The three men who created and ran the original Mirai botnet back in 2016 have avoided prison sentences after cooperating with the FBI and providing "substantial assistance in other complex cybercrime investigations," the US Department of Justice (DOJ) said on Tuesday.
The malware would assemble infected systems into a giant botnet, which the trio used to launch DDoS attacks or rented out to other users for the same purpose. Investigators also said the three used the botnet for click fraud, using the routers to "click" on ads on websites that earned them revenue.
The attacks were some of the largest that ISPs and DDoS mitigation providers had seen to date, bringing a lot of media attention to the Mirai malware and its botnet, estimated at around 300,000 bots at the time.
Even though the trio released the source code of the original Mirai malware online in an attempt to cover their tracks, authorities eventually succeeded in tracking down the three suspects.
The FBI questioned Jha in January 2017 and filed charges a few months later in May 2017.
But in a sentencing memorandum filed last week, before yesterday's DOJ announcement, US authorities say the three had been collaborating with the FBI since their guilty plea last December.
The DOJ says Jha, White, and Norman had helped the FBI in several cybersecurity matters. The court documents don't give specific names and dates for the incidents in which the three helped authorities, but any cybersecurity expert reading the document can spot investigations around the wave of Memcached-based DDoS attacks, the DDoS attacks that usually happen on Christmas, and the VPNFilter botnet, which the DOJ mentioned as the work of a foreign nation-state advanced persistent threat (APT). The FBI previously attributed the VPNFilter botnet to Russian intelligence.
For their extensive work with authorities, the DOJ rewarded the three with sentences that don't include any prison time. Jha, White, and Norman were each sentenced to a five-year period of probation and 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and made to forfeit "significant amounts" of cryptocurrency seized during the investigation.
As part of the lighter sentence, the three must also continue their work with the FBI and the cyber-security industry.