A hacker known as “Spiderman” has pleaded guilty in Germany for a cyberattack that took roughly 900,000 broadband routers offline last year.
This individual is not the Marvel superhero but a 29-year-old man who was arrested by British police at Luton Airport in February at the request of Germany’s Federal Criminal Police Office. Authorities say he was responsible for compromising routers and offering to sell access to a botnet used to launch DDoS attacks.
The defendant used several aliases, including “Spiderman” and the fictional name “Peter Parker,” when registering domains for his command-and-control servers.
Although the attacker did not appear to intend such a wide outage, the intrusion affected mainly German telecom operator Deutsche Telekom and many of its customers. The attacker’s goal was allegedly to discreetly add devices to a botnet to avoid detection, but an exploit he deployed ended up disabling about 900,000 home routers.
According to investigators, the compromised devices included routers supplied by Zyxel and models branded as Speedport. The intrusions used a customized variant of the Mirai malware that targeted vulnerabilities in TR-069 and TR-064—protocols used by ISPs to remotely manage tens or hundreds of thousands of customer devices.
Deutsche Telekom reported the incident cost the company in excess of two million euros, and the outage prompted speculation that the attack may have been politically motivated. Deutsche Telekom’s CEO, Timotheus Höttges, said the incident highlighted broader internet security risks and called for stronger international cooperation to defend critical infrastructure.
Court records and local reporting indicate the accused admitted in a German court that he had taken the job for payment. He told authorities he was hired by a Liberian telecommunications company, receiving $10,000 (about £7,700) because he wanted funds to marry his fiancée and start married life. The hiring party reportedly sought access to a botnet and did not request that routers be disabled.
The defendant has pleaded guilty but had not been sentenced at the time of initial reporting; prosecutors indicated the case carries a potential penalty ranging from six months to ten years in prison.
Update 28/07: The regional court in Cologne issued a suspended sentence of one year and eight months for attempted commercial computer sabotage. Prosecutors had sought a two-year term.
What do you think of the case and its outcome? Share your thoughts in the comments.