block list that would at least end the attack, though they'd find in the days to come that their efforts to restrain their least predictable customer had failed again.

Regardless, by that point, it was too late. Josiah was right: They had poked the bear. Now it was wide awake.

Elliott Peterson was sitting thousands of miles to the northwest, in the FBI's Anchorage, Alaska, office, when he read the news that Brian Krebs, a journalist whose work he knew well, had been wiped off the face of the web.

He was shocked to learn that an attack could hit Prolexic (a firm owned by the internet giant Akamai, whose entire business model depended on handling giant flows of traffic) so hard that it could essentially jam one of the biggest digital conduits in the world. And all to silence a journalist. Peterson knew that he'd just witnessed the start of a new era. "All of a sudden the world woke up to the fact that someone's throwing around a terabit of traffic," he says. "No one was ready for that."

Two years had passed since Peterson had seen Allison Nixon's live booter demonstration at a Pittsburgh cybercrime conference. He'd since returned to his native Alaska, taken up an assignment at the FBI's smallest field office, and turned it into an unlikely hub for takedowns of botnet and booter operations. Just days earlier, he'd learned of the detainment in Israel of vDOS's two administrators, the rival hackers with whom the Mirai crew had recently been at war. Peterson had been involved in the investigation of vDOS for months. The resulting bust was, in fact, the real reason that Mirai had definitively won that rivalry.

Now Peterson was disturbed to see that the takedown had only cleared the field for someone wielding an even bigger weapon. He knew he would need to take on this case too.

Working from his cubicle in the cyber atrium (a glass-roofed enclosure that houses the handful of FBI agents focused on cybercrime inside Anchorage's brutalist redbrick federal building), he started
digging. He and Nixon had helped create an industry working group called Big Pipes that dealt with DDoS attacks, and he immediately learned from contacts there that Akamai had been hit by a mysterious new botnet called Mirai.

Even in the midst of Krebs' unfolding crisis, Peterson understood that for the Anchorage office to take on this new monster, he'd first have to get over a legalistic hurdle: He needed to prove that either its victims or creators were in Alaska. Krebs and Akamai were thousands of miles away. So he realized that he would have to somehow find Mirai-infected devices in his own state. Luckily, by this point, there were hundreds of thousands of those infected devices online, a digital pandemic that reached nearly every country in the world.

Meanwhile, Peterson could only watch helplessly as Krebs' website was held offline by Mirai for more than 48 hours. Only then did Krebs finally manage to get it back up with the help of a new DDoS defender: Google. The web giant had recently expanded a pro bono DDoS protection service called Project Shield to a wider array of users, and it was eager to prove that it could withstand the internet's biggest attacks.

Within two hours of KrebsonSecurity coming back up, it received another blast from Mirai. The site's IP address had changed, Paras says, so his and Josiah's block list didn't prevent their Brazilian customer from relaunching his attack. But this time, the site stayed online.

Google reached out to the FBI, and with Krebs' permission, the company eventually shared a list of IPs that had been the sources of the Mirai attack traffic. Peterson and his four-person team began to comb through it. Sure enough, he could see in the data that Mirai had infected devices across Alaska, along with practically every other state in the country. He started tracking down the Alaskan device owners, trying to explain to them in phone calls that their routers and security camera systems had been
unwittingly turned into cannon fodder. Finally, Peterson got a break: He managed to persuade the owner of a hunting lodge in the town of Ketchikan to unplug its malware-infected security camera DVR and ship it to Anchorage to be dissected and used as evidence.

Peterson had found his Alaska victim. He launched an investigation to hunt for the hackers behind Mirai.

After serving in the Marines but before joining the FBI, Elliott Peterson had served as a dean of men at a college in Michigan. In that job, he had helped kids with emotional problems and substance abuse issues, essentially acting as a guidance counselor and mentor. It was an unusual role for a future federal agent, but the two jobs reflected Peterson's strange hybrid personality: half by-the-book, buzz-cut G-man and half well-meaning, friendly Midwestern youth pastor.

Peterson brought that same peculiar cordiality into his Mirai manhunt. He began politely asking around among the Hack Forums crowd and their ilk, a scene he'd become familiar with over his years of tracking booter services: Who might know any of the pseudonymous hackers selling access to Mirai?

Not long after starting the investigation, his team in the Anchorage office got a lead on one good source: They'd managed to obtain a complete sample of the Mirai code from an infected device and found that it phoned home to a command-and-control server hosted by the DDoS mitigation firm BackConnect. Peterson knew that name. He'd been hunting the vDOS crew when BackConnect came under attack from Mirai's rival; in an apparent act of self-defense, the company had used a BGP hijack to pull vDOS's infrastructure offline, a rogue move that had nearly derailed Peterson's vDOS investigation.

So he made a few calls to BackConnect's management to ask about the company's BGP hijack and the Mirai server they were hosting (which had since moved elsewhere) and whether they had any contact with whoever controlled it. BackConnect's staff said they
didn't, but suggested someone who might: One of their acquaintances from a company called ProTraf Solutions, Paras Jha, seemed to have had contact with whoever was behind Mirai.

After all, Paras had received an extortion email from someone launching the Mirai attacks (neither Peterson nor BackConnect knew that Paras had sent that email himself) and they'd heard he'd chatted with a Mirai handler known as Ristorini.

So Peterson called ProTraf's phone number and left a voicemail. Paras called him back. Peterson remembers that Paras matched his polite, friendly tone and calmly explained that yes, he had been in touch with Ristorini in online chats. But he had no idea of the real identity of the person who'd tried extorting one of his former customers.

Paras kept the conversation short but said he'd be sure to keep asking around and would be in touch soon to help in any way he could when he'd learned more. Then he hung up and immediately called Dalton and Josiah to tell them the FBI was on their trail.

This time, their emergency meeting was steeped in panic. They needed to ditch Mirai, now.

Dalton suggested they simply take down Mirai's infrastructure, wipe the command-and-control and loader servers, and destroy the hard drive of every computer they'd ever used to manage it. "Lay as low as possible, kill the whole thing, shred our drives," as he put it. Then they could quietly move on to their more promising click fraud business.

Paras had another idea: How about they release the Mirai source code into the wild? If they posted it publicly on Hack Forums, it would be adopted by every DDoS-happy hacker in the world, just as Qbot had once been. They could disappear into that crowd, making it vastly harder for this nosy Alaskan FBI agent, or anyone else, to identify the original Mirai amid the flood of copycat attacks.

Dalton vehemently disagreed. He argued that releasing the source code would only draw more attention to Mirai, cause more damage, and make law
enforcement all the more intent on finding the botnet's original creators.

The call devolved into a full-blown shouting match, the first the three friends had ever really had. Dalton screamed at Paras not to release the code. Paras remained unmoved. Josiah, meanwhile, listened impassively, stuck between his friends, unable to break the tie.

When they hung up, they had agreed that their Mirai adventure was over. But they remained split on what to do with its source code.

So Paras acted on his own. A couple of months earlier, he had created a new sockpuppet account on Hack Forums as another potential profile for Mirai's mastermind. He'd called this one Anna-Senpai, named after the villain of the Japanese animated show Shimoneta, or "Dirty Joke," in keeping with Mirai's anime-loving cover persona.

Now, in late September, he logged in again as Anna-Senpai to post a stunning announcement. "I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO," he wrote. "So today, I have an amazing release for you." The post then linked to download pages for Mirai's source code, along with a tutorial detailing how anyone could use it to create their own massive, self-spreading, internet-of-things attack tool. He added in a separate post that Anna-Senpai was now on the run, fleeing their home in France for a non-extradition country.

Paras had just dumped the recipe for a superweapon into a mosh pit. Beyond throwing up a smoke screen to ward off the FBI, it was also a final, epic troll, a way to shake the internet ant farm, this time on a global scale, and watch the ants scramble.

The Hack Forums community responded accordingly, showering him with praise and admiring Mirai's polished programming. Several users wrote that it had to be the work of professionals, not the forum's typical teenage wannabes. "Your a fucking legend," one user wrote. "Leak of the year," wrote another.

Within days,
one user responded that they'd successfully used the source code to create their own Mirai botnet of 30,000 devices. Another chimed in to say theirs had reached 86,000 machines. "The glorious copy paste will happen," wrote another appreciative hacker. "IoT botnets will spread like wildfire."

"Best haxoring tool of all time. Gonna take down eribody," wrote another Hack Forums fan, summing up the gleeful mood. "I've always wanted a botnet that can DDoS de planet."

Peterson was deeply dismayed to see the Mirai code dumped online, a move he saw as appallingly reckless. But rather than be thrown off, as Paras had intended, Peterson had the immediate thought: Had his poking around inspired this? Did his conversation with Paras have something to do with it?

Not long after Anna-Senpai's Mirai release, Peterson got another break in the case. Some university researchers working with the anti-DDoS group Big Pipes told him they'd found a clue in the logs of their honeypot machines designed to monitor internet scanning. Two months earlier, on August 1, they'd been able to see that a kind of proto-Mirai scanning tool, perhaps the earliest version of the botnet's reconnaissance code, had probed their devices from a US-based IP address.

Peterson contacted the IP's hosting company to request the identity behind it and got a subscriber name: Josiah White. The other cofounder of ProTraf Solutions.

The FBI agent called ProTraf again, and this time spoke to Josiah on the phone, projecting his same friendly tone. Josiah, trying to sound professional but caught off guard by Peterson's discovery, nervously admitted that yes, he'd done some scanning. Scanning the internet, after all, isn't a crime. Then he begged off answering any more questions and hung up the phone.

Peterson had been fascinated and even impressed by the Mirai team's operational security: the careful layering of proxies, the dead ends he reached as he traced those connections, the doxes he found for Mirai's handler
accounts, all of which seemed to lead him astray. But now, just weeks into his investigation, he knew that Josiah's early scanning slip-up had allowed him to sidestep all of that obfuscation and misdirection. His team began sending a flurry of legal requests to the email and internet service providers for every account associated with the throwaway profiles Paras had created for Mirai, as well as those of Paras and Josiah themselves, and ProTraf Solutions.

As Peterson dug through Hack Forums, he noticed, too, that there was another interesting account that sometimes chimed in on Anna-Senpai's posts: someone called Fireswap. Often they seemed to be defending Mirai's creators and taking shots at critics of their source code. So Peterson sent a legal request to Hack Forums for Fireswap's email address (fireswap1337@gmail.com) and then asked Google for that user's subscriber metadata.

Looking through logins on Fireswap's Google account, registered to someone named Bob Jenkins, he could see they came from the same VPN or proxy server IP address that had carefully been used to create the fake Mirai doxes, sometimes just minutes apart. But then, in some cases, Jenkins had a different IP: the same one that Paras had used to connect to his ProTraf email account.

Paras had never suspected that an investigator would think to look into the burner account he'd created solely to cheerlead for himself on Hack Forums and take swipes at detractors. Now it had become the missing link tying him to Mirai.

Peterson still hadn't heard of Dalton Norman. But he now believed he'd found Mirai's two creators. The end of their cybercriminal careers was already in sight. But the chaos they'd invited onto the internet was just beginning.

Once it was fully unleashed and reproducing in the wild, Mirai didn't immediately break the internet. It took three weeks.

On the morning of October 21, 2016, Allison Nixon was just getting down to work in Flashpoint's office, an old garment factory
on the desolate western edge of Midtown Manhattan, when a colleague pointed out to her that something was seriously wrong with the internet.

Specifically, its phone book was broken. The domain name system is the mechanism that translates human-readable domain names into the IP addresses that actually route internet traffic to the computers where services are hosted. DNS is what allows you to remember Google.com instead of 20014860400000000, for instance, as the way to tell your browser to load up a search engine.

On that morning, the DNS of dozens of websites seemed to be crippled. Internet users across the US were typing names into browsers that needed to be translated into numbers, and the translators had been knocked out cold. "Something big is happening," Nixon remembers a colleague saying to her. "We need to figure out what's going on."

As Nixon's team tried sending DNS requests to some of the affected sites (the same sprawling collection of news sites, social media, streaming services, banking sites, and dozens of other major services that Scott Shapiro and millions of other users were trying in vain to reach) they saw that all the sites used the same New Hampshire-based DNS provider, a firm called Dyn. Although it wasn't yet clear to Nixon at the time, no fewer than 175,000 websites were offline.

Searching for a root cause for this unfolding internet collapse, she checked the attack logs generated by her sad DVRs (by now her team had several of them serving as bait). Sure enough, she could see that a Mirai variant, one of the many copycats that had sprouted in the weeks since Paras leaked the source code, had been relentlessly bombarding the Dyn DNS server for Sony's PlayStation gaming network. The attack's effects had apparently spilled over to take down Dyn's entire DNS system. Someone was using their copycat botnet to troll a video game company (typical Hack Forums behavior) and the collateral damage was the worst internet outage the world
had ever seen.

The nihilistic, teen-angst-fueled mega-DDoS that Nixon had always warned about had finally arrived. "We had worked for such a long time in preparation for that day that it was kind of vindicating," Nixon says. "On another level, it was super, super stressful."

Shortly after the attack on Dyn started, Nixon managed to reach someone at Dyn and share the evidence pointing to Mirai, a suspect Dyn only had an inkling of until that point. Dyn staffers at that moment were anxious but still confident that they could handle the problem and get their servers back online.

It was around the same time, still before 9 am Eastern, that Dyn truly began to implode.

DNS records are designed to work like a kind of hierarchical phone tree. Major services like Google and Comcast have their own DNS servers ready to answer computers requesting the IP address of a domain, and they only periodically check in with an authoritative DNS provider, in this case Dyn, to make sure the addresses they're handing out haven't changed. Some services check in multiple times a minute, while others refer to their last update of DNS data for hours before refreshing it.

Within minutes of the Mirai attack striking, Dyn was already in trouble, as DNS servers set to check in every 15, 30, or 60 seconds for new DNS records pounded the company's overwhelmed authoritative servers. When they didn't get an answer, they'd ask again, and again and again. They were designed to expect answers, after all. An authoritative DNS provider as large as Dyn had never gone down before.

But as time passed and Dyn's servers stayed down, the chorus of DNS requests began to include major services that check in only every hour. And then the ones that check in every two hours. And three. All now joining the mob incessantly hammering on Dyn's doors. Some internet services had even designed their DNS systems to automatically spin up new DNS servers to ask for answers when their existing ones didn't get a
response, multiplying the barrage of queries.

"Once the cascading failure started, that's when everyone got very, very nervous," says one person who was working at Dyn on the day of the attack. "Before that, the graphs looked awkward, but they didn't look catastrophic. But then they tipped over an edge as major services couldn't get responses, and the numbers started shooting up to the right."

The Mirai attack, in other words, had set off a chain reaction. The internet's IP address directory system was DDoSing itself.

At the same time, Dyn began to experience a kind of parallel, human DDoS attack, as people began demanding answers in almost the same cascading structure: Angry corporate customers with comatose websites started bombarding Dyn's phone lines. When management couldn't answer their questions, they echoed them down the org chart to engineers who were already entirely overwhelmed. "When the ratio of management and client services people looking for answers versus the number of people who can provide any answers starts to explode," the Dyn staffer remembers, "that's when it really starts to feel like chaos."

Compounding the problem was a coincidence of almost comic timing: A team of Dyn staffers was, on that very day, waiting for Oracle to sign the paperwork to close a deal to acquire their company, reportedly for more than $600 million. No one wanted to be remembered as the middle manager who failed to keep the internet online on this momentous occasion: the first day that the new bosses were watching. And through all of this corporate panic ran an undercurrent of rumors that China or Russia was responsible, that they were up against an all-powerful state-sponsored hacking operation.

Those rumors were short-lived. So, by some measures, was the outage. By that afternoon, Dyn had managed to get the attack under control and had started sending DNS responses piecemeal to its
clients, quieting the different networks clamoring for answers from its servers one by one.

But the damage left in the wake of the Dyn outage lasted longer. The total economic cost of a major fraction of the global internet falling offline for half a day is difficult to measure. Sony, whose PlayStation Network was the attack's original target, reported an estimated net revenue loss of 27 million. Following the attack, there were projections that, for a time, Dyn lost roughly 8 percent of its contracted web domains (more than 14,000 total) and millions in future revenue.

As Paras, Dalton, and Josiah watched a botnet built with their code break the internet's backbone, they had an array of reactions. Paras remembers being shocked that it was so easy: The Mirai clone that had carried out the attack had hit Dyn with fewer than 100,000 devices, just a fraction of the size of their original botnet. Dalton felt a grim, I-told-you-so sense of confirmation that he'd been right about the hazards of releasing the source code, along with the stress of knowing it was sure to draw more heat, but he also noted with a hint of pride that whoever carried out this internet-shaking attack hadn't even updated their code. "There was no innovation at all," he says.

Josiah, who had already had the closest brush with the FBI among the three young men, was perhaps the most troubled. By then, his family had moved out of the Pennsylvania countryside into a three-story house in the nearby town of Washington. That's where, from the basement-level storage room he now used as his work area, he read about the Dyn disaster, silent with dread and amazement.

As for Elliott Peterson, he spent the day in the FBI's Anchorage office fielding calls from every agency and official imaginable. Over the course of a month, his case had grown from a cybersecurity industry curiosity into an international clusterfuck, a subject of urgent interest for the Department of Homeland Security and for
reporters asking questions in a White House press conference.

No one yet knew who had made the copycat Mirai that had attacked Dyn. But Peterson was confident he already knew who had created Mirai and handed the code to those attackers. It was time to pay Josiah and Paras a visit.

It was just before 6 am, long before the sun would rise on that mid-January morning, when Josiah heard the banging on his front door.

For two months he had been waiting for the raid. He was now keeping a nocturnal schedule, working at his computer with Paras and Dalton until 3 or 4 in the morning before sleeping until 8 am and then heading into his father's computer repair shop. But that night, having finally gone to bed after 4 am, he still lay awake, his mind racing with anxiety.

As the banging started and his older brother hurried upstairs from their shared basement-level bedroom, Josiah went into the storage room and quickly switched off his computers. All three of the Mirai creators had been careful to do their hacking on remote servers and to connect to them only from ephemeral virtual machines that ran on their own PCs. So he figured that switching the computers off would erase any lingering data in memory. Then, before turning off his phone, he sent a message to Paras using the encrypted messaging app Signal: "911."

Josiah slipped on a pair of sweatpants and grabbed a T-shirt. He climbed the stairs and was walking through a dark hallway, still trying to get the shirt over his head, when he found a flashlight (or rather, he'd later learn, a gun with a flashlight attached to it) pointing at his face. "Drop the shirt," he remembers an agent saying.

Josiah was herded onto his front porch, still shirtless in the cold Western Pennsylvania winter air, where the rest of his family was already being held. Black Suburbans filled the street. And there was Elliott Peterson on the porch, greeting Josiah in his weirdly gregarious tone. "Oh hi, Josiah. I was hoping we wouldn't meet under these circumstances," Josiah remembers him saying. "But here I am."

After leaving Josiah's flabbergasted family shivering in the cold for several long minutes, the agents brought them all back inside. As they searched the house, Josiah managed to get fully dressed and sat in the living room. But even once he'd warmed up, he still couldn't stop shaking. As his secret life finally came crashing into his family life, he remembers feeling especially embarrassed that he'd left the storage room the FBI was searching so untidy.

Aside from Peterson, Josiah could see that local Pittsburgh FBI officials had joined the raid, as had French special intelligence officers. He'd later learn that French law enforcement had also raided the home of a certain innocent patsy in France with a server filled with anime.

After a couple hours of searching, the agents hauled away Josiah's computers, hard drives, and phone, and Peterson asked Josiah and his parents to come into the dining room to talk. "You probably know why I'm here," Peterson said. Josiah responded that he could guess.

The conversation lasted about half an hour. Peterson brought up the Mirai scanning server, and Josiah deflected again, confessing to nothing. The FBI agent warned Josiah not to tell anyone about the search, not knowing that Josiah had already sent his 911 warning to Paras. Then he left.

In the silence that followed, Josiah's parents told him it was time to come clean. During an excruciating 30-minute car ride to their computer repair shop to start the workday, Josiah confessed everything. His parents listened, stone-faced, too scared for their son's future to even be angry.

Finally his father responded: They would have to entrust Josiah's fate to God.

The raid on Paras' home came the next day. Peterson had hoped for simultaneous searches, but decided he should be present at both, so he spent the hours after leaving Josiah's house driving more than 350 miles across Pennsylvania into New
Jersey.

At 6 am, Paras heard the same banging on the front door of his family's house, where he was home from Rutgers for winter break. Thanks to Josiah's warning, this second raid had far less of an intimidating effect than the first. Paras had carefully cleaned up any evidence on his computers and turned them off long before the FBI agents arrived. In an attempt to find any storage devices Paras had hidden, the agents brought along an electronics-sniffing dog, trained to smell the glue used in computer hardware components. Paras remembers it wanted to play with his family's dog, a comical moment that helped dispel any shock and awe.

When Paras saw Peterson in person, his first response was annoyance that this chipper FBI agent had come all the way from Alaska to turn his home upside down. Peterson asked Paras whether Josiah had told him about his search of Josiah's house the previous day. Peterson assumed Josiah had stayed silent, as instructed, and he hoped to plant a sense of betrayal in Paras that his friend hadn't given him a heads-up.

But Paras instead smiled and said that yes, Josiah had warned him, surprising Peterson. And like his friend the day before, Paras refused to confess to anything related to Mirai.

Paras' family was deeply shaken by the intrusion. But when the agents left, he assured his parents that it was all a misunderstanding, that he had no idea why this Alaskan FBI agent seemed so fixated on him. He hadn't done anything wrong.

Paras, Josiah, and Dalton discussed the raids, and they came to an extremely optimistic conclusion: that the feds didn't seem to have anything on them. The searches had been a scare tactic, they agreed, and they had failed.

On the same day the FBI searched Paras' home, Brian Krebs had published a bombshell article suggesting that Paras, potentially with Josiah's help, was the most likely identity behind Anna-Senpai. Krebs was working his own sources to piece together many of the same connections the FBI
had drawn. But Paras had denied the accusation in a response to Krebs, and the three hackers, armed with the incredible hubris of youth, blew off the article as circumstantial evidence. After all, the FBI had already taken their shot and seemed to have gotten nothing that could prove their guilt.

As the months passed and they remained free, they made a brazen decision: They would continue their pivot into the click fraud scheme.

This new venture was turning out to be far more lucrative than Mirai, to a degree that even they had never imagined. To avoid ties to their overexposed botnet, they had begun building a new one, this time focused on devices primarily in the US, given that they could make the most money selling access to American computers to generate clicks on American ads. By the spring of 2017, they were quietly pulling in $50,000 a month in revenue, paid out in cryptocurrency by a business partner who seemed to be Eastern European.

Paras and Josiah mostly socked away the money, waiting for an opportunity to try to launder it through a legitimate business, though by then they'd finally given up and killed ProTraf. Dalton was less careful: He spent tens of thousands of dollars on splurges like a 70-inch flatscreen TV for his parents (he told them he'd made the money trading crypto) and upgrades to his home computer, a gaming desktop surrounded by transparent tubes of red coolant to prevent it from overheating as he supercharged its performance.

Even as the three hackers left Mirai behind, their code continued to plague the global internet. Mirai attacks hit the UK banks Lloyds Banking Group and Barclays, intermittently tearing Lloyds offline while Barclays repelled the onslaught. Another struck the primary mobile telecom provider for Liberia with about 500 gigabits a second of traffic, taking down much of the West African country's connectivity.

But Mirai and its many malicious progeny were no longer its creators' problem. The three
young men had now finally hit their stride with a truly profitable and stealthy form of cybercrime. Dalton made a prediction to himself: In a year, we'll either be rich, he thought, or we'll be in jail.

Only months later did Josiah hear from Elliott Peterson again. The FBI agent asked him to come to Anchorage to talk. Prosecutors were suggesting a reverse proffer session, where they would lay out the evidence against him. By this point, Josiah had a lawyer, who recommended that he take the meeting, and not tell his friends. This time, he didn't.

In the summer of 2017, Josiah and his mother flew to Anchorage. The 10-hour flight was only the second time he'd ever been on a plane. On the morning of the meeting with prosecutors, he arrived at the Anchorage Department of Justice building in a suit, his mind nearly paralyzed with anxiety. Peterson was there, and he greeted Josiah and his mother, suggesting fun activities they should check out while they were in town, as if this were a family vacation.

The Alaskan assistant US attorney who had taken on the Mirai case, a young prosecutor named Adam Alexander with a background in charging violent crimes and child exploitation, launched into a PowerPoint presentation projected on a screen in the front of the conference room. He began by displaying the sentencing guidelines for violations of the Computer Fraud and Abuse Act, showing how the prison time scaled up based on the amount of damage caused.

For the millions of dollars in damage Josiah might be held responsible for, Alexander suggested, he was facing as much as six or seven years in prison for his first offense.

Alexander began to detail the evidence they had against him. First, they had his connection to the early Mirai scanning server. Then it went further: On occasion, it turned out, Josiah had let his guard down in small but revealing ways, checking on the IP address of another Mirai server directly from his home computer rather than using a remote virtual machine that would leave no trace on his PC.

And
then there were text messages he and Paras had exchanged during his pre-Mirai DDoS takedowns of Rutgers' network.

"Were you still smashing?" Josiah had written to Paras at one point.

"No. Phone is insecure," Paras had wisely responded. But then, minutes later, he had asked for Josiah's help in launching another attack: the barely coded "Admiral can you execute my command" message.

After more than an hour, they took a break. Josiah's lawyer told him and his mother that he strongly advised they seek a plea deal and that Josiah cooperate with the FBI, that he shouldn't push his luck. Josiah, terrified by the looming threat of years in prison that had been slowly materializing since his first call with Peterson, immediately agreed.

When they reconvened in a different, much smaller conference room, Josiah told Peterson and Alexander he was ready to negotiate a deal. They responded that he'd first need to tell them the full, true story of his crimes. To their relief, he began to detail the entire Mirai conspiracy. The FBI agent and prosecutor were intrigued to learn more about the key role played by Dalton, who hadn't until then been a target of their investigation. And they were amazed to hear that the Mirai crew was now, even after their raids, engaged in an entirely new click fraud botnet scheme. They had known nothing about it.

Peterson and Alexander told Josiah that if he wanted any chance of a plea deal (still without any promise of avoiding prison), he'd have to fully cooperate. That meant helping to collect evidence on his friends.

Josiah, now in survival mode, was ready to do what it took to stay out of prison. By the time he flew back to Pennsylvania, he was a federal informant.

Dalton and Paras could tell Josiah was acting strangely. He'd never been aloof or a step behind on any technical questions before. Now, on their group calls, he was quieter and would inexplicably ask them to break down how their criminal enterprise worked in unusual detail.

They
had their suspicions and did their best to discuss their conspiracy using only convoluted code words and hypotheticals. But they couldn't bring themselves to violate the unspoken terms of their friendship by confronting Josiah or cutting him out of their deal. "We both knew something was up," Dalton says. "But we didn't have any proof. I didn't want to fuck him over just because I was sketched out." After all, this was their old friend, the legendary LiteSpeed, the one to whom they owed so much for advancing their careers as botnet masters.

As for Josiah, he says his years of working in his family's computer repair shop had helped prepare him for his new role as a double agent. "When you work in retail, you're used to putting on a face," he says, "talking to people how they want to be talked to."

A few weeks later, Paras got his own call from Peterson, with his own offer of a meeting in Anchorage. Paras told Dalton about the invitation, but not Josiah, whom he'd begun to distrust. They agreed that it made sense for Paras to meet with this FBI agent and see exactly what the feds had on them.

Over the six months since the raid of his home, Paras had remained in denial, putting on a defiant face but quietly living in a state of latent terror. His family had never again discussed the traumatic violation of their home by federal agents, instead pretending it had never happened. They were "going through the motions of being a family," as Paras puts it, "but there's this cloud hanging over everyone's head."

The cloud of silence remained in place as Paras and his father flew to Anchorage. Along with Paras' lawyer, they met with Peterson and Alexander in the same Department of Justice conference room and got the same cheery hiking tips from Peterson. Paras tried to maintain an implacable expression as the
prosecutor threw one damning piece of evidence after another onto the screen, laying out his crimes in front of his father. They showed Paras' connections to the Mirai handles and to Anna-Senpai and his Fireswap burner account.

Still, Paras told himself that the case was far from clear-cut. Then Alexander played for the room a series of audio recordings of the three hackers explicitly discussing their new click fraud venture. One conversation, from a night when Paras and Dalton had been drinking and let down their guard, was particularly incriminating. For Paras, it was the first confirmation of Josiah's betrayal.

Just as with Josiah, the meeting paused for a break after an hour. Paras, his father, and his lawyer walked across the street from the prosecutors' office into a small park of paper birch trees in front of the Anchorage Museum. It was a dismally cold, cloudy day, though Paras says his anxiety had reached a degree where he was disassociating, barely aware of his surroundings.

Paras' lawyer leveled with him: It sounded very much like he was guilty of the crimes that he had until then denied, even to his own attorney. Standing there in the park, Paras finally broke. Huddling with his father and lawyer, he confessed, tears flowing as he unlocked the shame, guilt, and fear that he'd kept bottled for months.

He asked his father to cut ties with him, begged him to let him face whatever punishment he had brought on himself alone. His father responded in a voice as broken as Paras' own: He could never do that.

Instead, he and the lawyer both told Paras that there was no other way out now. His only chance to save himself was to do whatever the FBI and the prosecutors asked of him.

Unbeknownst to them, Peterson and Alexander had watched the three men speaking from the window across the street. From Paras' body language, they could tell they'd made a breakthrough.

When Paras came back inside, he was a different person, his defenses down. "You're in a hole, Paras," Peterson told him. "It's time to stop digging." He was ready to cooperate.

Alexander asked him whether he had told anyone that he was coming to Alaska, and he admitted that he'd told Dalton. So Alexander and Peterson asked Paras to call Dalton now, on the spot, on speakerphone, and tell him that he had nothing to worry about.

Paras did as he was told. Dalton picked up the call. And as the FBI and prosecutors sat around the table, intently listening, Paras assured Dalton that it was just as they'd thought: The feds had nothing on them.

When it was Dalton's turn to be raided, Peterson practically scheduled it with him. A few weeks before the bang on the door, Yahoo had mistakenly sent Dalton a letter stating that his old email address had been the subject of a legal request. For more information, it read, he should contact FBI special agent Elliott Peterson.

So Dalton preemptively called the FBI agent who'd now been stalking them for nearly a year. Josiah and Paras, playing their roles as supportive friends, listened in. Peterson picked up the phone, said hello, and immediately apologized. "I wasn't planning on us talking for a couple weeks," he explained.

When Dalton claimed not to know who Peterson was or why his emails were being read, the FBI agent laughed out loud. "We're going to have a great opportunity to have a chat," he said, in the most aggressive version of his usual genial tone. He ended the call by confirming with Dalton that he was still living at home, despite having now started college, implying he didn't want to search Dalton's parents' house if he had moved into a dormitory. "We try to be minimally invasive."

Dalton hung up with Peterson. "What the fuck was that?" he said to Josiah and Paras, who were still on the group call.

"Your ass," Paras responded.

For the next three weeks, Dalton was stricken with nausea-inducing anxiety and a sense of impending doom. When the feds finally arrived before dawn, he says, he was actually relieved. They
found him in his boxer shorts, wrapped in a pink blanket on a beanbag, watching Star Wars.

During the search, Dalton says, his anxiety evaporated (thanks to his early swatting experience, it wasn't his first time having law enforcement point a gun at him), and he did his best to show the feds that he wasn't impressed. He napped on a couch during the FBI's search. When Peterson tried to interview him, he gave him nothing.

In fact, with plenty of time to prepare before they arrived, Dalton had physically destroyed all his most sensitive hard drives. The agents found his beloved water-cooled PC torn apart, its red coolant spilled across his bedroom floor like blood. He'd carefully cached another drive that stored all the bitcoins earned from their click fraud scheme inside a cat food container, fully hidden by kibble. Since the container was transparent, the searching agents didn't think to look inside.

Just as with Paras and Josiah, Peterson told Dalton not to tell anyone about the search. But Dalton, loyal to the end, tried to send a coded message to Paras that he'd been raided too. He repeatedly toggled the status of his account on the Steam video game network on and off in Morse code, spelling "FBI."

Paras saw Dalton's account blinking. But he never got the message. Of course, even if he had, he'd already been working with the FBI for months to collect evidence on his friend.

Dalton soon took his own trip to Anchorage, where he and his parents sat through Peterson and Alexander's third and final Mirai reverse proffer presentation. Through an hour of damning chat logs and audio recordings, Dalton showed no emotion. But when it was over, he knew there was no use resisting. They had everything.

When Dalton reluctantly agreed to cooperate, Peterson didn't ask him to keep their arrangement secret from Josiah and Paras. This time he phoned the other two. All four of them joined the call.

After months of paranoia, Peterson wanted to clear the air, to tell them
that they were no longer cooperating against one another. They would now all be working together. Josiah remembers it almost like a reunion: meeting each other again, now that they were all on the other side.

In the call, Josiah and Paras seemed relieved to finally be able to speak honestly to each other and Dalton after months of subterfuge. Dalton agreed, in a defeated tone, that yes, he was on board. They would give up all their hacking tools and dismantle the click fraud botnet, and Dalton would forfeit the hidden hard drive full of their bitcoins. But Peterson remembers that Dalton remained quiet and formal, seemingly still processing his anger and shame at having been cornered by the FBI and surveilled by his friends.

It was only late one night, a few days after Dalton got home to New Orleans, that he allowed the full reality of his situation to catch up with him. He was facing a felony conviction. He was going to have to work as a federal informant. And he was still likely to end up in prison. It felt hopeless.

The person he chose to call to talk this over with, strangely, wasn't Josiah or Paras but Peterson. He was trapped, he told the FBI agent in tears. His life was over.

For the next hour, Peterson, sitting in his living room in Anchorage, found himself back in his dean of men role, comforting and counseling the young cybercriminal who'd so recently been the target of his investigation.

Peterson asked Dalton about his hopes for the future, the "where do you see yourself in five years" question of every guidance counselor. Dalton confessed that, beneath his old secret belief that cybercrime could be his only path in life, he still hoped that someday he might be able to have a normal, successful job in technology. Peterson told him that was still possible.

"He was super nice," Dalton says. "Far nicer than he ever needed to be."

Peterson said he couldn't promise Dalton that it would all be OK. There was still the possibility of spending years in prison. Regardless, Peterson reassured Dalton, he could still
go to college. He could still do something rewarding with his talents. His life was not over.

The young men's lawyers had each warned them that to have any hope of avoiding prison, they would need to go above and beyond in their cooperation with the FBI and prosecutors. So once they found themselves on the same team again, Josiah, Dalton, and Paras threw themselves into working with law enforcement with the same obsessive energy that they'd once put into conquering the internet of things.

All three were still deeply embedded in the cybercriminal community; in fact, Mirai had turned the personae that Paras had created into celebrities. So to start, they began helping the FBI target their old associates. It was Paras, the Mirai creator who had opened Pandora's box by publishing the botnet's source code, who found himself most actively working undercover to take down Mirai's copycats.

Because he still controlled the Anna-Senpai handle, Paras was tasked with reaching out to the creator of one especially prolific Mirai knockoff. The copycat botnet was controlled by a hacker who lived near Portland, Oregon. He'd been brash enough to reveal his location to Anna-Senpai in their chats, and even to invite Mirai's creator to hang out if he were ever in town. Paras took him up on the offer.

At that point, Peterson and Alexander had been tracking the suspect and believed they knew his identity. But he appeared to have no fixed address (he seemed to have developed a serious drug problem, and had admitted to using meth in his chats with Anna-Senpai) and instead roamed around the city from house to house with little more than a backpack and the laptop he used to manage his botnet.

After Paras flew to Portland, he suggested to the target of their sting that they meet at his hotel. Sure enough, the hacker turned up, and the two botnet admins spent a few hours in Paras' room there, swapping stories and hacking tricks, and even inviting other hacker associates to
join the conversation via Skype. Meanwhile, Peterson and other FBI agents recorded the meeting, with eavesdropping techniques they declined to describe, from another room across the hallway.

Eventually the young Portland hacker suggested they head to a nearby Little Caesars to eat. When he and Paras walked out of the room, he carelessly left his laptop open and didn't even bother to close the video chat session with his hacker friends. Those friends were still watching through the laptop's webcam when Peterson and another agent came into the room and seized the computer as evidence. Less than an hour later, the agents stepped out of a black van in the hotel parking lot and arrested their target as he and Paras returned from their lunch.

After that Portland sting, some of the hackers who had just watched the accidental livestream of the hotel raid accused Paras of acting as the FBI's snitch. But Paras pointed out that it hadn't been his idea to meet up, or even to conveniently go out for pizza, arguing that maybe he was, in fact, the one who had been set up.

The explanation was convincing enough that Paras managed to pull off subsequent undercover operations against multiple other cybercriminal suspects across the country. He says he hardly relished his role in those stings. But nor did he feel much guilt. "I mean, honestly, it was exhilarating," he says. "It felt like something out of a movie."

The FBI and the Justice Department declined to share all of the details of the investigations that Paras and the other two Mirai creators helped them pursue. But Peterson summarizes them: "We arrested people, and we worked other cases against IoT botnets, and we shut down other botnets where arrests weren't feasible," he says. "We just did really interesting work."

After a few months, when they had run out of undercover cases, Peterson began to give the team different kinds of tasks, many of them with no direct relationship to Mirai or their old contacts. They
were grateful to find they were no longer acting as informants so much as Peterson's new group of technical analysts.

They started helping the FBI agent with jobs like reverse engineering malware and analyzing logs to identify botnet victims. They built a software tool that parsed the blockchain to trace cybercriminal cryptocurrency. In early 2018, when hackers began to exploit server software known as Memcached to amplify their DDoS attacks, the Mirai team figured out how to scan for vulnerable servers that enabled those attacks so that the FBI could warn the servers' owners and help remove a new kind of DDoS ammunition from the internet.

Josiah says that in this new role, he couldn't help but apply the same technical perfectionism he had always prided himself on. "I enjoy being the best at this sort of stuff," he says. "I thought: If we're going to work on this, it damn well better work right."

Paras says that at first he had immersed himself in Peterson's assignments (even the harrowing undercover ones) mostly on his lawyer's advice and as a distraction from his lingering guilt and shame. "To prevent myself from feeling things," as Paras puts it. But over time, he found that he was able to look at the work more squarely, and to even get some gratification from the good he felt he was now doing. Peterson's comment to him in Alaska, that he should stop digging the hole he was in, had stuck. The work for Peterson felt like the opposite of digging, as he puts it. "I wanted to put as much distance as possible between who I am now and who I was then," he says.

Eventually, when the Mirai crew talked among themselves about their motivation to work with Peterson, Paras says, it went beyond self-interested survival to a sense of actual atonement for the harm they'd done. "It was like, OK, what is our path to redemption?" he says. "Maybe this is the start."

The FBI, of course, has a long, unsavory record of exploiting informants and cooperating defendants, many of whom
are put in dangerous situations, made to entrap innocent associates, or end up feeling abandoned or used by their handlers. The three Mirai hackers felt they were an exception.

As the months passed, they say, they came to see Peterson as a kind of mentor. He seemed to show real concern for their futures. The strange friendliness he'd displayed while hunting them, they felt, was not an aggressive front but an actual expression of his humanity. "We were very lucky that we got Elliott," says Dalton. "He literally saved my life."

The US criminal justice system has a history of notoriously harsh sentences for hackers. In 2010, Albert Gonzalez was sentenced to 20 years in prison for stealing tens of millions of debit and credit card numbers from retailer networks when he was in his mid-twenties. In 2017, Russian cybercriminal Roman Seleznev, arrested on vacation at the Maldives airport, was sentenced to 27 years for his own massive theft of credit card data. Even Hector Monsegur, a front man for the rampaging hacktivist group LulzSec who flipped on his friends and served as a federal informant for more than two years, was jailed for seven months, longer than some other members of LulzSec in the United Kingdom he had informed on.

So it was almost a radical act when the prosecutors in the case of Mirai, the botnet behind several of the biggest cyberattacks in history, asked the judge to sentence its creators to a total of zero days in prison.

Adam Alexander, the Alaskan assistant US attorney who had flipped each of the three hackers with PowerPoint presentations full of evidence against them, explains that his decision was based in part on the fact that none of them had prior criminal history or substance abuse problems that might have led them to fall back into old habits. Unlike many defendants, they had strong family support networks holding them accountable. Most importantly, by the time their sentencing was approaching in the fall of 2018, they had done more than a thousand hours of work for Peterson, what
Alexander described in a letter to the judge as extensive and exceptional cooperation. "They were kind of gleefully willing to break the internet," Alexander says. "But would putting any of the three of these young men in prison for 18 to 36 months and then wiping our hands of them have more meaningfully assured that we could prevent future criminal conduct? I didn't actually think so then, and I still don't think so today."

Instead, he asked the court to sentence Josiah, Dalton, and Paras to 2,500 hours of community service each over the following five years. They would carry out that work with the same FBI agent who had supervised their pre-sentence cooperation period, Elliott Peterson.

In an Anchorage courtroom roughly two years after Mirai had obliterated Brian Krebs' website, a judge handed down that sentence (community service, no prison time) to the three 21- and 22-year-olds, along with debts of between $115,000 and $127,000 each in restitution. "You're young, you have a lot to give to society, and you have a lot of talent and skill," a judge told the three men in his Anchorage courtroom that fall day. "I hope you use it for good." Paras would face separate charges in New Jersey for his attacks on Rutgers, where prosecutors vehemently argued that he deserved prison time. Alexander intervened, countering that Paras' cooperation with prosecutors and the FBI in Alaska should be factored into his sentencing in that case too. The New Jersey judge ultimately agreed, sentencing Paras to nearly $9 million more in restitution and six months of confinement at his parents' home, but no jail time.

On this visit to Alaska, when Peterson again suggested local activities, the Mirai crew actually took him up on it. That evening they ate together at a local indie theater restaurant, the Bear Tooth Grill, where they also caught a screening of a documentary about Google's Go-playing AI: just some notorious hackers and the FBI agent who hunted them down, out for dinner and a
movie.

Not long into their five-year community service stint, Peterson says, he began to sense that his three unlikely protégés were beginning to outgrow him, that he couldn't find enough technical tasks worthy of their talents. So he asked the Big Pipes anti-DDoS group he'd helped create with Allison Nixon if anyone there had work for them to do. Nixon raised her hand.

When Peterson had first started overseeing "the kids" (as they came to be known within Big Pipes), Nixon had wanted nothing to do with them. She'd spent long enough lurking in the Hack Forums cesspool to be familiar with the toxicity that flowed freely there, and had even been personally harassed by some of the Mirai team's old associates. "They're not nice people," she says of that scene. "You don't want them to know your name."

But after seeing that Peterson had worked with Paras, Josiah, and Dalton for more than a year and was still willing to vouch for them, she decided to take a chance and met them on a video call. She found the three young hackers, including the notorious Josiah "LiteSpeed" White, whom she'd tracked for nearly his entire career, polite and eager to please.

She did, in fact, need their programming help. She had an idea for a new kind of honeypot that would be far more versatile than her sad DVR. She wanted to create a system where security researchers or analysts could load up any internet-of-things device's firmware in a virtual environment to catch new malware variants.

The tool they built together was called Watchtower. It used a newer technology called QEMU containerization to spin up quarantined, full-fledged simulations of DVRs, waiting to be infected. The Mirai team had designed their internet-of-things malware to detect when it loaded on a software simulation of a gadget rather than the real thing, and to kill its processes rather than give a researcher any information. But Watchtower's honeypot was designed to look like a real device in every way that malware could
check, a seamless virtual panopticon in which to observe malware and intercept its master's commands.

"It was brilliantly done," says Larry Cashdollar, a security researcher at Akamai who says the company used Watchtower to obtain and analyze countless new samples of IoT malware. Eventually, Nixon and her Mirai team added in data contributed from other researchers and members of her Big Pipes DDoS working group, including machines that acted as honeypots for reflection attacks and DNS data to identify targeted domains, integrating it all into a real-time DDoS analysis dashboard. By 2020 they had added a list of domain keywords to identify attacks on political or voting system targets, and the tool's results were used to monitor for DDoS attacks throughout that year's election, helping them prepare for any democracy-disrupting "big one" that many in the security community still feared.

As for Brian Krebs, when he found out that the three Mirai creators had escaped jail time and were now essentially working as white-hat security researchers, he was initially perturbed by what he saw as a lack of accountability.

"Trust the process," he remembers Nixon telling him.

"What process?" Krebs says he responded. "This doesn't look like justice to me."

But as time passed and he continued to learn from Nixon and others about the good work Paras, Josiah, and Dalton were doing, he says, he slowly changed his mind. "When I was able to hear about some of the things they came up with, it was encouraging," he says. "I guess that it's the best of all possible outcomes."

When Nixon moved from Flashpoint to a job at a new security firm, Unit 221B, she lobbied the company to hire her Watchtower team. By that time, Paras had gotten a job writing code for a semiconductor company. But Josiah and Dalton both began working for Nixon full time as security researchers on contract, on top of their community service work.

Of course, even as the Mirai crew joined the legitimate security
industry, many of the new botnets that they were now monitoring with Watchtower were, in fact, variants of their own monstrous creation. Like Josiah's Qbot code before it, Mirai had become the best, cleanest code base for anyone trying to build their own massive collection of hacked machines, and all manner of digital miscreants proceeded to pick it apart, repurposing its components to wreak havoc. "There are pieces of Mirai everywhere now," says Chad Seaman, a security researcher at Akamai and an early member of the Big Pipes working group.

Companies still face near-constant attacks from Mirai descendants, Seaman says. Because those botnets are generally still fighting over the same vast but splintered collection of vulnerable internet-of-things devices, none of them is nearly as big as the original Mirai. Nor has any of Mirai's progeny ever again managed to surprise defenders to the degree Mirai did.

But their attacks still plague the internet, adding to the millions of dollars a year that companies pay in DDoS protection. "The arsonists have turned over a new leaf," Akamai's Seaman summarizes. "The wildfires continue to rage."

In the years after he sat in his Connecticut home and watched his digital life implode, Scott Shapiro became a kind of Mirai fanatic. The Yale Law professor eventually read the source code that Paras published on Hack Forums, printing it out, poring over its mechanics, and marveling at its well-polished design. Years later, he would write a case study of Mirai in his book Fancy Bear Goes Phishing, which tells a history of the internet through a series of extraordinary hacking events.

Among other things, Shapiro now sees the Mirai case as a rare model of actual restorative justice in cybercriminal law. It shows, he argues, a positive alternative to putting young hackers in prison when, in many cases, their online behavior contrasts so sharply with their real-world selves. Yes, the internet can seduce good people into doing bad things. But perhaps the split personalities it creates also
leave more room for redemption in the offline world. Perhaps it even means more cybercriminals like the Mirai crew can be reformed and put to work fixing the problems they caused. "This was an experiment. It worked out really well," Shapiro says. "I would like to see more of it."

One afternoon in early December of 2021, three years into the Mirai creators' five years of probation, Shapiro invited Josiah, Paras, Dalton, and Elliott Peterson to speak to his Yale cybersecurity law class over Zoom. It would be the first time the four of them had appeared together in a semipublic setting other than a courtroom.

At first, Peterson did most of the talking, telling the story of the case and his investigation in a 45-minute presentation. Then he finished, and the group took questions from the students.

One asked how this group of young adults with no criminal records had justified to themselves carrying out such epic acts of digital disruption. Paras answered for all of them, explaining how incremental it had all felt, how easy it had been to graduate from commandeering hundreds of hacked computers to thousands to hundreds of thousands, with no one to tell them where to draw the line. "There was never a leap," he says. "Just one step after another."

Another student asked how they had kept going for so long, how they believed they could evade the FBI even after they had been raided. This time it was Dalton who answered, overcoming his anxiety at speaking in front of crowds, in part thanks to better treatments that have helped to alleviate his stutter. He explained to the class that they had simply never faced an obstacle to their hacking careers that they hadn't been able to surmount, that like teenagers who have no experience of aging or death and therefore believe they'll live forever, they had come to feel almost invincible.

Throughout the presentation, Shapiro says, he was struck by the youthful nervousness of the three Mirai creators, and the fact that
even as they spoke, they never turned on their webcams. The hacker threat that he'd once been sure must be the Russians, that had felt so large and powerful, "was just these young boys," he realized. "Young boys who don't want to show their faces."

Paras would later explain to me that he wasn't exactly trying to hide. He just doesn't want to associate his face with Mirai anymore. He's since lost more than 30 pounds, ditched his glasses, grown a trim beard; he'd prefer to let his old image, the pudgy, bespectacled kid pictured in Brian Krebs' story about Anna-Senpai, be the one tied to Mirai.

As of the end of October, all three of the Mirai hackers' periods of probation have ended. Paras Jha and Josiah White work together for a high-frequency financial trading company. Dalton Norman still holds his job working for Allison Nixon at Unit 221B. But they all plan to continue maintaining and updating Watchtower, perhaps their most lasting contribution to undoing some of the damage they've done.

"I'm grateful for the chance to try to put the genie back in the bottle," Josiah says.

He also admits that's probably impossible. Even now, he and Dalton and Paras know that fragments of the monster they built still haunt the internet. Mirai no longer comes from the future. Instead, it stubbornly hangs on from the past. Someday, they hope to leave it there.

This article appears in the December 2023/January 2024 issue.