A US-based man has pleaded guilty to creating a giant botnet that was used to disrupt access to much of the web in October 2016.
The Mirai malware also caused havoc later last year when it was used to stop people’s internet routers working.
Paras Jha has admitted working with others to infect more than 300,000 devices and using them to carry out distributed denial of service (DDoS) attacks and other criminal activity.
He has yet to be sentenced.
Two other people – Josiah White and Dalton Norman – have also agreed to plead guilty to using the botnet for criminal gain.
The details were revealed in documents filed in May but which have only now been unsealed by an Alaskan court.
Security blogger Brian Krebs has published additional information stating that Jha is 21 years old and from New Jersey, while White is 20 years old and from Washington, Pennsylvania. The two used to run a company that marketed itself as a means to mitigate incoming DDoS attacks.
According to the plea agreement, Jha admitted writing Mirai’s code in or about July 2016, before working with others to use it to flood targets against whom he had a grudge with internet traffic.
The papers say he has also acknowledged renting the botnet to others for a fee, as well as using it to extort money from internet hosts and others by demanding payment to halt attacks.
White has admitted adding scanning functionality to the code in August, allowing the malware to identify further vulnerable devices to infect.
And in September, New Orleans-based Norman expanded the size of Mirai to more than 300,000 devices by helping the other two men take advantage of vulnerabilities they had not been aware of.
In September or October, the documents say, Jha posted Mirai’s code online in an effort to create plausible deniability if his equipment was seized by the police.
The botnet then grew further and was subsequently used against Dyn – a company that effectively provides the internet’s address books, making it possible for users to type in a website address and be connected to the computer servers holding the content they want.
The result was that, for a time, many sites – including Reddit, Twitter, Amazon, Netflix and the BBC – became inaccessible to many visitors.
The three men have not been accused of carrying out this attack themselves.
Over the following months the malware was also used to expose a flaw present in millions of routers, preventing homes and businesses from connecting to the net.
“Mirai will be seen in future as the first major botnet that used the growing army of the internet of things [IoT],” commented Prof Alan Woodward, a cyber-security expert at Surrey University.
“It demonstrated just how vulnerable many of the cheap, internet-connected devices were to hackers who wanted to co-opt them to conduct massive attacks.
“Derivatives of Mirai live on today, with new IoT devices often targeted to see if a new variant of the botnet can be recreated, presumably to cause an equal amount of disruption.”
Under the terms of the plea, Jha faces up to 10 years in jail.
That includes time for separate attacks he carried out against Rutgers University’s internet network, which he has also admitted, as detailed by the New Jersey Ledger newspaper.
Norman and White both face up to five years in prison.