A couple of years ago Mirai burst on the scene. It used your DVR, your camera, and took them over and went on a criminal rampage of DDoS, click-fraud, DDoS for hire, rental to other criminals. Large infrastructure (like Dyn) went offline. There is a very real chance that people died due to secondary impacts. The economic damage is hard to assess, but would have been millions across the board, across the countries.
They released the code (while they were licensing the bots they already had to other criminals), sparking a wave of script kiddies and others to get in on the act.
Well good news everybody, the perpetrators were caught, and have been given probation. I’m sure they are sorry. And the others that did the follow-on damage are happy that the punishment level was so low it will demoralise the enforcement branches from going after them.
I’m not advocating a life sentence here. But they should have a criminal record and serve a little bit of time as a deterrent. And they should be forbidden from selling their story or services. We don’t catch too many folks, lets not embolden them. The impact here was very high. It took the entire country of Liberia offline.