Mirai

A 29-year-old man pleaded guilty in court on Friday to hijacking over 900,000 routers from the network of Deutsche Telekom, according to several reports in the German press [1, 2, 3, 4].

The man is the hacker known as BestBuy, also known as Popopret. German authorities have not released the man's name but referenced him under the nickname Spiderman, which the hacker used when registering the domain names he relied on to hijack and control Deutsche Telekom's routers.

BestBuy hijacked Deutsche Telekom's routers with a custom version of the Mirai IoT malware that he modified himself.

Hacker never intended to make routers go offline

The hacker admitted in court that he never intended for the routers to cease functioning. He only wanted to silently control them so he could use them as pawns in a DDoS botnet. Accidentally, the Mirai malware he deployed on the affected routers made them go offline, causing Internet interruptions to thousands of homes and businesses in Germany.

A week later, he did the same thing to over 100,000 routers belonging to multiple UK ISPs, although he wasn't officially charged with those crimes.

UK police arrested BestBuy at a London airport at the end of February. He was extradited to face charges pressed by German authorities. German police from the city of Cologne identified the suspect and issued the international arrest warrant.

Hacker says a Liberian ISP hired his services

On Friday, July 21, BestBuy pleaded guilty. According to German media, the hacker also provided more information about his operations.

In court, BestBuy said he hijacked Deutsche Telekom routers because he needed more firepower for his DDoS botnet. The hacker said he was hired by a Liberian ISP to carry out DDoS attacks on local competitors. He said the Liberian ISP — currently unidentified/unnamed — paid him $10,000 to DDoS its competitors.

At the time, BestBuy was advertising and renting access to his Mirai botnet online. Prior to entering the DDoS business, BestBuy was a well-known figure in the criminal underworld, where he became famous for coding and selling the GovRAT malware that was used to hack several US government agencies, according to an InfoArmor report.

Journalist says he identified BestBuy's real-life persona

Earlier this month, infosec investigative journalist Brian Krebs published an article claiming that BestBuy was a UK man named Daniel Kaye.

BestBuy's sentencing hearing is scheduled for next Friday, July 28. The hacker faces up to ten years in prison.

Below is a reconstruction of events:

Early September 2016 - original Mirai IoT malware spotted online
Late September 2016 - a Mirai botnet was used to DDoS the blog of infosec investigative journalist Brian Krebs and the infrastructure of French hosting provider OVH
Early October 2016 - hacker Anna-senpai releases the source code of the Mirai malware online on HackForums
Early November 2016 - BestBuy starts advertising his DDoS-for-hire services, which utilize a massive botnet of 400,000 Mirai-infected hosts
Early November 2016 - a Mirai botnet attacks some Liberian ISPs
Late November 2016 - a buggy version of the Mirai malware causes 900,000 Deutsche Telekom routers to go offline in Germany
Early December 2016 - another buggy version of Mirai causes over 100,000 routers to go offline in the UK. Routers belonged to UK Postal Office, TalkTalk, and Kcom ISPs.
Late February 2017 - UK police arrest hacker BestBuy
Late July 2017 - BestBuy pleads guilty in a German court <-- You're here

Update July 28: A German judge sentenced BestBuy to a suspended prison sentence of one year and eight months. His identity was also confirmed as Daniel Kaye.