The creator of the prolific and infamous Mirai botnet, which wreaked havoc across the globe last year, enslaving hundreds of thousands of vulnerable IoT devices to launch large-scale DDoS attacks, has reportedly been revealed. Mirai's creator, who adopted the online identity of Anna Senpai, is allegedly Paras Jha, the head of the DDoS protection service ProTraf.
According to security researcher and journalist Brian Krebs, who spent months investigating the attacks in efforts to uncover Mirai's author, Jha and ProTraf's employees were reportedly involved in an elaborate corporate espionage-like scenario. The firm is believed to have been muscling in on its competition, launching targeted attacks intended to ensure that customers of other DDoS protection firms are forced to abandon ship and sign up for ProTraf's services.
"The first clues to Anna Senpai's identity didn't become clear until I understood that Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years," Krebs wrote in his blog.
Krebs explained that a hacker group named "lelddos" was involved in numerous DDoS attacks on firms protecting Minecraft servers, including San Francisco-based ProxyPipe. The firm was hit with a DDoS in 2014 by lelddos.
Muscling out the competition
According to Krebs, "Mirai's ancestors had so many names because each name corresponded to a variant that included new improvements over time. In 2014, a group of internet hooligans operating under the banner 'lelddos' very publicly used the code to launch large, sustained attacks that knocked many Web sites offline. The most frequent targets of the lelddos gang were Web servers used to host Minecraft, a wildly popular computer game sold by Microsoft that can be played from any device and on any internet connection."
ProxyPipe VP Robert Coelho said in 2015 the firm's clients were attacked by an IoT botnet called Qbot. The attacks were allegedly linked to threats made by Christopher "CJ" Sculti, Jr, the owner of a competing DDoS protection firm called Datawagon, which hosted its servers on the same internet space claimed by ProTraf.
"According to Coelho, ProTraf was trying to woo many of his biggest Minecraft server customers away from ProxyPipe," Krebs wrote. "Coelho said he believes the main members of lelddos gang were Sculti and the owners of ProTraf.
"Coelho said the Mirai attacks on ProxyPipe caused many customers to switch to other Minecraft servers, and Coelho estimates the attack cost the company between $400,000 and $500,000."
Krebs' investigation led him to uncover that the massive Mirai attacks against French web hosting firm OVH in September 2016 were also aimed at Minecraft servers hosted by the firm. The attacks coincided with a two-week-long siege that took down Krebs' site.
Krebs' investigation digs deeper into Jha's history, from a budding programmer to a more confident and almost arrogant black-hat hacker with a penchant for Japanese anime. Jha allegedly named the Mirai malware after the anime series Mirai Nikki.
The long and winding tale of Mirai's exploits, and of how and why they originated, sheds light on the multifaceted nature of cybercrime. Krebs said: "If you've ever wondered why it seems that so few internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who's done what to whom (and why) in the online era is tremendous."