The creators of the Mirai malware are facing up to ten years behind bars after pleading guilty to writing and distributing it, as well as to a series of distributed denial of service (DDoS) attacks.
The two men, Paras Jha, 21, a former student at Rutgers University, and Josiah White, 21, were identified by security journalist Brian Krebs as the creators of the malware following an online investigation.
Mirai exploited security flaws in poorly designed connected devices, such as the hard-drive recorders used in cheap CCTV systems. Self-propagating, it enabled the two men to build a network of compromised devices that could be exploited, either to launch DDoS attacks or to penetrate host networks.
The co-founders of a company called Protraf Solutions LLC, Jha and White ostensibly offered distributed denial of service (DDoS) mitigation services.
However, Krebs claimed that the two students were often either behind the DDoS attacks that they offered to mitigate or used DDoS attacks as a form of extortion against legitimate businesses - or organisations against which they held a grudge.
The two also pleaded guilty to running an internet advertising click-fraud scheme, which netted them more than $180,000 in bitcoin, as of 29 January 2017. Jha had been outed by Krebs on 18 January 2017 following an investigation.
Dalton Norman, a New Orleans man who hired the pair's botnet for the click-fraud scheme, also helped them to identify vulnerabilities in IoT devices, which they would use to devise the Mirai malware.
This was first used in autumn 2016 to launch a string of major DDoS attacks - including one against Brian Krebs' own KrebsOnSecurity website. Jha released the Mirai source code shortly afterwards, thereby encouraging others to build their own Mirai botnets and launch even bigger DDoS attacks.
Jha now lives at home with his parents, but according to a local newspaper report, he also admitted repeatedly crashing the University's computer network between 2014 and 2016, and anonymously taunting University staff about the attacks.
"Jha admitted to timing his attacks on Rutgers' websites when they would cause the most disruption to students, faculty and staff.
"'In fact, you timed your attacks because you wanted to overload the central authentication server when it would be the most devastating to Rutgers, right?' assistant US attorney Shana Chen asked Jha in court," a charge to which he admitted, according to NJ.com.
It reveals that Jha has waived his right to appeal, except in particular circumstances, but could still be facing up to ten years in prison and is facing fines of up to $250,000 in addition to his voluntary surrender of 13 bitcoin, which at the time of writing are worth around $220,000.