Botnet bandits drop dimes on cybercrimes


The story of three American teenagers who banded together to create the devastating Mirai botnet serves as a cautionary tale of technically minded youths led astray.

Now, in a twist, a court has sentenced the three men to just five years of probation, with prosecutors citing their "extraordinary assistance and cooperation" with the FBI on other cybercrime investigations over the past year.

Paras Jha, Josiah White and Dalton Norman are apparently so good at tracking and identifying criminal botnet activity that the government would rather they continue their work. The Department of Justice requested that the court bump their community service requirements from 200 hours to 2,500 hours and define community service to include continuing their work with the FBI on cybercrime and cybersecurity cases.

"The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world," said U.S. Attorney Bryan Schroder in a statement announcing the sentence.

In court documents, U.S. lawyers revealed that the trio has spent the past year working closely with the FBI's Anchorage, Alaska, office, applying the same skillset they once used as cyber criminals to find "novel ways" to crack down on botnet crime.

The three men worked "exhaustively" to identify botnet operators and proxy networks used to launch distributed denial-of-service attacks since being arrested and pleading guilty in 2017 to multiple violations of the Computer Fraud and Abuse Act, said Adam Alexander, assistant U.S. attorney for Alaska, where the case was investigated. 

"By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods," Alexander wrote in court documents.

Alexander also credited them with helping to mitigate a new attack vector using memcached servers capable of exponentially amplifying DDoS attacks. The vulnerability, which security researchers at the time characterized as "rare," led to a series of massive DDoS attacks in Europe and the U.S. earlier this year.

The three worked with the FBI and security vendors to identify vulnerable servers and communicated with affected companies to quickly and drastically curb the volume and effectiveness of the attack to "mere fractions" in a matter of weeks. The defendants also helped reverse engineer botnet computer code, developed tools to help law enforcement examine cryptocurrencies, participated in briefings with companies and security researchers and reconfigured data seized from another notorious botnet, Kelihos, so that law enforcement could identify and notify victims.

Jha, White and Norman pleaded guilty in December 2017 to hijacking hundreds of thousands of internet-connected devices in order to execute DDoS attacks against businesses and competitors in service of extortion and click-fraud schemes. Their botnet, nicknamed Mirai, was substantially more powerful and sophisticated than others, and investigators characterize its activities against U.S. and European hosting companies in September 2016 as "the largest such [DDoS] attack ever recorded."

While attempting to throw investigators off of his trail, Jha posted the source code for Mirai to the internet in September 2016, a step that prosecutors called "the most damaging and significant acts," noting that the code has since "become the progenitor to countless descendant variations" of botnets worldwide.

In a Sept. 18 post, cybersecurity company Kaspersky Lab said that Mirai code still serves as "cybercriminals preferred option" for downloading malware onto internet-connected devices.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
