Earlier this month, a district court in Alaska sentenced three college-aged men from Washington state, Pennsylvania and Louisiana in connection with the development and deployment of the Mirai botnet. The botnet was behind an unprecedented October 2016 distributed denial of service (DDoS) attack that crippled a host of popular websites across the United States.

All three defendants, however, received no jail time. Instead, they were sentenced to five years probation, a $127,000 fine and 2,500 hours of community service, which included a requirement that they continue to aid federal cybersecurity investigations.

Such a sentence in a criminal federal trial raised some eyebrows. “I can tell you, based upon my 13 and a half years working in the Department of Justice (DOJ) as a federal prosecutor, that this type of sentence is very unusual,” said Hanley Chew, of counsel at Fenwick & West and former assistant U.S attorney for the Northern District of California.

So what's behind this unusual sentencing? It's difficult to say without prosecutors divulging their exact thinking. But a look at the demands of government cybersecurity operations and the nature of how cybercriminals operate helps shed light on the possible reasoning.

Court filings by government attorneys noted that before the three hackers were sentenced in September 2018, they logged “well over 1,000 hours of work for the U.S. Government,” including working with the FBI office in Anchorage, Alaska, to help identify the perpetrators behind other criminal botnets. Notably, they assisted in taking down a DDoS attack method deemed “Memcache.”

In addition, the cybercriminals wrote code to help FBI investigations, including designing a program to that “allowed law enforcement to examine cryptocurrency private keys in a variety of formats.” What's more, they also offered “to travel to meet with and surreptitiously record the activities of known investigative subjects” for the FBI, potentially acting as undercover informants.

Chew said the sentencing of these three hackers was unique because it took away the incentive for them to cooperate with the government, while still mandating their continued cooperation. “The prosecution has the threat of the sentencing hanging over the [defendants'] heads so that they will be truthful and cooperative… it's very unusual to have post-sentencing cooperation.”

But to be sure, even after sentencing, it is still in the three hackers' best interest to continue their cooperation with federal authorities. After all, sentences can be modified, especially if there are parole violations.

“If those individuals fail to meet the condition of their parole, there would be a reconsidering of what the actual sentence is and there could be stiffer penalties,” said Marcus Christian, a partner at Mayer Brown and a former executive assistant U.S. attorney in the Southern District of Florida.

Still, there are other reasons why sentences generally don't include ongoing cooperation stipulations. “Prior to sentencing, the government can place everything under seal so there is no record of cooperation and that will happen if is the criminal defendant is possibly engaged in covert” activities, Christian said.

The three Mirai botnet hackers however, likely worked as uncovered informants for the government. So why blow their cover?

The answer is simple: In the cyber world, many often operate anonymously through aliases instead of using their real identities. So even though the court disclosed that the hackers are working for the FBI, there is little chance it will compromise some of their online identities.

“You won't necessarily know who is at the other end,” Christian said. “These individuals could be deployed in ways where it wouldn't be possible to determine who they really are.”

But the government's continuous reliance on these hackers does raise questions about why they are needed in the first place. After all, government agencies are likely to have a wide array of in-house cybersecurity expertise to pull from.

Christian, however, noted that while this may be the case, in today's cyberthreat environment, there is always the need for more help. “I don't think anyone would argue with the statement that there is a shortage of qualified people who are employed in government cybersecurity efforts.”

What's more, given the leniency the government showed the three defendants in exchange for their ongoing cooperation, it may be likely that the knowledge and expertise of the hackers also factored into the decision.

“It may very well be that these hackers are really good,” Chew said. “Or that have connections and maybe have other online identities they didn't fully disclose, so they might have specific knowledge that would be particularly helpful in building cases.”

How these three hackers will use their expertise to help the federal government tackle future cyber investigations remains to be seen. But given the furtive nature of such operations, it's likely their work will be kept under wraps.