Darknet Diaries - 117: Daniel the Paladin
Episode Date: May 17, 2022Daniel Kelley (https://twitter.com/danielmakelley) was equal parts mischievousness and clever when it came to computers. Until the day his mischief overtook his cleverness.SponsorsSupport for... this show comes from Keeper Security. Keeper Security’s is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And, it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Transcript
Discussion (0)
In 2014, a five-year-old hacked Xbox Live.
A five-year-old!
Yeah, here's what happened.
The family got an Xbox for Christmas.
The five-year-old was having fun playing games,
and Dad set it up with parental controls,
so the kid could only play a few games that were set aside for him.
But the kid saw some of the other games that Dad was playing
and wanted to play those too.
He tried to get to those other games, but he couldn't.
It was locked by Dad.
But the kid didn't stop trying.
He understood that there were two different accounts,
one for kids and one for Dad.
So he clicked on his dad's account,
which prompted the kid for a password.
The kid didn't know the password.
Heck, he was five years old,
so he didn't even know how to spell,
even if he knew the password.
But when he got to the password screen, the kid just hit spacebar a bunch of times.
Tap, tap, tap, tap, tap, tap, tap, tap, tap, then enter.
And magically, it worked.
Apparently, there was a vulnerability in the Xbox parental controls that allowed someone to just type in all spaces to get out of the kid's account.
And the kid got into his dad's games and played them.
And when the kid could play his dad's games,
this is what he said.
I was like, yeah!
He played them, wasn't very good at it,
but then shut them off and went and did something else.
Without his dad knowing.
The little sneaker.
And then he did it again another day.
He bypassed parental controls, played the
game he wasn't supposed to, and then shut it off before his dad found out. But then his dad noticed
someone was playing his games and was like, that's odd. And so he asked the kid, hey, were you playing
my stuff? And the kid started to worry a little. I got nervous. He was going to find out.
His dad realized the kid must be breaking out of the parental controls and asked him to demonstrate how he did it.
So the kid showed dad how you can just mash the space key a whole bunch of times
to get to the other games.
His dad was dumbfounded.
And they reported this bug to Microsoft, who fixed it.
And they even credited the kid in the bug report as a security researcher involved with identifying it.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com
slash darknetdiaries and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn
things like penetration testing, securing the cloud, breaching the cloud, digital forensics,
and so much more. But get this, the whole thing is pay what you can. Black Hills believes that
great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
BlackHillsInfosec.com.
This is the wild and strange story of Mr. Daniel Kelly. So I think it's important to go back to 2013, 2014, because
that's when a lot of this started that led up to the events that took place. I had a normal
childhood. I really disliked school, had really low attendance, and my life pretty much resolved
around online games. So I'd go to school, I'd come home,
I'd play online games,
and I'd basically do the same thing for months on end.
I used to be obsessed with a certain game
called World of Warcraft.
And World of Warcraft essentially had a PvP system.
And I used to take this game really serious.
I picture you as a rogue.
When you were telling me this story,
I was like, this guy's definitely a rogue, When you were telling me this story, I was like,
this guy's definitely a rogue and he's a griefer, I can tell already.
No, no, that's not true.
So I had a few characters, actually.
I used to play a lot of healers.
Like my main character was a holy paladin.
But then I played Dresdor Druid for a bit.
That's pretty much all I used to play was healers.
I just don't picture you as either a paladin or a druid for a bit. That's pretty much all I used to play, was healers. I just don't picture you
as either a paladin or a druid.
That's so funny.
Yeah.
Daniel played a lot of World of Warcraft
for thousands of hours.
And during this time, he was really working hard
to rank up in PvP.
This is player versus player skirmishes,
where he'd get in a group of other players
and battle against other players to see who was better.
He was very high-ranked and very competitive,
spending as much time as possible playing this game.
And because he was high-ranked,
he would often compete against the same teams
who were around his rank.
One day, he got a strange message.
Before the match started, I received an in-game message
which basically said something like,
goodbye.
And the game started and my internet disconnected.
At the time, I didn't even realize that I'd received the message.
It was only when I went back through my chat logs that I see the message.
But basically, it would get to a point where we'd queue against the same team so much
and someone on my team would always go offline.
It would either be me or it would either be one of my teammates.
And it got to a point where I ultimately realized that we have no chance of winning whatsoever.
So I called one of the members of this specific team and asked them what they were doing.
And they sort of made a joke out of it.
They didn't admit it.
They didn't admit they were doing anything,
but they didn't say that they weren't doing anything.
So after a while, I went to Google
and I started to search how to cheat on this game, basically.
He found a forum that talked about the different kinds of cheats and hacks.
He gets on the forum and asks
them what could have caused him to be disconnected just before a match started. I basically explained
everything and I sort of like asked people to make a suggestion on what he could be doing.
A lot of people started saying that there was a high probability that I was being DDoSed.
And back then I was like 12 years old, so I really didn't understand the concept and I was being DDoSed. And back then, I was like 12 years old, so I really didn't understand the concept
and I was not familiar with this at all.
So he looks up what DDoS is
and finds it stands for Distributed Denial of Service.
And this typically means flooding someone
with so much traffic that they cannot get
to the internet anymore.
Service is denied.
Okay, that made sense.
Someone may be flooding him with tons of packets
and that made him go offline.
And then he found what a booter was,
which is a type of hacking tool that does this kind of DDoS attack.
And all you had to do was enter the victim's IP address,
and you could blast them off the internet.
But what didn't make sense to him was how did anyone know his IP address
to attack him basically at home?
There's nothing in the game that would show his IP to anyone.
So I sort of interacted with the people that posted on that thread
and asked them if they had any theories behind how he may be getting my IP address.
They came back and asked,
well, have you talked with any of your attackers over Skype in the past?
And yeah, he had.
Remember, he even called the guy up who he thought did this and asked him about it.
Well, as it turns out,
back then when you called someone on Skype,
it would store their IP address on your computer.
And then when hackers figured that out,
they created a little tool called the Skype Resolver.
And with this little tool,
all you had to do is enter someone's Skype username
and it would try to call them
and then tell you what IP address they had.
And so now he knows exactly what tools they use
to find him and kick him offline.
And so now that he knows how it's done,
he gives it a try.
And this is pretty much what I was doing
when I was like 12.
So I had a booter and I had a Skype Resolver
and I decided
to test this theory. So one night we queue against this team, I get his IP address and I DDoS him
and it basically worked. We won and I sort of realized that this is what he had been doing
all along because the effects were exactly the same.
And at the very beginning, I only used to use it against their team.
To be honest, I didn't even tell the other two players what I was doing because I didn't want them to know.
It was really tempting to do it to every single team that we came into,
but I didn't do that because I'd essentially achieved where I was
through hard work and skill and not cheating. So I wasn't about to ruin all the time that I'd spent
learning just so that I could cheat. He wasn't using this attack that much, but with this
knowledge of what it looks like when someone is attacked, he started noticing this happening more often. In fact, a lot of the top
ranked teams had been using booters to force people to leave just when a match would begin
so they could win easier. And this ruined the fun and the game for him. So he started playing less.
But what this all did was it sparked his curiosity about hacking. So he went back to that forum that taught
him how he was booted from World of Warcraft to see what other kinds of hacks there were out there.
And this is where he learned about Google dorking. Google dorking is where you use Google as a
vulnerability scanner. What I mean is Google is a search engine, right? But in order for it to be a
search engine, it needs to go out and scan and spider its way across the entire internet, scooping up tons of data about websites along the
way. And Google's not specifically looking for vulnerabilities. It's just grabbing whatever's
out there and putting it into a database so that when you search Google, it can present you with
information about what you searched for. And so you can search Google for specific things that are vulnerabilities in websites.
Like, for instance, if you do a Google search
for the term intitle index.of id underscore rsa,
this is basically asking Google
if they found any files on the internet called id rsa,
which typically stores a private key.
This file should never be out there on the internet
and open for anyone to see.
It's like exposing your password.
Yet Google has found tens of thousands of websites
that clearly display their private keys for anyone to see.
These little clever searches were what Daniel was learning,
and it opened his eyes to tons of possibilities.
One day he searched for a misconfigured admin portal
and found one and was able to log into this website as an admin.
So it was a website belonging to a school.
I don't want to name the name of the website
because it was over 10 years ago.
And what I ultimately did is deface the website,
because I just wanted to sort of, you know,
it was the first vulnerability that I ever found.
So I was sort of intrigued that I found something like that to begin with.
What did you put on the website?
So it was like some stupid picture.
It was like, I think it was like, you know, the picture of the troll face?
Yeah.
I pretty much just left that there for like a couple of days. But the thing is, back then I was like really
young. I was like, I think I was 12 or 13. So I was, it was more, I was doing it for fun, if that
makes sense. This was amazing. This was legendary, at least to a 13-year-old.
He got onto a website and changed the picture to whatever he wanted.
He felt clever and powerful.
You honestly sort of feel it's like a sensation of euphoria, if that makes sense.
Almost like a really, really big achievement.
But the problem is, after you've sort of gained access to that system,
you start to look for the next thing.
It's always the next thing
because you're always sort of chasing that feeling
and trying to replicate what you just did.
So we went back to Google,
typing in search queries that would point him
to different websites that were vulnerable.
And of course, when you type anything into Google,
it gives you 100,000 hits, right? So he starts looking through the list of potential vulnerable sites. And as he
was scrolling through, looking at the websites on the list, one stood out, Microsoft.com. Well,
it was a subdomain of Microsoft, but still, this is a big company. So he followed the link to see
if the site was vulnerable. And I found a cross-site scripting vulnerability on a subdomain in this login panel, and essentially
it allowed me to inject JavaScript into that webpage so I could craft, for example, a malicious
link and then steal user accounts, if that makes sense.
But a cross-site scripting vulnerability is hard to actually exploit.
Finding it is one thing, but using it to actually attack someone is a bit tricky.
So Daniel didn't want to use it to do any kind of malicious attack.
Instead, he just decided to tell Microsoft about it.
So back then, Microsoft ran a responsible disclosure program.
I think it was like one of the few companies back then that did.
And I basically took the proof of concept
and submitted it to Microsoft's security team.
And within a couple of hours,
well, it was either a couple of hours or a couple of days,
they got back to me and triaged the vulnerability
and basically confirmed the existence.
Did they give you anything like a shirt?
No.
So all they pretty much,
so the only real incentive I had was when I found the responsible disclosure
program,
they were offering like a page which allowed you,
where they put people's names on,
where it was like some type of security
acknowledgement where you would submit a vulnerability and they'd put your name on
the website in return for submitting that vulnerability and then but back then that
type of thing was really um like cool to me because having like your name on a website
like microsoft when you saw young seemed really sort of fascinating.
So that's basically the only incentive that I used
to sort of submit that vulnerability
or the only source of motivation then.
Yeah, so did they add your name to the thing?
Yeah, so my name was added a week or two later,
and it remains there to this day.
Very good. So far, this is a week or two later, and it remains that to this day. Very good.
So far, this is a great start for Daniel.
Replacing one image on a website, not too bad.
But now finding a vulnerability on Microsoft's website and reporting it to them, nice job.
On top of that, he was given a great big thank you.
Even better.
This could be a great start to a prosperous career for Daniel.
If he keeps it up, submits a few more vulnerabilities to companies,
he might start getting job offers.
Or he could be rewarded for responsibly disclosing bugs.
Yeah, so I pretty much started off with really positive intent.
After that initial submission with Microsoft,
I basically sort of applied the same.
I started to wonder if other companies would offer some recognition
or some type of reward.
So I went through loads of Fortune 500 companies,
started finding vulnerabilities.
And I ultimately ended up attempting to submit a lot of vulnerabilities
to these Fortune 500 companies,
but none of them ever really provided
the same response as Microsoft
because they didn't run any official
responsible disclosure programs.
Okay, so what did you do after telling them
they've got a problem and they're not fixing it?
So the vulnerability started to accumulate.
It got to a point where I was just sitting in all of these vulnerabilities
and I wasn't really sure what to do with them.
I just had them saved somewhere.
I kept doing it, kept accumulating vulnerabilities.
I kept trying to reach out to these companies,
but most of the time they wouldn't respond. So two things would happen. Either they'd respond
and nothing would come of it, or they would completely ignore your contact attempt.
But I saw, I started to accumulate all these vulnerabilities, and I guess it got to a point where I decided that I was wasting my time.
Now remember, Daniel learned these hacking techniques from a hacker forum,
and he was learning more and more from there.
In fact, he was hanging out in chat rooms with them and stuff.
And so you can just imagine his eyes shifting and darting around between
windows, right? He'd look at one screen, which showed all the vulnerabilities he found,
and then would check his email to see if any of the companies replied that he reported vulnerabilities
to. Nothing. And then he looked at the hacker chat room and the forums he was on.
And then his eyes does the loop again. Vulnerabilities, empty inbox, hacker forum.
And he knows the people on this hacker forum loved finding stuff like this.
And obviously those individuals weren't really, not all of them were ethical.
Not all of them were up to similar things that I was doing at that time.
They were up to malicious things.
But I ultimately ended up sharing all of the vulnerabilities with people that I had met on these forums.
And they sort of started using these vulnerabilities
with malicious intent, and I guess I joined them.
Now keep in mind at this point, Daniel has only found vulnerabilities.
He hadn't actually tried to exploit any of them.
It's equivalent to finding a window open on an office building at night,
but not really looking in or reaching in to grab anything.
So he tells the people on the forums,
hey, I found some vulnerabilities on some websites.
And of course they loved seeing this.
They went straight to trying to exploit it
to see what kind of information they could get out of these companies.
So they'd exploit the vulnerabilities,
they'd gain some type of access
so they'd escalate privileges
and they would just really pivot around the networks
or whatever they'd gained access to
and sometimes it would result in like data being stolen um but mainly
it was just keeping access at that point in time like it was just to see what could really be done
with the vulnerabilities if that makes sense i guess they were just doing it to see what they
could sort of accomplish like there was no real there was no real, there was no real intent, if that makes sense.
It was more like, let's fuck around
and sort of see what we can do.
Were you participating in this?
So after I shared the vulnerabilities,
I pretty much decided to participate in it.
Yeah.
I guess he's already participating,
hacking these sites just by sharing vulnerabilities with them.
Doing recon, finding vulnerabilities, and sharing that is all part of the process, right?
And I pause here for a moment because I'm trying to find the actual line
that you have to cross to become a criminal.
Walking by a building just looking to see if it has any open windows at night
isn't criminal behavior. But what if you told a group of troublemakers about this weigh-in you
found? Is that now criminal? Just telling someone about a vulnerability you found with a company?
It's hard to say. It depends where you are in the world. Like there's different computer laws pretty much in every different country. And I can only their own interpretation of the computer misuse
act so i think it ultimately comes down to ethics like if if you're going to report a vulnerability
i think there's a low likelihood that you're really going to be prosecuted for trying to
ethically disclose a vulnerability but it doesn't always turn out that way.
In that time period, I must have reported 20 or 30 vulnerabilities.
And I never received a negative response, not once.
It was either no response or a positive response.
Well, now Daniel was switching it up.
Instead of just finding vulnerabilities and reporting them to companies,
he was now actively trying to exploit these vulnerabilities
and hack into these companies and their websites
and trying to get into their systems
and doing stuff he absolutely wasn't supposed to be doing.
And this was all just for fun.
Occasionally, someone would take some data or download something.
But for the most part, it was just a big thrill to find a way in and look around. That was enough for these guys.
I'm picturing you as like half of you is there to help. You're like, man, this stuff needs to
be cleaned up. Nobody's cleaning it up. Here you go. You guys need to fix this stuff. And then half
of you is like, I'm going to have fun with what I have at the same time
and just screw around with, like, if these companies aren't going to be fixing stuff,
I might as well jump in and see what's going on in there and just take a look and get out.
Yeah, I think that's pretty much accurate.
Like, I had no real, I wasn't on one side, if that makes sense.
I was on both.
Like, sometimes I'd sort of mess around with a vulnerability,
and then sometimes I'd sort of mess around with a vulnerability, and then sometimes I'd
try and disclose it. I was never really, at that point in time, I was never really on one side,
if that makes sense. Yeah. So at that point, you start going to college, I believe.
Yeah. So around that time, I started going to college.
Daniel completed his level two coursework, which is sort of like
high school in the US, and was wanting
to go on to level three courses, which is kind of
like what you do after high school.
He finds a college near his parents' house in
Wales, in the UK, and he signs up
to study computers, which was his
passion, clearly. So I complete this
level two course, and then I apply
for the level three course, and I basically
am informed that this level three course consists of I apply for the level three course and I basically I'm informed that
this level three course consists of a lot of presentations and sort of socially you have to be
um there's a lot of activities on this course that involve there's like a social element to
them and back then I was a really unhappy and awkward fat teenager.
I really didn't like that at all.
I basically had access to this botnet.
It was essentially a Mirai botnet, which had loads. I saw someone online essentially gave me access to this botnet.
Did you pay for it?
No, so it was through someone I'd met online
and they gave me free access to it.
Now, what the Mirai botnet is best at
is flooding an IP address with gobs of traffic,
so much that it will take down a website.
It's very good at doing DDoS attacks.
They pretty much had a website.
And on that website, there was a panel
where everyone would log in.
And that's how everyone
used to access all of their work and their documents and at the time I had access to this
botnet and I guess I got really bored and decided to point it towards the college and I essentially
dedosed that college but what I didn't know know at the time is that the college was also hosting a lot of other networks.
It was one huge network that hosted a lot of services like police stations, quite a few things.
So by DDoSing this network, I had pretty much affected a lot of services, not just the
college. And I ended up DDoSing a lot more things than I really intended to. But by DDoSing that
website, in effect, nobody could log in and nobody could really access their work or upload work or pretty much do their coursework.
Well, when the main portal that students used to log in to do their work was down, this
resulted in Daniel's class getting canceled for the day, which was sort of what he wanted.
He didn't want to go to class, but he also didn't want to tell his parents that he didn't
want to go to class.
So this was the perfect excuse for him of why he wasn't going to class.
Schools canceled because the computers were out of order.
Once the scheduled time for his class was over, he turned the attack off.
Well, that worked out in his favor for the day.
But then the next week rolls around and he has classes again.
And since attacking the school with a botnet resulted in class being canceled last time,
he decided to launch the attack again.
And again, this took the computers down and it resulted in classes being canceled.
And this seemed to be working.
So every time he had to go to class, he just attacked the school.
So at the very beginning, I used to pretty much just do it in hour intervals.
Like I would DDoS the network for an hour or two. Like usually in the morning when everyone would
go into the college and quite quickly they'd find out that the network was offline and they'd
cancel everything for that day. Daniel had mixed feelings about all this.
On one hand, he was relieved that he didn't have to do any presentations at school.
But on the other hand, he felt bad for attacking a school
and ruining it for other students.
But then his curiosity was growing,
wondering how many more days can the school be canceled because of this?
Surely it can't go on forever, right?
They're not going to cancel the whole semester, will they?
It sort of made him curious
on how they're going to resolve this.
How do you defend against a Marai botnet?
How tough is the school
to be able to stand up to it?
So he continued to attack the school.
I think in total, I must have done it
well over 30 times.
Like, it became a constant thing thing i would pretty much do it
every day like so whenever the network would come back up i would just hit it again and it
became a constant thing and you know they used to send they would cancel lessons for
weeks at a time because nobody could do anything pretty much so basically one morning
so i was sleeping and i remember opening my eyes to two police officers standing in my bedroom
doorway obviously at this point i was still living with my parents because I was quite young but I remember opening my eyes to these two police officers standing in my bedroom doorway
and they sort of said to me you need to come downstairs and I pretty much went downstairs.
They like I sat down on a couch and they were going through everything like they were going through
my computer they were taking all of the electronics pretty much all the devices in the house
and at that time I was cautioned and arrested for DDoS in the college pretty much so when I
basically when I was arrested or even though they came to arrest me for the college DDoS, there was a lot of other material on my hard drive that they wouldn't have been aware of.
And they only became aware of it when they inspected my devices.
So when I previously discussed where I was sort of hacking websites for fun. That was all still on my hard drive.
So what had happened is they'd come to my house, arrested me for DDoS in the college.
They kept me in a police station for a couple of hours. They interviewed me.
I was released on bail. But during that bail period, when they sort of inspected my computers,
they would have then found all the other material,
which would have sort of allowed them to charge me with more things,
like all the computer misuse charges.
Once the police discovered all this new evidence of crimes that Daniel committed,
they re-arrested him and charged him with 13 more offenses.
They brought him down to the police station and interviewed him.
They asked him lots of questions about the stuff they found on his computers.
They let him go home and they investigated some more
and they brought him back to the station and interviewed him some more.
And this goes on and on for months.
And they finally issue him a court date
where the judge will decide what his punishment will be.
So this is where it gets a bit tricky. So basically, when they issued me with that court
date, so they issued me with a court date, I think it was the following year. And during that time
period, after I'd been released from the police station, I pretty much decided to re-offend.
And that's where it starts to get a bit more complicated.
It's funny you say it like that.
I decided to re-offend.
Was it that clear in your head that like,
I'm going to go re-offend?
It just seems like a weird thing to say.
Honestly, no, it wasn't really that clear.
We're going to take a quick break, but stay with us,
because when we come back, Daniel goes on some serious reoffending.
This episode is sponsored by Shopify.
The new year is a great time to ask yourself, what if?
When I was thinking, what if I start a podcast,
my focus was on finding a catchy name, some cool stories,
and working out the best way to record. But oh, so much more goes into making a podcast? My focus was on finding a catchy name, some cool stories, and working out the best way to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off.
Because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand, open for business, and get your first sale.
Get your store online easily with thousands of customizable drag-and-drop templates.
And Shopify helps you manage your growing business. Shipping, taxes, and payments are
all visible from one dashboard, allowing you to focus on the important stuff. So what happens if
you don't act now and someone beats you to the idea? The best time to start your new business
is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at Shopify.com slash Darknet.
Go to Shopify.com slash Darknet and start selling with Shopify today.
Shopify.com slash Darknet.
Daniel had about five months before he was due in court.
Now, the cops still had all his computers.
They confiscated those months ago and kept them for evidence.
So Daniel convinced his parents that he needed a computer in order to resume his life.
By removing my devices, what they had done is sort of stripped my existence.
I was fulfilling all of my needs
through the internet I had no other activities I used to socialize through the internet I used to
have fun through the internet entertainment through the internet and basically I I ended
up committing more offenses on bail I can't really explain why but what happened what ultimately
happened is is is that I resumed everything as if nothing had happened.
I managed to convince my parents to buy me a new device.
I went out and logged into all of these.
I logged into the communities that I was already established in and I just continued. My criminality essentially, from that point onwards, my criminality essentially escalated from low level offending to sort of blackmail, fraud and computer hacking.
There was this three month period where I basically went on this hacking spree and I steal the data, and I would then try and blackmail the founder or whoever was behind the website for money.
Once he found his way back into the groups he was in, and he got all his old tools set up again, there was no stopping him.
He went right back to his old ways.
Because, as the old saying goes,
In for a panic, in for a fun You should never jump or the merry-go-round
In for a panic, in for a fun
Now, there was no effort to do responsible disclosure.
His intention was just to figure out how to make money
with all the hacking he was doing.
And the easiest thing that came to mind was extortion.
I hacked you. Pay me or else.
That kind of stuff.
He didn't have his hands on any kind of ransomware,
or he might have tried to use that.
But what he would do was find a website with vulnerabilities,
exploit them, maybe take some data from them,
and then email the owner of the site demanding money,
or else he'll publish this data that he stole
and publish the vulnerabilities on how he got in. Sometimes he didn't even exploit the site and money or else he'll publish this data that he stole and publish the vulnerabilities
on how he got in. Sometimes he didn't even exploit the site and steal data. Sometimes he just told
them that he found a severe vulnerability on their site and will publish it unless they pay him.
What Daniel was asking was anywhere between 5 and 40 Bitcoin. And a Bitcoin then was only worth
about $200. So he was demanding anywhere from $1,000 to $10,000. Of course, companies weren't paying. So sometimes he'd escalate the situation and would get personal
data from site employees and show them how he was going to publish their information unless he paid
them. And these were some serious threats to these companies. So of course, they were reporting all
this to the authorities. But Daniel was hitting companies and countries all over the world.
Canada, the US, Australia.
Did any of these work?
So, one of the blackmails worked.
And I pretty much ended up extracting about £5,000 out of an Australian company.
And we basically sent an email to this, the CEO of this company,
and we said, if you don't pay, we're going to release all the customer data,
and we're also going to publish the source code,
which would then sort of make their product a bit useless.
And after we sent that email, that's when they decided to pay.
Now, here's why you shouldn't pay people when they try to extort you like this.
As soon as this company paid Daniel, he just wrote back to them and demanded even more money,
saying, I found even more stuff, pay me more. You can't trust criminals to be honorable in
this situation. So along with blackmail, I was putting some of the data that I had stolen up for sale.
Like I was trying to sell them on various forums
and try to make money that way.
So I made a couple of hundred of pounds,
but I never really made a lot of money.
Now getting even this little bit of money,
it was like jet fuel for Daniel.
It was amazing that his system worked
and he was getting paid for hacking. He just had to hack more and extort more and he'd get paid
more. So he kept on the hunt for more vulnerabilities and was going crazy with all
kinds of hacking and extortion attempts. The companies became a lot bigger. The websites
became a lot bigger and the blackmail, like the sums demanded with the blackmail became a lot bigger, the websites became a lot bigger, and the blackmail, like the sums demanded with the blackmail
became a lot bigger as well.
And eventually, one of the companies that I sort of hit was TalkTalk.
Oh, TalkTalk.
This is a British telecom company.
They provide cell phone and internet services.
It's a big company in the UK.
But this TalkTalk incident was quite the thing.
It all started one evening when Daniel logged into the hacking forum that he frequented.
In fact, he was such a regular at this hacking forum that he was a moderator there.
On one evening, a user posted a vulnerability for a
pretty big telecom company and had no idea how severe this was. Some savvy users on the site
pretty quickly were able to exploit this vulnerability and actually get into TalkTalk's
network and start moving around and stealing data. Daniel was seeing the frenzy that was stirring from this forum post.
This was really bad for TalkTalk.
This thread sort of got posted,
and loads of people started sharing it.
Like, it went everywhere.
It went over other forums, it went over Java, it went over IRC.
I think at that time, there must have been well over 20 people
that had this vulnerability in their possession, for sure.
And like, there were just so many people exploiting this vulnerability.
So much data was sort of stolen from TalkTalk.
It was really unbelievable.
Like even people, so people on like darknet markets
even started selling the data.
It was pretty much
everywhere so i i took the vulnerability and i initially shared it with someone on irc
and they had pretty much decided to like dump as much data as possible there was something like 64
databases and they'd they'd stolen i think it was 100,000 records before the website went offline and they
couldn't dump any more data. And that person then sent me that data on a server. The next day,
this was all over the news. Here's a clip from the BBC. Some breaking news in the last hour.
Police are investigating after a significant and sustained cyber attack
on the website of the company TokTok.
We actually have CEO of TokTok, Dido Harding, here.
First of all, Dido Harding, how many people are affected?
We don't know for certain, but we're taking the precaution tonight
of contacting all four million of our customers.
But you didn't do so, the attack was yesterday.
The attack started yesterday. We brought down all of our customers. But you didn't do it. The attack was yesterday. The attack started yesterday.
We brought down all of our websites yesterday lunchtime.
We spent the last 24 hours with the Metropolitan Police
and various security experts
trying to get to the bottom of what has happened.
Good luck trying to get to the bottom of this one.
20 different people just breached your network.
But not Daniel.
Daniel has only seen the forum post and told a friend to check this out.
And his friend is the one who got in and downloaded the database.
But at this point in Daniel's life, he was actively extorting companies left and right.
So he looked at the data that his friend took from TalkTalk and got an idea. So I had access to this data and I basically decided to gather all of the emails from the
data.
And so the staff emails, like the employee emails and the CEO's email addresses.
And I decided to send a ransom demand, basically demanding Bitcoin in exchange for me not to release this data.
And the CEO of TalkTalk, Dido Harding, did in fact get his email.
And I know this because here's another clip from the BBC a few days later.
It's a live criminal investigation.
All I can say is that I had and personally received a contact from someone
purporting, as I say, I don't know whether they are or are not, to be the hacker looking for money.
The CEO didn't reply to Daniel. Instead, she just turned over his email to the Metropolitan Police,
who got right to work investigating this case. And I've heard from a few listeners that they
don't like it when I have teenage
hackers on this show. But let me tell you why I think this is important. This isn't some cringe,
roll your eyes kind of story. Oh yeah, a teenager hacked some company, big whoop. This guy isn't
even that good of a hacker. Anyone could have done this. Maybe. But this whole TalkTalk incident
resulted in $70 million in damage to TalkTalk. They saw scores of customers cancel
their service because of this. Their stock tumbled, and the CEO had to appear before
Parliament to give testimony as to why their security failed. This was a huge problem for
TalkTalk, which meant it was a huge problem for the highly skilled, talented IT staff that works
to secure TalkTalk. We would receive what's called denial
of service attacks on our network every week. This is their adversary, a teenager who wants
to make some money from your one slip-up that you had on a server that came over when TalkTalk
acquired another company. What I'm saying is this is really important and you can't ignore this kind
of adversary. You can't roll your eyes and ignore this kind of attack, because this kind of attack can destroy your company and bring it to its knees.
This TalkTalk incident is such a big story that I actually spent a whole episode on it.
That was episode four. So if you want to know all the details of what went down in the TalkTalk
incident, go check out episode four. Anyway, as the hack died down in the news, a few weeks go by.
One evening in November, I was driving and I had a phone call from my dad. And on the phone,
all I can hear in the background is someone saying my name and then saying not to tell me
something. But my dad had basically told me that there was police waiting in my house
and they wanted to speak to me. So I initially, a part of me sort of knew what he was about at
that point. Like I wasn't that naive. Like I sort of knew what he was about. So I pretty much
turned the car around and drove home.
When you turned that car around and you were driving home,
what was going on in your head as you were driving home?
I can't imagine you listening to your favorite music and just jamming, dancing around.
No, definitely not.
I honestly got lost in my own world.
Like, on the way home, I just had so many thoughts going through my head
that I really didn't know what to think.
Like, a part of me really sort of didn't want it to be real,
even though I knew, obviously then I pretty much knew what it was,
because there was no other reason for them to sort of come back.
A part of me was just, like like wishing that it wasn't real and that it was all sort of not reality.
I mean it's really hard to explain, like I was just pretty much lost in my own world,
like there were no, there wasn't panic. I guess I was just
focused on getting back to my house. He arrives home. Now keep in mind, he lives in a small,
quiet town out in Wales. And there's like four police fans, 20 police officers. There's like
multiple agencies, undercover police officers. And you could tell it was a lot more serious this time. Like the whole street was closed
and it literally looked like a murder scene.
So I parked my car.
I walked past the police officers
because they didn't recognize me.
I walked into the house
and then my parents told me that this was me.
A part of me thinks that they were like
expecting something a lot more serious
because at first they didn't even recognize me.
They were like agencies. So lot more serious because at first they didn't even recognize me. They were like agencies.
So there was the National Crime Agency.
There was Metropolitan Police.
There was my local cybercrime unit.
They go through the house seizing all his computer equipment, just like before.
So they put me in the back of an undercover police van.
They put me in between two police officers.
And they pretty much escorted us
through town. Like they had their blue lights on. Like there was one car in front of us, one car
behind us. And we pretty much just flew through my town center. Like they closed off roundabouts,
they closed off roads. And we must have literally got to the police station in minutes.
Now at this point,
he's around 17 years old. They interviewed him and asked him what happened. Then they let him
go back home so they can investigate further. They bring him back to the police station and
charge him with 20 offenses. And they were charging him with attempting to extort Dido
Harding. And they apparently found some of the other offenses he did on the other companies too, which gave Daniel a clue on how they found him.
So when I like sent the extortion email to TalkTalk, I used Toe, like I used an anonymous
email provider.
But around that time, I was obviously still blackmailing other companies.
And what I had done is I had hacked and blackmailed another company
without using Tor I only used a VPN and they and I what I had done is I'd reused a Bitcoin address
for the TalkTalk extortion and the other company's extortion. So they had pretty much managed to use a Bitcoin address
to link those two offenses together.
And then they had investigated the smaller hack.
And because I was only using a VPN,
presumably the VPN provider turned over my IP address.
This case was bigger than what the local police station in Wales could handle.
So they took him to the Metropolitan Police in London,
about four hours away. And about two months after being arrested, he finally gets to go to the magistrate court in London. I go to my first court here. And in effect,
I'm then remanded into custody from that magistrate's court.
Which means he had to go to jail, but only for a week or two. But this was his first time in jail, and he did not like the
experience. After those seven to 10 days, I pretty much decided that, you know, I wasn't built for
prison. And it was honestly one of the worst weeks of my life. I was pretty much a cyber criminal.
Like I was there on computer hacking charges and blackmail. And then to be put in a cell with
someone that was doing five years
for armed robbery is really like it's a huge shock to the system because you honestly don't expect to
be sharing a cell with someone like that's really serious offending so i pretty much decided from
that point on that i was never going to re-offend again like i think that's when it really hit me
that just those seven to ten days i decided you know what i'm never going to re-offend again. I think that's when it really hit me that just those seven to
10 days, I decided, you know what, I'm never going to re-offend again. It's not worth anything
to go through that experience again. Now, this week he spent in jail was not
his whole punishment. I'm confused on how things go in the UK, but my theory is since he had
previous charges for hacking the school and he did all this
extortion stuff while he was out on bail, the court didn't want him to break more laws. So they threw
him in jail just to give him a taste of what prison life is like. And this worked. This shocked
his system made Daniel not want to re-offend again. Because if this was going to be his consequences,
he did not want to make it any worse. So he gets out on bail and has to wait for
his court date where they're going to figure out what his full sentence is going to be. Now, when
he's out on bail, the judge put a lot of restrictions on Daniel. A lot of them were really bizarre.
Like, I was banned from Python, the programming language. I had to register all of my devices with my local police.
I was banned from using Toe.
I was banned from using VPNs.
I was pretty much banned from a lot of technology.
I couldn't delete my internet history.
But the only one that really stands out is being banned from Python.
I couldn't really understand why they decided to put that as part of my bail conditions but yeah i had all of these sort of bail conditions on me and that's pretty much what i
had to live by for like months like after spending that week in prison i sort of had like an epiphany
and sort of realized that no matter what happens in my life I never want to be in this
place again so when I was released from when I was bailed from prison a part of me didn't even want
to like touch computers again like I found I would have found it a lot easier just to not
use computers ever again if it meant not going through that week. But as weeks went by, I sort of like, I guess I got bored.
And I ended up buying another computer.
And he eventually got back into hacking, looking for vulnerabilities on websites.
But this time it was completely different.
He was serious that he was done offending and was abiding by his bail
conditions. Because what he wanted to do was use his hacking skills for good. And he started doing
responsible vulnerability disclosures for companies, finding problems and then quietly
reporting it to them, not exploiting any of it, not stealing anything and not extorting anyone.
He wasn't even asking for a reward. He was simply trying to make
right all the wrongs he did by helping companies secure their systems better.
Like I started engaging in all of these bug bounty programs. I started engaging in responsible
disclosure. Like pretty much every day, I was reporting vulnerabilities in all types of systems while on bail.
So in my head at the time,
I sort of realized that any good that I could do would be considered during my sentence in hearing.
So it's basically called mitigation.
So you can do a lot of good things
and then your lawyers can sort of go to the judge and go,
look, these are all the good things about this defendant and this is why you should give him less of
a prison sentence or no prison sentence at all.
So I pretty much decided to like engage in responsible disclosure, report all of these
vulnerabilities to these entities and pretty much every day for like two years.
He was finding a lot of stuff and reporting it.
One place he liked reporting bugs to was MITRE's CVE program.
What I would do is I would take an open source project.
I would find a vulnerability.
I would then contact the vendor.
I'd inform the vendor.
And after they've patched the vulnerability,
I'd then ask the vendor for permission
to sort of file this proof of concept
along with a publication to this awarding body called Citra.
And they would then publicly issue a CVE ID
for this project affected.
Nice. He's responsible for finding many CVEs?
That's pretty good. CVEs are like a list of known
vulnerabilities in products. When the vulnerability you found is big enough to merit its own
CVE, it means that it's now going to be integrated into antivirus
tools, vulnerability scanners, and more security tools to detect
when someone else is exploiting this application. So not only was he privately helping vendors fix bugs,
but he was also helping the professional security community
be able to identify those bugs if anyone were to do what he did.
Did you get paid for any of these bugs that you found?
So I was doing this with no real financial intent.
I was just doing this on the sole on the sole principle of it
contributing to less of a prison sentence. But sometimes like a lot of companies would offer me
money regardless. And what I would do is I'd accept the financial rewards. And I just sort
of accumulated the money and the money then went to re-encompass it in the victims of my offending.
Now, over the course of this time, while he was waiting for his sentencing court date,
he found vulnerabilities in lots of companies. I mean, lots. And he always simply asked for a
thank you letter or a letter of recommendation from helping someone. This was the most valuable
reward he wanted. And he got a lot of letters.
He sent them to me to see too.
The PDF he gave me is over 300 pages long of just really nice things companies have said about Daniel.
For instance, here, let me read one.
Dear Dan, Deutsche Bank appreciates your ongoing efforts
in searching and responsibly communicating
IT security vulnerabilities.
You showed us a cross-site scripting vulnerability we had on our website.
And we thank you for your dedication to the task of increasing internet security
and wish you all the best for your future endeavors.
Signed, the CISO of Deutsche Bank.
The list of companies that he found vulnerabilities in
and reported them and got thank you letters for is really long.
Here, I'll have Daniel tell you a bunch of places that sent him thank you letters for is really long here i'll have daniel tell you a bunch of places that sent him
thank you letters the chrome court digital case system the national crime agency the ministry of
justice the parliament website universe university of cambridge the australian national university Stanford University, Yahoo, GCHQ, Royal Air Force, DBS Bank, AT&T, S3, BBC, Sony, Dutch Telecom, United Nations, Duke University, Adobe, AOL, Telegram, Sage, Amazon. Tell me when to stop.
I mean,
there's thousands.
I mean,
at first I was like, oh, this guy's
just getting universities and schools. That's easy.
But then I heard GCHQ and I
was like, wait, and then it just keeps going.
So what was...
There's some real, even though the
bulk of them are like cross-laced scripting vulnerabilities, there's some real, even though the bulk of them are like cross-lay scripting vulnerabilities, there are some real, really serious vulnerabilities that are reported.
Okay, so these ones that you listed, this is like, they confirmed, okay, thank you, and sent you a letter of thanks? things. I've had actual letters from the directors and CEOs of these
entities where they've said they've
acknowledged the vulnerability and they've said thanks.
The GCHQ, that comes as a
surprise as you were listing things. What happened there?
GCHQ basically published
this open source
project called CyberChef.
I've used it.
When they first published it, there was this open source project called CyberChef. Yep, I've used it.
And when they first published it,
there was a get-based XSS in it, pretty much.
Okay, so this was just a vulnerability in one of the open source tools that GCHQ puts out.
It wasn't a vulnerability in their main database or something.
But still, it's pretty cool to have a letter of appreciation
from GCHQ, isn't it?
And one day while doing all this,
Daniel came across another vulnerability that someone found on TalkTalk's site. Daniel confirmed
the vulnerability was still valid and immediately reached out to someone. But this time, instead of
telling a friend about it, he reported this to the authorities and shortly after that, it got fixed.
So in a way, he even helped TalkTalk become more secure. Daniel had truly
changed his ways and was on a serious, dedicated mission to help as many companies as possible.
He even did some math to try to quantify it all. Like, TalkTalk alone was 79 million. And if you combine everything else, it probably was closer to 100 million.
But when you really look at all the companies that I've sort of disclosed vulnerabilities in,
like, there's over 5,000 companies.
And then you take, like, some of the submissions, which are, like, P1 vulnerabilities on, on like ISPs and banks,
you can only logically assume that I've probably saved more money for those companies
than the damage that I caused.
Because like, for example, I had a vulnerability on,
I had an RCE on Virgin Media.
And that was a more critical vulnerability
than the vulnerability that I discovered on TalkTalk. And that was a more critical vulnerability than the vulnerability that I
discovered on TalkTalk. If that had been exploited, then presumably it would have had the same effect
as it had on TalkTalk. So I think it's really fair to say that after submitting all these
vulnerabilities, like over 5,000 vulnerabilities, I honestly can confidently say that I've probably saved a lot more money
for companies than my offending ever cost in terms of damage so because my because there
were so many charges and my case was so complicated I was going to court and they must have told me
like five or six times that the next time I would come
to court I would be sentenced except every time that I would go to court I would never be sentenced
and there would be some like legal dispute about a charge or something so I sort of had to live
the experience of thinking that I was going to be sentenced five to six times and when that
kept happening it really started to play like on my mental health I really I got really depressed
basically because it was a really stressful situation to be in and like my like my lawyers
were telling me okay you're going to get 12 and a half years, you're going to get five years. And a part of me just wanted it to like stop completely. So I would pretty much like
just go home and I would honestly do nothing. Like I would spend months, I would spend pretty
much all day just in bed, waiting for my next sentence in hearing.
Like it just be, it was like being locked.
It was essentially like being in limbo.
Like I would just wait for the next date, the next date.
And that's pretty much how I lived the last two years on bail.
Like I was, my entire life just resolved around these dates that were being set.
And eventually it got to a point where I was so depressed that I lost over seven stone in weight.
And I became emaciated.
I used to be really overweight.
I pretty much lost half of my body weight.
And I started to get really depressed. I stopped eating.
And eventually my legal team sort of took notice and they started to refer me to doctors and
psychiatrists. He pleaded guilty to 10 or 11 of these charges brought against him, but they were
trying to charge him with things he didn't actually do.
And this caused some disputes.
At this point, there was a huge
sort of dispute between a lot of psychiatrists
and doctors saying whether I was even
fit to go to trial, because I was
I intended on pleading not guilty
to these new allegations
because
I'm actually innocent.
I didn't actually commit them. You know, there
were days I'd even wake up and I wouldn't be able to remember my own name. So after
this huge dispute of seeing those psychiatrists and doctors, they essentially deem me not
fit to go to trial. So the prosecution essentially wasted a lot of taxpayers' money for no reason.
So with him not able to stand trial to dispute the charges against him, the court had no choice
but to simply charge him with whatever they thought he was guilty of and sentence him.
His sentencing date kept getting pushed back, but eventually came after four years of waiting.
It really was four years?
Yeah, so I was arrested for the Talk Talk hack in 2015, November,
and then I was sentenced in 2019 in June.
By this point, he was 21 years old.
Sentencing comes, and essentially it comes down to whether I'm going to go to hospital or prison.
And what the judge essentially did is gotten the head of the health care unit in HMP Belmarsh to sort of take responsibility for me.
She was at my sentencing hearing.
And when I was being sentenced, the judge put my, so he read out 12
and a half years. 12 and a half years in prison is what the judge said was his punishment. Oof,
14 years is the maximum for extortion crimes. It couldn't really get much worse for him.
But this was only the starting point. Quickly, Daniel's lawyer jumps up and says to the judge
that Daniel has had excellent behavior while on bail and has not reoffended.
And this made the judge happy and reduced the sentence a little.
Then Daniel pulled out hundreds of positive letters
he received from helping all those companies improve their security.
And the judge was particularly impressed by this
and lowered the sentence some more.
And his lawyer kept coming up with other reasons on why Daniel deserves a lower sentence.
And the judge kept lowering it.
He read it 12 and a half years and then he went 10 years, 9 years, 7 years.
And it essentially got to 4 years.
4 years prison time was his final sentence that he received for this criminal behavior.
Now in the UK, you only serve half your time in prison and the other half out in the community,
sort of like parole in the US.
When it was at the end there and they said four years, what was going through your mind?
Honestly, at that time, I was just in a, I was in a state of shock because I couldn't actually, I couldn't actually get over the fact that he'd read out 12 years to begin
with. Like once I heard that figure, I really, I sort of just went numb and like my mind just sort
of went blank. And it was almost like an out of body experience. Like I couldn't actually believe
that he had read out 12 years. And it was only really after I'd been taken down under
the courts that I really started to consider the possibility of doing four years in prison.
They immediately whisk him off to prison, directly from court. But first he had to get some health
care to get his mental state back to normal. But once he was showing signs of stability,
they put him in the main cell block with the other prisoners. But just
when he got used to the routine, they put
him on a bus and moved him to another
prison. A supermax prison, even.
Of course, when you go
to a new prison, all the other prisoners want
to know what you did to get there.
And he tells them the truth and says, hey, look up
my name if you don't believe me. So they did.
You know, a lot of them actually thought that I stole
70 million pounds from TogTog. They realize that I, that was the damage cost.
And anyway, I have loads of like gang members asking me to hack their phones. They're asking
me to hack the canteen, hack the prison. He got on pretty well with the other prisoners.
They liked him since he didn't pose as any threat to them. And they thought he was
smart with computers. But the prison guards and staff did not like him.
They were afraid of what he might do
if he used any of the computers in prison.
And they must have gotten word from someone else too,
because they just didn't treat him well.
Like, for instance,
they randomly searched his prison cell frequently,
much more frequently than any of the other prisoners
when he was there.
And he knew something was off, because he just couldn't figure out why he was being treated
differently. One morning at 5 a.m., he gets woken up by some guards telling him, get out,
we're searching your cell. And of course, he gets out and looks around and sees there are some other
cells being raided, but they're all people he knew in prison. Out of all the prisoners, why is it him
and just the people he knows that are getting raided? It didn't make
sense. When they raid your cell,
they just rip everything apart.
They tip the bed apart.
I was
even, so I go back to my cell and I was even
told that they were using
screwdrivers and stuff
to take furniture apart
to see if I was hiding anything.
And stuff to take furniture apart to see if I was hiding anything. And I get back to my cell, I clean everything up.
And funnily enough, there was a razor that I didn't even know that was in the cell from
the previous occupant.
And they just sort of put it on the table and left it there, almost to send like a message
to say, look, we found something, but I really didn't even know it was in the cell.
So there we go so what that essentially
did was make me become even closer friends with these they just they were all part of like a gang
in effect so I become close friends with these people two days later my cell opens again 7am
and they say right you're being drug test come us. I don't take drugs, okay? Drug tested. Come
with us. So I go for some drug test. On the piece of paper that they give me, it says it's randomly
allocated, except it's not randomly allocated because you can see the coincidence, right?
But that's how they were abusing the system. They were saying it was just randomly allocated.
It's a load of bullshit. They were just trying to cause some inconvenience, I think, or they
had some source of intelligence. Someone probably said something. I didn't take
drugs, but that's how intelligence works. So I negative on that drug test. And then Christmas
Eve comes. So Christmas Eve morning, my cell opens at 6am and they tell me, two prison officers tell
me, you're being transferred. And I said, okay.
At first I was like, okay, maybe this isn't a bad thing.
Why too?
And they say HMP Bristol.
Now, HMP Bristol is a really bad prison, okay?
It's a Victorian old prison.
It's in England.
And it's not really a prison anyone wants to go to,
especially over Christmas.
It was their way of sort of ruining my Christmas
and throwing me out of that prison as fast as they could. But anyway, after like they tell me I'm being transferred to HMB Bristol,
everyone's out of their cells and these gang members sort of figure out what's going on.
And they convinced me that it's a really good, I sort of, I was 50-50 apart from me. I didn't
want to go to Bristol, but I knew I didn't have a choice because i couldn't just stay in berwin because they'd now remove that choice like they removed that option if i stayed
that they would have just took me to like segregation or something so one of these gang
members essentially convinces me to like put a razor so take a safety razor and put it in my
mouth okay what essentially that does is it invokes like a safer custody issue because that essentially means that it's like self-harm like the prison officers can't
touch you and i put it so i this guy like this is completely out of character by the way i'm not
like some irrational person that was around self-harming i'm not saying the self-harm is
irrational i'm just saying i'm not the type of person to do that. I don't put razors in my mouth and all of this type of thing. It was only when that suggestion was made to me
that I did it. So I put a safety razor in my mouth because these gang members had convinced me to do
it. And I put it in my mouth and I looked at the prison officer and I said, I'm not moving.
Anyway, everyone's locked up.
Well, they tried to lock everyone up because this is taking place in my cell
and all the prisoners essentially refused
because there's a huge crowd inside my cell
and they've sort of worked out what's going on.
And because I was on good terms with these prisoners,
they thought it was really unfair.
It was my first time in prison.
I was in for computer hacking
and it was really unfair to transfer me to a prison like HMP Bristol on Christmas Eve so they refused
prisoners start smashing the wing up they they started smashing the kiosk and in effect a really
small riot starts someone threw a fridge off the top landing.
And all the prison officers left the wing.
I was oblivious to this at this time because I was in my cell.
So later on.
So when this is happening, all the prison officers leave their cell.
Leave the wing, sorry.
And everything goes quiet.
All the prisoners are just there like rioting.
I'm sitting in my cell. I've got a razor in my mouth.
And we're just sort of sitting here.
So I go by the doorframe.
And 45 seconds later, less than a minute,
about eight prison officers wearing riot gear come marching onto the wing.
I can see them coming onto the wing.
They've got riot shields, they've got buttons, and they're all kitted up. And they're walking towards me. And I sort of
realized that if I didn't drop this razor and comply in the next 30 seconds, they were going to
force me to comply. So I spat the razor out and I said, look, I'm going. Take me to where you want to go.
They transferred him to another prison, and he spent a few months there.
It was much worse than the other two he was in.
But he gets through it and finishes his prison sentence.
So you spent how long in prison?
So I did two years in prison.
When did you get out?
June, last year. Since getting out of prison, he still has to do two years in prison. When did you get out? June, last year.
Since getting out of prison, he still has to do two years of probation,
and he has to follow all the rules set forth on him.
He can use a computer and the internet, but he has restrictions.
And he hopes to someday get a regular, above-board job doing cybersecurity.
So, last question.
Yeah.
What's your biggest regret?
probably blackmailing people
why?
I don't really
I don't regret
the hacking aspect
of what I did
I just think that my offending became really twisted
when I started blackmailing people
because that's where it became really personal
and I think that's where it became really personal.
And I think that's ultimately what sent me to prison.
I think just hacking systems is completely different in comparison to blackmail.
Thanks to Daniel Kelly for sharing the story with us.
This show is made by me, your friendly moderator, Jack Recider.
Sound design was done by the two-eared Andrew Merriweather,
and our theme music is by the mysterious Breakmaster Cylinder.
Oh, and hey, if you ever have questions about TCP IP,
I know the pro to call.
Get it? Pro to call?
Forget it. This is Darknet Diaries.