At the end of last year, hackers took over hundreds of thousands of home routers using a variant of the infamous Internet of Things malware known as Mirai. Then they rented out that massive botnet so that anyone could use it to try to take down websites and servers with crippling distributed denial of service attacks, or DDoS.
That specific botnet is believed to be responsible for intermittent internet outages in the African country of Liberia, in the UK, in Germany, and for a large—but failed—cyberattack on the anti-spam organization Spamhaus.
Now police might have nabbed one of the hackers suspected to be behind that Mirai botnet and those cyberattacks. On Wednesday, UK police arrested an unnamed 29-year-old British man at an airport in London. That man, according to sources, might be a criminal hacker known as BestBuy.
"BestBuy is down."
The arrest is the first to be publicly linked to the long series of cyberattacks carried out with Mirai. Last year, Mirai, which was programmed to automatically spread and take over Internet of Things devices such as DVRs, surveillance cameras and later, routers, became notorious for taking down Reddit, Twitter and several other large websites in an attack against a US internet infrastructure provider in October.
In late November of last year, the German ISP Deutsche Telekom blamed a large outage on hackers trying to hijack its customers' routers. BestBuy, a cybercriminal who sold hacking services on dark web markets such as The Real Deal, claimed responsibility.
"I would like to say sorry to [Deutsche Telekom] customers—it was not our intention," BestBuy, who claimed to be working with another hacker called Popopret, told Motherboard at the time.
On Thursday, the German Federal Criminal Police Office (BKA) announced the arrest of the 29-year-old man, who is suspected of "computer sabotage" against Deutsche Telekom. The police said the operation was a joint effort between local police and British and Cypriot law enforcement agencies, with help from Europol and Eurojust.
The participation of Cyprus police is particularly relevant given that some of the DDoS attacks against a telecom provider in Liberia were conducted using Cypriot IP addresses, according to data collected by SpoofIT, an organization of internet vigilantes who have been investigating DDoS operators.
"BestBuy is down," Jack B., one of the pseudonymous researchers behind the initiative, who published the findings of his investigation into BestBuy on Thursday, told Motherboard.
The German federal police told Motherboard to refer all questions to the prosecutor's office in Cologne, which did not respond to requests for comment or more details in time for publication. The British National Criminal Agency confirmed the arrest in a statement but also declined to provide more details.
Last year, after the source code for the Mirai malware was released publicly, BestBuy took advantage of a newly discovered vulnerability in a protocol used by some modems and routers, called TR-064, to hijack the vulnerable devices and enlist them in their massive Mirai botnet. Their attempts to build the botnet, and create a monopoly over easily hackable Internet of Things devices, caused internet and telephone services outages for one million Deutsche Telekom customers, as well as thousands of subscribers of the British telecom TalkTalk.
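The attacks described above announced themselves on the network as mass connection attempts to the CPE management port that TR-064/TR-069 listen on, TCP 7547. The following script is an added illustration of how a network defender could spot such a sweep in perimeter firewall logs; it is not code from the article or from any of the parties it names. The log format is a constructed, iptables-style syslog line, the IP addresses are documentation ranges, and the port number is taken from the publicly documented Deutsche Telekom incident rather than from this page; all of these are assumptions for the example.

```python
"""
Added example (not from the article): flag sources that are sweeping the
TR-064/TR-069 management port (TCP 7547) in firewall logs.  The log format
below is a constructed, iptables-like syslog line and the port number comes
from the publicly documented 2016 router attacks; both are assumptions here.
"""
import re
from collections import defaultdict

# Constructed sample log (format is an assumption); the addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Nov 27 10:01:02 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=7547
Nov 27 10:01:03 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=7547
Nov 27 10:01:03 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=51002 DPT=7547
Nov 27 10:01:04 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=51003 DPT=7547
Nov 27 10:01:05 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44000 DPT=443
Nov 27 10:01:06 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44001 DPT=7547
Nov 27 10:01:07 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=7547
"""

# Pull the fields we need out of one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)

TR064_PORT = 7547  # CPE WAN management port targeted in the 2016 router attacks


def parse_line(line):
    """Return (src, dst, proto, dport) for a firewall record, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def find_tr064_sweeps(log_text, min_targets=3):
    """Map each source that hit TCP/7547 on at least `min_targets` distinct
    destinations to the sorted list of those destinations.

    Counting distinct destinations rather than raw hits separates a sweep
    across the address space from a single misconfigured client retrying.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a firewall record; skip silently
        src, dst, proto, dport = rec
        if proto == "TCP" and dport == TR064_PORT:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_tr064_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept TCP/{TR064_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

On the sample above only 203.0.113.5 is reported: it touched four distinct hosts, whereas 198.51.100.7 probed one host once and 203.0.113.9 used UDP, which the TR-064 service does not speak. Lowering `min_targets` trades that selectivity for earlier warning.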
Neither BestBuy nor Popopret could be reached for comment on Thursday, as their online chat accounts appeared to be offline. A source, who asked to remain anonymous, told me that the two had not been online since the beginning of February. (Motherboard's last contact with BestBuy was in late January.)
The two are also believed to be behind the malware-for-sale GovRAT. But some believe the two were actually one person. Last year, a different hacker claimed to have broken into BestBuy's private account on The Real Deal market, showing Motherboard a screenshot to prove it. The hacker said the two aliases were controlled by the same person.
Whether the suspect is BestBuy or not, he is the first person to be publicly accused by law enforcement of launching cyberattacks using Mirai. In the last few months, however, authorities have arrested other hackers who launched similar DDoS attacks and sold DDoS services.
In October of last year, the FBI accused two teenagers of being part of the hacking group Lizard Squad. Then, in January of this year, authorities raided Paras Jha. Jha, 20, is suspected of being the hacker known as Anna-Senpai, the original author of Mirai, according to an investigation by the independent security reporter Brian Krebs. He has yet to be charged.
"Bestbuy/Popopret were an example of the competent [Mirai operators] that could actually achieve numbers capable of doing damage."
If the authorities really have gotten their hands on BestBuy, it "would be a great blow to some of the Mirai operations," Marshal Webb, chief technology officer at BackConnect and a researcher who has followed Mirai for months, told Motherboard in an online chat.
"There are only a handful of Mirai operators that actually have an idea of what they are doing," Webb added. "Bestbuy/Popopret were an example of the competent ones that could actually achieve numbers capable of doing damage."
German police said the man could face six to ten years in prison.
Joseph Cox and Max Hoppenstedt contributed reporting for this story.