Tracking the People Behind Botnets: A List of Top 20 IoT Blackhat Hackers

While most people treat malware as just a piece of code, behind it is a human creating the content, and an entire ecosystem where the malicious code is changed to money. In the context of IoT botnets, we will be discussing Top 20 IoT Blackhat hackers and how they are impacting and shaping this illegal industry.

Threat actors who are still active are represented by 🔴 red color, dormant threat actors by ⚫ black and retired (or forced to retire by law enforcement) have been represented by 🔵 blue.

1. 🔵 DREAD / PARAS — The creator of infamous Mirai botnet, Paras has been the most important figure in the IoT botnet scene and is hard to replace. Not only the Mirai botnet’s attack on Krebs on Security gathered mainstream media attention, but also his leaked Mirai source is the backbone of most IoT botnets created till date. As of now Paras has been imposed with home confinement, a hasty 8.6 million dollars fine and community service. Thanks to law enforcement, Paras is done and dusted from DDoSing botnets. However, the impact he has made on the IoT botnet community is high, with most threat actors looking up to him as the apex predator of the IoT botnet scene.

2. 🔵 NEXUS ZETA / KENNETH — Nexus Zeta has been allegedly associated with Satori botnet, which made the Huawei vulnerability CVE-2017–17215 a household name for most threat actors. Satori and Masuta botnet were one of the first to change the direction of IoT botnets from password guessing (Mirai and QBot) to IoT exploits, which have now become a common thing in IoT botnets. Previously he has been bullied by other threat actors on his autism and Asperger’s’ syndrome. After his dox (leak of personal information), law enforcement indicted him, leading him to exit the scene.

3. ⚫ WICKED — From a humble start as Mirai editor, Wicked was one of the fastest to learn and evolve, producing botnets like OMNI, SORA and OWARI. The botnets enjoyed the best of both worlds, using exploits as well as weak password attacks. Wicked and Scarface duo worked together for a while, with Wicked being the programming brain and Scarface being the one dealing the business part (buying and selling botnets). While WICKED liked fame in the beginning, he became concerned on getting too much attention, and started asking researchers to quote him as anonymous. As of now, WICKED is not active in the IoT scene with unclear reasons. While some say he is just avoiding any attention because of his personal safety, other say he is a drug addict now, and is unable to code well.

4. 🔴 SCARFACE / FARADAY — Scarface is the workhorse of the IoT botnet scene with a high reputation and a strong business model, selling several improved versions of Mirai/QBot botnet source code to other script kiddies. While previously he worked mostly with WICKED, he has now become a separate entity on his own, filling the void created by the top 3 hackers in the list not being active anymore.

Scarface is one of the most social kind, interacting with blackhats and whitehats alike, and usually has a good feedback from his script kiddie customers. Sometimes he takes advantage of his reputation though. For example, he has been observed to occasionally backdoor his scripts, or selling a known ZTE exploit as a zero day to script kiddies.

5. 🔴 SHADOH — Shadoh has been associated with the creation of a prevalent IoT botnet, Hakai. While starting as an associate in the ZoneSec hacking team, Shadoh has improved a lot, including multiple exploits related to D-Link, Huawei, and Realtek routers.

Initially Shadoh was working with ZoneHax, as Hakai was based on ZoneHax’s Thanos build, which itself was based on QBot. However, Hakai has become mature now, integrating parts from Mirai, and some original content as well. Shadoh has become mature as well, seeking less attention in media and working more on making money.

6. ⚫ MRLEDUCK / FRIENDLY SKID — A known and respected member in the community, Duck has been associated with Saikin/Akiru botnets and involvement in weaponization of the Vacron vulnerability. However, duck has semi-retired, focusing mostly on mining and moderating other forums rather than making money via DDoS.

7. 🔴 ROOT.SENPAI — Root.Senpai has been associated with the creation of MIORI botnet, which although might focus mostly on password based attacks, is highly popular and has shown up in honeypot logs of researches worldwide. Rather than using any forums, Root has often boasted about his botnet on Instagram and was a popular figure there before he was banned. Root has worked previously with Daddyl33t, another known figure.

8. 🔴 20K / URHARMFUL — 20K is considered to a troll/distraction in the IoT botnet scene, yet he is tolerated in various channels because of having a considerable amount of knowledge on how things work. He has been associated with creation of Yasaku botnet, which was used to launch DDoS attack on NewSky Security’s homepage.

9. ⚫ ZONEHAX — A mentor to SHADOH and the front man of ZoneSec hacking group, ZoneHax has been accredited with the creation of Thanos, a precursor of Hakai botnet. Instead of looking for fame, ZoneHax has repeatedly mentioned that he is in the scene only for being richer, which sounds like a more mature approach. As of now, ZoneHax remains low profile in the IoT botnet scene.

Both ZoneHax and Shadoh are repeatedly bullied in various channels due to their African-American heritage, which sadly is not a surprise given the amount of toxicity present in Blackhat communication channels.

10. 🔴 J — A relatively newer kid on block, J is attributed for the creation of APEP/APOPHIS and OSIRIS botnets. Instead of weak password attacks, he likes adding as many known IoT exploits in his botnets as he can. He also has been observed adding artistic ASCII images on his C2 servers as a mark indicating the botnet is his work.

11. ⚫ JIHADI — JIHADI has been associated with leakedfiles, a website dedicated to host various IoT botnet sources. Jihadi has provided a lot of leaked exploits and Mirai setups tutorials to other script kiddies for free. However, he has been observed to implant backdoors often in the leaked sources to hack the hacker itself. As of now, JIHADI is dormant in the Blackhat channels.

12. 🔵 ELITELANDS — Elitelands rose into the scene with creation of “DEATH” botnet, which primarily used AVTech vulnerabilities and had and implemented an interesting burner account for trace deletion. Elitelands has confessed to be creator of the HNS botnet, although the claims are not verified. After a dox (leak of his personal information) by rival hackers, Elitelands has left the IoT botnet scene for good.

13. 🔵 DADDYL33T — Daddyl33t made considerable news for creation of an IoT botnet at the age of 13, and making a novice mistake of using the same Skype id for applying for job and malicious purposes. While dismissed in the beginning as script kiddie, Daddyl33t improved himself, giving IoT botnets like Josho, Apollo and Shinto which are still actively used by others. Daddyl33t has reportedly left the IoT botnet scene as of now, however his partner in crime Root.Senpai is still holding good.

14. 🔴 HDGZERO / WANTED — HDGZERO rose into picture when his incomplete DemonBot was observed abusing the Hadoop YARN bug in the wild. After seeing his work exposed, he threatened research firms and media with a DDoS attack but nothing was carried out. HDGZERO is a nemesis of SCARFACE, with both trying their best to keep each other down with verbal attacks.

15. 🔴 SWITCH — Switch has worked on creating Arcane, a fork of QBot botnet as well as bought and used DARK IoT botnet. Switch generally has a positive image in the IoT botnet community, helping other script kiddies.

16. 🔴 ROSES/DROUGHT — Associated with creation of OKANE and VERMELHO botnets, Drought sells most of his work only to a select group of verified customers to not attract any extra attention. Drought, along with Jihadi operated leakedfiles website before but doesn’t have an association with it now. Following a leak of his personal information, he went on a hiatus and came back with a new alias ROSES.

17. 🔴 ANARCHY / SYNARCHY — Anarchy has been associated with the creator of Kaizen botnet. Due to unknown reasons, he is highly unpopular in Blackhat channels, often being trolled and meme’d (A practice where a botnet author tries to spread false rumors that their botnet activity is done by their rival to frame them). Anarchy was made to look responsible for an intense Huawei scan, which was later attributed to wicked.

18. 🔴 XORCISM — Xorcism has worked as an associate with MRLEDUCK for Saikin/Akiru botnets. Xorcism has claimed that he is in the IoT botnet scene for learning purposes. However, assisting in the creation of IoT botnets is still unethical (even if the creator doesn’t use it directly in DDoS), leading Xorcism to get a spot in the list.

19. 🔴 WORD — A member of the KS hacking team, WORD has previously worked along with WICKED, and now focuses on SEFA botnet which uses Linksys and AVTech vulnerabilities. WORD is focusing more on Monero mining nowadays than DDoS, as it is considered to be less risky, as some law enforcements are taking DDoS takedowns seriously.

20. ⚫ CULT — Author of EXTENDO IoT botnet malware and presently associated with DARK botnet, CULT has become considerably inactive recently. CULT himself confesses EXTENDO to be a very novice quality malware and is learning and expanding his knowledge to do more impressive things.

Special Mention: 🔵 Janit0r

Janit0r is known to be creator of Brickerbot, a botnet with no financial motives but simply to brick(disrupt) IoT devices. Before retiring, Janit0r released several detailed statements as part of his project “Internet Chemotherapy”, whose motive was to get rid of all weakly secured IoT devices. Janit0r has been regarded as a knowledgeable attacker, still he is not in the list as he never has been part of a community.

Janit0r has always been a loner, and never was observed using his knowledge for buying or selling botnets. Nevertheless, disrupting IoT devices falls on the unethical side of things as well (even though his motive seemed to be increasing awareness for IoT security).

Ankit Anubhav, Principal Researcher, NewSky Security
Scott Wu, CEO, Newsky Security