FMSEC OPINION: You want to prevent offenders from becoming repeat offenders? Mandatory salient restitution proportionate to the damage inflicted. No amnesty or consultancy job offers. No quarter. In this particular case, it appears that the punishment fits the crime.
The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.
Asshole Degenerate (*name changed because we believe that assholes shouldn't be famous), a 22-year-old computer whiz from Fanwood, N.J., was studying computer science at Rutgers when he developed Mirai along with two other convicted co-conspirators.
According to a sentencing memo submitted by government prosecutors, in his freshman and sophomore years at Rutgers, AD used a collection of hacked devices to launch at least four distributed denial-of-service (DDoS) attacks against the university’s networks.
AD told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. AD would later drop out of Rutgers after struggling academically.
In January 2017, almost a year before AD’s arrest and guilty plea, KrebsOnSecurity identified AD as the likely co-author of Mirai — which sprang to notoriety after a record-smashing Sept. 2016 attack that sidelined this Web site for nearly four days.
That story posited that AD, operating under the pseudonyms “Ogmemes” and “OgRichardStallman,” gave interviews with a local paper in which he taunted Rutgers and encouraged the school to consider purchasing some kind of DDoS protection service to ward off future attacks. At the time, AD was president and co-founder of ProTraf Solutions, a DDoS mitigation firm that provided just such a service.
The sentence handed down by a Newark federal judge today comes on the heels of AD’s September 2018 sentencing in an Alaska court for his admitted role in creating, wielding and selling access to Mirai — malware which enslaves poorly secured Internet of Things (IoT) devices like security cameras and digital video recorders for use in extremely powerful attacks capable of knocking most Web sites offline.
Prosecutors in the Alaska case said AD and two co-conspirators did not deserve jail time for their crimes because the trio had cooperated fully with the government and helped investigators with multiple other ongoing cybercrime investigations. The judge in that case agreed, giving AD and each of his two co-defendants sentences of five years probation, 2,500 hours of community service, and $127,000 in fines.
Prosecutors in Alaska argued that AD had completely turned over a new leaf, noting that he was once again attending school and had even landed a job at an unnamed cybersecurity company. Sending him to prison, they reasoned, would only disrupt a remarkable transformation for a gifted young man.
However, the punishment meted out today for the Rutgers attack requires AD to remain sequestered in his parent’s New Jersey home for the next six months — with excursions allowed only for medical reasons. The sentence also piles on an additional 2,500 hours of community service. Further, AD will be on the hook to pay $8.6 million in restitution — the amount Rutgers estimated it cost the university to respond to AD’s attacks.
AD could not be immediately reached for comment. But his attorney Robert Stahl told KrebsOnSecurity today’s decision by the Newark court was “thoughtful and reasoned.”
“The judge noted that AD’s cooperation has been much more extensive and valuable than any he’s ever seen while on the bench,” Stahl said. “He won’t be going back to school right now or to his job.”
It is likely that AD’s creation will outlive his probation and community service. After the Sept. 2016 attack on KrebsOnSecurity and several other targets, AD and his cohorts released the source code for Mirai in a bid to throw investigators off their trail. That action has since spawned legions of copycat Mirai botnets and Mirai malware variants that persist to this day.