💾 Archived View for gmi.noulin.net › mobileNews › 6681.gmi captured on 2024-03-21 at 17:57:11. Gemini links have been rewritten to link to archived content

View Raw

More Information

➡️ Next capture (2024-05-10)

-=-=-=-=-=-=-

The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster

1970-01-01 02:00:00

rlp

https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How

a group of teen friends plunged into an underworld of cybercrime and broke the

internet then went to work for the FBI.

Early in the morning on October 21, 2016, Scott Shapiro got out of bed, opened

his Dell laptop to read the day s news, and found that the internet was broken.

Not his internet, though at first it struck Shapiro that way as he checked and

double-checked his computer s Wi-Fi connection and his router. The internet.

WIRED 31.1232.01 Oops

This article appears in the December 2023/January 2024 issue. Subscribe to

WIRED.Illustration: James Junk and Matthew Miller

The New York Times website was offline, as was Twitter. So too were the

websites of The Guardian, The Wall Street Journal, CNN, the BBC, and Fox News.

(And WIRED.) When Twitter intermittently sputtered back online, users cataloged

an alarming, untold number of other digital services that were also victims of

the outage. Amazon, Spotify, Reddit, PayPal, Airbnb, Slack, SoundCloud, HBO,

and Netflix were all, to varying degrees, crippled for most of the East Coast

of the United States and other patches of the country.

Shapiro, a very online professor at Yale Law School who was teaching a new

class on cyber conflict that year, found the blackout deeply disorienting and

isolating. A presidential election unlike any other in US history loomed in

just under three weeks. October surprises seemed to be piling up: Earlier

that month, US intelligence agencies had jointly announced that hacker breaches

of the Democratic National Committee and Hillary Clinton s presidential

campaign had in fact been carried out by the Russian government. Meanwhile,

Julian Assange s WikiLeaks had been publishing the leaked emails from those

hacks, pounding out a drumbeat of scandalous headlines. Spooked cybersecurity

analysts feared that a more climactic cyberattack might strike on Election Day

itself, throwing the country into chaos.

Listen to the full story here.

Those anxieties had been acutely primed just a month earlier by a blog post

written by the famed cryptographer and security guru Bruce Schneier. It was

titled Someone Is Learning How to Take Down the Internet.

Over the past year or two, someone has been probing the defenses of the

companies that run critical pieces of the internet, Schneier, one of the most

highly respected voices in the cybersecurity community, had warned. He

described how an unknown force appeared to be repeatedly barraging this key

infrastructure with relentless waves of malicious traffic at a scale that had

never been seen before. These probes take the form of precisely calibrated

attacks designed to determine exactly how well these companies can defend

themselves, and what would be required to take them down. We don t know who is

doing this, but it feels like a large nation-state. China or Russia would be my

first guesses.

Now it seemed to Shapiro that Schneier s warning was coming to fruition, right

on schedule. This is the attack, he remembers thinking. Was it the big one?

he asked himself. Or was it perhaps a test for the true big one that would

hit on November 8? Obviously, it has to be a nation-state, Shapiro thought.

It has to be the Russians.

For Shapiro, the internet outage was a kind of turning point: In the months and

years that followed, he would become obsessed with trying to understand how

someone could simply stamp out such a large swath of digital connectivity

across the world, who would do such a thing, and why. But meanwhile, a little

less than 500 miles west of Shapiro s Connecticut home, in the town of

Washington, Pennsylvania, another sort of observer was watching the attack

unfold.

After a typical sleepless night at his keyboard, 19-year-old Josiah White sat

staring at the three flatscreen monitors he d set up on a workbench in a messy

basement storage area connected to the bedroom he shared with his brother in

their parents house. He was surrounded by computer equipment old hard drives

and a friend s desktop machine he had offered to fix and boxes of his family s

toys and Christmas tree ornaments.

For weeks, a cyber weapon that he d built with two of his young friends, Paras

Jha and Dalton Norman, had wreaked havoc across the internet, blasting victims

offline in one unprecedented attack after another. As the damage mounted,

Josiah had grown accustomed to the thrills, the anxiety, the guilt, the sense

that it had all gotten so absurdly out of hand and the thought that he was now

probably being hunted by law enforcement agencies around the world.

He d reached a state of numbness, compartmentalizing his dread even as he read

Bruce Schneier s doomsday post and understood that it was describing his own

work and now, even as a White House press secretary assured reporters in a

streamed press conference that the Department of Homeland Security was

investigating the mass outage that had resulted directly from his actions.

But what Josiah remembers feeling above all else was simply awe awe at the

scale and chaotic power of the Frankenstein s monster that he and his friends

had unleashed. Awe at how thoroughly it had now escaped their control. Awe that

the internet itself was being shaken to its foundations by this thing that

three young hackers had built in a flurry of adolescent emotions, whims,

rivalries, rationalizations, and mistakes. A thing called Mirai.

Part One

Image of person sitting in front of a monitor

Illustration: Joonho Ko

None of the three young men who built Mirai fit the profile of a cybercriminal,

least of all Josiah White, who could lay perhaps the most direct claim to being

its inventor. Josiah had grown up in a rural county an hour south of

Pittsburgh. He was the youngest of four children in a close-knit Christian

family, all homeschooled, as his mom put it, to better find out how God had

created them and what he had created them to pursue. She describes the thin,

dark-haired baby of the family as a stubborn and independent but unusually kind

child, who would sit beside the new kid in Sunday school to make them feel

welcome.

Josiah s father was an engineer turned insurance salesman, and the family lived

in a fixer-upper surrounded by woods and farmland. As early as he can remember,

Josiah followed his father around the house while he tinkered and made repairs.

In 2002, when he was 5, Josiah was delighted to receive for Christmas the

components of an electrical socket. Later his parents gave him a book called

101 Electronics Projects, and he would beg his mother to drive him to

RadioShack, arriving with a shopping list of breadboard componentry. Before he

was 10, he was advising his father on how to wire three-way switches.

Josiah s father would take him along to their church s car ministry, where

they d repair congregants cars for free and refurbish donated vehicles for

missionaries. Josiah would stand in the corner of the shop, waiting for the

foreman to give him a task, like reassembling a car s broken water pump.

Josiah reveled in impressing the adults with his technical abilities. But he

was always drawn to computers, cleaner and more logical than any car component.

You give it an input, you get an output, he says. It s something that gave

me more control. After years of vying for time on his family s computer, he

got his own PC when he was close to his 13th birthday, a tower with a Pentium

III processor.

Around the same time, Josiah s brother, seven years older than him, figured out

how to reprogram cell phones so they could be transferred from one telephone

carrier to another. Josiah s brother started to perform this kind of unlocking

as a service, and soon it was so in demand that their father used it to launch

a computer repair business.

By the time he was 15, Josiah would work in the family s shop after school,

setting up Windows for customers and installing antivirus software on their

machines. From there, he got curious about how HTML worked, then began teaching

himself to program, then started exploring web-hosting and network protocols

and learning Visual Basic.

As wholesome as Josiah s childhood was, he felt at times that he was being

raised on rails, as he puts it, shepherded from homeschooling to church to

the family computer shop. But the only rules he really chafed against were

those set by his mother to limit his computer time or force him to earn

internet access through schoolwork and household chores. Eventually, on these

points, she gave up. I sort of wore her out, he says. She relented in part

because a hands-on understanding of the minutiae of computing was quickly

becoming essential to the family business. Josiah, now with near-unlimited

computer time, dreamed of a day when he d use his skills to start a business of

his own, just as his brother had.

In fact, like most kids his age, much of Josiah s time at the keyboard was

spent on games. One of them was called Uplink. In it, the protagonist is a

freelance hacker who can choose between two warring online movements, each of

which has built a powerful piece of self-spreading code. One hacker group is

bent on using its creation to destroy the internet. The other on stopping them.

Josiah, not the sort of kid to do things in half measures, played through the

game on both sides.

Young person holding an octopus object

Illustrations: Joonho Ko

immersing himself in that cyberpunk simulation and learning about famous

hackers like Apple cofounder Steve Wozniak and Kevin Mitnick, who had evaded

the FBI in a cat-and-mouse pursuit in the 1990s cultivated in Josiah s teenage

mind a notion of hacking as a kind of secret, countercultural craft. The

challenge of understanding technical systems better than even their designers

appealed to him. So did the subversive, exploratory freedom it offered to a

teenager with strict Christian parents. When he googled a few hacking terms to

learn more, he ended up on a site called Hack Forums, a free-for-all of young

digital misfits: innocent explorers, wannabes, and full-blown delinquents, all

vying for clout and money.

On the internet of 2011, the most basic trick in the playbook of every

unskilled hacker was the denial-of-service attack, a brute-force technique that

exploits a kind of eternal, fundamental limitation of the internet: Write a

program that can send enough junk data at an internet-connected computer, and

you can knock it offline.

The previous year, for instance, the hacker group Anonymous had responded to

the refusal by Visa, Mastercard, PayPal, and Bank of America to allow donations

to WikiLeaks by urging its plebes to bombard the companies servers with data

requests, creating so-called distributed denial-of-service attacks that briefly

took down the companies online services. But most DDoS attacks were less

principled: the constant AK-47 cross fire of the cybercriminal internet s

internecine wars and vandalism.

On Hack Forums, many hackers ran their own booter services that, for a few

dollars a month, would launch denial-of-service attacks against anyone a

customer chose often online gaming services, to troll or sabotage rival

players. Users and admins of booters talked casually of hitting off targets,

or worse, holding off a service or a single user s connection, repeatedly

bombarding it to prevent it from coming back online.

Some booters launched attacks from botnets, collections of thousands of

unwitting users PCs, hijacked with hidden malware to form a lemming-like swarm

of machines pummeling a target with data. Other booters used reflection or

amplification attacks: If a hacker could find an online service that would

respond to a query by sending back a larger chunk of data than the request

itself, they could spoof the origin of their question so the service would send

its answer to a victim. By bouncing a stream of thousands of questions off a

server, the hacker could bombard the victim with its responses and vastly

multiply their attack s firepower.

Josiah, fascinated by the cleverness of those tricks, was naturally determined

to understand them at their deepest level. He stumbled upon a blog post from a

cybersecurity blogger describing a reflection attack that used the servers of

the online first-person-shooter game Quake III Arena. Ping them with a simple

getinfo or getstatus request, and the servers would send back information

that included the usernames of the players on the server and the map of the

level they were playing on an answer that was nearly 10 times as big as the

question and could be directed at any spoofed IP address a hacker chose.

The post was intended as a warning. It cautioned that this kind of attack could

be used to take down a service with as much as 23 megabits per second of

bandwidth, a pipe that seemed enormous to Josiah on his 1.5-megabits-per-second

home DSL connection. A competent programmer exploiting the problem, the blog

post s author wrote, can easily create a full-fledged attack suite in a lazy

afternoon.

Josiah took this as a challenge. He cobbled together a simple script to perform

the attack and posted it to Hack Forums under his handle, Ohnoes1479. He

asked only for anyone who used it to give him an upvote if its good ✌ to

increase the prestige of his forum profile.

Josiah didn t think too much about the morality of his creation. After all, it

took a computer offline only temporarily, right? More of a mischievous hiccup

than a crime, he figured. He couldn t use it himself anyway, because his home

internet connection didn t allow the IP spoofing the attack required. Still, as

other hackers on the forum some of whom he suspected ran their own booter

services asked questions about how to use the program and even requested

feature updates, he was happy to help.

Mostly, like the technical wunderkind he d once been in his church s auto shop,

he aimed to impress. I wanted to make something cool, he says. And I wanted

respect.

in that anarchic Hack Forums scene, Josiah soon found a kindred spirit, a user

who called himself moldjelly. In the offline world, his name was Dalton

Norman. He was a teenage hacker just a year older than Josiah who was far more

in touch with his rebellious side.

Like Josiah, Dalton had grown up with an engineer for a father. His dad led the

maintenance team for a skyscraper in New Orleans, where the family lived. And

like Josiah, Dalton had a natural technical talent. As a preteen, he wrote

cheating mods for video games that he presented on his own YouTube channel in a

squeaky voice. He and his father would work in their spare time on his dad s

souped-up Chevrolet Monte Carlo, which had so much horsepower that Dalton

remembers the feeling of its exterior twisting as it accelerated. He says he

inherited that same drive to push technology to its limits.

But far more than Josiah s, Dalton s childhood was tinged with adversity. As a

small child, he had struggled with a stutter that deeply scarred him. He

remembers his family laughing at him at the dinner table as he labored in vain

to pronounce his younger sister s name. It was awful and kind of contributed

to me just being in my room and having low self-esteem and trying to raise it

by being super good at something, Dalton says.

By the end of elementary school, to Dalton s relief, the stutter had faded

away. But just as it seemed like he might enjoy a normal adolescence, his life

was disrupted by misfortune on a far larger scale: Hurricane Katrina. Dalton s

family evacuated to Mississippi and didn t return for more than five years. In

exile one state over, Dalton found himself at a culty Christian private

school, where students prayed before class and, as he remembers it, a math

teacher assured him that Barack Obama was the Antichrist. When I wouldn t pray

or do any of that, he says, I would get shit for it.

Dalton wrote his first program when he was 12. It was a spam tool that he used

to torture a teacher he disliked, wrecking her inbox. He says he carried out

his first denial-of-service attack not long after, targeting his school s

network from within.

While connected to the school s Wi-Fi, he flooded its router with junk requests

until the entire intranet collapsed. It s easy to take down a network when you

re inside of it, he says. Ironically, as Dalton describes it, he had gotten

enough of a reputation for IT know-how that school staff asked for his help

fixing the problem. He stopped his attack script, unplugged the router, plugged

it back in, and showed the school administrators that it magically worked

again. During another attack, however, he says he overheated the router so

badly in its poorly ventilated closet that it was fried.

In his early teens, he remembers watching The Social Network and taking exactly

the wrong message from the movie: Rather than feeling cautioned by the film s

fictionalized origin story of an icily amoral Mark Zuckerberg, Dalton was

profoundly inspired. That movie basically changed how I viewed the world, he

says. It s like, with a laptop and a great idea, you can take control of your

life and build something cool.

After a failed attempt to launch his own social network he had no idea how to

gain users and no budget to advertise it he returned to hacking: He wrote a

keylogger program, designed to snoop on a victim s keystrokes after infecting

their PC via thumb drive. He also found his way onto Hack Forums. Soon he was

running his own booter service, hiring other hackers to handle customer service

so he could focus on finding new methods to amplify his attack traffic.

It was around this time that Dalton encountered Josiah, who was, he says, the

smartest hacker he d ever met. The two teens soon moved off Hack Forums to talk

regularly on Skype and then later TeamSpeak, another internet conferencing

service. In those conversations, Dalton eventually used his real name, while

Josiah went by Joey, a thin veneer of a pseudonym. They enjoyed competing

with each other to find new denial-of-service amplification tricks. In a

friendly rivalry, they d stay up into the early morning hours, plumbing the

internet for eclectic servers that they could use to multiply their attack

traffic dozens and eventually hundreds of times over.

In those late-night cyberattack sessions, the two hackers say, they would

typically set up their own website for target practice, or use a friend s, so

that they could measure the size of the traffic they were blasting at it. At

times they would clock attacks of more than 100 gigabits a second, they say

more than 4,000 times as big as the 23-megabit attack that had initially amazed

Josiah. Very often they would knock their target website offline, along with

the server of the hosting service it ran on, causing downtime for an untold

number of other websites too.

By this time, Josiah admits, he d become mildly intoxicated by the power of the

tools they d learned to wield, though he still considered himself a kind of

innocent, exploratory hacker. I was stupid, and I was just angry sometimes,

and I wanted to see damage, at points, he says. But it wasn t my primary

motivator for a while.

Dalton, who was already running a for-profit attack service, had no such

illusions of innocence and admits a little proudly to using his growing arsenal

of booter artillery on any Hack Forums rival who sufficiently annoyed him. In

some cases, he boasts, he would hit people off so hard that their internet

service providers would cut the victim s connection for 24 hours to avoid

further collateral damage. It was a lot of power, he says. If someone was

bullying or being an asshole, then yeah, they went offline for a while.

Colorful illustration

Illustration: James Junk, Matthew Miller

both teenagers managed to hide these dalliances with illegal hacking from their

families. But for Dalton, the consequences soon spilled violently into his

physical world.

It began when he discovered that someone who worked for his booter service, an

older kid to whom he d foolishly given his real name, had been stealing their

profits. He fired the guy. A few days later, Dalton and his family were sitting

around the dinner table when a team of police officers in bulletproof vests

burst through the door, screaming at everyone to get on the ground. The cops

pointed shotguns at Dalton and his terrified parents and siblings, barking

orders and questions.

It turned out that the police had received a spoofed 911 call. The caller had

warned that Dalton had shot his mother and was now holding the rest of the

family hostage. Dalton had been swatted, targeted with the most dangerous

retaliatory measure in the toolkit of nihilist teen hackers. When the police

realized there was no hostage crisis, Dalton explained to the cops and his

parents that an angry kid online had inflicted this situation on them leaving

out the part about his booter service. As a measure of the skewed risk

assessments of his teenager s brain, his biggest fear during the entire

incident was how his furious parents would punish him. He was grounded.

Dalton says the real lesson he drew from the incident was to tighten his

operational security, no longer telling anyone in the hacking world his real

name except Josiah. I trusted no one except for Joey, he says.

In the midst of all this, when Dalton was 15, another kind of calamity struck:

His stutter came back. He says it happened when he met another stutterer at his

high school. Somehow, the event triggered his brain to start tripping up his

speech all over again. And the change seemed to be permanent. All the

difficulty he d had speaking as a small child, along with all the anxiety and

shame that came with it, flooded back. It was, he says, a nightmare.

Like many stutterers, Dalton found workarounds for the arbitrary lexicon of

words that would halt his speech, substituting others to hide his disability.

But names, which allowed no substitutions, were particularly tough. At one

point, to get out of gym class, he volunteered with his high school s tech

office and found that the job included delivering laptops to students. He

remembers standing in front of a classroom trying to say a student s name as

the entire class laughed at him. Even his own name was often impossible to get

out. It broke me, he says. But afterward, I was just like, I don t care

what other people think. Fuck it.

Dalton s stutter, he says, drove him into cybercrime with a renewed fervor. He

cut ties with real-world friends, retreated to his computer, and focused his

energy on hacking. His skewed teenage logic kicked in again, telling him to

abandon any hope of a normal life or legitimate career. I thought, No one s

gonna hire me because I can t talk. How am I going to get past an interview

when I can barely say my name? Dalton remembers.

He had, he told himself, no other option. I have to find a way to make this

blackhat thing work out.

Of the Three young hackers who would go on, together, to be responsible for the

biggest DDoS attacks in history, Paras Jha came to that path from the most

innocent and childlike place of all: a love of Minecraft.

Born in Mumbai, Paras was less than a year old when his family emigrated to the

US, where they eventually settled near central New Jersey. His parents demanded

academic perfection, and Paras was gifted enough to easily deliver. Too easily,

in fact: For years of elementary and middle school, he would read entire

textbooks as soon as he got them, he says, then never study them again and ace

every test.

At the same time, Paras was aware that he had a paradoxical problem with focus.

He remembers being in third grade and disassociating as a teacher spoke to him,

tracing out her face in the air with his finger. That teacher later suggested

to Paras parents that he be tested for attention deficit disorder. Coming from

a culture that stigmatized such a diagnosis, Paras says, his family was

skeptical of the teacher s warning. His mother and father filled out the school

s evaluation for learning disabilities; it came back negative, and he was

never treated.

Over Skype, Josiah told the others that he was launching the attack. Across the

internet, Paras could hear the tap of the Enter key on Josiah s keyboard. And

the world stopped.

As Paras grew older, his scattered mental state meant he often forgot school

assignments, and his strict parents would respond by grounding him. To pass the

time, he gravitated to computers. His beloved video games were forbidden on

weekdays, so he would spend hours playing with Microsoft s Visual Studio,

teaching himself to program.

By his early years of high school, Paras had become obsessed with Minecraft, an

immersive online world that essentially presents a blocky, lo-res, nearly

infinite metaverse. More than playing the game, however, Paras was drawn to the

possibilities of running his own Minecraft world on an online server. He would

host mini-games of tag or capture the flag, endlessly tinkering with his server

s code to modify the rules. He loved to join his own world, turn himself

invisible, and then observe how players responded within the universe he

controlled and changed at will. It was like watching 8-bit ants with human

intelligence move around his very own ant farm.

Paras soon discovered he could make thousands of dollars using his coding

skills to build modifications and mini-games for other Minecraft

administrators. In fact, it turned out that the Minecraft ecosystem supported

its own surprisingly high-stakes industry. Players paid small fees for access

to perks and upgrades on their favorite servers, and administrators of the most

popular worlds within that decentralized metaverse made as much as six figures

a year in revenue. All of that money meant this innocent-seeming industry had

developed a surprisingly ruthless dark side. Minecraft servers came under

constant barrage from booters DDoS attacks, launched by aggrieved players,

competitors, and trolls. Many paid thousands of dollars a month to DDoS

protection firms that promised to filter or absorb the attack traffic.

One day, Paras found himself in a Skype group chat with an acquaintance who

also ran a Minecraft server. This person was determined, for reasons Paras can

no longer remember, to take down a particular rival s world. Paras read along

as the acquaintance asked another member of the chat for help a figure by the

name of LiteSpeed, who had attained a certain infamy for his denial-of-service

wizardry.

Josiah had changed his handle on Hack Forums from Ohnoes1479 to this less-cute

moniker about nine months after he d joined the site, and these days he carried

himself online with significantly more swagger. He was happy to oblige.

Josiah, Paras, and a few friends all entered the target Minecraft world,

apparating into its blocky landscape full of hundreds of other players lo-res

figures. Then, over Skype, now in a voice chat, Josiah told the others that he

was launching the attack. Across the internet, Paras could hear the tap of the

Enter key on Josiah s keyboard. And the world stopped.

Instead of going dark or returning an error message, the universe hosted on the

server that Josiah had knocked offline simply froze, as each player was

suddenly disconnected and confined to their own computer s splintered version

of it. Paras marveled at how he could move through that world and see other

players paralyzed where they stood, or floating in midair.

That frozen state lasted for 30 seconds before the world crashed entirely. To

Paras, it was a hilarious magic trick. It felt like a secret superpower

almost, he says. Even though it wasn t me who did it, it was cool to just be

in the know about what s going on.

He became friendly with Josiah and found that this talented hacker was happy to

take down practically any target server that Paras asked him to, mostly just

for sheer amusement. Josiah also seemed to be surprisingly open to sharing his

knowledge. Having moved on from the amplification attacks he and Dalton had

experimented with early on, Josiah now carried out his attacks with a botnet of

thousands of computers around the internet that he d infected with his own

malware, exploiting a security flaw in the web-hosting software phpMyAdmin to

turn the underlying servers into his personal army.

Later Josiah would switch to wielding an even more powerful collection of

Supermicro servers that he d hacked via a vulnerability in their baseboard

management controllers, chips meant to allow an administrator to remotely

connect to a server and monitor its performance. The attacks he was triggering

were soon so powerful that he and his friends had difficulty even gauging their

strength: Everything they d hit with it the best-protected Minecraft servers,

even their own measurement tools would immediately fall offline.

Paras wanted this superpower too. Josiah was happy to help him troubleshoot his

DDoS attack code and even offered thousands of computers from his own botnet

for Paras to test it on. Instead of just pressing the button, I wanted to say

I had made the button, says Paras. Soon he was a relatively sophisticated

botnet herder with his own DDoS zombie horde.

By 10th grade, to his parents dismay, Paras had begun to struggle in school as

subjects became more complex and his disaffected-prodigy tactics reached their

limits. But online, where he went by the handle dreadiscool, he embraced his

new godlike capabilities with roguish abandon, knocking off targets on the

slightest whim. He and another friend would even sometimes find the phone

number for a company that hosted certain Minecraft servers, call their business

line from a burner number, and verbally taunt them as Paras launched a DDoS

attack that ripped their machines offline.

Somehow, the rule-following, high-achieving kid from a strict immigrant

household had become a rampant online vandal. But at that point, Paras says, it

was never quite clear to him or Josiah, or Dalton how serious the consequences

of their attacks might be. They were, after all, still just taking some

computers off the internet, right? Like, the servers come back online, Paras

says. You wake up the next day and you go to school.

At other times he would almost check himself, coming to grips with his

spiraling behavior. He remembers sitting in the bathroom of his parents house

just after taking down one of the biggest Minecraft servers, Hypixel, and

realizing that if he kept going, he was bound, sooner or later, to get

arrested. Don t get sucked into it, he told himself. Don t get sucked into

it.

Illustration of a person sitting behind a statue

Illustration: Joonho Ko

paras got sucked into it. They all did. In particular, Josiah, the Christian

homeschooler who d once kidded himself that he was a harmless hacker-explorer

or a Wozniak-style prankster, had taken a rapid, step-by-step slide into

moneymaking cybercrime. Under his LiteSpeed handle, he d begun selling his

amplification techniques to known booter service operators for a few hundred

dollars a customer, spending most of the money to rent servers in remote data

centers to further his hacking. He reverse engineered Skype s code to find ways

of extracting users IP addresses, the identifiers for their home internet

connections that could allow them to be directly DDoSed. Soon he was selling

this IP-extraction tool on a per-use basis to his fellow hackers and booters.

When one of his friend s would-be victims bragged that he couldn t be hit

offline because he had a dynamic IP address that changed every time he rebooted

his home router, Josiah figured out he could use a traceroute command to see

the IP address of every router between that target and his internet service

provider. So he and the friend started hitting the computers farther upstream

in that network, going after the bigger arteries that fed data to and from his

computer instead of the capillaries that linked to his home machine, until all

of those routers were unresponsive too. This indiscriminate tactic, as far as

they could tell, took out the internet service for the target s entire town,

all just to prevent him from dodging their attack.

Each step, Josiah says, felt small enough that, like the mythical boiling frog,

he barely noticed the change in moral temperature. He d found something he was

very good at better than perhaps anyone he knew. And he wasn t, he told

himself, carrying out hardcore cybercrime like breaching networks or stealing

credit card data. Another Hack Forums user reassured him that the FBI cared

only about botnets bigger than 10,000 computers, a story he naively accepted.

I rationalized a lot of it away, Josiah says. The pot was boiling.

in early 2014, when Josiah was still 16 years old, he dialed the temperature up

another fateful degree with the creation of a powerful new form of botnet. It

began when a friend pointed out to him that home routers, aside from making

good targets for DDoS attacks, could themselves be hacked and potentially

turned into botnets zombie conscripts. In fact, many routers still used an old

protocol called telnet that allowed administrators to remotely configure them,

sometimes without the need for any authentication or else requiring only

default credentials, like the password admin. All those routers represented

countless thousands of hackable devices, in other words, waiting to be taken

over and added into Josiah s army.

The catch was that the routers were small, simple gadgets that used cheap,

low-performance embedded-device chips not the kind of system that most hackers

were accustomed to exploiting. But Josiah was never one to be daunted by the

task of learning the arcane details of a new machine. He started from scratch,

learned to write the native language of routers ARM chips, and built a compact

piece of malware that could be installed over telnet onto the relatively dumb

devices to make them obey his attack commands.

The routers operating systems didn t normally allow software to be installed

on them. But Josiah figured out that they did have an echo command that could

write out any line of text that you typed into a new file. He used that command

to copy his code, line by line, into a file small enough to fit into the

routers few megabytes of memory. The feat was the equivalent of assembling a

model ship inside a 12-ounce bottle. He called the code Qbot.

Qbot was Josiah s first foray into hacking the so-called internet of things,

the vast universe of internet-connected devices beyond traditional computers,

from security camera systems to smart appliances, that would turn out to be

ripe for exploitation. Even in this first, crude attempt, it was immediately

clear that Qbot was a potent new weapon.

Josiah could see the power he d stumbled into: There seemed to be many

thousands of vulnerable routers online that Qbot could commandeer. He was

initially more careful with this creation than he d been with his previous

coding projects, keeping Qbot s code private and sharing it only with his

friends: Dalton, Paras, and a few other young hackers who had formed a loose

network and hung out on Skype and TeamSpeak. But Josiah made the mistake of

also giving the code to one other contact. The guy went by the name vypor

and, Josiah says, had a reputation for trading in other hackers secrets as a

means of impressing more talented acquaintances. Vypor immediately began

trading Qbot for favors and clout with, it soon seemed, his entire contact

list.

When that betrayal became clear, Dalton retaliated on Josiah s behalf by hiring

a rapper through the gig-work service Fiverr to record a profanity-laden track

brutally mocking vypor s lack of coding skills. The diss track was uploaded to

YouTube. Vypor immediately responded by threatening to swat all of them:

Dalton, Josiah, even Paras, who had only recently joined the group.

All three of the young hackers were terrified of being swatted or swatted

again, in Dalton s case. They agreed that their best bet to protect themselves

was to knock vypor offline and hold him off as long as possible. If he couldn t

reach a VoIP service to spoof a call to the police, their short-term reasoning

told them, he couldn t swat anyone. Maybe they could at least enjoy the weekend

before he brought armed police to their doorsteps.

So all of them, together, bombed vypor with every DDoS tool they had. For days,

they repeatedly hit not only his home connection but also routers two and three

steps upstream, using Qbot and every other botnet and amplification technique

they d learned to wield. The three believe they probably blasted vypor s entire

town off the internet, though they never got confirmation aside from seeing the

entire chain of network devices stop responding to their pings.

Regardless, the attack seemed to serve its purpose. Vypor disappeared from the

scene and never bothered them again.

Illustration of eyes behind blue tinted glasses

Illustration: Joonho Ko

allison nixon, who would become one of the first security researchers in the

world to fully understand the dangers posed by weaponized routers and

internet-of-things appliances, had no idea who Josiah White was. But she knew

LiteSpeed.

At the beginning of her career in New York a few years earlier, Nixon had

worked the night shift in the Security Operations Center of Dell s SecureWorks

subsidiary, essentially as the cybersecurity equivalent of a patrolling night

watchman. A petite, hoodie-wearing security analyst in her early twenties, she

monitored the company s clients networks for attacks in real time and

investigated them just enough to know whether to escalate to someone more

senior. Kind of a grind, she remembers.

But she was curious about where all these daily, wide-ranging hacking attempts

were coming from. So in the long stretches of downtime between alerts, she

started googling and was amazed to discover Hack Forums, a platform on the open

web where young digital deviants were bragging about their attacks and brazenly

selling their toolkits. She found booter services especially shocking: how

publicly, and cheaply, these miscreants sold a kind of cyberattack that could

cost companies millions of dollars a year and often made her and her colleagues

lives hell. Many of the young hackers doing this damage could even be

identified, thanks to their rash public posting, sloppy operational security,

and the frequent doxing of rivals digging up and outing another hacker s real

identity. But no one seemed to be doing anything to stop them.

As Nixon lurked longer on the forum, she could see that most hackers on the

site weren t actually developing their own techniques. Instead, almost all of

their tools seemed to trickle down from just a few skilled individuals.

LiteSpeed was one of them. His attack amplification tricks and bot infection

tools had established him as a kind of Hack Forums alpha, an unmistakable

standout in the scrum. Sometimes you kind of get a gut feeling when you re

tracking someone that they re going to blow up in one way or another, she

says. I knew I wanted to keep an eye on him.

Nixon says the more senior researchers on SecureWorks counterthreat team had

little interest in DDoS attacks, which were considered primitive compared to

the cutting-edge intrusion methods that they focused on. But Nixon was

fascinated by the anarchic Lord of the Flies world of young hackers building an

entire cyberattack industry, seemingly with no repercussions or even notice

from law enforcement.

Nixon partnered with a university researcher and began testing out booter

services on Hack Forums, barraging a guinea-pig target server with waves of

junk traffic. Some of the attacks topped 30 gigabits a second, easily enough to

knock someone offline or cripple a website.

By 2014, Nixon had quit the security operations center and taken a job hunting

hackers full time, but she couldn t let go of her DDoS obsession. At a meeting

in Pittsburgh of cybercrime fighters, called the National Cyber-Forensics and

Training Alliance, she stood before a room of several dozen researchers,

academics, and law enforcement officials. With the participation of an internet

service provider that had just presented its DDoS protection plan, she

demonstrated that she could click a button on a booter website and launch a

cyberattack at will a daring move in front of a crowd of federal agents and

prosecutors.

One agent from the FBI s Pittsburgh field office, named Elliott Peterson a

former Marine from Alaska who d recently led the landmark takedown of a

Russian-origin cybercriminal malware and botnet known as GameOver ZeuS was

particularly impressed. He and Nixon talked about the booter problem. She

pointed out how freely the services operated, how many of the culprits were

identifiable, and how powerful any intervention in that world might be. And she

shared her growing sense that, if the larger problem were left unchecked, it

would pose a serious threat to the operation of the internet.

for josiah, the conflict with vypor was a wake-up call. He felt he d narrowly

avoided watching his secret hacking hobby burst into his peaceful family life.

For more than a year, he backed away from Hack Forums and let his LiteSpeed

handle go dormant. But he continued to chat with his friends Paras and Dalton,

and the three of them began sharing a rented server for coding experiments and

internet scanning, which they referred to as the Fun Box.

Paras, meanwhile, continued his free fall into hacker nihilism. In the fall of

2014, he started college at Rutgers and found himself alone and unmoored. He

had looked forward to delving into the study of computer science and was

appalled to learn that he would have to enroll in other kinds of courses that,

to him, seemed like months of wasted time and tuition. Even the computer

science exams, to his horror, had to be taken with pencil and paper. I

absolutely hate college, he texted a friend. There is absolutely nothing for

me here.

He sank into a malaise and gained weight, sometimes eating a large Papa Johns

pizza in one sitting. He couldn t sleep at night and often couldn t find the

motivation to get out of bed, much less go to class. Aside from his roommate,

he had little social contact in the real world certainly nothing that could

compare to the rich, battle-tested friendships he d built online.

We ll do it a few times, Josiah remembers thinking. We ll cause trouble for

a little bit, and then we ll just forget about it. We ll stop.

Paras was particularly frustrated to find he couldn t even get into some of the

computer science courses he wanted to register for: Third- and fourth-years got

first dibs, and only once their registration round was over did second- and

first-years get a chance to choose from the leftovers.

But Paras soon realized he had just the superpower to right this injustice: He

could use one of his botnets, built mostly of vulnerable home routers, to blast

the entire registration system offline until it was his turn.

He took a trollish delight in tormenting the institution that he felt was

tormenting him. Under the Twitter handle @ogexfocus, accompanied by a picture

of a ghostly mask, Paras publicly taunted his target. Rutgers IT department is

a joke, he wrote in a public manifesto, bragging, after three attacks in

succession, about crushing the university s network like a tin can under the

heel of my boot I m fairly certain I could run circles around all of you with

my eyes closed and one leg amputated.

When dreaded exams rolled around, he tore down Rutgers network again to delay

them, buying himself a few more days of miserable procrastination. Later, he

took the network down to prevent his parents from seeing his increasingly

horrendous grades. I was feeling very frustrated I guess with myself and

lashing out, he says.

On one occasion in the spring of 2015, Paras totaled the Rutgers network so

thoroughly that he had to text Josiah to ask him to continue the attacks on his

behalf. Admiral can you execute my command? he wrote in the jokey,

naval-themed slang they d developed. The outages persisted long enough that

some Rutgers students later demanded a tuition refund.

Paras enjoyed the sense of control the attacks gave him, watching their

cascading effects on the university the same way he d invisibly watched players

respond to his tweaks of Minecraft worlds years earlier. But when the attacks

were over, his problems were still there. By his second year, it was clear to

Paras that college wasn t working for him.

Around the same time, he had started batting around an idea with Josiah that

seemed like a way out: What if they founded their own startup offering DDoS

protection, to defend paying customers from exactly the sort of attacks that

they had become so expert at launching?

To Josiah, it made perfect sense. He understood DDoS attacks on a deep

technical level he had, in fact, built or at least used many of the attack

tools that other DDoS protection firms were combating daily and Paras had built

a reputation as a skilled programmer, particularly among Minecraft server

administrators, who might be a good initial customer base.

Paras borrowed $10,000 from his father, and he and Josiah used it to cofound a

company: ProTraf Solutions, short for protected traffic. They had seen other

firms struggle to defend customers from new forms of DDoS, and they were sure

they could do better.

It wasn t so simple. After launching ProTraf, they realized their potential

customers didn t often shop around for DDoS protection. Typically, they didn t

feel the need to switch providers unless the one they already had was failing

to shield them from an attack, which occurred only rarely. Meanwhile, the

bandwidth Josiah and Paras had rented on servers around the world the cushion

they would use to absorb attack traffic aimed at customers was quickly eating

through their capital.

Soon they came to an idea. Only when customers were actually knocked offline

would they consider switching to ProTraf. Maybe the two young partners just

needed to hurry this process along. We could wait for one of these outages,

Josiah says, or we could cause one of these outages.

They agreed: They would use their own DDoS attacks to hit off their competitors

customers just enough to get their own fully legitimate business on its feet,

of course. We ll do it a few times, Josiah remembers thinking. We ll cause

trouble for a little bit, and then we ll just forget about it. We ll stop.

Illustration of a colorful keyboard grenade

Illustration: James Junk, Matthew Miller

josiah and paras began building the new attack botnet they d use in what would

become whatever story they told themselves a kind of DDoS protection racket.

The two teenagers used Josiah s old Qbot code to reinfect a new army of

thousands of routers and started wielding it to target their rivals clients

all Minecraft servers easily obliterating their protections. For a while, this

veiled extortion scheme actually worked. More than a dozen Minecraft

administrators, desperate to get back online, did switch to ProTraf, paying

$150 or $200 a month each.

It still wasn t enough. They d expanded too quickly, buying infrastructure that

was eating up their capital faster than their revenue could replenish it. And

they found that when their attacks stopped, some customers switched back to

their competitors perhaps because they sensed that the attacks, timed so

closely to the launch of this new startup, had been a little too convenient.

People had their suspicions, Josiah says.

Josiah was still working at his family s computer repair business as he

struggled to get ProTraf on its feet. When he wasn t helping customers there,

he resorted to making phone calls to drum up sales. He figured if his father

and brother could pitch customers and build a business, so could he. But no one

who picked up the phone wanted to listen to this fast-talking teenager selling

a mission-critical security service. The calls were dead ends, and Josiah came

to loathe making them.

Just around a year after launching, in the late spring of 2016, ProTraf was

flaming out. For Josiah in particular, the company s looming death was hard to

accept. His parents had been so proud of his business ambitions: He seemed to

be making good on his enormous potential, following in his family s

entrepreneurial footsteps. Was he really going to admit that he d already

failed? He felt trapped and ashamed.

So Josiah began to consider other sources of cash flow. A friend from the

hacker scene had been impressed with his rebuilt collection of Qbot-infected

routers. He asked whether Josiah might be willing to build a new DDoS botnet.

If so, he would have customers lined up to pay thousands of dollars in bitcoin

for access to it.

Josiah suggested to Paras that they could accept the offer and build a new,

even bigger botnet, renting slices of its attack power to the highest bidder in

a last-ditch attempt to keep ProTraf alive. It would essentially mean turning

the company from a protection racket into a front for their new, real business:

selling cyberattacks as a service.

Sounds ill ey gahl, Paras joked. Sounds illegal.

Eh, Josiah wrote back. Kinda.

Octopus computer illustration

Illustration: Joonho Ko

to build the chief weapon of their secret DDoS-for-hire sideline, Josiah and

Paras started from scratch. A few years had passed since Qbot s creation, and

they both had a few new ideas of how to infect and commandeer a vastly larger

collection of internet-of-things devices.

In the time since Josiah s original Qbot code had leaked thanks to Josiah s old

friend vypor the hacker community had been steadily upgrading it. Some versions

had now been redesigned into worms : Infected routers would automatically scan

for other vulnerable devices and try to hack and infect them, too, in a

self-spreading cycle. But when Josiah and Paras examined those newer botnet

systems, they seemed inefficient and unreliable. Someone else s hacked router

was an unwieldy vantage point from which to find vulnerabilities in new

machines. Plus, that decentralized setup made it slow and difficult to upgrade

their bot software.

So instead, they designed a more centralized, three-step structure. Their

infected machines would scan for other hackable devices using a new system they

say was as much as a hundred times faster than the bootleg Qbot worms they d

previously seen and then report the vulnerable gadgets they found to a loader

server, which would hack the machines via telnet to install their malware. Then

a separate command-and-control server would shepherd those malware-infected

bots, periodically sending new commands for which targets to attack.

Paras and Josiah were surprised to discover just how powerful this new

automated zombie recruitment process turned out to be. Josiah remembers leaving

the system running overnight and waking up to find 160,000 freshly brainwashed

routers ready to do his bidding far more than he d ever controlled before.

When he saw the scale of what they were building, Josiah s plan raise some

money with a few cyberattacks, then return to ProTraf and go straight began to

seem like a wasted opportunity, a waste of his talents. This is cool, he

remembers thinking. This is innovative. No one else is doing this.

As their botnet s size exploded, Josiah suggested to Paras that they would be

able to rent even small fractions of their firepower to attackers for $2,000 or

$3,000 a month, easily topping $10,000 in monthly revenue.

Lol, Paras wrote back. And how big does the armada have to be.

That wont be a problem, Josiah responded.

seeing their botnet grow so deliriously large so quickly had now triggered in

Josiah an old impulse, purer than any profit motive. What are the limits here?

he began to ask himself. How far can we spread this thing?

Naturally, he turned to his old friend Dalton, who had always shared that urge

to push the technological envelope. Josiah and Paras agreed to cut Dalton in on

shared control of their growing creation, letting him sell access to a part of

it through his own booter service. In return, Dalton would contribute his

hacking skills to finding new populations of devices to add to their horde.

To maximize their malware s footprint, Dalton began to plumb the teeming

vulnerabilities of the internet of things. He dug up tens of thousands more

gadgets across the world with unpatched flaws, machines that went far beyond

home routers: Smart appliances such as online fridges, toasters, and light

bulbs all became part of their agglomerated mass of raw computing power. All

these eclectic digital objects had the advantage of being relatively greenfield

territory. While countless hackers vied for control of traditional computing

devices, like PCs and even routers, many of these newer devices remained

untouched by malware and uncontested.

Surveillance cameras digital video recorder systems, with hardware capable of

processing large video files, turned out to be especially strong new recruits.

Some scans even turned up more exotic hackable devices, like internet-connected

industrial cement mixers and municipal water utilities control systems. (The

three hackers say they did avoid hacking those industrial devices for fear of

being mistaken for cyberterrorists.)

They settled into a workflow. Dalton would scan for new species of exploitable

devices and write code to infect them. Josiah would refine Dalton s code and

create software to take control of new additions to their menagerie of

networked gadgets.

Paras, meanwhile, focused on the administration software that ran on their

command-and-control server its own complex programming task as their botnet

grew to nearly 650,000 devices. He sensed that the scale of their creation

would soon draw attention, and he took it upon himself to create a trail of

misdirection to hide their identities from public scrutiny. To advertise the

botnet, Paras created new sock-puppet accounts with names like OGMemes and

Ristorini on Hack Forums, Skype, Reddit, and Jabber. He then created a

collection of fake dox linked to those handles the posts that hackers

typically use to out rivals real identities, but in this case all pointing at

people whom Paras had chosen as patsies.

To make their connection to the botnet s command-and-control server harder to

trace, Josiah found a vulnerable server in France that they could hack and use

as a jump point, connecting to that hacked machine only through the anonymity

software Tor, which made it look like that computer s owner was the real

mastermind. The machine was actually a seed box, a server left online to

continuously trade in pirated movies over the BitTorrent protocol.

The French server, in fact, was filled with anime videos, a subject Paras knew

something about. He was a fan of the psychedelic animated Japanese show Mirai

Nikki, in which a teenage outcast discovers he s part of a battle royal among

12 owners of magical cell phones, and eventually spoiler alert uses his phone s

powers to become the god of all space and time. The show, Paras had texted a

friend, literally defines the genre of psychological thrillers.

Paras knew that the file name for their program, now running on an

ever-increasing base of hundreds of thousands of devices worldwide, would soon

be a subject of notoriety. So in keeping with their work to pin the botnet s

creation on a random anime collector, he chose a suitable name. All the better

that it also evoked a cyberpunk superweapon brought back to the present by a

time-traveler, an instrument for which the world was wholly unprepared: Mirai.

In Japanese, it meant the future.

to allison nixon and any other security researcher observing it from the

outside, the advent of Mirai initially looked less like the rise of a new

superpower than the start of a world war one where the battlefield was the

internet s multitudes of insecure gadgets.

In 2014 and 2015, the years leading up to what she would call the battle of

the botnets, Nixon began noticing that groups of nihilistic young blackhats

with names like Lizard Squad and vDOS were picking up LiteSpeed s leaked Qbot

code and then selling access to their own hordes of zombie devices, or using

them to terrorize and extort online gaming services. So Nixon, who around this

time started working at the security firm Flashpoint, created honeypots

internet-connected simulations of vulnerable devices designed to be infected by

the hackers bot software, acting as her own spies amid the botnets ranks. The

result was a real-time intelligence feed revealing the booters commands and

intended targets.

It was in early September 2016, while monitoring those botnet honeypots, that

Nixon and some colleagues spotted an intriguing new sample of code that was

infecting routers and internet-of-things gadgets: the one the world would come

to know as Mirai.

This new code seemed capable of detecting when it was running on a honeypot

instead of a real device and would immediately terminate itself when it did. So

Nixon and her coworker ordered a cheap DVR machine off of eBay, connected it to

the internet, and watched the device they nicknamed it the sad DVR due to its

life of victimization get infected over and over again by Mirai and its

competitors.

In fact, unbeknownst to Nixon, Mirai s creators were by then locked in an

escalating turf war with vDOS, a competing botnet crew, which had built an

especially large army of hacked machines using an updated version of Qbot. Both

the Mirai and vDOS teams had designed their bot software to identify and kill

any program that appeared to be their rivals , and the two botnets began vying

for control of hundreds of thousands of vulnerable machines, like warlords

repeatedly conquering and reconquering the same strip of no-man s-land.

Soon the Mirai crew and vDOS resorted to anonymously filing abuse complaints

with the companies hosting each other s command-and-control servers, forcing

them to build new infrastructure. At one point, a company called BackConnect,

which had been hosting Mirai s server and was run by acquaintances of the Mirai

team, came under a DDoS attack from the vDOS crew. To Nixon s shock,

BackConnect responded by using a so-called BGP hijack the highly controversial

tactic of essentially lying to other internet service providers to misdirect a

wide swath of traffic to effectively pull vDOS s command-and-control server

offline.

Soon, Paras, Josiah, and Dalton got tired of the endless tit for tat. They

reprogrammed Mirai, allowing it to sever the telnet connections on the victim

devices thus making them harder to update but shutting out vDOS and any other

rival from easily reinfecting those machines. That seemed to do the trick: To

the Mirai team, it appeared vDOS had given up. (In reality, their adversaries

had been questioned by law enforcement and later arrested.)

Nixon remembers the feeling she and her team of researchers had as they watched

Mirai win that war and come to dominate the internet s mass of vulnerable

devices. Once, that messy landscape had been infected with a rich diversity of

malware species. Now, for the first time she had ever witnessed, all of that

malevolent code seemed to go quiet as Mirai s superior infection techniques

took hold of hundreds of thousands of networked devices across the globe. From

our perspective, it was like this new apex predator was prowling the savanna,

and all of the other animals had disappeared, says Nixon. From that point

forward, we were on the hunt for this monster.

For much of the cybersecurity research community, the purpose of this

gargantuan botnet still remained unclear. They couldn t know that Josiah,

Dalton, and Paras had opened Mirai for business and put its services up for

sale that the monster Nixon was hunting was, itself, on the hunt for its first

victims.

Illustration of 5 people and crime scene tape

From left to right: Bruce Schneier, Elliott Peterson, Allison Nixon, Brian

Krebs, and Scott Shapiro. Illustration: James Junk, Matthew Miller

Part Two

Monster tenticles working on an ominous moon.

Illustration: Joonho Ko

For brian krebs, September 22, 2016, was an inconvenient day to become the

target of the most powerful DDoS botnet in history.

A construction crew had been replacing the siding on Krebs rural house in

Northern Virginia all morning. The incessant hammering was freaking out his

dog, who responded as if barbarians were laying siege to their home. Krebs

worked as an independent investigative reporter and security researcher one of

the best known in the cybersecurity industry. He had no workplace to escape to.

I was already losing my mind, Krebs says.

It was only a little later that day, Krebs says, that it started to become

clear that his dog was not wrong. He was, in fact, under siege. And the

barbarians were winning.

Two nights before, Prolexic, the service that provided his DDoS protection, had

warned him that something was amiss. His website, KrebsonSecurity, had been hit

with an attack that peaked at a mind-boggling 623 gigabits a second, according

to Prolexic s measurements. The company had never seen an attack even half that

big. But it had heroically managed to absorb the traffic, the Prolexic rep told

Krebs, and his site had stayed online.

Holy moly. Prolexic reports my site was just hit with the largest DDOS the

internet has ever seen, Krebs tweeted that night. Site s still up. #FAIL.

Krebs prided himself on his work hunting cybercriminals, a role in which he was

nearly peerless in the world of journalism and one that had made him plenty of

enemies. He d been swatted by a target of his investigations and once had

someone ship dark-web heroin to his house in an attempt to frame him. DDoS

attacks from aggrieved subjects of his reporting were nothing new. But taunting

the source of this particular attack, he now realized, had perhaps been

ill-advised.

For two days, he continued to get notices from Prolexic that the massive DDoS

was still going. In fact, whoever was barraging his server had persistently

switched tactics throughout that time, firing new forms of data designed to be

harder for Prolexic to filter out, or targeting machines further upstream.

These guys were real bastards, Krebs says. They were throwing the kitchen

sink.

Amid all this, more than 36 hours after the attack had begun, a member of the

work crew at Krebs house managed to kick his satellite dish, knocking out his

home s internet connection. He tried to tether his computer to his cell phone,

but its bandwidth was too spotty. And the attack kept coming, an overwhelming,

sustained tsunami of malicious ones and zeros.

Krebs was still struggling to get online on the afternoon of the 22nd when he

got another call from Prolexic. This time the company told him, in polite but

clear terms, that he d better find a new source of DDoS protection. They were

dropping him. One of the biggest DDoS defense firms in the world could no

longer handle the scale of the data torrent barraging his site.

Krebs got in his car and drove to a local business s parking lot to try to find

a stable Wi-Fi connection for his laptop. From there, he called his web-hosting

provider to warn that, without Prolexic s layer of defense, it was about to get

hit with an unfathomable wall of digital pain. He suggested that rather than

allow all its customers to be taken offline, it should instead configure his

website to point to a nonexistent IP address, essentially routing the attack

traffic and anyone trying to visit his site into a hole in the ground.

The hosting company took his advice. KrebsonSecurity.com instantly dropped

offline. It would remain that way for days to come, as Mirai loomed, seemingly

ready to obliterate the site again the moment it resurfaced.

For Krebs, being successfully censored by cybercriminals was a wholly new

experience. Someone just took my site offline, Krebs remembers marveling.

And there s nothing I can do about it.

josiah, dalton, and Paras had unlocked their superweapon, and already it seemed

there was almost nothing on the internet that could withstand it.

When Krebs tweeted that his website had been hit with the largest DDoS the

internet has ever seen, he was almost right. Mirai had actually struck the

French internet provider OVH around the same time with an attack that had

reached the even more shocking volume of a terabit per second. The botnet s

hundreds of thousands of hacked devices had also quietly KO d a web-hosting

firm and a Minecraft service in August with attacks that were nearly as large

but had gone mostly unnoticed by the security world.

Within just a few months of launching their fully operational Death Star and

making it available for hire, the three hackers all still too young to legally

drink alcohol had assembled a small but devoted collection of clients. A fellow

hacker who went by the handle Drake allegedly acted as a kind of sales rep:

He would periodically hit off arbitrary targets as a form of marketing, to

demonstrate Mirai s bristling firepower to potential paying customers. One such

patron, who claimed to be in Russia, had rented Mirai to launch attacks against

rivals in the cybercriminal web-hosting world, knocking out his adversaries

sites. Their most frequent user seemed to be a hacker in Brazil, who repeatedly

and inexplicably rented access to Mirai to fire off attacks at the network of

the Rio Olympics, at one point bombing it with more than a half-terabit per

second of traffic.

Paras himself used Mirai a couple of times against his old whipping boy, the

Rutgers IT department, mostly just for vengeful fun. On another occasion he

briefly tried using it for straightforward extortion against one of their

former ProTraf customers, slamming a Minecraft server with a Mirai attack and

then demanding a bitcoin payment. In an attempt to make the connection to

ProTraf less suspect, he even copied his own ProTraf email address as a

recipient of the ransom note. The company didn t pay. Josiah disapproved of

Paras extortion attempt, and they never tried it again.

It was their Brazilian customer, Paras says, who had decided to DDoS Krebs into

oblivion. Paras woke up that day, read news stories about the monumental attack

on Krebs by far the most high-profile Mirai victim to date and instantly felt a

mix of excitement and dread in the pit of his stomach. This had better not

have been our botnet, he remembers thinking. He checked their user logs. It

was our freaking botnet.

After the Brazilian s earlier attacks on the Olympics, Paras and Josiah had

decided this user was perhaps a little too reckless in his targeting. They d

attempted to limit his access to Mirai, ending his sessions after just 10

minutes. But Paras saw that the nihilistic Brazilian had simply manually

restarted the attack on Krebs site again and again throughout the night and he

was still going.

Paras messaged Josiah and Dalton, and they jumped onto an emergency call on a

private, encrypted VoIP server. They all agreed: Annihilating the website of a

very well-known journalist had crossed the line beyond helpful marketing into a

kind of attention they didn t need the kind that got you arrested. You don t

want to poke the bear, says Josiah. This was a pretty big poke.

By this point, too, they were all 19 or older. They were adults, carrying out

an extremely visible criminal conspiracy. The heat Mirai was now bringing them,

they began to realize, wasn t worth it. And despite all the chaos it had caused

in its early months of life, Mirai had made only a small fraction of the money

Josiah hoped it would: about $14,000 worth of cryptocurrency in total. Even the

biggest DDoS attacks in the world were, for their perpetrators, a relatively

cheap commodity.

They had only just launched this world-shaking creation. Now they already

needed an exit strategy. It was Paras who, a day or two later, suggested a new

idea. Their Russian customer had, despite renting occasional access to Mirai,

suggested to him that DDoS was a bad business. Not enough money. Far too noisy.

He d advised they instead consider partnering with him to use their

botnet-building skills for a much stealthier and more lucrative opportunity:

click fraud.

Put all those hijacked machines to use quietly clicking on pay-per-click web

ads instead of pummeling victims, Paras explained, and they could make tens of

thousands of dollars a month by invisibly defrauding advertisers, a far less

disruptive form of cybercrime. Josiah and Dalton agreed they should start to

transition away from the cyberattack-for-hire industry and into this more

respectable black-market business.

But they couldn t quite bring themselves to kill their monster just yet.

Instead, Paras and Josiah, who held more control of Mirai s targeting than

Dalton, attempted to add the IP address for KrebsonSecurity.com to a block list

that would at least end the attack though they d find in the days to come that

their efforts to restrain their least predictable customer had failed again.

Regardless, by that point it was too late. Josiah was right. They had poked the

bear. Now it was wide awake.

elliott peterson was sitting thousands of miles to the northwest in the FBI s

Anchorage, Alaska, office when he read the news that Brian Krebs, a journalist

whose work he knew well, had been wiped off the face of the web.

He was shocked to learn that an attack could hit Prolexic a firm owned by the

internet giant Akamai, whose entire business model depended on handling giant

flows of traffic so hard that it could essentially jam one of the biggest

digital conduits in the world. And all to silence a journalist. Peterson knew

that he d just witnessed the start of a new era. All of a sudden, the world

woke up to the fact that someone s throwing around a terabit of traffic, he

says. No one was ready for that.

Two years had passed since Peterson had seen Allison Nixon s live booter

demonstration at a Pittsburgh cybercrime conference. He d since returned to his

native Alaska, taken up an assignment at the FBI s smallest field office, and

turned it into an unlikely hub for takedowns of botnet and booter operations.

Just days earlier, he d learned of the detainment in Israel of vDOS s two

administrators, the rival hackers with whom the Mirai crew had recently been at

war. Peterson had been involved in the investigation of vDOS for months. The

resulting bust was, in fact, the real reason that Mirai had definitively won

that rivalry.

Now Peterson was disturbed to see that the takedown had only cleared the field

for someone wielding an even bigger weapon. He knew he would need to take on

this case, too.

Working from his cubicle in the cyber atrium a glass-roofed enclosure that

houses the handful of FBI agents focused on cybercrime inside Anchorage s

brutalist, red-brick federal building he started digging. He and Nixon had

helped create an industry working group called Big Pipes that dealt with DDoS

attacks, and he immediately learned from contacts there that Akamai had been

hit by a mysterious new botnet called Mirai.

Even in the midst of Krebs unfolding crisis, Peterson understood that for the

Anchorage office to take on this new monster, he d first have to get over a

legalistic hurdle: He needed to prove that either its victims or creators were

in Alaska. Krebs and Akamai were thousands of miles away. So he realized that

he would have to somehow find Mirai-infected devices in his own state. Luckily,

by this point, there were hundreds of thousands of those infected devices

online, a digital pandemic that reached nearly every country in the world.

Meanwhile, Peterson could only watch helplessly as Krebs website was held

offline by Mirai for more than 48 hours. Only then did Krebs finally manage to

get it back up with the help of a new DDoS defender: Google. The web giant had

recently expanded a pro bono DDoS protection service called Project Shield to a

wider array of users, and it was eager to prove that it could withstand the

internet s biggest attacks.

Within two hours of KrebsonSecurity coming back up, it received another blast

from Mirai. The site s IP address had changed, Paras says, so his and Josiah s

block list didn t prevent their Brazilian customer from relaunching his attack.

But this time the site stayed online.

Google reached out to the FBI, and with Krebs permission, the company

eventually shared a list of IPs that had been the sources of the Mirai attack

traffic. Peterson and his four-person team began to comb through it. Sure

enough, he could see in the data that Mirai had infected devices across Alaska,

along with practically every other state in the country. He started tracking

down the Alaskan device owners, trying to explain to them in phone calls that

their routers and security camera systems had been unwittingly turned into

cannon fodder. Finally, Peterson got a break: He managed to persuade the owner

of a hunting lodge in the town of Ketchikan to unplug its malware-infected

security camera DVR and ship it to Anchorage to be dissected and used as

evidence.

Peterson had found his Alaska victim. He launched an investigation to hunt for

the hackers behind Mirai.

Peterson working at a desk looking at all of the ominous research.

Illustration: Joonho Ko

after serving in the Marines but before joining the FBI, Elliott Peterson had

served as a dean of men at a college in Michigan. In that job, he had helped

kids with emotional problems and substance abuse issues, essentially acting as

a guidance counselor and mentor. It was an unusual role for a future federal

agent, but the two jobs reflected Peterson s strange hybrid personality: half

by-the-book, buzz-cut G-man, and half well-meaning, friendly Midwestern youth

pastor.

Peterson brought that same peculiar cordiality into his Mirai manhunt. He began

politely asking around among the Hack Forums crowd and their ilk, a scene he d

become familiar with over his years of tracking booter services: Who might know

any of the pseudonymous hackers selling access to Mirai?

Not long after starting the investigation, his team in the Anchorage office got

a lead on one good source. They d managed to obtain a complete sample of the

Mirai code from an infected device and found that it phoned home to a

command-and-control server hosted by the DDoS mitigation firm BackConnect.

Peterson knew that name. He d been hunting the vDOS crew when BackConnect came

under attack from Mirai s rival; in an apparent act of self-defense, the

company had used a BGP hijack to pull vDOS s infrastructure offline a rogue

move that had nearly derailed Peterson s vDOS investigation.

So he made a few calls to BackConnect s management to ask about the company s

BGP hijack and the Mirai server they were hosting which had since moved

elsewhere and whether they had any contact with whoever controlled it.

BackConnect s staff said they didn t, but suggested someone who might: One of

their acquaintances from a company called ProTraf Solutions, Paras Jha, seemed

to have had contact with whoever was behind Mirai.

After all, Paras had received an extortion email from someone launching the

Mirai attacks neither Peterson nor BackConnect knew that Paras had sent that

email himself and they d heard he d chatted with a Mirai handler known as

Ristorini.

So Peterson called ProTraf s phone number and left a voicemail. Paras called

him back. Peterson remembers that Paras matched his polite, friendly tone and

calmly explained that yes, he had been in touch with Ristorini in online chats.

But he had no idea of the real identity of the person who d tried extorting one

of his former customers.

Paras kept the conversation short but said he d be sure to keep asking around

and would be in touch soon to help in any way he could when he d learned more.

Then he hung up and immediately called Dalton and Josiah to tell them the FBI

was on their trail.

this time, their emergency meeting was steeped in panic: They needed to ditch

Mirai, now.

Dalton suggested they simply take down Mirai s infrastructure, wipe the

command-and-control and loader servers, and destroy the hard drive of every

computer they d ever used to manage it. Lay as low as possible, kill the whole

thing, shred our drives, as he put it. Then they could quietly move on to

their more promising click fraud business.

Paras had another idea: How about they release the Mirai source code into the

wild? If they posted it publicly on Hack Forums, it would be adopted by every

DDoS-happy hacker in the world, just as Qbot had once been. They could

disappear into that crowd, making it vastly harder for this nosy Alaskan FBI

agent or anyone else to identify the original Mirai amid the flood of copycat

attacks.

Dalton vehemently disagreed. He argued that releasing the source code would

only draw more attention to Mirai, cause more damage, and make law enforcement

all the more intent on finding the botnet s original creators.

The call devolved into a full-blown shouting match, the first the three friends

had ever really had. Dalton screamed at Paras not to release the code. Paras

remained unmoved. Josiah, meanwhile, listened impassively, stuck between his

friends, unable to break the tie.

When they hung up, they had agreed that their Mirai adventure was over. But

they remained split on what to do with its source code.

So Paras acted on his own. A couple of months earlier, he had created a new

sock-puppet account on Hack Forums as another potential profile for Mirai s

mastermind: He d called this one Anna-Senpai, named after the villain of the

Japanese animated show Shimoneta, or Dirty Joke, in keeping with Mirai s

anime-loving cover persona.

Now, in late September, he logged in again as Anna-Senpai to post a stunning

announcement. I made my money, there s lots of eyes looking at IOT now, so it

s time to GTFO, he wrote. So today, I have an amazing release for you. The

post then linked to download pages for Mirai s source code, along with a

tutorial detailing how anyone could use it to create their own massive,

self-spreading, internet-of-things attack tool. He added in a separate post

that Anna-Senpai was now on the run, fleeing their home in France for a

non-extradition country.

Someone was using a copycat botnet to troll a video game company and the

collateral damage was the worst internet outage the world had ever seen.

Paras had just dumped the recipe for a superweapon into a mosh pit. Beyond

throwing up a smoke screen to ward off the FBI, it was also a final, epic

troll: a way to shake the internet ant farm, this time on a global scale, and

watch the ants scramble.

The Hack Forums community responded accordingly, showering him with praise and

admiring Mirai s polished programming. Several users wrote that it had to be

the work of professionals, not the forum s typical teenage wannabes. Your a

fucking legend, one user wrote. Leak of the year, wrote another.

Within days, one user responded that they d successfully used the source code

to create their own Mirai botnet of 30,000 devices. Another chimed in to say

theirs had reached 86,000 machines. The glorious copy paste will happen,

wrote another appreciative hacker. IoT botnets will spread like wildfire.

Best haxoring tool of all time! Gonna take down eribody! wrote another Hack

Forums fan, summing up the gleeful mood. I ve always wanted a botnet that can

DDoS de planet!

peterson was deeply dismayed to see the Mirai code dumped online, a move he saw

as appallingly reckless. But rather than be thrown off, as Paras had intended,

Peterson had the immediate thought: Had his poking around inspired this? Did

his conversation with Paras have something to do with it?

Not long after Anna-Senpai s Mirai release, Peterson got another break in the

case: Some university researchers working with the anti-DDoS group Big Pipes

told him they d found a clue in the logs of their honeypot machines, designed

to monitor internet scanning. Two months earlier, on August 1, they d been able

to see that a kind of proto-Mirai scanning tool, perhaps the earliest version

of the botnet s reconnaissance code, had probed their devices from a US-based

IP address.

Peterson contacted the IP s hosting company to request the identity behind it

and got a subscriber name: Josiah White. The other cofounder of ProTraf

solutions.

The FBI agent called ProTraf again and this time spoke to Josiah on the phone,

projecting his same friendly tone. Josiah, trying to sound professional but

caught off guard by Peterson s discovery, nervously admitted that yes, he d

done some scanning. Scanning the internet, after all, isn t a crime. Then he

begged off answering any more questions and hung up the phone.

Peterson had been fascinated and even impressed by the Mirai team s operational

security: the careful layering of proxies, the dead ends he reached as he

traced those connections, the doxes he found for Mirai s handler accounts,

all of which seemed to lead him astray. But now, just weeks into his

investigation, he knew that Josiah s early scanning slipup had allowed him to

sidestep all of that obfuscation and misdirection. His team began sending a

flurry of legal requests to the email and internet service providers for every

account associated with the throwaway profiles Paras had created for Mirai, as

well as those of Paras and Josiah themselves and ProTraf Solutions.

As Peterson dug through Hack Forums, he noticed, too, that there was another

interesting account that sometimes chimed in on Anna-Senpai s posts someone

called Fireswap. Often they seemed to be defending Mirai s creators and taking

shots at critics of their source code. So Peterson sent a legal request to Hack

Forums for Fireswap s email address fireswap1337@gmail.com and then asked

Google for that user s subscriber metadata.

Looking through logins on Fireswap s Google account, registered to someone

named Bob Jenkins, he could see they came from the same VPN or proxy server IP

address that had carefully been used to create the fake Mirai doxes sometimes

just minutes apart. But then, in some cases, Jenkins had a different IP: the

same one that Paras had used to connect to his ProTraf email account.

Paras had never suspected that an investigator would think to look into the

burner account he d created solely to cheerlead for himself on Hack Forums and

take swipes at detractors. Now it had become the missing link tying him to

Mirai.

Peterson still hadn t heard of Dalton Norman. But he now believed he d found

Mirai s two creators. The end of their cybercriminal careers was already in

sight. But the chaos they d invited onto the internet was just beginning.

Illustration of rows of robots a hand pointing and upside down human

silhouettes

Illustration: James Junk, Matthew Miller

once it was fully unleashed and reproducing in the wild, Mirai didn t

immediately break the internet. It took three weeks.

On the morning of October 21, 2016, Allison Nixon was just getting down to work

in Flashpoint s office, an old garment factory on the desolate western edge of

Midtown Manhattan, when a colleague pointed out to her that something was

seriously wrong with the internet.

Specifically, its phone book was broken. The domain name system is the

mechanism that translates human readable domain names into the IP addresses

that actually route internet traffic to the computers where services are

hosted. DNS is what allows you to remember Google.com instead of

2001:4860:4000:0:0:0:0:0, for instance, as the way to tell your browser to load

up a search engine.

On that morning, the DNS of dozens of websites seemed to be crippled. Internet

users across the US were typing names into browsers that needed to be

translated into numbers, and the translators had been knocked out cold.

Something big is happening, Nixon remembers a colleague saying to her. We

need to figure out what s going on.

As Nixon s team tried sending DNS requests to some of the affected sites the

same sprawling collection of news sites, social media, streaming services,

banking sites, and dozens of other major services that Scott Shapiro and

millions of other users were trying in vain to reach they saw that all the

sites used the same New Hampshire based DNS provider, a firm called Dyn.

Although it wasn t yet clear to Nixon at the time, no fewer than 175,000

websites were offline.

Searching for a root cause for this unfolding internet collapse, she checked

the attack logs generated by her sad DVRs by now her team had several of them

serving as bait. Sure enough, she could see that a Mirai variant, one of the

many copycats that had sprouted in the weeks since Paras leaked the source

code, had been relentlessly bombarding the Dyn DNS server for Sony s

PlayStation gaming network. The attack s effects had apparently spilled over to

take down Dyn s entire DNS system. Someone was using their copycat botnet to

troll a video game company typical Hack Forums behavior and the collateral

damage was the worst internet outage the world had ever seen.

The nihilistic, teen-angst-fueled, mega-DDoS that Nixon had always warned about

had finally arrived. We had worked for such a long time in preparation for

that day that it was kind of vindicating, Nixon says. On another level, it

was super, super stressful.

Shortly after the attack on Dyn started, Nixon managed to reach someone at Dyn

and share the evidence pointing to Mirai, a suspect Dyn only had an inkling of

until that point. Dyn staffers, at that moment, were anxious but still

confident that they could handle the problem and get their servers back online.

It was around the same time, still before 9 am eastern, that Dyn truly began to

implode.

DNS records are designed to work like a kind of hierarchical phone tree. Major

services like Google and Comcast have their own DNS servers ready to answer

computers requesting the IP address of a domain, and they only periodically

check in with an authoritative DNS provider in this case, Dyn to make sure

the addresses they re handing out haven t changed. Some services check in

multiple times a minute, while others refer to their last update of DNS data

for hours before refreshing it.

Within minutes of the Mirai attack striking, Dyn was already in trouble, as DNS

servers set to check in every 15, 30, or 60 seconds for new DNS records pounded

the company s overwhelmed authoritative servers. When they didn t get an

answer, they d ask again and again and again. They were designed to expect

answers, after all: An authoritative DNS provider as large as Dyn had never

gone down before.

But as time passed and Dyn s servers stayed down, the chorus of DNS requests

began to include major services that check in only every hour. And then the

ones that check in every two hours. And three. All now joining the mob

incessantly hammering on Dyn s doors. Some internet services had even designed

their DNS systems to automatically spin up new DNS servers to ask for answers

when their existing ones didn t get a response, multiplying the barrage of

queries.

Once the cascading failure started, that s when everyone got very, very

nervous, says one person who was working at Dyn on the day of the attack.

Before that, the graphs looked awkward, but they didn t look catastrophic. But

then they tipped over an edge as major services couldn t get responses, and the

numbers started shooting up to the right.

The Mirai attack, in other words, had set off a chain reaction. The internet s

IP address directory system was DDoSing itself.

At the same time, Dyn began to experience a kind of parallel, human DDoS

attack, as people began demanding answers in almost the same cascading

structure. Angry corporate customers with comatose websites started bombarding

Dyn s phone lines. When management couldn t answer their questions, they echoed

them down the org chart to engineers who were already entirely overwhelmed.

When the ratio of management and client services people looking for answers

versus the number of people who can provide any answers starts to explode, the

Dyn staffer remembers, that s when it really starts to feel like chaos.

Compounding the problem was a coincidence of almost comic timing: A team of Dyn

staffers was, on that very day, waiting for Oracle to sign the paperwork to

close a deal to acquire their company, reportedly for more than $600 million.

No one wanted to be remembered as the middle manager who failed to keep the

internet online on this momentous occasion the first day that the new bosses

were watching. And through all of this corporate panic ran an undercurrent of

rumors that China or Russia was responsible, that they were up against an

all-powerful state-sponsored hacking operation.

Josiah was walking through a dark hallway, still trying to get a shirt over his

head, when he found a flashlight and a gun pointing at his face.

Those rumors were short-lived. So, by some measures, was the outage. By that

afternoon, Dyn had managed to get the attack under control and had started

sending DNS responses piecemeal to its clients, quieting the different networks

clamoring for answers from its servers, one by one.

But the damage left in the wake of the Dyn outage lasted longer. The total

economic cost of a major fraction of the global internet falling offline for

half a day is difficult to measure. Sony, whose PlayStation Network was the

attack s original target, reported an estimated net revenue loss of $2.7

million. Following the attack, there were projections that, for a time, Dyn

lost roughly 8 percent of its contracted web domains more than 14,000 total and

millions in future revenue.

As Paras, Dalton, and Josiah watched a botnet built with their code break the

internet s backbone, they had an array of reactions. Paras remembers being

shocked that it was so easy: The Mirai clone that had carried out the attack

had hit Dyn with fewer than 100,000 devices, just a fraction of the size of

their original botnet. Dalton felt a grim I told you so sense of confirmation

that he d been right about the hazards of releasing the source code, along with

the stress of knowing it was sure to draw more heat but he also noted, with a

hint of pride, that whoever carried out this internet-shaking attack hadn t

even updated their code. There was no innovation at all, he says.

Josiah, who had already had the closest brush with the FBI among the three

young men, was perhaps the most troubled. By then, his family had moved out of

the Pennsylvania countryside into a three-story house in the nearby town of

Washington. That s where, from the basement-level storage room he now used as

his work area, he read about the Dyn disaster, silent with dread and amazement.

As for Elliott Peterson, he spent the day in the FBI s Anchorage office,

fielding calls from every agency and official imaginable. Over the course of a

month, his case had grown from a cybersecurity industry curiosity into an

international clusterfuck, a subject of urgent interest for the Department of

Homeland Security and for reporters asking questions in a White House press

conference.

No one yet knew who had made the copycat Mirai that had attacked Dyn. But

Peterson was confident he already knew who had created Mirai and handed the

code to those attackers. It was time to pay Josiah and Paras a visit.

it was just before 6 am, long before the sun would rise on that mid-January

morning, when Josiah heard the banging on his front door.

For two months, he had been waiting for the raid. He was now keeping a

nocturnal schedule, working at his computer with Paras and Dalton until 3 or 4

in the morning before sleeping until 8 am and then heading into his father s

computer repair shop. But that night, having finally gone to bed after 4 am, he

still lay awake, his mind racing with anxiety.

As the banging started and his older brother hurried upstairs from their shared

basement-level bedroom, Josiah went into the storage room and quickly switched

off his computers. All three of the Mirai creators had been careful to do their

hacking on remote servers and to connect to them only from ephemeral virtual

machines that ran on their own PCs. So he figured that switching the computers

off would erase any lingering data in memory. Then, before turning off his

phone, he sent a message to Paras using the encrypted messaging app Signal:

911.

Josiah slipped on a pair of sweatpants and grabbed a T-shirt. He climbed the

stairs and was walking through a dark hallway, still trying to get the shirt

over his head, when he found a flashlight or rather, he d later learn, a gun

with a flashlight attached to it pointing at his face. Drop the shirt, he

remembers an agent saying.

Josiah was herded onto his front porch, still shirtless, in the cold Western

Pennsylvania winter air, where the rest of his family was already being held.

Black Suburbans filled the street. And there was Elliott Peterson, on the

porch, greeting Josiah in his weirdly gregarious tone. Oh hi, Josiah. I was

hoping we wouldn t meet under these circumstances, Josiah remembers him

saying. But here I am.

After leaving Josiah s flabbergasted family shivering in the cold for several

long minutes, the agents brought them all back inside. As they searched the

house, Josiah managed to get fully dressed and sat in the living room. But even

once he d warmed up, he still couldn t stop shaking. As his secret life finally

came crashing into his family life, he remembers feeling especially embarrassed

that he d left the storage room the FBI was searching so untidy.

Aside from Peterson, Josiah could see that local Pittsburgh FBI officials had

joined the raid as had French special intelligence officers. He d later learn

that French law enforcement had also raided the home of a certain innocent

patsy in France with a server filled with anime.

After a couple hours of searching, the agents hauled away Josiah s computers,

hard drives, and phone, and Peterson asked Josiah and his parents to come into

the dining room to talk. You probably know why I m here, Peterson said.

Josiah responded that he could guess.

The conversation lasted about half an hour. Peterson brought up the Mirai

scanning server, and Josiah deflected again, confessing to nothing. The FBI

agent warned Josiah not to tell anyone about the search not knowing that Josiah

had already sent his 911 warning to Paras. Then he left.

In the silence that followed, Josiah s parents told him it was time to come

clean. During an excruciating 30-minute car ride to their computer repair shop

to start the workday, Josiah confessed everything. His parents listened,

stone-faced, too scared for their son s future to even be angry.

Finally, his father responded: They would have to entrust Josiah s fate to God.

One of the young boys texting 911 to his friend warning him about the FBI raid

Illustration: Joonho Ko

the raid on Paras home came the next day. Peterson had hoped for simultaneous

searches but decided he should be present at both, so he spent the hours after

leaving Josiah s house driving more than 350 miles across Pennsylvania into New

Jersey.

At 6 am, Paras heard the same banging on the front door of his family s house,

where he was home from Rutgers for winter break. Thanks to Josiah s warning,

this second raid had far less of an intimidating effect than the first: Paras

had carefully cleaned up any evidence on his computers and turned them off long

before the FBI agents arrived. In an attempt to find any storage devices Paras

had hidden, the agents brought along an electronics-sniffing dog trained to

smell the glue used in computer hardware components. Paras remembers it wanted

to play with his family s dog, a comical moment that helped dispel any shock

and awe.

When Paras saw Peterson in person, his first response was annoyance that this

chipper FBI agent had come all the way from Alaska to turn his home upside

down. Peterson asked Paras whether Josiah had told him about his search of

Josiah s house the previous day. Peterson assumed Josiah had stayed silent, as

instructed, and he hoped to plant a sense of betrayal in Paras that his friend

hadn t given him a heads-up.

But Paras instead smiled and said that yes, Josiah had warned him, surprising

Peterson. And like his friend the day before, Paras refused to confess to

anything related to Mirai.

Paras family was deeply shaken by the intrusion. But when the agents left, he

assured his parents that it was all a misunderstanding, that he had no idea why

this Alaskan FBI agent seemed so fixated on him. He hadn t done anything wrong.

paras, josiah, and Dalton discussed the raids, and they came to an extremely

optimistic conclusion: that the feds didn t seem to have anything on them. The

searches had been a scare tactic, they agreed, and they had failed.

On the same day the FBI searched Paras home, Brian Krebs had published a

bombshell article suggesting that Paras, potentially with Josiah s help, was

the most likely identity behind Anna-Senpai. Krebs was working his own sources

to piece together many of the same connections the FBI had drawn. But Paras had

denied the accusation in a response to Krebs, and the three hackers, armed with

the incredible hubris of youth, blew off the article as circumstantial

evidence. After all, the FBI had already taken their shot and seemed to have

gotten nothing that could prove their guilt.

As the months passed and they remained free, they made a brazen decision: They

would continue their pivot into the click fraud scheme.

This new venture was turning out to be far more lucrative than Mirai, to a

degree that even they had never imagined. To avoid ties to their overexposed

botnet, they had begun building a new one, this time focused on devices

primarily in the US, given that they could make the most money selling access

to American computers to generate clicks on American ads. By the spring of

2017, they were quietly pulling in $50,000 a month in revenue, paid out in

cryptocurrency by a business partner who seemed to be Eastern European.

Paras and Josiah mostly socked away the money, waiting for an opportunity to

try to launder it through a legitimate business though by then they d finally

given up and killed ProTraf. Dalton was less careful. He spent tens of

thousands of dollars on splurges like a 70-inch flatscreen TV for his parents

he told them he d made the money trading crypto and upgrades to his home

computer, a gaming desktop surrounded by transparent tubes of red coolant to

prevent it from overheating as he supercharged its performance.

Even as the three hackers left Mirai behind, their code continued to plague the

global internet. Mirai attacks hit the UK banks Lloyds Banking Group and

Barclays, intermittently tearing Lloyds offline while Barclays repelled the

onslaught. Another struck the primary mobile telecom provider for Liberia with

about 500 gigabits a second of traffic, taking down much of the West African

country s connectivity.

But Mirai, and its many malicious progeny, were no longer its creators

problem. The three young men had now, finally, hit their stride with a truly

profitable and stealthy form of cybercrime. Dalton made a prediction to

himself: In a year, we ll either be rich, he thought, or we ll be in jail.

One of the young men sitting in the interrogation room with their monster.

Illustration: Joonho Ko

only months later did Josiah hear from Elliott Peterson again. The FBI agent

asked him to come to Anchorage to talk. Prosecutors were suggesting a reverse

proffer session, where they would lay out the evidence against him. By this

point Josiah had a lawyer, who recommended that he take the meeting and not

tell his friends. This time he didn t.

In the summer of 2017, Josiah and his mother flew to Anchorage. The 10-hour

flight was only the second time he d ever been on a plane. On the morning of

the meeting with prosecutors, he arrived at the Anchorage Department of Justice

building in a suit, his mind nearly paralyzed with anxiety. Peterson was there,

and he greeted Josiah and his mother, suggesting fun activities they should

check out while they were in town, as if this were a family vacation.

The Alaskan assistant US attorney who had taken on the Mirai case, a young

prosecutor named Adam Alexander with a background in charging violent crimes

and child exploitation, launched into a PowerPoint presentation projected on a

screen in the front of the conference room. He began by displaying the

sentencing guidelines for violations of the Computer Fraud and Abuse Act,

showing how the prison time scaled up based on the amount of damage caused.

For the millions of dollars in damage Josiah might be held responsible for,

Alexander suggested, he was facing as much as six or seven years in prison for

his first offense.

Alexander began to detail the evidence they had against him. First, they had

his connection to the early Mirai scanning server. Then it went further: On

occasion, it turned out, Josiah had let his guard down in small but revealing

ways, checking on the IP address of another Mirai server directly from his home

computer rather than using a remote virtual machine that would leave no trace

on his PC.

And then there were text messages he and Paras had exchanged during his

pre-Mirai DDoS takedowns of Rutgers network.

Were you still smashing? Josiah had written to Paras at one point.

No. Phone is insecure, Paras had wisely responded. But then, minutes later,

he had asked for Josiah s help in launching another attack: the barely coded

Admiral can you execute my command? message.

After more than an hour, they took a break. Josiah s lawyer told him and his

mother that he strongly advised they seek a plea deal and that Josiah cooperate

with the FBI that he shouldn t push his luck. Josiah, terrified by the

looming threat of years in prison that had been slowly materializing since his

first call with Peterson, immediately agreed.

When they reconvened in a different, much smaller conference room, Josiah told

Peterson and Alexander he was ready to negotiate a deal. They responded that he

d first need to tell them the full, true story of his crimes. To their relief,

he began to detail the entire Mirai conspiracy. The FBI agent and prosecutor

were intrigued to learn more about the key role played by Dalton, who hadn t

until then been a target of their investigation. And they were amazed to hear

that the Mirai crew was now, even after their raids, engaged in an entirely new

click fraud botnet scheme. They had known nothing about it.

Peterson and Alexander told Josiah that if he wanted any chance of a plea deal

still without any promise of avoiding prison he d have to fully cooperate. That

meant helping to collect evidence on his friends.

Josiah, now in survival mode, was ready to do what it took to stay out of

prison. By the time he flew back to Pennsylvania, he was a federal informant.

dalton and paras could tell Josiah was acting strangely. He d never been aloof

or a step behind on any technical questions before. Now, on their group calls,

he was quieter and would inexplicably ask them to break down how their criminal

enterprise worked in unusual detail.

They had their suspicions and did their best to discuss their conspiracy using

only convoluted code words and hypotheticals. But they couldn t bring

themselves to violate the unspoken terms of their friendship by confronting

Josiah or cutting him out of their deal. We both knew something was up,

Dalton says. But we didn t have any proof. I didn t want to fuck him over just

because I was sketched out. After all, this was their old friend, the

legendary LiteSpeed, the one to whom they owed so much for advancing their

careers as botnet masters.

As for Josiah, he says his years of working in his family s computer repair

shop had helped prepare him for his new role as a double agent. When you work

in retail, you re used to putting on a face, he says, talking to people how

they want to be talked to.

When the feds finally arrived before dawn, Dalton was relieved. They found him

in his boxer shorts, wrapped in a pink blanket on a beanbag, watching Star

Wars.

A few weeks later, Paras got his own call from Peterson, with his own offer of

a meeting in Anchorage. Paras told Dalton about the invitation but not Josiah,

whom he d begun to distrust. They agreed that it made sense for Paras to meet

with this FBI agent and see exactly what the feds had on them.

Over the six months since the raid of his home, Paras had remained in denial,

putting on a defiant face but quietly living in a state of latent terror. His

family had never again discussed the traumatic violation of their home by

federal agents, instead pretending it had never happened. They were going

through the motions of being a family, as Paras puts it, but there s this

cloud hanging over everyone s head.

The cloud of silence remained in place as Paras and his father flew to

Anchorage. Along with Paras lawyer, they met with Peterson and Alexander in

the same Department of Justice conference room and got the same cheery hiking

tips from Peterson. Paras tried to maintain an implacable expression as the

prosecutor threw one damning piece of evidence after another onto the screen,

laying out his crimes in front of his father. They showed Paras connections to

the Mirai handles and to Anna-Senpai, and his Fireswap burner account.

Still, Paras told himself that the case was far from clear-cut. Then Alexander

played for the room a series of audio recordings of the three hackers

explicitly discussing their new click fraud venture. One conversation, from a

night when Paras and Dalton had been drinking and let down their guard, was

particularly incriminating. For Paras, it was the first confirmation of Josiah

s betrayal.

Just as with Josiah, the meeting paused for a break after an hour. Paras, his

father, and his lawyer walked across the street from the prosecutor s office

into a small park of paper birch trees in front of the Anchorage Museum. It was

a dismally cold, cloudy day, though Paras says his anxiety had reached a degree

where he was disassociating, barely aware of his surroundings.

Paras lawyer leveled with him: It sounded very much like he was guilty of the

crimes that he had, until then, denied even to his own attorney. Standing there

in the park, Paras finally broke. Huddling with his father and lawyer, he

confessed, tears flowing as he unlocked the shame, guilt, and fear that he d

kept bottled for months.

He asked his father to cut ties with him, begged him to let him face whatever

punishment he had brought on himself alone. His father responded in a voice as

broken as Paras own: He could never do that.

Instead, he and the lawyer both told Paras that there was no other way out now.

His only chance to save himself was to do whatever the FBI and the prosecutors

asked of him.

Unbeknownst to them, Peterson and Alexander had watched the three men speaking

from the window across the street. From Paras body language, they could tell

they d made a breakthrough.

When Paras came back inside, he was a different person, his defenses down. You

re in a hole, Paras, Peterson told him. It s time to stop digging. He was

ready to cooperate.

Alexander asked him whether he had told anyone that he was coming to Alaska,

and he admitted that he d told Dalton. So Alexander and Peterson asked Paras to

call Dalton now, on the spot, on speakerphone, and tell him that he had nothing

to worry about.

Paras did as he was told. Dalton picked up the call. And as the FBI and

prosecutors sat around the table intently listening, Paras assured Dalton that

it was just as they d thought: The feds had nothing on them.

when it was Dalton s turn to be raided, Peterson practically scheduled it with

him. A few weeks before the bang on the door, Yahoo had mistakenly sent Dalton

a letter stating that his old email address had been the subject of a legal

request. For more information, it read, he should contact FBI special agent

Elliott Peterson.

So Dalton preemptively called the FBI agent who d now been stalking them for

nearly a year. Josiah and Paras, playing their roles as supportive friends,

listened in. Peterson picked up the phone, said hello, and immediately

apologized. I wasn t planning on us talking for a couple weeks, he explained.

When Dalton claimed not to know who Peterson was or why his emails were being

read, the FBI agent laughed out loud. We re going to have a great opportunity

to have a chat, he said in the most aggressive version of his usual genial

tone. He ended the call by confirming with Dalton that he was still living at

home, despite having now started college, implying he didn t want to search

Dalton s parents house if he had moved into a dormitory. We try to be

minimally invasive.

Dalton hung up with Peterson. What the fuck was that? he said to Josiah and

Paras, who were still on the group call.

Your ass, Paras responded.

For the next three weeks, Dalton was stricken with nausea-inducing anxiety and

a sense of impending doom. When the feds finally arrived before dawn, he

says, he was actually relieved. They found him in his boxer shorts, wrapped in

a pink blanket on a beanbag, watching Star Wars.

During the search, Dalton says, his anxiety evaporated thanks to his early

swatting experience, it wasn t his first time having law enforcement point a

gun at him and he did his best to show the feds that he wasn t impressed. He

napped on a couch during the FBI s search. When Peterson tried to interview

him, he gave him nothing.

In fact, with plenty of time to prepare before they arrived, Dalton had

physically destroyed all his most sensitive hard drives. The agents found his

beloved water-cooled PC torn apart, its red coolant spilled across his bedroom

floor like blood. He d carefully cached another drive that stored all the

bitcoins earned from their click fraud scheme inside a cat food container,

fully hidden by kibble. Since the container was transparent, the searching

agents didn t think to look inside.

Just as with Paras and Josiah, Peterson told Dalton not to tell anyone about

the search. But Dalton, loyal to the end, tried to send a coded message to

Paras that he d been raided, too: He repeatedly toggled the status of his

account on the Steam video game network on and off in Morse code, spelling

FBI.

Paras saw Dalton s account blinking. But he never got the message. Of course,

even if he had, he d already been working with the FBI for months to collect

evidence on his friend.

dalton soon took his own trip to Anchorage, where he and his parents sat

through Peterson and Alexander s third and final Mirai reverse proffer

presentation. Through an hour of damning chat logs and audio recordings, Dalton

showed no emotion. But when it was over, he knew there was no use resisting.

They had everything.

When Dalton reluctantly agreed to cooperate, Peterson didn t ask him to keep

their arrangement secret from Josiah and Paras. This time, he phoned the other

two. All four of them joined the call.

After months of paranoia, Peterson wanted to clear the air, to tell them that

they were no longer cooperating against one another. They would now all be

working together. Josiah remembers it almost like a reunion: meeting each other

again now that they were all on the other side.

In the call, Josiah and Paras seemed relieved to finally be able to speak

honestly to each other and Dalton after months of subterfuge. Dalton agreed, in

a defeated tone, that yes, he was on board. They would give up all their

hacking tools and dismantle the click fraud botnet, and Dalton would forfeit

the hidden hard drive full of their bitcoins. But Peterson remembers that

Dalton remained quiet and formal, seemingly still processing his anger and

shame at having been cornered by the FBI and surveilled by his friends.

It was only late one night, a few days after Dalton got home to New Orleans,

that he allowed the full reality of his situation to catch up with him. He was

facing a felony conviction. He was going to have to work as a federal

informant. And he was still likely to end up in prison. It felt hopeless.

The person he chose to call to talk this over with, strangely, wasn t Josiah or

Paras, but Peterson. He was trapped, he told the FBI agent in tears. His life

was over.

For the next hour, Peterson, sitting in his living room in Anchorage, found

himself back in his dean of men role, comforting and counseling the young

cybercriminal who d so recently been the target of his investigation.

Peterson asked Dalton about his hopes for the future the where do you see

yourself in five years question of every guidance counselor. Dalton confessed

that beneath his old, secret belief that cybercrime could be his only path in

life, he still hoped that someday he might be able to have a normal, successful

job in technology. Peterson told him that was still possible.

He was super nice, Dalton says. Far nicer than he ever needed to be.

Peterson said he couldn t promise Dalton that it would all be OK. There was

still the possibility of spending years in prison. Regardless, Peterson

reassured Dalton, he could still go to college. He could still do something

rewarding with his talents. His life was not over.

the young men s lawyers had each warned them that, to have any hope of avoiding

prison, they would need to go above and beyond in their cooperation with the

FBI and prosecutors. So once they found themselves on the same team again,

Josiah, Dalton, and Paras threw themselves into working with law enforcement

with the same obsessive energy that they d once put into conquering the

internet of things.

All three were still deeply embedded in the cybercriminal community in fact,

Mirai had turned the personae that Paras had created into celebrities. So to

start, they began helping the FBI target their old associates. It was Paras,

the Mirai creator who had opened Pandora s box by publishing the botnet s

source code, who found himself most actively working undercover to take down

Mirai s copycats.

Because he still controlled the Anna-Senpai handle, Paras was tasked with

reaching out to the creator of one especially prolific Mirai knockoff. The

copycat botnet was controlled by a hacker who lived near Portland, Oregon. He d

been brash enough to reveal his location to Anna-Senpai in their chats, and

even to invite Mirai s creator to hang out if he were ever in town. Paras took

him up on the offer.

At that point, Peterson and Alexander had been tracking the suspect and

believed they knew his identity. But he appeared to have no fixed address he

seemed to have developed a serious drug problem and had admitted to using meth

in his chats with Anna-Senpai and instead roamed around the city from house to

house with little more than a backpack and the laptop he used to manage his

botnet.

After Paras flew to Portland, he suggested to the target of their sting that

they meet at his hotel. Sure enough, the hacker turned up, and the two botnet

admins spent a few hours in Paras room there, swapping stories and hacking

tricks, and even inviting other hacker associates to join the conversation via

Skype. Meanwhile, Peterson and other FBI agents recorded the meeting with

eavesdropping techniques they declined to describe from another room across the

hallway.

Eventually the young Portland hacker suggested they head to a nearby Little

Caesars to eat. When he and Paras walked out of the room, he carelessly left

his laptop open and didn t even bother to close the video chat session with his

hacker friends. Those friends were still watching through the laptop s webcam

when Peterson and another agent came into the room and seized the computer as

evidence. Less than an hour later, the agents stepped out of a black van in the

hotel parking lot and arrested their target as he and Paras returned from their

lunch.

After that Portland sting, some of the hackers who had just watched the

accidental livestream of the hotel raid accused Paras of acting as the FBI s

snitch. But Paras pointed out that it hadn t been his idea to meet up or even

to conveniently go out for pizza arguing that maybe he was in fact the one who

had been set up.

The explanation was convincing enough that Paras managed to pull off subsequent

undercover operations against multiple other cybercriminal suspects across the

country. He says he hardly relished his role in those stings. But nor did he

feel much guilt. I mean, honestly, it was exhilarating, he says. It felt

like something out of a movie.

The FBI and the Justice Department declined to share all of the details of the

investigations that Paras and the other two Mirai creators helped them pursue.

But Peterson summarizes them: We arrested people, and we worked other cases

against IoT botnets, and we shut down other botnets where arrests weren t

feasible, he says. We just did really interesting work.

A zoom screen where the monster is weaving through the views.

Illustration: Joonho Ko

after a few months, when they had run out of undercover cases, Peterson began

to give the team different kinds of tasks, many of them with no direct

relationship to Mirai or their old contacts. They were grateful to find they

were no longer acting as informants, so much as Peterson s new group of

technical analysts.

They started helping the FBI agent with jobs like reverse engineering malware

and analyzing logs to identify botnet victims. They built a software tool that

parsed the blockchain to trace cybercriminal cryptocurrency. In early 2018,

when hackers began to exploit server software known as Memcached to amplify

their DDoS attacks, the Mirai team figured out how to scan for vulnerable

servers that enabled those attacks so that the FBI could warn the servers

owners and help remove a new kind of DDoS ammunition from the internet.

Josiah says that, in this new role, he couldn t help but apply the same

technical perfectionism he had always prided himself on. I enjoy being the

best at this sort of stuff, he says. I thought, If we re going to work on

this, it damn well better work right.

Paras says that, at first, he had immersed himself in Peterson s assignments

even the harrowing undercover ones mostly on his lawyer s advice and as a

distraction from his lingering guilt and shame. To prevent myself from feeling

things, as Paras puts it. But over time, he found that he was able to look at

the work more squarely and to even get some gratification from the good he felt

he was now doing. Peterson s comment to him in Alaska, that he should stop

digging the hole he was in, had stuck. The work for Peterson felt like the

opposite of digging, as he puts it. I wanted to put as much distance as

possible between who I am now and who I was then, he says.

Eventually, when the Mirai crew talked among themselves about their motivation

to work with Peterson, Paras says, it went beyond self-interested survival to a

sense of actual atonement for the harm they d done. It was like, OK, what is

our path to redemption? he says. Maybe this is the start.

The FBI, of course, has a long, unsavory record of exploiting informants and

cooperating defendants many of whom are put in dangerous situations, made to

entrap innocent associates, or end up feeling abandoned or used by their

handlers. The three Mirai hackers felt they were an exception.

As the months passed, they say, they came to see Peterson as a kind of mentor.

He seemed to show real concern for their futures. The strange friendliness he d

displayed while hunting them, they felt, was not an aggressive front but an

actual expression of his humanity. We were very lucky that we got Elliott,

says Dalton. He literally saved my life.

the us criminal justice system has a history of notoriously harsh sentences for

hackers. In 2010, Albert Gonzalez was sentenced to 20 years in prison for

stealing tens of millions of debit and credit card numbers from retailer

networks when he was in his mid-twenties. In 2017, Russian cybercriminal Roman

Seleznev, arrested on vacation at the Maldives airport, was sentenced to 27

years for his own massive theft of credit card data. Even Hector Monsegur, a

front man for the rampaging hacktivist group LulzSec who flipped on his friends

and served as a federal informant for more than two years, was jailed for seven

months longer than some other members of LulzSec in the United Kingdom he had

informed on.

So it was almost a radical act when the prosecutors in the case of Mirai, the

botnet behind several of the biggest cyberattacks in history, asked the judge

to sentence its creators to a total of zero days in prison.

Adam Alexander, the Alaskan assistant US attorney who had flipped each of the

three hackers with PowerPoint presentations full of evidence against them,

explains that his decision was based in part on the fact that none of them had

prior criminal history or substance abuse problems that might have led them to

fall back into old habits. Unlike many defendants, they had strong family

support networks holding them accountable. Most importantly, by the time their

sentencing was approaching in the fall of 2018, they had done more than a

thousand hours of work for Peterson, what Alexander described in a letter to

the judge as extensive and exceptional cooperation. They were kind of

gleefully willing to break the internet, Alexander says. But would putting

any of the three of these young men in prison for 18 to 36 months, and then

wiping our hands of them, have more meaningfully assured that we could prevent

future criminal conduct? I didn t actually think so then, and I still don t

think so today.

Instead, he asked the court to sentence Josiah, Dalton, and Paras to 2,500

hours of community service each over the following five years. They would carry

out that work with the same FBI agent who had supervised their presentence

cooperation period: Elliott Peterson.

In an Anchorage courtroom roughly two years after Mirai had obliterated Brian

Krebs website, a judge handed down that sentence community service, no prison

time to the three 21- and 22-year-olds, along with debts of between $115,000

and $127,000 each in restitution. You re young, you have a lot to give to

society and you have a lot of talent and skill, a judge told the three men

in his Anchorage courtroom that fall day. I hope you use it for good. (Paras

would face separate charges in New Jersey for his attacks on Rutgers, where

prosecutors vehemently argued that he deserved prison time. Alexander

intervened, countering that Paras cooperation with prosecutors and the FBI in

Alaska should be factored into his sentencing in that case, too. The New Jersey

judge ultimately agreed, sentencing Paras to nearly $9 million more in

restitution and six months of confinement at his parents home, but no jail

time.)

On this visit to Alaska, when Peterson again suggested local activities, the

Mirai crew actually took him up on it. That evening they ate together at a

local indie theater restaurant, the Bear Tooth Grill, where they also caught a

screening of a documentary about Google s Go-playing AI just some notorious

hackers and the FBI agent who hunted them down, out for dinner and a movie.

Illustration of three silhouetted humans standing on a watchtower

Illustration: James Junk, Matthew Miller

not long into their five-year community service stint, Peterson says he began

to sense that his three unlikely prot g s were beginning to outgrow him that he

couldn t find enough technical tasks worthy of their talents. So he asked the

Big Pipes anti-DDoS group he d helped create with Allison Nixon if anyone there

had work for them to do. Nixon raised her hand.

When Peterson had first started overseeing the kids as they came to be known

within Big Pipes Nixon had wanted nothing to do with them. She d spent long

enough lurking in the Hack Forums cesspool to be familiar with the toxicity

that flowed freely there and had even been personally harassed by some of the

Mirai team s old associates. They re not nice people, she says of that scene.

You don t want them to know your name.

But after seeing that Peterson had worked with Paras, Josiah, and Dalton for

more than a year and was still willing to vouch for them, she decided to take a

chance and met them on a video call. She found the three young hackers

including the notorious Josiah LiteSpeed White, whom she d tracked for nearly

his entire career polite and eager to please.

She did, in fact, need their programming help: She had an idea for a new kind

of honeypot that would be far more versatile than her sad DVR. She wanted to

create a system where security researchers or analysts could load up any

internet-of-thing device s firmware in a virtual environment to catch new

malware variants.

The tool they built together was called Watchtower. It used a newer technology

called QEMU containerization to spin up quarantined, full-fledged simulations

of DVRs, waiting to be infected. The Mirai team had designed their

internet-of-things malware to detect when it loaded on a software simulation of

a gadget rather than the real thing and to kill its processes rather than give

a researcher any information. But WatchTower s honeypot was designed to look

like a real device in every way that malware could check a seamless, virtual

panopticon in which to observe malware and intercept its master s commands.

It was brilliantly done, says Larry Cashdollar, a security researcher at

Akamai who says the company used Watchtower to obtain and analyze countless new

samples of IoT malware. Eventually Nixon and her Mirai team added in data

contributed from other researchers and members of her Big Pipes DDoS working

group, including machines that acted as honeypots for reflection attacks and

DNS data to identify targeted domains, integrating it all into a real-time DDoS

analysis dashboard. By 2020, they had added a list of domain keywords to

identify attacks on political or voting system targets, and the tool s results

were used to monitor for DDoS attacks throughout that year s election helping

them prepare for any democracy-disrupting big one that many in the security

community still feared.

As for Brian Krebs, when he found out that the three Mirai creators had escaped

jail time and were now essentially working as whitehat security researchers, he

was initially perturbed by what he saw as a lack of accountability.

Trust the process, he remembers Nixon telling him.

What process? Krebs says he responded. This doesn t look like justice to me.

But as time passed and he continued to learn from Nixon and others about the

good work Paras, Josiah, and Dalton were doing, he says he slowly changed his

mind. When I was able to hear about some of the things they came up with, it

was encouraging, he says. I guess that it s the best of all possible

outcomes.

When Nixon moved from Flashpoint to a job at a new security firm, Unit 221B,

she lobbied the company to hire her Watchtower team. By that time, Paras had

gotten a job writing code for a semiconductor company. But Josiah and Dalton

both began working for Nixon full time as security researchers on contract, on

top of their community service work.

Of course, even as the Mirai crew joined the legitimate security industry, many

of the new botnets that they were now monitoring with Watchtower were, in fact,

variants of their own monstrous creation. Like Josiah s Qbot code before it,

Mirai had become the best, cleanest code base for anyone trying to build their

own massive collection of hacked machines, and all manner of digital miscreants

proceeded to pick it apart, repurposing its components to wreak havoc. There

are pieces of Mirai everywhere now, says Chad Seaman, a security researcher at

Akamai and an early member of the Big Pipes working group.

Companies still face near-constant attacks from Mirai descendants, Seaman says.

Because those botnets are generally still fighting over the same vast but

splintered collection of vulnerable internet-of-things devices, none of them is

nearly as big as the original Mirai. Nor has any of Mirai s progeny ever again

managed to surprise defenders to the degree Mirai did.

But their attacks still plague the internet, adding to the millions of dollars

a year that companies pay in DDoS protection. The arsonists have turned over a

new leaf, Akamai s Seaman summarizes. The wildfires continue to rage.

Epilogue

in the years after he sat in his Connecticut home and watched his digital life

implode, Scott Shapiro became a kind of Mirai fanatic. The Yale Law professor

eventually read the source code that Paras published on Hack Forums, printing

it out, poring over its mechanics, and marveling at its well-polished design.

Years later, he would write a case study of Mirai in his book Fancy Bear Goes

Phishing, which tells a history of the internet through a series of

extraordinary hacking events.

Among other things, Shapiro now sees the Mirai case as a rare model of actual

restorative justice in cybercriminal law. It shows, he argues, a positive

alternative to putting young hackers in prison when, in many cases, their

online behavior contrasts so sharply with their real-world selves. Yes, the

internet can seduce good people into doing bad things. But perhaps the split

personalities it creates also leaves more room for redemption in the offline

world. Perhaps it even means more cybercriminals like the Mirai crew can be

reformed and put to work fixing the problems they caused. This was an

experiment. It worked out really well, Shapiro says. I would like to see more

of it.

One afternoon in early December of 2021, three years into the Mirai creators

five years of probation, Shapiro invited Josiah, Paras, Dalton, and Elliott

Peterson to speak to his Yale cybersecurity law class over Zoom. It would be

the first time the four of them had appeared together in a semipublic setting

other than a courtroom.

At first, Peterson did most of the talking, telling the story of the case and

his investigation in a 45-minute presentation. Then he finished and the group

took questions from the students.

One asked how this group of young adults with no criminal records had justified

to themselves carrying out such epic acts of digital disruption. Paras answered

for all of them, explaining how incremental it had all felt, how easy it had

been to graduate from commandeering hundreds of hacked computers to thousands

to hundreds of thousands, with no one to tell them where to draw the line.

There was never a leap, he says. Just one step after another.

Another student asked how they had kept going for so long how they believed

they could evade the FBI even after they had been raided. This time it was

Dalton who answered, overcoming his anxiety at speaking in front of crowds, in

part thanks to better treatments that have helped to alleviate his stutter. He

explained to the class that they had simply never faced an obstacle to their

hacking careers that they hadn t been able to surmount that, like teenagers who

have no experience of aging or death and therefore believe they ll live

forever, they had come to feel almost invincible.

Throughout the presentation, Shapiro says, he was struck by the youthful

nervousness of the three Mirai creators and the fact that, even as they spoke,

they never turned on their webcams. The hacker threat that he d once been sure

must be the Russians, that had felt so large and powerful, was just these

young boys, he realized. Young boys who don t want to show their faces.

Paras would later explain to me that he wasn t exactly trying to hide. He just

doesn t want to associate his face with Mirai anymore. He s since lost more

than 30 pounds, ditched his glasses, grown a trim beard; he d prefer to let his

old image, the pudgy bespectacled kid pictured in Brian Krebs story about

Anna-Senpai, be the one tied to Mirai.

As of the end of October, all three of the Mirai hackers periods of probation

have ended. Paras Jha and Josiah White work together for a high-frequency

financial trading company. Dalton Norman still holds his job working for

Allison Nixon at Unit 221B. But they all plan to continue maintaining and

updating Watchtower, perhaps their most lasting contribution to undoing some of

the damage they ve done.

I m grateful for the chance to try to put the genie back in the bottle,

Josiah says.

He also admits that s probably impossible. Even now, he and Dalton and Paras

know that fragments of the monster they built still haunt the internet. Mirai

no longer comes from the future. Instead, it stubbornly hangs on from the past.

Someday, they hope to leave it there.

This article appears in the December 2023/January 2024 issue.