Paras Jha has been ordered to pay $8.6 million for his part in the creation of the Mirai botnet malware. The computer science graduate took down internet services at his former university, Rutgers.
As well as the payments, Jha will have to complete 2,500 hours of community service and will be confined to his home for six months.
According to KrebsOnSecurity, a victim of the attack, Jha told investigators he carried out the attacks for personal reasons. According to his sentencing memo, the second attack was used to delay his calculus exam. Jha was also the co-founder of anti-DDoS provider ProTraf Solutions.
Jha created the malware with two known co-conspirators. The purpose was to infect insecure IoT devices to perform a denial-of-service attack. This led to the Dyn cyberattack in October 2016, when services such as Amazon, Airbnb, HBO, and Spotify became unavailable across North America.
A Lenient Sentence?
Many will be asking why Jha and his friends didn’t get harsher sentences. The answer is that they collaborated with the FBI in several cybercrime investigations, providing ‘substantial assistance’.
The trio were previously hit with five years of probation, 2,500 hours of community service, and $127,000 in fines. However, that decision was handed down by an Alaska court, while today’s comes from a New Jersey court for Jha’s Rutgers attacks.
It’s unlikely Jha will ever pay back the damages, but his actions are likely to burden him with debt for the rest of his life. However, the consequences of the source code release are also ongoing.
The creators released the Mirai source code online to throw off investigators, allowing variants to appear. Last February, a variant of the Mirai botnet was found that uses Windows PCs to find new targets. Unlike IoT devices, PCs have the power to try default usernames and passwords much more quickly.
It’s likely that variants of the malware will appear well into the future as other hackers implement it in new ways.