A hacker known as “BestBuy” confessed in German court to using a massive botnet attack last year to disrupt the service of customers of German telecommunications company Deutsche Telekom.

BestBuy, also identified as Daniel K., was arrested in February by the British National Crime Agency by request of the Germany’s Federal Criminal Police Office. The 29-year-old British man pleaded guilty to masterminding malware attacks that hijacked internet connected devices to carry out denial of service attacks.

Read: Smart TVs, Smart Speakers, Other IoT Devices Remain Vulnerable Post Mirai Botnet

BestBuy’s attack made use of malware called Mirai, which is primarily used to infect Internet of Things devices—typically known for having lax security practices and easy to crack login credentials that make them easy to hijack.

With thousands of devices infected, an attacker—in this case, the 29-year-old British hacker—can direct those machines at a singular target using a control server to communicate with the devices. The thousands of requests sent at one or a few addresses all at once can overwhelm a server, causing the site or service to temporarily become unavailable.

BestBuy used the Mirai malware to target DSL routers belonging to Deutsche Telekom customers. His attack, carried out in November 2016, resulted in more than one million people temporarily losing access to the service.

The hacker also hit internet service providers in the United Kingdom, according to authorities involved in his arrest. That attack resulted in another 100,000 people getting knocked offline, though the hacker has not yet been charged for his actions in the UK.

Read: IoT Security: Government Accountability Office Highlights Risks Posed By Internet Of Things

BestBuy’s motives are still unknown for the time being, though German outlets have reported that he was paid around $10,000 by a Liberian telecommunications company to carry out the attack against its competitors.

Security reporter Brian Krebs, whose website was targeted by a Mirai attack, believes the hacker involved in the Deutsche Telekom attack is also behind a remote access trojan called GovRAT, which has been used in espionage campaigns against governments, financial institutions, major corporations and defense contractors.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

When he was arrested in February, a public prosecutor said BestBuy would face charges of attempted computer sabotage. If charged in the UK, the hacker could face up to 10 years of jail time.

BestBuy created a modified version of Mirai to carry out his attack, but the botnet has been associated with a number of major DDoS attacks in recent months that have affected web services.

Perhaps the most noteworthy took place in October 2016, when the botnet was used to target Domain Name System (DNS) provider Dyn. The attack caused major internet outages for a number of web-based sites and services, including Twitter, Netflix, Spotify, Amazon, communications platform Slack, and the New York Times.

The attack lasted for the better part of a day and was disruptive enough to get the attention of the U.S. Department of Homeland Security.