Paras Jha, Josiah White, and Dalton Norman admitted to one count of conspiracy in plea agreements filed earlier this month.
Former Rutgers University student Paras Jha, left, leaves the Clarkson S. Fisher Building and U.S. Courthouse after his hearing in Trenton, New Jersey, on December 13, 2017.
He also pleaded guilty on Wednesday in federal court in New Jersey to hacking that repeatedly shut down the Rutgers University computer system between 2014 and 2016, paralyzing the school's networks for days at a time.
Prosecutors said Jha had sold the botnet to other criminals online, as well as threatening companies with similar DDoS attacks unless they paid.
Jha and his co-conspirators also sought financial gain, renting the botnet out to other criminals.
Jha and Norman were additionally charged in the District of Alaska with conspiracy to violate the Computer Fraud & Abuse Act for infecting more than 100,000 primarily USA -based devices, including home Internet routers, with malware that allowed the victims to be utilized in advertising fraud known as "clickfraud".More news: Samsung's Galaxy S9 range gets a mega-leak
While the Federal Bureau of Investigation helped spearhead the campaign, the Mirai Botnet and Clickfraud Botnet cases are now primarily in the hands of prosecutor and Assistant U.S. Attorney Adam Alexander of the District of Alaska, and Trial Attorney C. Alden Pelker of the Computer Crime and Intellectual Property Section of the Criminal Division.
Mirai is best known for the havoc wreaked on online businesses using unsecured IoT devices, but the trio also faced charges for using the botnet for online ad click-fraud. The amount would be worth about $3.4 million today. The attacks had caused at least $5,000 in damages, the district attorney said in Jha's plea agreement.
Jha's attorney, Robert Stahl, said Jha "is a brilliant young man whose intellect far exceeded his emotional maturity" and that he is "extremely remorseful and accepts responsibility for his actions". The three used Mirai, named after an anime series, to conduct denial-of-service (DDoS) attacks in order to flood and in turn disrupt the Internet connection of the targeted devices.
From September to October 2016, Jha made Mirai's source code public on forums for cybercriminals, allowing anyone to use it, using names like "ogmemes" and "Anna Senpai".
In a statement, Rutgers said no data was compromised and that it had made "substantial improvements" to its technology infrastructure.