Satori Botnet Creator Pleads Guilty, Faces Up to 10 Years in Prison
Kenneth Currin Schuchman, 21, also known as Nexus Zeta and the creator of several IoT botnets including Satori, has pleaded guilty to creating and operating multiple botnets primarily used for DDoS attacks. Schuchman not only rented out his botnets to other criminals but also used them himself to launch DDoS attacks against various targets.
Schuchman’s arrest was first reported last year. Before his arrest, Nexus Zeta was known for seeking attention and actively communicating with journalists and cybersecurity experts, which ultimately helped authorities identify and apprehend him. Notably, Schuchman used his father’s ID and personal information to register domains that were later used in his operations and in DDoS-for-hire attacks.
Court documents reveal that Schuchman has been diagnosed with Asperger’s syndrome and an autism spectrum disorder. He was an active user of HackForums, where he is believed to have acquired his hacking skills.
Collaboration with Other Hackers
Although it was initially believed that Schuchman acted alone, court documents now indicate he worked with two other hackers, known as Vamp and Drake. According to investigators, Vamp was the main developer and programmer, Drake handled sales and customer support, and Nexus Zeta was the secondary developer responsible for creating or acquiring new exploits for infecting additional IoT devices.
U.S. authorities have not disclosed whether charges have been filed against Vamp and Drake, but claim that law enforcement is aware of their real identities.
Timeline of Events
- July–August 2017: Schuchman, Vamp, and Drake create the Satori botnet, based on the source code of the well-known IoT malware Mirai. Authorities state that the initial version of Satori “expanded the capabilities of the Mirai DDoS botnet, targeted devices with Telnet vulnerabilities, and used an improved scanning system borrowed from another botnet known as Remaiten.” In its first month, Satori infected over 100,000 devices, including more than 32,000 belonging to a major Canadian ISP, and was capable of DDoS attacks up to 1 Tbps.
- September–October 2017: The hackers upgrade Satori to a new version called Okiru, which compromises vulnerable devices not only over Telnet but also by using exploits. Okiru primarily targets GoAhead cameras.
- November 2017: Schuchman, Vamp, and Drake develop new versions of Satori and Okiru, creating a botnet named Masuta to attack GPON routers. Their DDoS-for-hire business thrives. Schuchman also creates a separate botnet to attack ProxyPipe, a DDoS protection company.
- January 2018: Nexus Zeta and Drake create another botnet combining features of Mirai and Satori, focusing on devices based in Vietnam.
- March 2018: The trio continues work on this botnet, later known as Tsunami or Fbot, which infects about 30,000 devices, mainly GoAhead cameras. By exploiting vulnerabilities in High Silicon DVR systems, the botnet expands to another 35,000 devices. U.S. authorities state this botnet could launch DDoS attacks up to 100 Gbps.
- April 2018: Schuchman parts ways with Vamp and Drake and independently develops another botnet based on the Qbot malware family, mainly targeting GPON routers in the Mexican Telemax network. Nexus Zeta and Vamp also compete by deploying botnets to disrupt each other’s operations.
- July 2018: Schuchman reconciles with Vamp, but by this time the FBI has already tracked him down. Later that month, Nexus Zeta is interrogated.
- August 21, 2018: U.S. authorities officially charge Schuchman but allow him to remain free pending trial.
- August–October 2018: Schuchman violates his release conditions by accessing the internet and developing a new Qbot-based botnet. He also carries out a “swatting” (a false police report) targeting Drake’s home address.
- October 2018: Schuchman is arrested again and held in custody.
Legal Consequences
Now that Schuchman has pleaded guilty, he faces up to ten years in prison, a fine of up to $250,000, and three years of supervised release after serving his sentence. The sentencing hearing is scheduled for November of this year.