A 29-year-old man pleaded guilty in court on Friday to hijacking over 900,000 routers from the network of Deutsche Telekom, according to several reports in the German press [1, 2, 3, 4].
The man is the hacker known as BestBuy, also known as Popopret. German authorities have not released the man’s name but referred to him by the nickname Spiderman, which the hacker used when registering the domain names he relied on to hijack and control Deutsche Telekom’s routers.
BestBuy hijacked Deutsche Telekom’s routers with a custom version of the Mirai IoT malware that he modified himself.
Hacker never intended to make routers go offline
The hacker admitted in court that he never intended for the routers to cease functioning. He only wanted to silently control them so he could use them as pawns in a DDoS botnet. Accidentally, the Mirai malware he deployed on the affected routers made them go offline, causing Internet interruptions to thousands of homes and businesses in Germany.
A week later, he did the same thing to over 100,000 routers belonging to multiple UK ISPs, although he wasn’t officially charged with those crimes.
UK police arrested BestBuy in a London airport at the end of February. He was extradited to face charges pressed by German authorities. German police from the city of Cologne were the ones who identified the suspect and issued the international arrest warrant.
Hacker says a Liberian ISP hired his services
On Friday, July 21, BestBuy pleaded guilty. According to German media, the hacker also provided more information about his operations.
In court, BestBuy said he hijacked Deutsche Telekom routers because he needed more firepower for his DDoS botnet. The hacker said he was hired by a Liberian ISP to carry out DDoS attacks on local competitors. He said the Liberian ISP — currently unidentified/unnamed — paid him $10,000 to DDoS its competitors.
At the time, BestBuy was advertising and renting access to his Mirai botnet online. Prior to entering the DDoS business, BestBuy was a well-known figure in the criminal underworld, where he became famous for coding and selling the GovRAT malware that was used to hack several US government agencies, according to an InfoArmor report.
Journalist says he identified BestBuy’s real-life persona
Earlier this month, infosec investigative journalist Brian Krebs published an article claiming that BestBuy was a UK man named Daniel Kaye.
BestBuy’s sentencing hearing is scheduled for next Friday, July 28. The hacker faces up to ten years in prison.
Below is a reconstruction of events: