The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story

Netflix, Spotify, Twitter, PayPal, Slack. All down for millions of people. How a group of teen friends plunged into an underworld of cybercrime and broke the internet—then went to work for the FBI.

Early in the morning on October 21, 2016, Scott Shapiro got out of bed, opened his Dell laptop to read the day’s news, and found that the internet was broken.

Not his internet, though at first it struck Shapiro that way as he checked and double-checked his computer’s Wi-Fi connection and his router. The internet.

This article appears in the December 2023/January 2024 issue.

The New York Times website was offline, as was Twitter. So too were the websites of The Guardian, The Wall Street Journal, CNN, the BBC, and Fox News. (And WIRED.) When Twitter intermittently sputtered back online, users cataloged an alarming, untold number of other digital services that were also victims of the outage. Amazon, Spotify, Reddit, PayPal, Airbnb, Slack, SoundCloud, HBO, and Netflix were all, to varying degrees, crippled for most of the East Coast of the United States and other patches of the country.

Shapiro, a very online professor at Yale Law School who was teaching a new class on cyber conflict that year, found the blackout deeply disorienting and isolating. A presidential election unlike any other in US history loomed in just under three weeks. “October surprises” seemed to be piling up: Earlier that month, US intelligence agencies had jointly announced that hacker breaches of the Democratic National Committee and Hillary Clinton’s presidential campaign had in fact been carried out by the Russian government. Meanwhile, Julian Assange’s WikiLeaks had been publishing the leaked emails from those hacks, pounding out a drumbeat of scandalous headlines. Spooked cybersecurity analysts feared that a more climactic cyberattack might strike on Election Day itself, throwing the country into chaos.

Those anxieties had been acutely primed just a month earlier by a blog post written by the famed cryptographer and security guru Bruce Schneier. It was titled “Someone Is Learning How to Take Down the Internet.”

“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet,” Schneier, one of the most highly respected voices in the cybersecurity community, had warned. He described how an unknown force appeared to be repeatedly barraging this key infrastructure with relentless waves of malicious traffic at a scale that had never been seen before. “These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation-state. China or Russia would be my first guesses.”

Now it seemed to Shapiro that Schneier’s warning was coming to fruition, right on schedule. “This is the attack,” he remembers thinking. Was it “the big one?” he asked himself. Or was it perhaps a test for the true “big one” that would hit on November 8? “Obviously, it has to be a nation-state,” Shapiro thought. “It has to be the Russians.”

For Shapiro, the internet outage was a kind of turning point: In the months and years that followed, he would become obsessed with trying to understand how someone could simply stamp out such a large swath of digital connectivity across the world, who would do such a thing, and why. But meanwhile, a little less than 500 miles west of Shapiro’s Connecticut home, in the town of Washington, Pennsylvania, another sort of observer was watching the attack unfold.

After a typical sleepless night at his keyboard, 19-year-old Josiah White sat staring at the three flatscreen monitors he’d set up on a workbench in a messy basement storage area connected to the bedroom he shared with his brother in their parents’ house. He was surrounded by computer equipment—old hard drives and a friend’s desktop machine he had offered to fix—and boxes of his family’s toys and Christmas tree ornaments.

For weeks, a cyber weapon that he’d built with two of his young friends, Paras Jha and Dalton Norman, had wreaked havoc across the internet, blasting victims offline in one unprecedented attack after another. As the damage mounted, Josiah had grown accustomed to the thrills, the anxiety, the guilt, the sense that it had all gotten so absurdly out of hand—and the thought that he was now probably being hunted by law enforcement agencies around the world.

He’d reached a state of numbness, compartmentalizing his dread even as he read Bruce Schneier’s doomsday post and understood that it was describing his own work—and now, even as a White House press secretary assured reporters in a streamed press conference that the Department of Homeland Security was investigating the mass outage that had resulted directly from his actions.

But what Josiah remembers feeling above all else was simply awe—awe at the scale and chaotic power of the Frankenstein’s monster that he and his friends had unleashed. Awe at how thoroughly it had now escaped their control. Awe that the internet itself was being shaken to its foundations by this thing that three young hackers had built in a flurry of adolescent emotions, whims, rivalries, rationalizations, and mistakes. A thing called Mirai.

Part One

None of the three young men who built Mirai fit the profile of a cybercriminal, least of all Josiah White, who could lay perhaps the most direct claim to being its inventor. Josiah had grown up in a rural county an hour south of Pittsburgh. He was the youngest of four children in a close-knit Christian family, all homeschooled, as his mom put it, to better “find out how God had created them and what he had created them to pursue.” She describes the thin, dark-haired baby of the family as a stubborn and independent but unusually kind child, who would sit beside the new kid in Sunday school to make them feel welcome.

Josiah’s father was an engineer turned insurance salesman, and the family lived in a fixer-upper surrounded by woods and farmland. As early as he can remember, Josiah followed his father around the house while he tinkered and made repairs. In 2002, when he was 5, Josiah was delighted to receive for Christmas the components of an electrical socket. Later his parents gave him a book called 101 Electronics Projects, and he would beg his mother to drive him to RadioShack, arriving with a shopping list of breadboard componentry. Before he was 10, he was advising his father on how to wire three-way switches.

Josiah’s father would take him along to their church’s “car ministry,” where they’d repair congregants’ cars for free and refurbish donated vehicles for missionaries. Josiah would stand in the corner of the shop, waiting for the foreman to give him a task, like reassembling a car’s broken water pump.

Josiah reveled in impressing the adults with his technical abilities. But he was always drawn to computers, cleaner and more logical than any car component. “You give it an input, you get an output,” he says. “It’s something that gave me more control.” After years of vying for time on his family’s computer, he got his own PC when he was close to his 13th birthday, a tower with a Pentium III processor.

Around the same time, Josiah’s brother, seven years older than him, figured out how to reprogram cell phones so they could be transferred from one telephone carrier to another. Josiah’s brother started to perform this kind of unlocking as a service, and soon it was so in demand that their father used it to launch a computer repair business.

By the time he was 15, Josiah would work in the family’s shop after school, setting up Windows for customers and installing antivirus software on their machines. From there, he got curious about how HTML worked, then began teaching himself to program, then started exploring web-hosting and network protocols and learning Visual Basic.

As wholesome as Josiah’s childhood was, he felt at times that he was being raised “on rails,” as he puts it, shepherded from homeschooling to church to the family computer shop. But the only rules he really chafed against were those set by his mother to limit his computer time or force him to earn internet access through schoolwork and household chores. Eventually, on these points, she gave up. “I sort of wore her out,” he says. She relented in part because a hands-on understanding of the minutiae of computing was quickly becoming essential to the family business. Josiah, now with near-unlimited computer time, dreamed of a day when he’d use his skills to start a business of his own, just as his brother had.

In fact, like most kids his age, much of Josiah’s time at the keyboard was spent on games. One of them was called Uplink. In it, the protagonist is a freelance hacker who can choose between two warring online movements, each of which has built a powerful piece of self-spreading code. One hacker group is bent on using its creation to destroy the internet. The other on stopping them. Josiah, not the sort of kid to do things in half measures, played through the game on both sides.

Immersing himself in that cyberpunk simulation—and learning about famous hackers like Apple cofounder Steve Wozniak and Kevin Mitnick, who had evaded the FBI in a cat-and-mouse pursuit in the 1990s—cultivated in Josiah’s teenage mind a notion of hacking as a kind of secret, countercultural craft. The challenge of understanding technical systems better than even their designers appealed to him. So did the subversive, exploratory freedom it offered to a teenager with strict Christian parents. When he googled a few hacking terms to learn more, he ended up on a site called Hack Forums, a free-for-all of young digital misfits: innocent explorers, wannabes, and full-blown delinquents, all vying for clout and money.

On the internet of 2011, the most basic trick in the playbook of every unskilled hacker was the denial-of-service attack, a brute-force technique that exploits a kind of eternal, fundamental limitation of the internet: Write a program that can send enough junk data at an internet-connected computer, and you can knock it offline.

The previous year, for instance, the hacker group Anonymous had responded to the refusal by Visa, Mastercard, PayPal, and Bank of America to allow donations to WikiLeaks by urging its plebes to bombard the companies’ servers with data requests, creating so-called distributed denial-of-service attacks that briefly took down the companies’ online services. But most DDoS attacks were less principled: the constant AK-47 cross fire of the cybercriminal internet’s internecine wars and vandalism.

On Hack Forums, many hackers ran their own “booter” services that, for a few dollars a month, would launch denial-of-service attacks against anyone a customer chose—often online gaming services, to troll or sabotage rival players. Users and admins of booters talked casually of “hitting off” targets, or worse, “holding off” a service or a single user’s connection, repeatedly bombarding it to prevent it from coming back online.

Some booters launched attacks from botnets, collections of thousands of unwitting users’ PCs, hijacked with hidden malware to form a lemming-like swarm of machines pummeling a target with data. Other booters used “reflection” or “amplification” attacks: If a hacker could find an online service that would respond to a query by sending back a larger chunk of data than the request itself, they could spoof the origin of their question so the service would send its answer to a victim. By bouncing a stream of thousands of questions off a server, the hacker could bombard the victim with its responses and vastly multiply their attack’s firepower.

Josiah, fascinated by the cleverness of those tricks, was naturally determined to understand them at their deepest level. He stumbled upon a blog post from a cybersecurity blogger describing a reflection attack that used the servers of the online first-person-shooter game Quake III Arena. Ping them with a simple “getinfo” or “getstatus” request, and the servers would send back information that included the usernames of the players on the server and the map of the level they were playing on—an answer that was nearly 10 times as big as the question and could be directed at any spoofed IP address a hacker chose.

The post was intended as a warning. It cautioned that this kind of attack could be used to take down a service with as much as 23 megabits per second of bandwidth, a pipe that seemed enormous to Josiah on his 1.5-megabits-per-second home DSL connection. A competent programmer exploiting the problem, the blog post’s author wrote, “can easily create a full-fledged attack suite in a lazy afternoon.”
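Seen from the receiving network, a reflection attack like the one described above shows up as game-server replies arriving at a host that never sent a query. The following detection sketch is an added example, not code from the article or the blog post it cites; the flow-record layout, thresholds, addresses, and packet sizes are constructed, and UDP port 27960 is assumed as the Quake III Arena default.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: UDP 27960, the default Quake III Arena server port. Add the ports
# of any other query/response UDP services that matter on your network.
REFLECTOR_PORTS = {27960}


@dataclass(frozen=True)
class Flow:
    ts_ms: int    # milliseconds since the start of the capture
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int   # UDP payload bytes in this flow record


def find_reflection_victims(flows, min_reflectors=3, min_bytes=5000):
    """Return {ip: report} for hosts flooded with replies they never requested."""
    flows = list(flows)
    # (client, server, port) triples where the client really sent a query.
    asked = {(f.src, f.dst, f.dport) for f in flows if f.dport in REFLECTOR_PORTS}

    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "times": []})
    for f in flows:
        if f.sport not in REFLECTOR_PORTS:
            continue                      # not a reply from a query service
        if (f.dst, f.src, f.sport) in asked:
            continue                      # solicited: this host asked first
        s = stats[f.dst]
        s["bytes"] += f.nbytes
        s["reflectors"].add(f.src)
        s["times"].append(f.ts_ms)

    victims = {}
    for ip, s in stats.items():
        if len(s["reflectors"]) < min_reflectors or s["bytes"] < min_bytes:
            continue                      # a stray late reply, not a flood
        span_ms = max(s["times"]) - min(s["times"]) or 1
        victims[ip] = {
            "unsolicited_bytes": s["bytes"],
            "reflectors": sorted(s["reflectors"]),
            "mbps": s["bytes"] * 8 / (span_ms / 1000) / 1e6,
        }
    return victims


def build_sample_flows():
    """Constructed flow records (documentation IP ranges), not real traffic."""
    flows = [
        # A real player: 60-byte query out, 580-byte status reply back
        # (sizes chosen to mirror the roughly tenfold ratio in the text).
        Flow(0, "198.51.100.7", 50000, "203.0.113.10", 27960, 60),
        Flow(100, "203.0.113.10", 27960, "198.51.100.7", 50000, 580),
        # One stray reply to a host that sent no query in this window.
        Flow(500, "203.0.113.11", 27960, "198.51.100.9", 41000, 580),
    ]
    servers = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    # 192.0.2.50 sent nothing, yet four servers keep answering it.
    for i, server in enumerate(servers):
        for k in range(5):
            flows.append(Flow(1000 + 500 * k + 100 * i, server, 27960,
                              "192.0.2.50", 40000, 580))
    return flows


if __name__ == "__main__":
    for ip, report in find_reflection_victims(build_sample_flows()).items():
        print(ip, report)
```

The player who queried a server first and the host that received a single stray reply are both left alone; only the address receiving unsolicited replies from several servers at once is reported.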

Josiah took this as a challenge. He cobbled together a simple script to perform the attack and posted it to Hack Forums under his handle, “Ohnoes1479.” He asked only for anyone who used it to give him an upvote “if its good ✌” to increase the prestige of his forum profile.

Josiah didn’t think too much about the morality of his creation. After all, it took a computer offline only temporarily, right? More of a mischievous hiccup than a crime, he figured. He couldn’t use it himself anyway, because his home internet connection didn’t allow the IP spoofing the attack required. Still, as other hackers on the forum—some of whom he suspected ran their own booter services—asked questions about how to use the program and even requested feature updates, he was happy to help.

Mostly, like the technical wunderkind he’d once been in his church’s auto shop, he aimed to impress. “I wanted to make something cool,” he says. “And I wanted respect.”

In that anarchic Hack Forums scene, Josiah soon found a kindred spirit, a user who called himself “moldjelly.” In the offline world, his name was Dalton Norman. He was a teenage hacker just a year older than Josiah who was far more in touch with his rebellious side.

Like Josiah, Dalton had grown up with an engineer for a father. His dad led the maintenance team for a skyscraper in New Orleans, where the family lived. And like Josiah, Dalton had a natural technical talent. As a preteen, he wrote cheating mods for video games that he presented on his own YouTube channel in a squeaky voice. He and his father would work in their spare time on his dad’s souped-up Chevrolet Monte Carlo, which had so much horsepower that Dalton remembers the feeling of its exterior twisting as it accelerated. He says he inherited that same drive to push technology to its limits.

But far more than Josiah’s, Dalton’s childhood was tinged with adversity. As a small child, he had struggled with a stutter that deeply scarred him. He remembers his family laughing at him at the dinner table as he labored in vain to pronounce his younger sister’s name. “It was awful and kind of contributed to me just being in my room and having low self-esteem and trying to raise it by being super good at something,” Dalton says.

By the end of elementary school, to Dalton’s relief, the stutter had faded away. But just as it seemed like he might enjoy a normal adolescence, his life was disrupted by misfortune on a far larger scale: Hurricane Katrina. Dalton’s family evacuated to Mississippi and didn’t return for more than five years. In exile one state over, Dalton found himself at a “culty” Christian private school, where students prayed before class and, as he remembers it, a math teacher assured him that Barack Obama was the Antichrist. “When I wouldn’t pray or do any of that,” he says, “I would get shit for it.”

Dalton wrote his first program when he was 12. It was a spam tool that he used to torture a teacher he disliked, wrecking her inbox. He says he carried out his first denial-of-service attack not long after, targeting his school’s network from within.

While connected to the school’s Wi-Fi, he flooded its router with junk requests until the entire intranet collapsed. “It’s easy to take down a network when you’re inside of it,” he says. Ironically, as Dalton describes it, he had gotten enough of a reputation for IT know-how that school staff asked for his help fixing the problem. He stopped his attack script, unplugged the router, plugged it back in, and showed the school administrators that it magically worked again. During another attack, however, he says he overheated the router so badly in its poorly ventilated closet that it was fried.

In his early teens, he remembers watching The Social Network and taking exactly the wrong message from the movie: Rather than feeling cautioned by the film’s fictionalized origin story of an icily amoral Mark Zuckerberg, Dalton was profoundly inspired. “That movie basically changed how I viewed the world,” he says. “It’s like, with a laptop and a great idea, you can take control of your life and build something cool.”

After a failed attempt to launch his own social network—he had no idea how to gain users and no budget to advertise it—he returned to hacking: He wrote a keylogger program, designed to snoop on a victim’s keystrokes after infecting their PC via thumb drive. He also found his way onto Hack Forums. Soon he was running his own booter service, hiring other hackers to handle customer service so he could focus on finding new methods to amplify his attack traffic.

It was around this time that Dalton encountered Josiah, who was, he says, the smartest hacker he’d ever met. The two teens soon moved off Hack Forums to talk regularly on Skype and then later TeamSpeak, another internet conferencing service. In those conversations, Dalton eventually used his real name, while Josiah went by “Joey,” a thin veneer of a pseudonym. They enjoyed competing with each other to find new denial-of-service amplification tricks. In a friendly rivalry, they’d stay up into the early morning hours, plumbing the internet for eclectic servers that they could use to multiply their attack traffic dozens and eventually hundreds of times over.

In those late-night cyberattack sessions, the two hackers say, they would typically set up their own website for target practice, or use a friend’s, so that they could measure the size of the traffic they were blasting at it. At times they would clock attacks of more than 100 gigabits a second, they say—more than 4,000 times as big as the 23-megabit attack that had initially amazed Josiah. Very often they would knock their target website offline, along with the server of the hosting service it ran on, causing downtime for an untold number of other websites too.

By this time, Josiah admits, he’d become mildly intoxicated by the power of the tools they’d learned to wield, though he still considered himself a kind of innocent, exploratory hacker. “I was stupid, and I was just angry sometimes, and I wanted to see damage, at points,” he says. “But it wasn’t my primary motivator—for a while.”

Dalton, who was already running a for-profit attack service, had no such illusions of innocence and admits—a little proudly—to using his growing arsenal of booter artillery on any Hack Forums rival who sufficiently annoyed him. In some cases, he boasts, he would “hit people off so hard” that their internet service providers would cut the victim’s connection for 24 hours to avoid further collateral damage. “It was a lot of power,” he says. “If someone was bullying or being an asshole, then yeah, they went offline for a while.”

Both teenagers managed to hide these dalliances with illegal hacking from their families. But for Dalton, the consequences soon spilled violently into his physical world.

It began when he discovered that someone who worked for his booter service, an older kid to whom he’d foolishly given his real name, had been stealing their profits. He fired the guy. A few days later, Dalton and his family were sitting around the dinner table when a team of police officers in bulletproof vests burst through the door, screaming at everyone to get on the ground. The cops pointed shotguns at Dalton and his terrified parents and siblings, barking orders and questions.

It turned out that the police had received a spoofed 911 call. The caller had warned that Dalton had shot his mother and was now holding the rest of the family hostage. Dalton had been “swatted,” targeted with the most dangerous retaliatory measure in the toolkit of nihilist teen hackers. When the police realized there was no hostage crisis, Dalton explained to the cops and his parents that an angry kid online had inflicted this situation on them—leaving out the part about his booter service. As a measure of the skewed risk assessments of his teenager’s brain, his biggest fear during the entire incident was how his furious parents would punish him. He was grounded.

Dalton says the real lesson he drew from the incident was to tighten his operational security, no longer telling anyone in the hacking world his real name—except Josiah. “I trusted no one except for Joey,” he says.

In the midst of all this, when Dalton was 15, another kind of calamity struck: His stutter came back. He says it happened when he met another stutterer at his high school. Somehow, the event triggered his brain to start tripping up his speech all over again. And the change seemed to be permanent. All the difficulty he’d had speaking as a small child, along with all the anxiety and shame that came with it, flooded back. It was, he says, “a nightmare.”

Like many stutterers, Dalton found workarounds for the arbitrary lexicon of words that would halt his speech, substituting others to hide his disability. But names, which allowed no substitutions, were particularly tough. At one point, to get out of gym class, he volunteered with his high school’s tech office and found that the job included delivering laptops to students. He remembers standing in front of a classroom trying to say a student’s name as the entire class laughed at him. Even his own name was often impossible to get out. “It broke me,” he says. “But afterward, I was just like, ‘I don’t care what other people think. Fuck it.’”

Dalton’s stutter, he says, drove him into cybercrime with a renewed fervor. He cut ties with real-world friends, retreated to his computer, and focused his energy on hacking. His skewed teenage logic kicked in again, telling him to abandon any hope of a normal life or legitimate career. “I thought, ‘No one’s gonna hire me because I can’t talk. How am I going to get past an interview when I can barely say my name?’” Dalton remembers.

He had, he told himself, no other option. “I have to find a way to make this blackhat thing work out.”

Of the three young hackers who would go on, together, to be responsible for the biggest DDoS attacks in history, Paras Jha came to that path from the most innocent and childlike place of all: a love of Minecraft.

Born in Mumbai, Paras was less than a year old when his family emigrated to the US, where they eventually settled near central New Jersey. His parents demanded academic perfection, and Paras was gifted enough to easily deliver. Too easily, in fact: For years of elementary and middle school, he would read entire textbooks as soon as he got them, he says, then never study them again and ace every test.

At the same time, Paras was aware that he had a paradoxical problem with focus. He remembers being in third grade and disassociating as a teacher spoke to him, tracing out her face in the air with his finger. That teacher later suggested to Paras’ parents that he be tested for attention deficit disorder. Coming from a culture that stigmatized such a diagnosis, Paras says, his family was skeptical of the teacher’s warning. His mother and father filled out the school’s evaluation for learning disabilities; it came back negative, and he was never treated.

As Paras grew older, his scattered mental state meant he often forgot school assignments, and his strict parents would respond by grounding him. To pass the time, he gravitated to computers. His beloved video games were forbidden on weekdays, so he would spend hours playing with Microsoft’s Visual Studio, teaching himself to program.

By his early years of high school, Paras had become obsessed with Minecraft, an immersive online world that essentially presents a blocky, lo-res, nearly infinite metaverse. More than playing the game, however, Paras was drawn to the possibilities of running his own Minecraft world on an online server. He would host mini-games of tag or capture the flag, endlessly tinkering with his server’s code to modify the rules. He loved to join his own world, turn himself invisible, and then observe how players responded within the universe he controlled and changed at will. It was like watching 8-bit ants with human intelligence move around his very own ant farm.

Paras soon discovered he could make thousands of dollars using his coding skills to build modifications and mini-games for other Minecraft administrators. In fact, it turned out that the Minecraft ecosystem supported its own surprisingly high-stakes industry. Players paid small fees for access to perks and upgrades on their favorite servers, and administrators of the most popular worlds within that decentralized metaverse made as much as six figures a year in revenue. All of that money meant this innocent-seeming industry had developed a surprisingly ruthless dark side. Minecraft servers came under constant barrage from booters’ DDoS attacks, launched by aggrieved players, competitors, and trolls. Many paid thousands of dollars a month to DDoS protection firms that promised to filter or absorb the attack traffic.

One day, Paras found himself in a Skype group chat with an acquaintance who also ran a Minecraft server. This person was determined, for reasons Paras can no longer remember, to take down a particular rival’s world. Paras read along as the acquaintance asked another member of the chat for help—a figure by the name of LiteSpeed, who had attained a certain infamy for his denial-of-service wizardry.

Josiah had changed his handle on Hack Forums from Ohnoes1479 to this less-cute moniker about nine months after he’d joined the site, and these days he carried himself online with significantly more swagger. He was happy to oblige.

Josiah, Paras, and a few friends all entered the target Minecraft world, apparating into its blocky landscape full of hundreds of other players’ lo-res figures. Then, over Skype, now in a voice chat, Josiah told the others that he was launching the attack. Across the internet, Paras could hear the tap of the Enter key on Josiah’s keyboard. And the world stopped.

Instead of going dark or returning an error message, the universe hosted on the server that Josiah had knocked offline simply froze, as each player was suddenly disconnected and confined to their own computer’s splintered version of it. Paras marveled at how he could move through that world and see other players paralyzed where they stood, or floating in midair.

That frozen state lasted for 30 seconds before the world crashed entirely. To Paras, it was a hilarious magic trick. “It felt like a secret superpower almost,” he says. “Even though it wasn’t me who did it, it was cool to just be in the know about what’s going on.”

He became friendly with Josiah and found that this talented hacker was happy to take down practically any target server that Paras asked him to, mostly just for sheer amusement. Josiah also seemed to be surprisingly open to sharing his knowledge. Having moved on from the amplification attacks he and Dalton had experimented with early on, Josiah now carried out his attacks with a botnet of thousands of computers around the internet that he’d infected with his own malware, exploiting a security flaw in the web-hosting software phpMyAdmin to turn the underlying servers into his personal army.

Later Josiah would switch to wielding an even more powerful collection of Supermicro servers that he’d hacked via a vulnerability in their baseboard management controllers, chips meant to allow an administrator to remotely connect to a server and monitor its performance. The attacks he was triggering were soon so powerful that he and his friends had difficulty even gauging their strength: Everything they’d hit with it—the best-protected Minecraft servers, even their own measurement tools—would immediately fall offline.

Paras wanted this superpower too. Josiah was happy to help him troubleshoot his DDoS attack code and even offered thousands of computers from his own botnet for Paras to test it on. “Instead of just pressing the button, I wanted to say I had made the button,” says Paras. Soon he was a relatively sophisticated botnet herder with his own DDoS zombie horde.

By 10th grade, to his parents’ dismay, Paras had begun to struggle in school as subjects became more complex and his disaffected-prodigy tactics reached their limits. But online, where he went by the handle “dreadiscool,” he embraced his new godlike capabilities with roguish abandon, knocking off targets on the slightest whim. He and another friend would even sometimes find the phone number for a company that hosted certain Minecraft servers, call their business line from a burner number, and verbally taunt them as Paras launched a DDoS attack that ripped their machines offline.

Somehow, the rule-following, high-achieving kid from a strict immigrant household had become a rampant online vandal. But at that point, Paras says, it was never quite clear to him—or Josiah, or Dalton—how serious the consequences of their attacks might be. They were, after all, still just taking some computers off the internet, right? “Like, the servers come back online,” Paras says. “You wake up the next day and you go to school.”

At other times he would almost check himself, coming to grips with his spiraling behavior. He remembers sitting in the bathroom of his parents’ house just after taking down one of the biggest Minecraft servers, Hypixel, and realizing that if he kept going, he was bound, sooner or later, to get arrested. “Don’t get sucked into it,” he told himself. “Don’t get sucked into it.”

Paras got sucked into it. They all did. In particular, Josiah, the Christian homeschooler who’d once kidded himself that he was a harmless hacker-explorer or a Wozniak-style prankster, had taken a rapid, step-by-step slide into moneymaking cybercrime. Under his LiteSpeed handle, he’d begun selling his amplification techniques to known booter service operators for a few hundred dollars a customer, spending most of the money to rent servers in remote data centers to further his hacking. He reverse engineered Skype’s code to find ways of extracting users’ IP addresses, the identifiers for their home internet connections that could allow them to be directly DDoSed. Soon he was selling this IP-extraction tool on a per-use basis to his fellow hackers and booters.

When one of his friend’s would-be victims bragged that he couldn’t be hit offline because he had a dynamic IP address that changed every time he rebooted his home router, Josiah figured out he could use a traceroute command to see the IP address of every router between that target and his internet service provider. So he and the friend started hitting the computers farther upstream in that network, going after the bigger arteries that fed data to and from his computer instead of the capillaries that linked to his home machine, until all of those routers were unresponsive too. This indiscriminate tactic, as far as they could tell, took out the internet service for the target’s entire town, all just to prevent him from dodging their attack.

Each step, Josiah says, felt small enough that, like the mythical boiling frog, he barely noticed the change in moral temperature. He’d found something he was very good at—better than perhaps anyone he knew. And he wasn’t, he told himself, carrying out hardcore cybercrime like breaching networks or stealing credit card data. Another Hack Forums user reassured him that the FBI cared only about botnets bigger than 10,000 computers, a story he naively accepted. “I rationalized a lot of it away,” Josiah says. “The pot was boiling.”

In early 2014, when Josiah was still 16 years old, he dialed the temperature up another fateful degree with the creation of a powerful new form of botnet. It began when a friend pointed out to him that home routers, aside from making good targets for DDoS attacks, could themselves be hacked and potentially turned into botnets’ zombie conscripts. In fact, many routers still used an old protocol called telnet that allowed administrators to remotely configure them, sometimes without the need for any authentication or else requiring only default credentials, like the password “admin.” All those routers represented countless thousands of hackable devices, in other words, waiting to be taken over and added into Josiah’s army.

The catch was that the routers were small, simple gadgets that used cheap, low-performance embedded-device chips—not the kind of system that most hackers were accustomed to exploiting. But Josiah was never one to be daunted by the task of learning the arcane details of a new machine. He started from scratch, learned to write the native language of routers’ ARM chips, and built a compact piece of malware that could be installed over telnet onto the relatively dumb devices to make them obey his attack commands.

The routers’ operating systems didn’t normally allow software to be installed on them. But Josiah figured out that they did have an “echo” command that could write out any line of text that you typed into a new file. He used that command to copy his code, line by line, into a file small enough to fit into the routers’ few megabytes of memory. The feat was the equivalent of assembling a model ship inside a 12-ounce bottle. He called the code Qbot.

Qbot was Josiah’s first foray into hacking the so-called internet of things, the vast universe of internet-connected devices beyond traditional computers, from security camera systems to smart appliances, that would turn out to be ripe for exploitation. Even in this first, crude attempt, it was immediately clear that Qbot was a potent new weapon.

Josiah could see the power he’d stumbled into: There seemed to be many thousands of vulnerable routers online that Qbot could commandeer. He was initially more careful with this creation than he’d been with his previous coding projects, keeping Qbot’s code private and sharing it only with his friends: Dalton, Paras, and a few other young hackers who had formed a loose network and hung out on Skype and TeamSpeak. But Josiah made the mistake of also giving the code to one other contact. The guy went by the name “vypor” and, Josiah says, had a reputation for trading in other hackers’ secrets as a means of impressing more talented acquaintances. Vypor immediately began trading Qbot for favors and clout with, it soon seemed, his entire contact list.

When that betrayal became clear, Dalton retaliated on Josiah’s behalf by hiring a rapper through the gig-work service Fiverr to record a profanity-laden track brutally mocking vypor’s lack of coding skills. The diss track was uploaded to YouTube. Vypor immediately responded by threatening to swat all of them: Dalton, Josiah, even Paras, who had only recently joined the group.

All three of the young hackers were terrified of being swatted—or swatted again, in Dalton’s case. They agreed that their best bet to protect themselves was to knock vypor offline and hold him off as long as possible. If he couldn’t reach a VoIP service to spoof a call to the police, their short-term reasoning told them, he couldn’t swat anyone. Maybe they could at least enjoy the weekend before he brought armed police to their doorsteps.

So all of them, together, bombed vypor with every DDoS tool they had. For days, they repeatedly hit not only his home connection but also routers two and three steps upstream, using Qbot and every other botnet and amplification technique they’d learned to wield. The three believe they probably blasted vypor’s entire town off the internet, though they never got confirmation aside from seeing the entire chain of network devices stop responding to their pings.

Regardless, the attack seemed to serve its purpose. Vypor disappeared from the scene and never bothered them again.


Allison Nixon, who would become one of the first security researchers in the world to fully understand the dangers posed by weaponized routers and internet-of-things appliances, had no idea who Josiah White was. But she knew LiteSpeed.

At the beginning of her career in New York a few years earlier, Nixon had worked the night shift in the Security Operations Center of Dell’s SecureWorks subsidiary, essentially as the cybersecurity equivalent of a patrolling night watchman. A petite, hoodie-wearing security analyst in her early twenties, she monitored the company’s clients’ networks for attacks in real time and investigated them just enough to know whether to escalate to someone more senior. “Kind of a grind,” she remembers.

But she was curious about where all these daily, wide-ranging hacking attempts were coming from. So in the long stretches of downtime between alerts, she started googling and was amazed to discover Hack Forums, a platform on the open web where young digital deviants were bragging about their attacks and brazenly selling their toolkits. She found booter services especially shocking: how publicly, and cheaply, these miscreants sold a kind of cyberattack that could cost companies millions of dollars a year and often made her and her colleagues’ lives hell. Many of the young hackers doing this damage could even be identified, thanks to their rash public posting, sloppy operational security, and the frequent “doxing” of rivals—digging up and outing another hacker’s real identity. But no one seemed to be doing anything to stop them.

As Nixon lurked longer on the forum, she could see that most hackers on the site weren’t actually developing their own techniques. Instead, almost all of their tools seemed to trickle down from just a few skilled individuals. LiteSpeed was one of them. His attack amplification tricks and bot infection tools had established him as a kind of Hack Forums alpha, an unmistakable standout in the scrum. “Sometimes you kind of get a gut feeling when you’re tracking someone that they’re going to blow up in one way or another,” she says. “I knew I wanted to keep an eye on him.”

Nixon says the more senior researchers on SecureWorks’ counterthreat team had little interest in DDoS attacks, which were considered primitive compared to the cutting-edge intrusion methods that they focused on. But Nixon was fascinated by the anarchic Lord of the Flies world of young hackers building an entire cyberattack industry, seemingly with no repercussions or even notice from law enforcement.

Nixon partnered with a university researcher and began testing out booter services on Hack Forums, barraging a guinea-pig target server with waves of junk traffic. Some of the attacks topped 30 gigabits a second, easily enough to knock someone offline or cripple a website.

By 2014, Nixon had quit the security operations center and taken a job hunting hackers full time, but she couldn’t let go of her DDoS obsession. At a meeting in Pittsburgh of cybercrime fighters, called the National Cyber-Forensics and Training Alliance, she stood before a room of several dozen researchers, academics, and law enforcement officials. With the participation of an internet service provider that had just presented its DDoS protection plan, she demonstrated that she could click a button on a booter website and launch a cyberattack at will—a daring move in front of a crowd of federal agents and prosecutors.

One agent from the FBI’s Pittsburgh field office, named Elliott Peterson—a former Marine from Alaska who’d recently led the landmark takedown of a Russian-origin cybercriminal malware and botnet known as GameOver ZeuS—was particularly impressed. He and Nixon talked about the booter problem. She pointed out how freely the services operated, how many of the culprits were identifiable, and how powerful any intervention in that world might be. And she shared her growing sense that, if the larger problem were left unchecked, it would pose a serious threat to the operation of the internet.

For Josiah, the conflict with vypor was a wake-up call. He felt he’d narrowly avoided watching his secret hacking hobby burst into his peaceful family life. For more than a year, he backed away from Hack Forums and let his LiteSpeed handle go dormant. But he continued to chat with his friends Paras and Dalton, and the three of them began sharing a rented server for coding experiments and internet scanning, which they referred to as the Fun Box.

Paras, meanwhile, continued his free fall into hacker nihilism. In the fall of 2014, he started college at Rutgers and found himself alone and unmoored. He had looked forward to delving into the study of computer science and was appalled to learn that he would have to enroll in other kinds of courses that, to him, seemed like months of wasted time and tuition. Even the computer science exams, to his horror, had to be taken with pencil and paper. “I absolutely hate college,” he texted a friend. “There is absolutely nothing for me here.”

He sank into a malaise and gained weight, sometimes eating a large Papa Johns pizza in one sitting. He couldn’t sleep at night and often couldn’t find the motivation to get out of bed, much less go to class. Aside from his roommate, he had little social contact in the real world—certainly nothing that could compare to the rich, battle-tested friendships he’d built online.

Paras was particularly frustrated to find he couldn’t even get into some of the computer science courses he wanted to register for: Third- and fourth-years got first dibs, and only once their registration round was over did second- and first-years get a chance to choose from the leftovers.

But Paras soon realized he had just the superpower to right this injustice: He could use one of his botnets, built mostly of vulnerable home routers, to blast the entire registration system offline until it was his turn.

He took a trollish delight in tormenting the institution that he felt was tormenting him. Under the Twitter handle @ogexfocus, accompanied by a picture of a ghostly mask, Paras publicly taunted his target. “Rutgers IT department is a joke,” he wrote in a public manifesto, bragging, after three attacks in succession, about crushing the university’s network “like a tin can under the heel of my boot … I’m fairly certain I could run circles around all of you with my eyes closed and one leg amputated.”

When dreaded exams rolled around, he tore down Rutgers’ network again to delay them, buying himself a few more days of miserable procrastination. Later, he took the network down to prevent his parents from seeing his increasingly horrendous grades. “I was feeling very frustrated—I guess with myself—and lashing out,” he says.

On one occasion in the spring of 2015, Paras totaled the Rutgers network so thoroughly that he had to text Josiah to ask him to continue the attacks on his behalf. “Admiral can you execute my command?” he wrote in the jokey, naval-themed slang they’d developed. The outages persisted long enough that some Rutgers students later demanded a tuition refund.

Paras enjoyed the sense of control the attacks gave him, watching their cascading effects on the university the same way he’d invisibly watched players respond to his tweaks of Minecraft worlds years earlier. But when the attacks were over, his problems were still there. By his second year, it was clear to Paras that college wasn’t working for him.

Around the same time, he had started batting around an idea with Josiah that seemed like a way out: What if they founded their own startup offering DDoS protection, to defend paying customers from exactly the sort of attacks that they had become so expert at launching?

To Josiah, it made perfect sense. He understood DDoS attacks on a deep technical level—he had, in fact, built or at least used many of the attack tools that other DDoS protection firms were combating daily—and Paras had built a reputation as a skilled programmer, particularly among Minecraft server administrators, who might be a good initial customer base.

Paras borrowed $10,000 from his father, and he and Josiah used it to cofound a company: ProTraf Solutions, short for “protected traffic.” They had seen other firms struggle to defend customers from new forms of DDoS, and they were sure they could do better.

It wasn’t so simple. After launching ProTraf, they realized their potential customers didn’t often shop around for DDoS protection. Typically, they didn’t feel the need to switch providers unless the one they already had was failing to shield them from an attack, which occurred only rarely. Meanwhile, the bandwidth Josiah and Paras had rented on servers around the world—the cushion they would use to absorb attack traffic aimed at customers—was quickly eating through their capital.

Soon they came to an idea. Only when customers were actually knocked offline would they consider switching to ProTraf. Maybe the two young partners just needed to hurry this process along. “We could wait for one of these outages,” Josiah says, “or we could cause one of these outages.”

They agreed: They would use their own DDoS attacks to hit off their competitors’ customers—just enough to get their own fully legitimate business on its feet, of course. “We’ll do it a few times,” Josiah remembers thinking. “We’ll cause trouble for a little bit, and then we’ll just forget about it. We’ll stop.”


Josiah and Paras began building the new attack botnet they’d use in what would become—whatever story they told themselves—a kind of DDoS protection racket.

The two teenagers used Josiah’s old Qbot code to reinfect a new army of thousands of routers and started wielding it to target their rivals’ clients—all Minecraft servers—easily obliterating their protections. For a while, this veiled extortion scheme actually worked. More than a dozen Minecraft administrators, desperate to get back online, did switch to ProTraf, paying $150 or $200 a month each.

It still wasn’t enough. They’d expanded too quickly, buying infrastructure that was eating up their capital faster than their revenue could replenish it. And they found that when their attacks stopped, some customers switched back to their competitors—perhaps because they sensed that the attacks, timed so closely to the launch of this new startup, had been a little too convenient. “People had their suspicions,” Josiah says.

Josiah was still working at his family’s computer repair business as he struggled to get ProTraf on its feet. When he wasn’t helping customers there, he resorted to making phone calls to drum up sales. He figured if his father and brother could pitch customers and build a business, so could he. But no one who picked up the phone wanted to listen to this fast-talking teenager selling a mission-critical security service. The calls were dead ends, and Josiah came to loathe making them.

Just around a year after launching, in the late spring of 2016, ProTraf was flaming out. For Josiah in particular, the company’s looming death was hard to accept. His parents had been so proud of his business ambitions: He seemed to be making good on his enormous potential, following in his family’s entrepreneurial footsteps. Was he really going to admit that he’d already failed? He felt trapped and ashamed.

So Josiah began to consider other sources of cash flow. A friend from the hacker scene had been impressed with his rebuilt collection of Qbot-infected routers. He asked whether Josiah might be willing to build a new DDoS botnet. If so, he would have customers lined up to pay thousands of dollars in bitcoin for access to it.

Josiah suggested to Paras that they could accept the offer and build a new, even bigger botnet, renting slices of its attack power to the highest bidder in a last-ditch attempt to keep ProTraf alive. It would essentially mean turning the company from a protection racket into a front for their new, real business: selling cyberattacks as a service.

“Sounds ill ey gahl,” Paras joked. Sounds illegal.

“Eh,” Josiah wrote back. “Kinda.”


To build the chief weapon of their secret DDoS-for-hire sideline, Josiah and Paras started from scratch. A few years had passed since Qbot’s creation, and they both had a few new ideas of how to infect and commandeer a vastly larger collection of internet-of-things devices.

In the time since Josiah’s original Qbot code had leaked—thanks to Josiah’s old friend vypor—the hacker community had been steadily upgrading it. Some versions had now been redesigned into “worms”: Infected routers would automatically scan for other vulnerable devices and try to hack and infect them, too, in a self-spreading cycle. But when Josiah and Paras examined those newer botnet systems, they seemed inefficient and unreliable. Someone else’s hacked router was an unwieldy vantage point from which to find vulnerabilities in new machines. Plus, that decentralized setup made it slow and difficult to upgrade their bot software.

So instead, they designed a more centralized, three-step structure. Their infected machines would scan for other hackable devices—using a new system they say was as much as a hundred times faster than the bootleg Qbot worms they’d previously seen—and then report the vulnerable gadgets they found to a “loader” server, which would hack the machines via telnet to install their malware. Then a separate command-and-control server would shepherd those malware-infected bots, periodically sending new commands for which targets to attack.

Paras and Josiah were surprised to discover just how powerful this new automated zombie recruitment process turned out to be. Josiah remembers leaving the system running overnight and waking up to find 160,000 freshly brainwashed routers ready to do his bidding—far more than he’d ever controlled before.

When he saw the scale of what they were building, Josiah’s plan—raise some money with a few cyberattacks, then return to ProTraf and go straight—began to seem like a wasted opportunity, a waste of his talents. “This is cool,” he remembers thinking. “This is innovative. No one else is doing this.”

As their botnet’s size exploded, Josiah suggested to Paras that they would be able to rent even small fractions of their firepower to attackers for $2,000 or $3,000 a month, easily topping $10,000 in monthly revenue.

“Lol,” Paras wrote back. “And how big does the armada have to be.”

“That wont be a problem,” Josiah responded.

Seeing their botnet grow so deliriously large so quickly had now triggered in Josiah an old impulse, purer than any profit motive. “What are the limits here?” he began to ask himself. “How far can we spread this thing?”

Naturally, he turned to his old friend Dalton, who had always shared that urge to push the technological envelope. Josiah and Paras agreed to cut Dalton in on shared control of their growing creation, letting him sell access to a part of it through his own booter service. In return, Dalton would contribute his hacking skills to finding new populations of devices to add to their horde.

To maximize their malware’s footprint, Dalton began to plumb the teeming vulnerabilities of the internet of things. He dug up tens of thousands more gadgets across the world with unpatched flaws, machines that went far beyond home routers: Smart appliances such as online fridges, toasters, and light bulbs all became part of their agglomerated mass of raw computing power. All these eclectic digital objects had the advantage of being relatively greenfield territory. While countless hackers vied for control of traditional computing devices, like PCs and even routers, many of these newer devices remained untouched by malware and uncontested.

Surveillance cameras’ digital video recorder systems, with hardware capable of processing large video files, turned out to be especially strong new recruits. Some scans even turned up more exotic hackable devices, like internet-connected industrial cement mixers and municipal water utilities’ control systems. (The three hackers say they did avoid hacking those industrial devices for fear of being mistaken for cyberterrorists.)

They settled into a workflow. Dalton would scan for new species of exploitable devices and write code to infect them. Josiah would refine Dalton’s code and create software to take control of new additions to their menagerie of networked gadgets.

Paras, meanwhile, focused on the administration software that ran on their command-and-control server—its own complex programming task as their botnet grew to nearly 650,000 devices. He sensed that the scale of their creation would soon draw attention, and he took it upon himself to create a trail of misdirection to hide their identities from public scrutiny. To advertise the botnet, Paras created new sock-puppet accounts with names like OGMemes and Ristorini on Hack Forums, Skype, Reddit, and Jabber. He then created a collection of fake “dox” linked to those handles—the posts that hackers typically use to out rivals’ real identities, but in this case all pointing at people whom Paras had chosen as patsies.

To make their connection to the botnet’s command-and-control server harder to trace, Josiah found a vulnerable server in France that they could hack and use as a jump point, connecting to that hacked machine only through the anonymity software Tor, which made it look like that computer’s owner was the real mastermind. The machine was actually a “seed box,” a server left online to continuously trade in pirated movies over the BitTorrent protocol.

The French server, in fact, was filled with anime videos, a subject Paras knew something about. He was a fan of the psychedelic animated Japanese show Mirai Nikki, in which a teenage outcast discovers he’s part of a battle royal among 12 owners of magical cell phones, and eventually—spoiler alert—uses his phone’s powers to become the god of all space and time. The show, Paras had texted a friend, “literally defines the genre of psychological thrillers.”

Paras knew that the file name for their program, now running on an ever-increasing base of hundreds of thousands of devices worldwide, would soon be a subject of notoriety. So in keeping with their work to pin the botnet’s creation on a random anime collector, he chose a suitable name. All the better that it also evoked a cyberpunk superweapon brought back to the present by a time-traveler, an instrument for which the world was wholly unprepared: Mirai. In Japanese, it meant “the future.”

To Allison Nixon and any other security researcher observing it from the outside, the advent of Mirai initially looked less like the rise of a new superpower than the start of a world war—one where the battlefield was the internet’s multitudes of insecure gadgets.

In 2014 and 2015, the years leading up to what she would call “the battle of the botnets,” Nixon began noticing that groups of nihilistic young blackhats with names like Lizard Squad and vDOS were picking up LiteSpeed’s leaked Qbot code and then selling access to their own hordes of zombie devices, or using them to terrorize and extort online gaming services. So Nixon, who around this time started working at the security firm Flashpoint, created “honeypots”—internet-connected simulations of vulnerable devices designed to be infected by the hackers’ bot software, acting as her own spies amid the botnets’ ranks. The result was a real-time intelligence feed revealing the booters’ commands and intended targets.

It was in early September 2016, while monitoring those botnet honeypots, that Nixon and some colleagues spotted an intriguing new sample of code that was infecting routers and internet-of-things gadgets: the one the world would come to know as Mirai.

This new code seemed capable of detecting when it was running on a honeypot instead of a real device and would immediately terminate itself when it did. So Nixon and her coworker ordered a cheap DVR machine off of eBay, connected it to the internet, and watched the device—they nicknamed it the “sad DVR” due to its life of victimization—get infected over and over again by Mirai and its competitors.

In fact, unbeknownst to Nixon, Mirai’s creators were by then locked in an escalating turf war with vDOS, a competing botnet crew, which had built an especially large army of hacked machines using an updated version of Qbot. Both the Mirai and vDOS teams had designed their bot software to identify and kill any program that appeared to be their rivals’, and the two botnets began vying for control of hundreds of thousands of vulnerable machines, like warlords repeatedly conquering and reconquering the same strip of no-man’s-land.

Soon the Mirai crew and vDOS resorted to anonymously filing abuse complaints with the companies hosting each other’s command-and-control servers, forcing them to build new infrastructure. At one point, a company called BackConnect, which had been hosting Mirai’s server and was run by acquaintances of the Mirai team, came under a DDoS attack from the vDOS crew. To Nixon’s shock, BackConnect responded by using a so-called BGP hijack—the highly controversial tactic of essentially lying to other internet service providers to misdirect a wide swath of traffic—to effectively pull vDOS’s command-and-control server offline.

Soon, Paras, Josiah, and Dalton got tired of the endless tit for tat. They reprogrammed Mirai, allowing it to sever the telnet connections on the victim devices—thus making them harder to update but shutting out vDOS and any other rival from easily reinfecting those machines. That seemed to do the trick: To the Mirai team, it appeared vDOS had given up. (In reality, their adversaries had been questioned by law enforcement and later arrested.)

Nixon remembers the feeling she and her team of researchers had as they watched Mirai win that war and come to dominate the internet’s mass of vulnerable devices. Once, that messy landscape had been infected with a rich diversity of malware species. Now, for the first time she had ever witnessed, all of that malevolent code seemed to go quiet as Mirai’s superior infection techniques took hold of hundreds of thousands of networked devices across the globe. “From our perspective, it was like this new apex predator was prowling the savanna, and all of the other animals had disappeared,” says Nixon. “From that point forward, we were on the hunt for this monster.”

For much of the cybersecurity research community, the purpose of this gargantuan botnet still remained unclear. They couldn’t know that Josiah, Dalton, and Paras had opened Mirai for business and put its services up for sale—that the monster Nixon was hunting was, itself, on the hunt for its first victims.

From left to right: Bruce Schneier, Elliott Peterson, Allison Nixon, Brian Krebs, and Scott Shapiro.

Illustration: James Junk, Matthew Miller

Part Two


For Brian Krebs, September 22, 2016, was an inconvenient day to become the target of the most powerful DDoS botnet in history.

A construction crew had been replacing the siding on Krebs’ rural house in Northern Virginia all morning. The incessant hammering was freaking out his dog, who responded as if barbarians were laying siege to their home. Krebs worked as an independent investigative reporter and security researcher—one of the best known in the cybersecurity industry. He had no workplace to escape to. “I was already losing my mind,” Krebs says.

It was only a little later that day, Krebs says, that it started to become clear that his dog was not wrong. He was, in fact, under siege. And the barbarians were winning.

Two nights before, Prolexic, the service that provided his DDoS protection, had warned him that something was amiss. His website, KrebsonSecurity, had been hit with an attack that peaked at a mind-boggling 623 gigabits a second, according to Prolexic’s measurements. The company had never seen an attack even half that big. But it had heroically managed to absorb the traffic, the Prolexic rep told Krebs, and his site had stayed online.

“Holy moly. Prolexic reports my site was just hit with the largest DDOS the internet has ever seen,” Krebs tweeted that night. “Site’s still up. #FAIL.”

Krebs prided himself on his work hunting cybercriminals, a role in which he was nearly peerless in the world of journalism and one that had made him plenty of enemies. He’d been swatted by a target of his investigations and once had someone ship dark-web heroin to his house in an attempt to frame him. DDoS attacks from aggrieved subjects of his reporting were nothing new. But taunting the source of this particular attack, he now realized, had perhaps been ill-advised.

For two days, he continued to get notices from Prolexic that the massive DDoS was still going. In fact, whoever was barraging his server had persistently switched tactics throughout that time, firing new forms of data designed to be harder for Prolexic to filter out, or targeting machines further upstream. “These guys were real bastards,” Krebs says. “They were throwing the kitchen sink.”

Amid all this, more than 36 hours after the attack had begun, a member of the work crew at Krebs’ house managed to kick his satellite dish, knocking out his home’s internet connection. He tried to tether his computer to his cell phone, but its bandwidth was too spotty. And the attack kept coming, an overwhelming, sustained tsunami of malicious ones and zeros.

Krebs was still struggling to get online on the afternoon of the 22nd when he got another call from Prolexic. This time the company told him, in polite but clear terms, that he’d better find a new source of DDoS protection. They were dropping him. One of the biggest DDoS defense firms in the world could no longer handle the scale of the data torrent barraging his site.

Krebs got in his car and drove to a local business’s parking lot to try to find a stable Wi-Fi connection for his laptop. From there, he called his web-hosting provider to warn that, without Prolexic’s layer of defense, it was about to get hit with an unfathomable wall of digital pain. He suggested that rather than allow all its customers to be taken offline, it should instead configure his website to point to a nonexistent IP address, essentially routing the attack traffic—and anyone trying to visit his site—into “a hole in the ground.”

The hosting company took his advice. KrebsonSecurity.com instantly dropped offline. It would remain that way for days to come, as Mirai loomed, seemingly ready to obliterate the site again the moment it resurfaced.

For Krebs, being successfully censored by cybercriminals was a wholly new experience. “Someone just took my site offline,” Krebs remembers marveling. “And there’s nothing I can do about it.”

Josiah, Dalton, and Paras had unlocked their superweapon, and already it seemed there was almost nothing on the internet that could withstand it.

When Krebs tweeted that his website had been hit with “the largest DDoS the internet has ever seen,” he was almost right. Mirai had actually struck the French internet provider OVH around the same time with an attack that had reached the even more shocking volume of a terabit per second. The botnet’s hundreds of thousands of hacked devices had also quietly KO’d a web-hosting firm and a Minecraft service in August with attacks that were nearly as large but had gone mostly unnoticed by the security world.

Within just a few months of launching their fully operational Death Star and making it available for hire, the three hackers—all still too young to legally drink alcohol—had assembled a small but devoted collection of clients. A fellow hacker who went by the handle “Drake” allegedly acted as a kind of sales rep: He would periodically hit off arbitrary targets as a form of marketing, to demonstrate Mirai’s bristling firepower to potential paying customers. One such patron, who claimed to be in Russia, had rented Mirai to launch attacks against rivals in the cybercriminal web-hosting world, knocking out his adversaries’ sites. Their most frequent user seemed to be a hacker in Brazil, who repeatedly and inexplicably rented access to Mirai to fire off attacks at the network of the Rio Olympics, at one point bombing it with more than a half-terabit per second of traffic.

Paras himself used Mirai a couple of times against his old whipping boy, the Rutgers IT department, mostly just for vengeful fun. On another occasion he briefly tried using it for straightforward extortion against one of their former ProTraf customers, slamming a Minecraft server with a Mirai attack and then demanding a bitcoin payment. In an attempt to make the connection to ProTraf less suspect, he even copied his own ProTraf email address as a recipient of the ransom note. The company didn’t pay. Josiah disapproved of Paras’ extortion attempt, and they never tried it again.

It was their Brazilian customer, Paras says, who had decided to DDoS Krebs into oblivion. Paras woke up that day, read news stories about the monumental attack on Krebs—by far the most high-profile Mirai victim to date—and instantly felt a mix of excitement and dread in the pit of his stomach. “This had better not have been our botnet,” he remembers thinking. He checked their user logs. “It was our freaking botnet.”

After the Brazilian’s earlier attacks on the Olympics, Paras and Josiah had decided this user was perhaps a little too reckless in his targeting. They’d attempted to limit his access to Mirai, ending his sessions after just 10 minutes. But Paras saw that the nihilistic Brazilian had simply manually restarted the attack on Krebs’ site again and again throughout the night—and he was still going.

Paras messaged Josiah and Dalton, and they jumped onto an emergency call on a private, encrypted VoIP server. They all agreed: Annihilating the website of a very well-known journalist had crossed the line beyond helpful marketing into a kind of attention they didn’t need—the kind that got you arrested. “You don’t want to poke the bear,” says Josiah. “This was a pretty big poke.”

By this point, too, they were all 19 or older. They were adults, carrying out an extremely visible criminal conspiracy. The heat Mirai was now bringing them, they began to realize, wasn’t worth it. And despite all the chaos it had caused in its early months of life, Mirai had made only a small fraction of the money Josiah hoped it would: about $14,000 worth of cryptocurrency in total. Even the biggest DDoS attacks in the world were, for their perpetrators, a relatively cheap commodity.

They had only just launched this world-shaking creation. Now they already needed an exit strategy. It was Paras who, a day or two later, suggested a new idea. Their “Russian” customer had, despite renting occasional access to Mirai, suggested to him that DDoS was a bad business. Not enough money. Far too noisy. He’d advised they instead consider partnering with him to use their botnet-building skills for a much stealthier and more lucrative opportunity: click fraud.

Put all those hijacked machines to use quietly clicking on pay-per-click web ads instead of pummeling victims, Paras explained, and they could make tens of thousands of dollars a month by invisibly defrauding advertisers, a far less disruptive form of cybercrime. Josiah and Dalton agreed they should start to transition away from the cyberattack-for-hire industry and into this more respectable black-market business.

But they couldn’t quite bring themselves to kill their monster just yet. Instead, Paras and Josiah, who held more control of Mirai’s targeting than Dalton, attempted to add the IP address for KrebsonSecurity.com to a block list that would at least end the attack—though they’d find in the days to come that their efforts to restrain their least predictable customer had failed again.

Regardless, by that point it was too late. Josiah was right. They had poked the bear. Now it was wide awake.

Elliott Peterson was sitting thousands of miles to the northwest in the FBI’s Anchorage, Alaska, office when he read the news that Brian Krebs, a journalist whose work he knew well, had been wiped off the face of the web.

He was shocked to learn that an attack could hit Prolexic—a firm owned by the internet giant Akamai, whose entire business model depended on handling giant flows of traffic—so hard that it could essentially jam one of the biggest digital conduits in the world. And all to silence a journalist. Peterson knew that he’d just witnessed the start of a new era. “All of a sudden, the world woke up to the fact that someone’s throwing around a terabit of traffic,” he says. “No one was ready for that.”

Two years had passed since Peterson had seen Allison Nixon’s live booter demonstration at a Pittsburgh cybercrime conference. He’d since returned to his native Alaska, taken up an assignment at the FBI’s smallest field office, and turned it into an unlikely hub for takedowns of botnet and booter operations. Just days earlier, he’d learned of the detainment in Israel of vDOS’s two administrators, the rival hackers with whom the Mirai crew had recently been at war. Peterson had been involved in the investigation of vDOS for months. The resulting bust was, in fact, the real reason that Mirai had definitively won that rivalry.

Now Peterson was disturbed to see that the takedown had only cleared the field for someone wielding an even bigger weapon. He knew he would need to take on this case, too.

Working from his cubicle in the “cyber atrium”—a glass-roofed enclosure that houses the handful of FBI agents focused on cybercrime inside Anchorage’s brutalist, red-brick federal building—he started digging. He and Nixon had helped create an industry working group called Big Pipes that dealt with DDoS attacks, and he immediately learned from contacts there that Akamai had been hit by a mysterious new botnet called Mirai.

Even in the midst of Krebs’ unfolding crisis, Peterson understood that for the Anchorage office to take on this new monster, he’d first have to get over a legalistic hurdle: He needed to prove that either its victims or creators were in Alaska. Krebs and Akamai were thousands of miles away. So he realized that he would have to somehow find Mirai-infected devices in his own state. Luckily, by this point, there were hundreds of thousands of those infected devices online, a digital pandemic that reached nearly every country in the world.

Meanwhile, Peterson could only watch helplessly as Krebs’ website was held offline by Mirai for more than 48 hours. Only then did Krebs finally manage to get it back up with the help of a new DDoS defender: Google. The web giant had recently expanded a pro bono DDoS protection service called Project Shield to a wider array of users, and it was eager to prove that it could withstand the internet’s biggest attacks.

Within two hours of KrebsonSecurity coming back up, it received another blast from Mirai. The site’s IP address had changed, Paras says, so his and Josiah’s block list didn’t prevent their Brazilian customer from relaunching his attack. But this time the site stayed online.

Google reached out to the FBI, and with Krebs’ permission, the company eventually shared a list of IPs that had been the sources of the Mirai attack traffic. Peterson and his four-person team began to comb through it. Sure enough, he could see in the data that Mirai had infected devices across Alaska, along with practically every other state in the country. He started tracking down the Alaskan device owners, trying to explain to them in phone calls that their routers and security camera systems had been unwittingly turned into cannon fodder. Finally, Peterson got a break: He managed to persuade the owner of a hunting lodge in the town of Ketchikan to unplug its malware-infected security camera DVR and ship it to Anchorage to be dissected and used as evidence.

Peterson had found his Alaska victim. He launched an investigation to hunt for the hackers behind Mirai.

Illustration: Joonho Ko

After serving in the Marines but before joining the FBI, Elliott Peterson had served as a “dean of men” at a college in Michigan. In that job, he had helped kids with emotional problems and substance abuse issues, essentially acting as a guidance counselor and mentor. It was an unusual role for a future federal agent, but the two jobs reflected Peterson’s strange hybrid personality: half by-the-book, buzz-cut G-man, and half well-meaning, friendly Midwestern youth pastor.

Peterson brought that same peculiar cordiality into his Mirai manhunt. He began politely asking around among the Hack Forums crowd and their ilk, a scene he’d become familiar with over his years of tracking booter services: Who might know any of the pseudonymous hackers selling access to Mirai?

Not long after starting the investigation, his team in the Anchorage office got a lead on one good source. They’d managed to obtain a complete sample of the Mirai code from an infected device and found that it phoned home to a command-and-control server hosted by the DDoS mitigation firm BackConnect. Peterson knew that name. He’d been hunting the vDOS crew when BackConnect came under attack from Mirai’s rival; in an apparent act of self-defense, the company had used a BGP hijack to pull vDOS’s infrastructure offline—a rogue move that had nearly derailed Peterson’s vDOS investigation.

So he made a few calls to BackConnect’s management to ask about the company’s BGP hijack and the Mirai server they were hosting—which had since moved elsewhere—and whether they had any contact with whoever controlled it. BackConnect’s staff said they didn’t, but suggested someone who might: One of their acquaintances from a company called ProTraf Solutions, Paras Jha, seemed to have had contact with whoever was behind Mirai.

After all, Paras had received an extortion email from someone launching the Mirai attacks—neither Peterson nor BackConnect knew that Paras had sent that email himself—and they’d heard he’d chatted with a Mirai handler known as Ristorini.

So Peterson called ProTraf’s phone number and left a voicemail. Paras called him back. Peterson remembers that Paras matched his polite, friendly tone and calmly explained that yes, he had been in touch with Ristorini in online chats. But he had no idea of the real identity of the person who’d tried extorting one of his former customers.

Paras kept the conversation short but said he’d be sure to keep asking around and would be in touch soon to help in any way he could when he’d learned more. Then he hung up and immediately called Dalton and Josiah to tell them the FBI was on their trail.

This time, their emergency meeting was steeped in panic: They needed to ditch Mirai, now.

Dalton suggested they simply take down Mirai’s infrastructure, wipe the command-and-control and loader servers, and destroy the hard drive of every computer they’d ever used to manage it. “Lay as low as possible, kill the whole thing, shred our drives,” as he put it. Then they could quietly move on to their more promising click fraud business.

Paras had another idea: How about they release the Mirai source code into the wild? If they posted it publicly on Hack Forums, it would be adopted by every DDoS-happy hacker in the world, just as Qbot had once been. They could disappear into that crowd, making it vastly harder for this nosy Alaskan FBI agent or anyone else to identify the original Mirai amid the flood of copycat attacks.

Dalton vehemently disagreed. He argued that releasing the source code would only draw more attention to Mirai, cause more damage, and make law enforcement all the more intent on finding the botnet’s original creators.

The call devolved into a full-blown shouting match, the first the three friends had ever really had. Dalton screamed at Paras not to release the code. Paras remained unmoved. Josiah, meanwhile, listened impassively, stuck between his friends, unable to break the tie.

When they hung up, they had agreed that their Mirai adventure was over. But they remained split on what to do with its source code.

So Paras acted on his own. A couple of months earlier, he had created a new sock-puppet account on Hack Forums as another potential profile for Mirai’s mastermind: He’d called this one Anna-Senpai, named after the villain of the Japanese animated show Shimoneta, or “Dirty Joke,” in keeping with Mirai’s anime-loving cover persona.

Now, in late September, he logged in again as Anna-Senpai to post a stunning announcement. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO,” he wrote. “So today, I have an amazing release for you.” The post then linked to download pages for Mirai’s source code, along with a tutorial detailing how anyone could use it to create their own massi