A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet.
Kenneth Currin Schuchman, of Portland suburb Vancouver, pleaded guilty to one count of aiding and abetting computer intrusions.
Between July 2017 and October 2018, he’s said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets. The group is said to have monetized these efforts by selling access to the botnet to others.
Court documents claim Schuchman’s speciality was in finding new vulnerabilities in IoT devices which could be exploited to conscript them into the botnet.
Satori was originally developed using the source code for Mirai, which was released online in 2016. However, Schuchman — who went by the moniker “Nexus” and “Nexus-Zeta” — and co-conspirators “Vamp” and “Drake,” built upon that code with new features, eventually compromising 100,000 devices.
Continually improving the botnet, they gave new names to the new iterations, such as “Okiru” and “Masuta” — with the latter eventually infecting as many as 700,000 endpoints.
By around March 2018, the botnet had evolved into Tsunami/Fbot, supported by tens of thousands of compromised Goahead cameras and High Silicon DVR systems.
Schuchman doesn’t seem to have employed particularly effective OpSec during his work: the control server he used was registered in his name.
Even after being indicted in August 2018, he developed another IoT botnet, Qbot, while on supervised release, the court docs claim. He’s also said to have called in a swatting attack on “Vamp’s” home.
Several sources have told journalist Brian Krebs that UK-resident Vamp was involved in the 2015 attack on TalkTalk and the 2016 Mirai DDoS that overwhelmed DNS service provider Dyn, leading to some of the internet’s biggest websites crashing.