Kenneth Currin Schuchman, also known as Nexus Zeta, the 21-year-old creator of several IoT botnets, including Satori, has pleaded guilty to creating and operating several botnets that were mainly used for DDoS attacks. Schuchman not only leased his botnets to other criminals, but also used them himself, arranging DDoS attacks for various purposes.
Let me remind you that the arrest of the creator of Satori was reported last year. Before that, Nexus Zeta liked to attract attention and actively and willingly communicated with journalists and experts, which ultimately helped to establish his identity and led to his detention.
In particular, Schuchman's arrest was helped by the fact that he used his father's ID and personal data to register domains, which he then used for his operations and DDoS attacks.
“Schuchman is diagnosed with Asperger Syndrome and autistic disorder. He was an active user of HackForums, where, as it is believed, he acquired all his hacking skills”, the court documents note.
Although it was originally assumed that Schuchman acted alone, court documents now report that he worked with two other hackers, who appear in the documents as Vamp and Drake. According to the investigation, Vamp was the main developer and programmer, Drake managed sales and customer support, and Nexus Zeta was the second developer, whose task was to develop or acquire new exploits that the botnet could use to infect new IoT devices.
US authorities have not said whether they have charged Vamp and Drake, but it is alleged that law enforcement officers already know their real identities.
The published court documents contain a very interesting chronology of events that sheds light on the hackers' activity and on the events that ultimately led to Schuchman's arrest.
July-August 2017: Schuchman, Vamp and Drake create the Satori botnet, based on the source code of the well-known IoT malware Mirai. Law enforcement officials write that the initial version of Satori “expanded the capabilities of the Mirai DDoS botnet, targeted devices with Telnet vulnerabilities, and used an improved scanning system borrowed from another botnet known as Remaiten.” In the first month alone, this botnet infected more than 100,000 devices and was capable of DDoS attacks of up to 1 Tbps.
September-October 2017: the hackers upgrade the original Satori to a new version called Okiru. This version uses not only Telnet but also exploits to compromise vulnerable devices. The Okiru botnet's main targets are GoAhead cameras.
November 2017: Schuchman, Vamp and Drake continue developing Satori and Okiru. They create a new version of the botnet called Masuta, which they use to attack GPON routers. Their DDoS-for-hire business is booming. Schuchman creates his own separate botnet, which is used to attack the infrastructure of ProxyPipe, a company that provides DDoS protection.
January 2018: Nexus Zeta and Drake create another botnet that combines the functionality of Mirai and Satori, with an emphasis on devices located in Vietnam.
March 2018: the three hackers continue to work on this botnet, which would later become known as Tsunami or Fbot. The botnet infects about 30,000 devices, again mostly GoAhead cameras. US authorities write that this botnet could carry out DDoS attacks of up to 100 Gb/s.
April 2018: Schuchman parts ways with Vamp and Drake, after which he independently develops another botnet, this time based on the Qbot malware family. This botnet mainly attacked GPON routers on the network of the Mexican television provider Telemax. In addition, Nexus Zeta began to compete with Vamp, and each of them deployed botnets that interfered with the other's operations.
July 2018: Schuchman makes up with Vamp, but by this time the FBI has already tracked him down, and later that month Nexus Zeta is interrogated.
August 21, 2018: U.S. authorities formally indict Schuchman, but allow him to remain free until trial.
August-October 2018: Schuchman violates the conditions of his release by gaining access to the Internet and developing a new botnet (again based on Qbot). In addition, he arranges a “swatting” (a false emergency call to the police about a specific address) at Drake's home address.
October 2018: Schuchman is arrested and this time taken into custody.
Now that Schuchman has pleaded guilty, he faces up to ten years in prison, a fine of up to $250,000, and a further three years under close supervision by law enforcement agencies.
The hacker's hearing is scheduled for November this year.