Daniel Kelley, a reformed British computer hacker who caused over £70,000,000 in damages, has decided to share his story and answer questions from Redditors on the famous IAmA subreddit.
Kelley was arrested in 2015 and released on bail until his trial in 2019. He spent the last two years in HMP Belmarsh, a high-security prison in London.
Kelley claims, “The majority of my offences did not require extensive technical knowledge and were committed through easily identifiable web application vulnerabilities.”
He believes that he could’ve easily escaped getting caught if he had adequately obfuscated transactions and had not “reused Bitcoin addresses when making ransom demands.” The address reuse allowed authorities to link him more easily to his offenses. “I didn’t care or even consider the possibility of the consequences of what I was doing,” Kelley said in his Reddit post.
All he did was take basic countermeasures such as modifying /var/log entries and bash history to ensure that nothing was blatantly obvious.
After spending two years in prison, he concluded that freedom is way more important than anything that could come from a life of criminality. His online activity will still be vigorously tracked for the next 10 to 20 years, he admitted in one of his answers.
Kelley also complained about how the £70,000,000 figure in damages he caused was calculated, as metrics such as customers unsubscribing from a service within a certain time period and beneficial hardware upgrades resulting from his hacks were also added to the figure.
In the past four years, Kelley has been working with hundreds of prominent companies, institutions, and government agencies, helping them identify vulnerabilities in their systems. Some of the entities he has worked with so far are the University of Cambridge, Deutsche Bank, AT&T, Amazon, the Ministry of Justice, Parliament, and many more.
He is now focused on starting a career in cybersecurity, but he believes it will take a while since people still have trust issues over what he’s done in the past.
necessarily want to learn how to benefit from vulnerabilities. “I didn’t start out with that mindset; it was more of a curiosity,” he said. His interest in hacking began when he was a kid and wanted to gain an unfair advantage in the MMO games he played.
To learn, Kelley mainly relied on trial and error since the resources at the time were much more limited compared to now. Most of the methodology he used at the time was from online forums. “To identify vulnerabilities, you must first understand how the technology behind most vulnerabilities works, which allows you to then make identifications. It’s no good trying to identify an XSS if you don’t understand what HTTP and JS are, for example.”
“I didn’t have a plan for when I gained access. Most of my hacks were the result of a vulnerability in an insecure web application and generally involved uploading a web shell (typically WSO or C99). From there, I’d just exfiltrate the data and then use it to ransom the relevant company. I definitely had the opportunity to do a lot more and could have spent much longer pivoting around, but I wasn’t really interested – all that I wanted was the data,” said Kelley when asked about what his plan was once he infiltrated a certain network.