A “ruthless” cyber criminal turned to online crime after he was turned down for a college computer course, a court has heard.
Disgruntled student Daniel Kelley, from Llanelli, South Wales, turned to “black hat” hacking when he failed to get the necessary GCSE grades to study at Coleg Sir Gar, a further education college in Carmarthenshire.
He went on to target companies large and small, as far afield as Canada and Australia, and attempted to hold bosses to ransom.
The 22-year-old appeared at the Old Bailey to be sentenced after pleading guilty to 11 hacking-related offences. Prosecutor Peter Ratliff described Kelley as a “prolific, skilled and cynical cybercriminal” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety - behind the screen of a computer”.
Read more: FE sector ‘underinvesting in cybersecurity’
Opinion: How can colleges help keep students safe from cybercrime?
Background: Colleges hit by cyber attacks 12 times a week
Disruption of computer networks
Between September 2013 and November 2015, Kelley engaged in a wide range of activities from the deliberate, damaging disruption of computer networks to blackmailing individuals and companies whose data had been stolen by hacking.
While he largely remained anonymous online, his crimes were revealed in snippets retrieved from chat logs, interest in Bitcoin accounts and downloaded material, the court heard.
In September 2012, he boasted on Skype that he was “involved with black hat activities and I can do ddos [Distributed Denial of Service]”, in reference to malicious hacking.
Motivated by ‘spite or revenge’
The court heard that Kelley was just 16 when he hacked into Coleg Sir Gar out of “spite or revenge”. The DDoS attack caused widespread disruption to students and teachers and also affected the Welsh government public sector network, including schools, councils, hospitals and emergency services.
After he was arrested and bailed in the wake of the chaos, Kelley continued his cyber crime spree for a more “mercenary purpose”.
Mr Ratliff said Kelley had been “utterly ruthless”, adding: “Where confidential and sensitive information had been stolen in the hack - typically the personal and credit card details of the company’s clients - the defendant would threaten the company with the public release of the material, knowing and exploiting the fact that the release would risk the ruin of the company concerned.”
Kelley hacked into TalkTalk and blackmailed Baroness Harding of Winscombe and five other executives for Bitcoin, the court heard. His activities contributed to TalkTalk losses of tens of millions of pounds, while smaller firms he targeted were forced to spend hundreds of thousands of pounds to mitigate the damage.
Derived ‘enjoyment and excitement’
The defendant, who has Asperger’s syndrome and depression, only received £4,400 worth of Bitcoins from his blackmail attempts, having made demands for more than £115,000.
One tactic he used was to threaten to release vulnerabilities in a company’s systems and software and promising DDoS attacks if he was not paid off.
In one instance, he contacted all the customers of a hacked company and demanded they each pay one Bitcoin under threat of their personal data being released.
The prosecutor said: “It is clear from the content of the emails that the defendant sent that he derived enjoyment and excitement from the power he wielded over those he sought to intimidate.”
Kelley sometimes worked with a hacking collective named Team Hans, the court heard.
He did not confine himself to online blackmail and on one occasion made a menacing phone call, Mr Ratliff said. If people refused to pay up, he would offer their details for sale on the dark web.
He was also found to be in possession of computer files containing thousands of credit card details.
In December 2016, Kelley pleaded guilty to 11 charges, including hacking with intent, six counts of blackmail, encouraging hacking, offering to supply data in connection with fraud, and possession of articles for fraud.