Wales

Daniel Kelley: The teen behind the cybercrime screen

Daniel Kelley Image copyright Metropolitan Police
Image caption Daniel Kelley appeared to at first be motivated by spite against his former college

When Daniel Kelley failed to pass certain GCSEs in the summer of 2013, a chain of events began that led him to the heart of the British justice system at the Old Bailey.

Kelley, then a 16-year-old schoolboy from Llanelli, in Carmarthenshire, would come to be described as a "prolific, skilled and cynical cyber-criminal" responsible for hacking and blackmail, who targeted companies all over the world, including the British telecoms giant TalkTalk.

He has now been sentenced to four years in a young offenders institution after pleading guilty to 11 hacking-related offences.

The underperforming teen had not achieved the right grades to get onto the Level 3 BTEC in computing course at his local college, Coleg Sir Gar.

Instead, while friends he described as "thick" started his chosen course, he had to make do with the lower Level 2 option. He is reported as having poor attendance on the course, even while claiming he "knew more about computers than everyone in the college."

Image copyright Coleg Sir Gar
Image caption Kelley's attacks on his college cost hundreds of hours of teaching time

Perhaps to prove this point, or for revenge against those who had refused him entry, Kelley used distributed denial of service (DDoS) methods to disrupt the college's website.

He carried out more than 40 cyber attacks between September 2013 and April 2014, costing hundreds of hours of teaching time and IT defence work, while some students left because of exam disruption.

But the wider implications were felt beyond the college, and could have had deadly results. The college's network was linked to the Welsh Government's public sector network (PBSA) and the attacks affected hospitals, councils, emergency services, and other schools and colleges.

Radiologists at Hywel Dda health board in west Wales lost access to diagnostic image services, with communication affected between hospital sites.

The care of critically ill patients at Prince Philip Hospital in Llanelli and Withybush hospital in Haverfordwest, Pembrokeshire, was affected and the loss of access to images meant "a serious clinical risk of a catastrophic outcome". It cost nearly £400,000 in security work to combat the risks posed by the attacks.

Image caption Kelley masterminded his life of crime from his family home in Llanelli

Malicious as these attacks were, they appeared to be motivated by spite.

Kelley's motivation then became financial.

Working alone or with a group of hacking mentors known as Team Hans, Kelley targeted companies around the world.

After compromising their security to access clients' personal and credit card details, he was "utterly ruthless" in threatening to make the information public unless money - in the form of the Bitcoin crypto-currency - was paid.

Photographs of son

One target was Rogers Communications in Canada. He and Team Hans accessed company contracts, employee records and other sensitive data.

But chillingly, they then contacted an employee by phone and email, making reference to his son by name and claimed they were looking at photographs of him.

The cost of the hack was estimated by the company as between £400,000 and £580,000.

Kelley then attempted to blackmail 15 Bitcoins (£2,938 at the time), from an Australian business, RC Hobbies, in March and April 2015.

They did not pay though another Australian company - For the Record (FTR) which provides digital recording tools for court evidence worldwide - did pay 10.5 Bitcoins (£1,731 at the time) after he threatened the company's vice-president.

'Your security is not good'

However that was not the end. Kelley got back in touch with the company the same day, bizarrely with an offer of help.

He wrote: "I am not trying to be rude but really, your security is not very good."

For a fee of 5.2 Bitcoins (£861), he said he would show them every vulnerability he could find. It was a glimpse of the positive way he could have used his skills.

They agreed to pay, only for Kelley to up the ante. Having failed to provide the details as promised, he wrote back: "I have come to conclusion of my leverage in this situation [sic] and have decided I want another 10.5 Bitcoins [£1,706] as a final payment.

"Please keep in mind the content I have, I could annihilate your business in days."

Image copyright Getty Images
Image caption TalkTalk was hit by a data breach which affected thousands of customers in October 2015

The company paid once again but when it received a demand for 25 Bitcoins [£4,206] from a person later identified to be Kelley, it contacted police and cyber crime detectives.

Demands then became increasingly abusive, until the vice-president received an email threatening his one-year-old son with a picture of him attached: "I am sure [son's name] wouldn't be able to withstand mental abuse, nor your lovely partner...

"How fun would it be to find your son's background ruined online before he had even hit 10? Anything is possible with a little editing and modification."

The vice-president felt clear the implication was the image of his son would be modified for a sexual purpose. Although this email was not proven to come from Kelley, the prosecution say it was plainly someone known to him because of evidence from online communications.

In a later email, Kelley attempted to justify his actions, saying they had never been intended to damage the business. "Why didn't you just make a deal with us? At the end of the day.... we are the real experts here as demonstrated."

But Kelley's time was running out. On 2 July 2015 the Welsh Cyber Crime Unit arrested Kelley at his home in Llanelli and seized his digital devices during an investigation into his attack on Coleg Sir Gar the previous year.

Unbelievably though, this did not put a stop to Kelley's criminal activities.

He contacted FTR once more in October 2015 saying he had cracked passwords to court recordings, threatening to release them if they did not reply.

He tried to blackmail a national research education network, JISC, asking for nearly £2,000 in Bitcoin, and attempted the same on a cigar business, JJ Fox Ltd, both based in the UK. Neither paid up, but Kelley later tried to sell JJ Fox's compromised data.

Image caption Former TalkTalk chief executive Dido Harding was personally targeted by Kelley

But Kelley's biggest target was the one which would lead to the unmasking of much of his other criminality. While still on police bail over the college attacks, he was one of up to 10 hackers who took part in an attack on TalkTalk, one of the four biggest telecoms companies in the UK, taking its website out of service.

Using stolen data obtained from TalkTalk either by himself or another source, he attempted to blackmail TalkTalk's then chief executive officer, Dido Harding, demanding the Bitcoin equivalent of £80,000 not to leak the data in a series of emails sent to her and other TalkTalk staff.

TalkTalk went public with the news it was under attack from hackers on 23 October, advising customers to change passwords and watch bank accounts for suspicious activity.

It did not pay the demand, but estimated the cost from the hack at £77m.

Analysis of the IP addresses of the computers involved with the attack led the Metropolitan Police's Cyber Crimes Unit to Kelley's door in Llanelli where he was arrested on 24 November 2015. On his computer they found files containing thousands of records of credit cards, which if sold could have netted £105,000.

On 13 December 2016, Kelley pleaded guilty to 11 counts including hacking with intent, hacking, possessing computing equipment for the purpose of fraud, and blackmail.

More on this story