The true cost of white collar crime
Earlier this month, British hacker Daniel Kaye was sentenced to two years and eight months after pleading guilty to computer misuse. The National Crime Agency described Kaye as "perhaps the most significant cyber criminal yet caught in the UK" and described his botnet as "one of the world's largest networks of compromised computers".
Kaye operated under the aliases of BestBuy, and Spiderman. In 2016, an employee of Liberia's mobile phone company, Cellcom, hired Kaye's services to disrupt the operations of rival Liberian phone company, Lonestar, although there is no evidence that Cellcom's senior management or parent company Orange were aware of this plan.
Kaye charged £30,000 for the hit, and used a Mirai-based botnet of IoT devices, typically webcams, to launch distributed denial of service (DDOS) attacks on Lonestar, similar to the Wanncry DDOS attacks which crippled the NHS in 2017. In Liberia, phone users began to see their services going offline. He then intensified the attack using an additional network of hacked machines on Deutsche Telecom's infrastructure.
However, Liberia, a small west African nation ranked as the poorest country in the world in 2017 by USA today, has only very limited bandwidth coming into the country, a single transatlantic cable. Kaye's attack got out of hand and the whole of Liberia's internet connections repeatedly failed, taking the entire country offline. In addition, more than 120,000 Deutsche Telecom customers experienced crashes during the attack.
Lonestar called in security experts and says it has spent an estimated 600,000 dollars fixing the problem. In the year preceding the attack, Lonestar's revenue had been 80 million dollars, a figure that has fallen by ten million as a result of customers leaving the network and switching to competitors, which Lonestar blames on the damage to its image caused by the attack. Rival company Cellcom has told Front Page Africa that it strongly disputes these claims, although it could also be argued that Cellcom needs to minimise the damage which its rogue employee instigated.
In court, Kaye's defence team argued Lonestar's estimates of its losses were unsupported by any evidence, and reasoned that "a relatively slow internet service" simply became slower, that voice calls were unaffected, and it was not a threat to Liberia's national security. The defence also made the extraordinary statement that "Nobody died, nobody's life was imperilled, at worst Lonestar customers suffered slow internet speeds".
Annoyingly we also heard the glorification of the hacker skills. Many newspapers described Kaye as "self-taught", the judge described the 30 year old as "an intelligent, talented and skilful young man" who used his skills for crime, the NCA described him as "operating as a highly skilled and capable hacker-for-hire", and his defence said that Kaye had received interest from major technology firms who wanted to use his skills and added "We will need people like Mr Kaye on the side of the angels".
The old poacher turned gamekeeper excuse, the notion that hackers-for-hire should be lauded and employed by security services is as foolish as saying that, instead of sending hardened criminals to jail, we should be utilising their talents and sociopathy by putting them in police uniforms. Self-taught? So are most burglars and thieves. There is no BSc in how to commit a crime. Skilled? Talented? Make no mistake, Kaye did not develop the Mirai botnet software any more than a burglar develops a crowbar. He simply downloaded the code which other hackers had written. He obviously wasn't skilled enough to understand Liberia's infrastucture and target it just at Lonestar. Neither was he skilled enough to avoid detection and capture. Kaye was also linked to a Miria attack on three banks, Lloyds, Barclays, and Halifax, in January 2016, where the hacker demanded a ransom but failed to breach the defences of the British banks. Prosecutors dropped these charges because Kaye claims he had loaned his botnet to another unnamed hacker who was responsible for that attack.
Kaye wept when sentenced and reportedly told the court that this was the biggest mistake of his life, and that he only took money in order to help start a new life with his fiancee. Presumably he means the biggest mistake of his life was getting caught. For the crime of stealing computing resources from people world wide, running a malicious botnet for hire, disrupting the connectivity of an entire nation plus a large chunk of users in Germany, and causing millions of dollars of expense and financial damage to Loanstar, Kaye was sentenced at Blackfriars Court to a custodial sentence of two years and eight months. He will be eligible for early release after just 16 months, on 14th May 2020. That doesn't seem a lot for someone running one of the world's largest networks of hacked computers.
31st January 2019
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are orignal content. If you would like to receive the newsletter direct to your inbox each month, please SUBSCRIBE here. It is free, and you don't get added to any other mailing lists. It uses best-practice confirmed opt-in only, and you may unsubscribe at any time.