Satori Botnet Creator Sentenced to 13 Months in Prison

mirai variant operator prison

The creator of the Satori/Okiru, Masuta and Tsunami/Fbot botnets has been sentenced to prison for compromising hundreds of thousands of devices.

A 22-year-old man has been sentenced to more than a year in prison for developing Mirai botnet variants that compromised hundreds of thousands of devices worldwide.

The man, Kenneth Currin Schuchman, of Vancouver, Wash., was sentenced to 13 months in prison after pleading guilty to creating and operating the Satori/Okiru, Masuta and Tsunami/Fbot botnets. The botnets are considered “successors” to Mirai, as they use the same source code as the infamous botnet.

Schuchman added additional features to the botnets over time, so that they grew more “complex and effective,” according to the Department of Justice (DoJ) on Thursday: “The defendant used the botnets to facilitate DDoS attacks, which occur when multiple computers acting in unison flood targeted computers with information to prevent them from being able to access the internet,” according to the DoJ’s press release.

Two of Schuchman’s criminal associates have also been charged for their roles in developing and operating these botnets to conduct distributed denial of service (DDoS) attacks, according to the DoJ. These associates are Aaron Sterritt, (also known by the alias “Vamp” or “Viktor”), who is a U.K. national, and Logan Shwydiuk, (known as “Drake”), a Canadian national.

Schuchman engaged in criminal botnet activity since at least August 2017, during which he both rented out the internet-of-things (IoT) botnets and operated them himself. Following his arrest in August 2018, Schuchman continued to engage in criminal botnet activity, and violated several other conditions of his pretrial release, the DoJ said.

Satori/Okiku was first identified by Check Point researchers in November 2017. In December 2017, researchers at Qihoo 360 Netlab said Satori had infected more than 280,000 IP addresses in a 12-hour period and had gained control over 500,000 to 700,000 IoT devices. Then in December 2017, researchers identified a vulnerability in a Huawei home-router model that was being exploited to spread Satori/ Mirai Okiru. In 2018, researchers then linked the hacker behind Satori as the same one behind another botnet family, Masuta and PureMasuta.

All these botnets are variants to Mirai, which was used in the 2016 DDoS attacks that targeted DNS provider Dyn and caused several well-known websites – including Twitter, Spotify and Netflix – to go dark for hours. New Mirai variants continue to pop up, taking down technology such as routers, internet-based companies such as DNS providers, business sectors such as financial services, and horizontal players such as enterprise companies, to name a few.

The botnet activity continues as more insecure IoT devices hit the market, and as DDoS attacks grow. On June 21, in fact, Akamai said it mitigated the largest packet per second (PPS) DDoS attack ever recorded on its platform. The attack generated 809 million packets per second (Mpps), targeting a large European bank.

As part of his trial, Schuchman previously pleaded guilty to one count of fraud and related activity in connection with computers, in violation of the Computer Fraud and Abuse Act.  As part of his sentence, he has also been ordered to serve a term of 18 months of community confinement following his release from prison and a three year term of supervised release.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles