On December 13, 2017, federal authorities announced three individuals had entered guilty pleas in connection with multiple cyberattacks that targeted Internet of Things (“IoT”) devices across the world as well as the computer networks of Rutgers University. New Jersey resident Paras Jha, Pennsylvania resident Josiah White, and Louisiana resident Dalton Norman each pled guilty to charges of conspiring to violate the Computer Fraud & Abuse Act (“CFAA”) in U.S. District Court for the District of Alaska in connection with their operation of the so-called Mirai Botnet in 2016. A botnet is a collection of devices infected with malicious software that can then be controlled as a group without the permission of the devices’ owners. According to the criminal information filed in the District of Alaska, Jha, White, and Norman exploited vulnerabilities in hundreds of thousands of IoT devices, and then harnessed the botnet to conduct several distributed denial-of-service (“DDoS”) attacks. The defendants’ alleged involvement with the original Mirai variant reportedly ceased in the fall of 2016 after Jha posted its source code on an online forum for cybercriminals. Jha and Norman also pled guilty to additional CFAA conspiracy charges in the District of Alaska in connection with malware attacks that infected over 100,000 computing devices between December 2016 and February 2017, effectively “hijacking” the devices for use in so-called “clickfraud” schemes used to artificially generate advertising revenue.
Jha also pled guilty to violating the CFAA in U.S. District Court for the District of New Jersey in connection with a series of attacks on the networks of Rutgers University between November 2014 and September 2016. According to federal authorities, Jha’s attacks effectively shut down the university’s central servers multiple times, causing significant disruptions to the school’s operations. In announcing the guilty pleas, Department of Justice officials acknowledged the investigative assistance of U.K. and French government agencies, as well as several private companies. U.S. v. Jha, 17-cr-00164 (D. Alaska); U.S. v. Jha, 17-cr-00163 (D. Alaska); U.S. v. Jha, 17-cr-00529 (D.N.J.); U.S. v. Norman, 17-cr-00167 (D. Alaska); U.S. v. Norman, 17-cr-00166 (D. Alaska); U.S. v. White, 17-cr-00165 (D. Alaska)