On September 30, 2016, Mirai’s alleged author, nicknamed “Anna-senpai” (whom we now know to be Paras Jha of Fanwood, N.J.), released the Mirai source code on Hackforums, an infamous online hacking forum. Along with it, he wrote a post announcing his retirement. The release was apparently a response to heightened scrutiny from the security industry: by putting the code into many hands, the author aimed to deflect attention from himself if he were caught. Even if he were tracked down and found to have the source code in his possession, authorities wouldn’t necessarily be able to identify Anna-senpai as the original author.
“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
The release of the Mirai source code inspired an explosion of copycats who started to run their own botnets based on Mirai. From then on, it was no longer possible to tie the Mirai attacks to a single actor or hacking group, which made it much more difficult for governments and the security industry to discern the motive behind them and identify the attackers, including the original Anna-senpai, of course.
In Google researcher Elie Bursztein’s detailed blog post on Mirai, he describes how he used infrastructure clustering to map the Mirai variants that proliferated after the source code was released: samples that contact the same command-and-control domains, IP addresses, or loader hosts are grouped together, and groups that share no infrastructure are treated as distinct operators. Mapping those IP addresses and domains led him to conclude, “The existence of many distinct infrastructures with different characteristics confirms that multiple groups ran Mirai independently after the source code was leaked.”
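The clustering step described above can be reproduced in miniature with a union-find over a bipartite sample/indicator graph. What follows is an added example and not code from the original article or from Bursztein’s research; the sample IDs, domains and IPs are constructed, and the set of "noisy" indicators (shared hosting or public infrastructure that would otherwise glue unrelated operators together) is an assumed allowlist a real analyst would build from passive DNS and hosting data.

```python
"""Cluster malware samples by shared infrastructure (union-find).

Added example, not code from the original article or from Bursztein's
research. All sample hashes, domains and IPs below are constructed.
"""
from collections import defaultdict

# Constructed observations: (sample_id, indicator) pairs, where an indicator is
# a C2 domain, a resolved C2 IP, or a loader/report host. In practice these
# come from sandbox runs, passive DNS and scanner hits.
OBSERVATIONS = [
    ("s1", "cnc.example-a.test"),
    ("s1", "198.51.100.10"),
    ("s2", "cnc.example-a.test"),
    ("s2", "198.51.100.11"),
    ("s3", "198.51.100.11"),
    ("s3", "report.example-a.test"),
    ("s4", "cnc.example-b.test"),
    ("s4", "203.0.113.5"),
    ("s5", "203.0.113.5"),
    ("s6", "cnc.example-c.test"),
    # A shared hosting IP used by unrelated operators; must not merge clusters.
    ("s1", "192.0.2.1"),
    ("s6", "192.0.2.1"),
]

# Assumed allowlist of generic infrastructure (hypothetical for this example).
NOISY_INDICATORS = {"192.0.2.1"}


class UnionFind:
    """Disjoint-set forest with path halving; elements are created lazily."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_infrastructure(observations, noisy=frozenset(), max_sharing=None):
    """Return {root_sample: {"samples": set, "indicators": set}}.

    Samples that share an indicator land in the same cluster, transitively.
    Indicators listed in `noisy`, or seen on more than `max_sharing` samples,
    are ignored so that shared hosting does not over-merge operators.
    """
    by_indicator = defaultdict(set)
    for sample, ind in observations:
        by_indicator[ind].add(sample)

    uf = UnionFind()
    for ind, samples in by_indicator.items():
        if ind in noisy:
            continue
        if max_sharing is not None and len(samples) > max_sharing:
            continue
        ordered = sorted(samples)
        uf.find(ordered[0])  # make sure singletons get a root too
        for s in ordered[1:]:
            uf.union(ordered[0], s)

    clusters = defaultdict(lambda: {"samples": set(), "indicators": set()})
    for sample, ind in observations:
        root = uf.find(sample)  # samples seen only with noisy indicators become singletons
        clusters[root]["samples"].add(sample)
        if ind not in noisy:
            clusters[root]["indicators"].add(ind)
    return dict(clusters)


def sample_clusters(observations, noisy=frozenset(), max_sharing=None):
    """Deterministic view of the clusters: sorted list of sorted sample-ID lists."""
    groups = cluster_by_infrastructure(observations, noisy, max_sharing)
    return sorted(sorted(g["samples"]) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_by_infrastructure(OBSERVATIONS, NOISY_INDICATORS).values():
        print(sorted(group["samples"]), "->", sorted(group["indicators"]))
```

With the noisy-indicator allowlist applied the constructed data yields three clusters (s1–s3, s4–s5, and s6 alone); dropping the allowlist lets the shared hosting IP fuse s6 into the first cluster, which is exactly the over-merging an analyst has to guard against before counting "distinct infrastructures".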
Indeed, it’s now believed that between September 2016 and February 2017, Mirai variants were responsible for over 15,000 DDoS attacks, according to an after-action report published by Bursztein and the rest of the large research team. The primary reason Mirai was able to proliferate so widely was “the absence of security best practices in the IoT space, which resulted in a fragile environment ripe for abuse”.