117: Daniel the Paladin

1h 9m

Daniel Kelley (https://twitter.com/danielmakelley) was equal parts mischievous and clever when it came to computers. Until the day his mischief overtook his cleverness.


Sponsors

Support for this show comes from Keeper Security. Keeper Security is an enterprise password management system. Keeper locks down logins, payment cards, confidential documents, API keys, and database passwords in a patented Zero-Knowledge encrypted vault. And it takes less than an hour to deploy across your organization. Get started by visiting keepersecurity.com/darknet.


Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.


Transcript

In 2014, a five-year-old hacked Xbox Live.

A five-year-old.

Yeah, here's what happened.

The family got an Xbox for Christmas.

The five-year-old was having fun playing games, and dad set it up with parental controls.

So the kid could only play a few games that were set aside for him.

But the kid saw some of the other games that dad was playing and wanted to play those too.

He tried to get to those other games, but he couldn't.

It was locked by dad.

But the kid didn't stop trying.

He understood that there were two different accounts, one for kids and one for dad.

So he clicked on his dad's account, which prompted the kid for a password.

The kid didn't know the password.

Heck, he was five years old, so he didn't even know how to spell, even if he knew the password.

But when he got to the password screen, the kid just hit spacebar a bunch of times.

Tap, tap, tap, tap, tap, tap, tap, tap, tap, then enter.

And magically, it worked.

Apparently, there was a vulnerability in the Xbox parental controls that allowed someone to just type in all spaces to get out of the kid's account.

And the kid got into his dad's games and played them.

And when the kid could play his dad's games, this is what he said.

I was like, yeah.

He played them, wasn't very good at it, but then shut them off and went and did something else without his dad knowing, the little sneaker.

And then he did it again another day.

He bypassed parental controls, played the game he wasn't supposed to, and then shut it off before his dad found out.

But then his dad noticed someone was playing his games and was like, that's odd.

And so he asked the kid, hey, were you playing my stuff?

And the kid started to worry a little.

I got in all this.

He was gonna find out.

His dad realized the kid must be breaking out of the parental controls and asked him to demonstrate how he did it.

So the kid showed dad how you can just mash the space key a whole bunch of times to get to the other games.

His dad was dumbfounded.

And they reported this bug to Microsoft, who fixed it.

And they even credited the kid in the bug report as a security researcher involved with identifying it.

These are true stories from the dark side of the internet.

I'm Jack Rhysider.

This is Darknet Diaries.

This episode is sponsored by my friends at Black Hills Information Security.

Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.

Through their Antisyphon Training program, they teach you how to think like an attacker.

From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.

Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.

For hackers.

But do you need someone to do a penetration test to see where your defenses stand?

Or are you looking for 24-7 monitoring from their active SOC team?

Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle ready all the time.

Well, they can help you with all of that.

They've even made a card game.

It's called Backdoors and Breaches.

The idea is simple.

It teaches people cybersecurity while they play.

Companies use it to stress test their defenses.

Teachers use it in the classroom to train the next generation.

And if you're curious, there's a free version online that you can try right now.

And this fall, they're launching a brand new competitive edition of Backdoors and Breaches where you and your friends can go head-to-head hacking and defending just like the real thing.

Check it all out at blackhillsinfosec.com/darknet.

That's blackhillsinfosec.com/darknet.

This show is sponsored by DeleteMe.

DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.

DeleteMe knows your privacy is worth protecting.

Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.

DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.

They're even on the lookout for new data leaks that might re-release info about you.

Privacy is a super important topic for me.

So a year ago I signed up.

DeleteMe immediately got busy scouring the internet looking for my name and gave me reports of what they found.

Then they got busy deleting things.

It was great to have someone on my team when it comes to protecting my privacy.

Take control of your data and keep your private life private by signing up for DeleteMe.

Now at a special discount for my listeners, get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code DD20 at checkout.

The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DD20 at checkout.

That's joindeleteme.com/darknetdiaries, code DD20.

This is the wild and strange story of Mr. Daniel Kelley.

So I think it's important to go back to 2013, 2014, because that's when a lot of this started that led up to the events that took place.

I had a normal childhood.

I really disliked school.

I had really low attendance.

And my life pretty much revolved around online games.

So I'd go to school.

I'd come home.

I'd play online games.

And I'd basically do the same thing for months on end.

I used to be obsessed with a certain game called World of Warcraft.

And World of Warcraft essentially had a PvP system.

And I used to take this game really serious.

I picture you as a rogue.

When you were telling me the story, I was like, this guy's definitely a rogue.

And he's a griefer, I can tell already.

No, no, that's not true.

I had a few characters, actually.

I used to play a lot of healers.

Like, my main character was a Holy Paladin.

But then I played Resto Druid for a bit.

That's pretty much all I used to play, was healers.

I just don't picture you as either a paladin or a druid.

That's so funny.

Yeah.

Daniel played a lot of World of Warcraft for thousands of hours.

And during this time, he was really working hard to rank up in PvP.

This is player versus player skirmishes, where he'd get in a group of other players and battle against other players to see who was better.

He was very high-ranked and very competitive, spending as much time as possible playing this game.

And because he was high-ranked, he would often compete against the same teams who were around his rank.

One day, he got a strange message.

Someone on my team would always go offline.

It would either be me, or it would either be one of my teammates.

And it got to a point where I ultimately realized that we have no chance of winning whatsoever.

So I called one of the members of this specific team and asked them what they were doing.

And they sort of made a joke out of it.

They didn't admit it.

They didn't admit that they were doing anything, but they didn't... say that they weren't doing anything.

So after a while, I sort of went to Google and I started to search on how to cheat on this game.

Basically, he found a forum that talked about the different kinds of cheats and hacks.

He gets on the forum and asks them what could have caused him to be disconnected just before a match started.

I basically explained everything and I sort of like asked people to make a suggestion on what he could be doing.

A lot of people started saying that there was a high probability that I was being DDoSed.

And back then, I was like 12 years old, so I really didn't understand the concept and I was not familiar with this at all.

So he looks up what DDoS is and finds it stands for distributed denial of service.

And this typically means flooding someone with so much traffic that they cannot get to the internet anymore.

Service is denied.

Okay, that made sense.

Someone may be flooding him with tons of packets and that made him go offline.

And then he found what a booter was, which is a type of hacking tool that does this kind of DDoS attack.

And all you had to do was enter the victim's IP address and you could blast them off the internet.

But what didn't make sense to him was how did anyone know his IP address to attack him basically at home?

There's nothing in the game that would show his IP to anyone.

So I sort of interacted with the people that posted on that thread and asked them if they had any theories behind how he may be getting my IP address.

They came back and asked.

Well, have you talked with any of your attackers over Skype in the past?

And yeah, he had.

Remember, he even called the guy up who he thought did this and asked him about it.

Well, as it turns out, back then, when you called someone on Skype, it would store their IP address on your computer.

And then when hackers figured that out, they created a little tool called the Skype Resolver.

And with this little tool, all you had to do is enter someone's Skype username and it would try to call them and then tell you what IP address they had.

And so now he knows exactly what tools they use to find him and kick him offline.

And so now that he knows how it's done, he gives it a try.

And this is pretty much what I was doing when I was like 12.

So I had a booter and I had a Skype resolver and I decided to test this theory.

So one night we go against this team.

I get his IP address and I DDoS him.

And it basically worked.

We won, and I sort of realized that this is what he had been doing all along, because the effects were exactly the same.

And at the very beginning, I only used to use it against their team.

And I, to be honest, I didn't even tell the other two players what I was doing because I didn't want them to know.

It was really tempting to do it to every single team that we queued into, but I didn't do that because I'd essentially achieved where I was through hard work and skill and not cheating.

So I wasn't about to ruin all the time that I'd spent learning just so that I could cheat.

He wasn't using this attack that much, but with this knowledge of what it looks like when someone is attacked, he started noticing this happening more often.

In fact, a lot of the top-ranked teams had been using booters to force people to leave just when a match would begin so they could win easier.

And this ruined the fun and the game for him.

So he started playing it less.

But what this all did was it sparked his curiosity about hacking.

So he went back to that forum that taught him how he was booted from World of Warcraft to see what other kinds of hacks there were out there.

And this is where he learned about Google dorking.

Google dorking is where you use Google as a vulnerability scanner.

What I mean is Google is a search engine, right?

But in order for it to be a search engine, it needs to go out and scan and spider its way across the entire internet, scooping up tons of data about websites along the way.

And Google's not specifically looking for vulnerabilities, it's just grabbing whatever's out there and putting it into a database so that when you search Google, it can present you with information about what you searched for.

And so you can search Google for specific things that are vulnerabilities in websites.

Like for instance, if you do a Google search for the term intitle:index.of id_rsa, this is basically asking Google if they found any files on the internet called id_rsa, which typically stores a private key.

This file should never be out there on the internet and open for anyone to see.

It's like exposing your password.

Yet, Google has found tens of thousands of websites that clearly display their private keys for anyone to see.

These little clever searches were what Daniel was learning, and it opened his eyes to tons of possibilities.

One day he searched for a misconfigured admin portal and found one and was able to log into this website as an admin.

So it was a website belonging to a school.

I don't want to name the name of the website because it was over 10 years ago.

But and what I ultimately did is deface the website because I just wanted to sort of you know, it was the first vulnerability that I ever found.

So I was sort of intrigued that I found something like that to begin with.

What did you put on the website?

So it was like some stupid picture.

It was like, I think it was like, do you know the picture of the troll face?

Yeah.

I pretty much just left that there for like a couple of days.

But the thing is, back then, I was like really young.

I was like, I think I was 12 or 13.

So I was, it was more, I was doing it for fun, if that makes sense.

This was amazing.

This was legendary, at least to a 13-year-old.

He got onto a website and changed the picture to whatever he wanted.

He felt clever and powerful.

You honestly, like, sort of feel, it's like a sensation of euphoria, if that makes sense.

Almost like a really, really big achievement.

But the problem is, after you've sort of gained access to that system, you start to look for the next thing.

It's always the next thing, because you're always sort of chasing that feeling and trying to replicate what you just did.

So he went back to Google, typing in search queries that would point him to different websites that were vulnerable.

And of course, when you type anything into Google, it gives you 100,000 hits, right?

So he starts looking through the list of potential vulnerable sites.

And as he was scrolling through, looking at the websites on the list, one stood out, Microsoft.com.

Well, it was a subdomain of Microsoft, but still, this is a big company.

So he followed the link to see if the site was vulnerable.

And I found a cross-site scripting vulnerability on a subdomain in this login panel.

And essentially, it allowed me to like inject JavaScript into that web page so I could like craft, for example, a malicious link and then steal user accounts, if that makes sense.

But a cross-site scripting vulnerability is hard to actually exploit.

Finding it is one thing, but using it to actually attack someone is a bit tricky.

So Daniel didn't want to use it to do any kind of malicious attack.

Instead, he just decided to tell Microsoft about it.

So back then, Microsoft ran a responsible disclosure program.

I think it was like one of the few companies back then that did.

And I basically took the proof of concept and submitted it to Microsoft's security team.

And within a couple of hours, they pretty, well, it was either a couple of hours or a couple of days.

They got back to me and triaged the vulnerability and basically confirmed the existence.

Did they give you anything, like a shirt?

No.

So all they pretty much...

So the only real incentive I had was when I found the Responsible Disclosure Programme, they were offering, like, a page which allowed you, where they put people's names on, where it was like some type of security acknowledgement, where you would submit a vulnerability and they'd put your name on the website in return for submitting that vulnerability.

And then, but back then, that type of thing was really, like, cool to me, because having, like, your name on a website like Microsoft when you're so young seemed really sort of fascinating.

So that's basically the only incentive that I used to sort of submit that vulnerability, or the only source of, like, motivation then.

Yeah, so did they add your name to the thing?

Yeah, so my name was added a week or two later and it remains there to this day.

Very good.

So far, this is a great start for Daniel.

Replacing one image on a website, not too bad.

But now finding a vulnerability on Microsoft's website and reporting it to them, nice job.

On top of that, he was given a great big thank you.

Even better.

This could be a great start to a prosperous career for Daniel.

If he keeps it up, submits a few more vulnerabilities to companies, he might start getting job offers, or he could be rewarded for responsibly disclosing bugs.

Yeah, so I pretty much started off with really positive intent.

After that initial submission with Microsoft, I basically sort of applied the same.

I started to wonder if other companies would offer some recognition or the same or some type of reward.

So I went through, like, loads of Fortune 500 companies, started finding vulnerabilities, and I ultimately ended up submit, well, attempting to submit a lot of vulnerabilities to these Fortune 500 companies.

But none of them ever really provided the same response as Microsoft, because they didn't run any official responsible disclosure programs.

Okay, so what did you do after telling them they've got a problem and they're not fixing it?

So the vulnerabilities started to accumulate.

Like it got to a point where I was just sitting in all of these vulnerabilities and I wasn't really sure what to do with them.

Like I just had them saved somewhere.

I kept doing it, kept accumulating vulnerabilities.

I kept trying to reach out to these companies.

But most of the time, they wouldn't respond.

So two things would happen.

Either they'd respond and nothing would come of it, or they would completely ignore your contact attempt.

But I started to accumulate all these vulnerabilities, and I guess it got to a point where I decided that I was wasting my time.

Now remember, Daniel learned these hacking techniques from a hacker forum, and he was learning more and more from there.

In fact, he was hanging out in chat rooms with them and stuff.

And so you can just imagine his eyes shifting and darting around between windows, right?

He'd look at one screen, which showed all the vulnerabilities he found, and then would check his email to see if any of the companies replied that he reported vulnerabilities to.

And nothing.

And then he looked at the hacker chat room and the forums he was on.

And then his eyes do the loop again.

Vulnerabilities, empty inbox, hacker forum.

And he knows the people on this hacker forum loved finding stuff like this.

And obviously those individuals weren't really... not all of them were ethical.

Not all of them were up to similar things that I was doing at that time.

They were up to like malicious things.

But I ultimately ended up sharing all of the vulnerabilities with people that I'd met on these forums.

And they sort of started using these vulnerabilities with malicious intent and I guess I joined them.

Now keep in mind at this point Daniel has only found vulnerabilities.

He hadn't actually tried to exploit any of them.

It's equivalent to finding a window open on an office building at night but not really looking in or reaching in to grab anything.

So he tells the people on the forums, hey I found some vulnerabilities on some websites.

And of course they loved seeing this.

They went straight to trying to exploit it to see what kind of information they could get out of these companies.

So they'd exploit the vulnerabilities.

They'd gain some type of access.

And then, so they'd like escalate privileges and they would just really pivot around the networks or whatever they'd gained access to.

And sometimes it would result in like data being stolen.

But mainly it was just keeping access at that point in time.

Like it was just to see what could really be done with the vulnerabilities, if that makes sense.

I guess they were just doing it to see what they could sort of accomplish.

Like, there was no real...

There was no real intent, if that makes sense.

It was more like, let's fuck around and sort of see what we can do.

Were you participating in this?

So, after I shared the vulnerabilities, I pretty much decided to participate in it.

Yeah.

I guess he's already participating, hacking these sites just by sharing vulnerabilities with them.

Doing recon, finding vulnerabilities, and sharing that is all part of the process, right?

And I pause here for a moment because I'm trying to find the actual line that you have to cross to become a criminal.

Walking by a building just looking to see if it has any open windows at night isn't criminal behavior.

But what if you told a group of troublemakers about this way-in you found?

Is that now criminal?

Just telling someone about a vulnerability you found with a company?

It's hard to say.

It depends where you are in the world.

Like, there's different computer laws pretty much in every different country.

And I can only speak on behalf of the UK.

And in the UK, the Computer Misuse Act is so vague that there's like different interpretations of it.

Like, I've read somewhere that the National Crime Agency has their own interpretation of the Computer Misuse Act.

So I think it ultimately comes down to ethics.

Like if you're going to report a vulnerability, I think there's a low likelihood that you're really going to be prosecuted for trying to ethically disclose a vulnerability.

But it doesn't always turn out that way.

Like in that time period, I must have reported 20 or 30 vulnerabilities.

And I never received a negative response, not once.

It was either a null response or a positive response.

Well, now Daniel was switching it up.

Instead of just finding vulnerabilities and reporting them to companies, he was now actively trying to exploit these vulnerabilities and hack into these companies and their websites and trying to get into their systems and doing stuff he absolutely wasn't supposed to be doing.

And this was all just for fun.

Occasionally, someone would take some data or download something, but for the most part, it was just a big thrill to find a way in and look around.

That was enough for these guys.

I'm picturing you as, like, half of you is there to help.

You're like, man, this stuff needs to be cleaned up, nobody's cleaning it up, here you go, you guys need to fix this stuff.

And then half of you is like, I'm gonna have fun with what I have at the same time and just screw around with, like, if these companies aren't gonna be fixing stuff, I might as well jump in and see what's going on in there and just take a look and get out.

Yeah, I think that's pretty much accurate.

Like, I had no real... I wasn't on one side, if that makes sense.

I was on both.

Like, sometimes I'd sort of mess around with a vulnerability, and then sometimes I'd try and disclose it.

I was never really, at that point in time, I was never really on one side, if that makes sense.

Yeah.

So at that point, you start going to college, I believe?

Yeah, so around that time I started going to college.

Daniel completed his level two coursework, which is sort of like high school in the US, and was wanting to go on to level three courses, which is kind of like what you do after high school.

He finds a college near his parents' house in Wales, in the UK, and he signs up to study computers, which was his passion, clearly.

So I complete this level two course and then I apply for the level three course.

And I basically am informed that this level three course consists of a lot of presentations and sort of socially, you have to be...

There's a lot of activities on this course that involve, there's like a social element to them.

And back then, I was a really unhappy and awkward, fat teenager.

I really didn't like that at all.

I basically had access to this botnet.

It was essentially a Mirai botnet, which had loads.

I saw someone online essentially gave me access to this botnet.

Did you pay for it?

No, it was through someone I'd met online, and they gave me free access to it.

Now, what the Mirai botnet is best at is flooding an IP address with gobs of traffic, so much that it will take down a website.

It's very good at doing DDoS attacks.

They pretty much had a website, and on that website, there was a panel where everyone would log in, and that's how everyone used to access all of their work and their documents.

And at the time, I had access to this botnet, and I guess I got really bored and decided to point it towards the college, and I essentially DDoSed that college.

But what I didn't know at the time is that the college was also hosting a lot of other networks.

It was basically, so it was one huge network that hosted a lot of services, like police stations, quite a few things.

And so by DDoSing this network, I had pretty much affected a lot of services, not just the college.

And I ended up DDoSing a lot more things than I really intended to.

But yeah, by DDoSing that website, in effect, nobody could log in.

And nobody could really access their work or upload work or pretty much do their coursework.

Well, when the main portal that students used to log in to do their work was down, this resulted in Daniel's class getting cancelled for the day, which was sort of what he wanted.

He didn't want to go to class, but he also didn't want to tell his parents that he didn't want to go to class.

So this was the perfect excuse for him of why he wasn't going to class.

School's canceled because the computers were out of order.

Once the scheduled time for his class was over, he turned the attack off.

Well, that worked out in his favor for the day.

But then the next week rolls around and he has classes again.

And since attacking the school with a botnet resulted in class being cancelled last time, he decided to launch the attack again.

And again, this took the computers down, and it resulted in classes being cancelled.

And this seemed to be working.

So every time he had to go to class, he just attacked the school.

So at the very beginning, I used to pretty much just do it in hour intervals.

Like, I would DDoS the network for an hour or two, like, usually in the morning when everyone would go into the college, and quite quickly they'd find out that the network was offline and they'd cancel everything for that day.

Daniel had mixed feelings about all this.

On one hand, he was relieved that he didn't have to do any presentations at school.

But on the other hand, he felt bad for attacking a school and ruining it for other students.

But then his curiosity was growing, wondering how many more days can the school be canceled because of this?

Surely it can't go on forever, right?

Like they're not going to cancel the whole semester, will they?

It sort of made him curious on how they're going to resolve this.

How do you defend against a Mirai botnet?

How tough is the school to be able to stand up to it?

So he continued to attack the school.

I think in total, I must have done it well over 30 times.

Like it became a constant thing.

I would pretty much do it every day.

Like, so whenever the network would come back up, I would just hit it again.

And it became a constant thing.

And, you know, they used to send, they would cancel lessons for weeks at a time because nobody could do anything, pretty much.

So basically, one morning, so I was sleeping and I remember opening my eyes to two police officers standing in my bedroom doorway.

Obviously, at this point, I was still living with my parents because I was quite young.

But I remember opening my eyes to these two police officers standing in my bedroom doorway, and they sort of said to me, You need to come downstairs.

And I pretty much went downstairs.

They, like, I sat down on a couch and they were going through everything.

Like they were going through my computer, they were taking all of the electronics, pretty much all the devices in the house.

And at that time, I was cautioned and arrested for DDoSing the college, pretty much.

So basically, when I was arrested, or even though they came to arrest me for the college DDoS, there was a lot of other material on my hard drive that they wouldn't have been aware of.

And they only became aware of it when they inspected my devices.

So when I previously discussed where I was sort of hacking websites for fun, that was all still on my hard drive.

So what had happened is they'd come to my house, arrested me for DDoSing the college.

They kept me in a police station for a couple of hours.

They interviewed me.

I was released on bail.

But during that bail period, when they sort of inspected my computers, they would have then found all the other material, which would have sort of allowed them to charge me with more things, like all the computer misuse charges.

Once the police discovered all this new evidence of crimes that Daniel committed, they re-arrested him and charged him with 13 more offenses.

They brought him down to the police station and interviewed him.

They asked him lots of questions about the stuff they found on his computers.

They let him go home and they investigated some more and they brought him back to the station and interviewed him some more.

And this goes on and on for months.

And they finally issue him a court date where the judge will decide what his punishment will be.

So this is where it gets a bit tricky.

So basically, when they issued me with that court date, so they issued me with the court date, I think it was the following year.

And during that time period, after I'd been released from the police station, I pretty much decided to re-offend.

And that's where it starts to get a bit more complicated.

It's funny you say it like that.

I decided to reoffend.

Was it that clear in your head that, like, I'm going to go reoffend?

It just seems like a weird thing to say.

Um, honestly, no, it wasn't really that clear.

We're going to take a quick break, but stay with us because when we come back, Daniel goes on some serious reoffending.

This episode is sponsored by Vanta.

In today's fast-changing digital world, proving your company is trustworthy isn't just important for growth, it's essential.

That's why Vanta is here.

Vanta helps companies of all sizes get compliant fast and stay that way with industry-leading AI, automation, and continuous monitoring.

So whether you're a startup tackling your first SOC 2 or ISO 27001 or an enterprise managing vendor risk, Vanta's trust management platform makes it quicker, easier, and more scalable.

Vanta also helps you complete security questionnaires up to five times faster so you can win bigger deals sooner.

The results?

According to a recent IDC study, Vanta customers slashed over $500,000 a year in costs and are three times more productive.

Establishing trust isn't optional.

Vanta makes it automatic.

Visit vanta.com/darknet to sign up for a free demo today.

That's vanta.com/darknet.

Daniel had about five months before he was due in court.

Now, the cops still had all his computers.

They confiscated those months ago and kept them for evidence.

So Daniel convinced his parents that he needed a computer in order to resume his life.

By removing my devices, what they had done is sort of stripped my existence.

My every, all, I was fulfilling all of my needs through the internet.

I had no other activities.

I used to socialize through the internet.

I used to have fun through the internet, entertainment through the internet.

And basically, I

I ended up committing more offenses on bail.

I can't really explain why, but what happened, what ultimately happened is, is that I resumed everything as if nothing had happened. I managed to convince my parents to buy me a new device. I went out and I logged into all of these

I logged, like, I logged into the communities that I was already established in and I just continued

and

my criminality essentially from that point onwards my criminality essentially escalated from

low-level offending to sort of blackmail

fraud and computer hacking.

There was this three-month period where I basically went on this hacking spree and

I acted in a group and I acted on my own.

I sort of would hack into websites, I would steal the data,

and I would then try and blackmail the founder or the

whoever was behind the website for money.

Once he found his way back into the groups he was in and he got all his old tools set up again, there was no stopping him.

He went right back to his old ways.

Because, as the old saying goes,

Now, there was no effort to do responsible disclosure.

His intention was just to figure out how to make money with all the hacking he was doing.

And the easiest thing that came to mind was extortion.

I hacked you.

Pay me or else kind of stuff.

He didn't have his hands on any kind of ransomware, or he might have tried to use that.

But what he would do was find a website with vulnerabilities, exploit them, maybe take some data from them, and then email the owner of the site demanding money, or else he'll publish this data that he stole and publish the vulnerabilities on how he got in.

Sometimes he didn't even exploit the site and steal data.

Sometimes he just told them that he found a severe vulnerability on their site and will publish it unless they pay him.

What Daniel was asking was anywhere between 5 and 40 Bitcoin.

And a Bitcoin then was only worth about $200.

So he was demanding anywhere from $1,000 to $10,000.

Of course, companies weren't paying.

So, sometimes he'd escalate the situation and would get personal data from site employees and show them how he was going to publish their information unless he paid them.

And these were some serious threats to these companies.

So, of course, they were reporting all this to the authorities.

But Daniel was hitting companies in countries all over the world: Canada, the US, Australia.

Did any of these work?

So,

one of the, so one of the blackmails worked and

I pretty much ended up extracting about five thousand pound out of an Australian company. And we basically sent an email to this, the CEO of this company, and we said, if you don't pay, we're going to release all the customer data and we're also going to publish the source code, which would then sort of make their product a bit useless.

And after we sent that email, that's when they decided to pay.

Now, here's why you shouldn't pay people when they try to extort you like this.

As soon as this company paid Daniel, he just wrote back to them and demanded even more money, saying, I found even more stuff, pay me more.

You can't trust criminals to be honorable in this situation.

So, along with blackmail, I was putting some of the data that I had stolen up for sale.

Like, I was trying to sell them on various forums and tried to make money that way.

But even so, I made a couple of hundred of pounds, but I never really made a lot of money.

Now, getting even this little bit of money, it was like jet fuel for Daniel.

It was amazing that his system worked and he was getting paid for hacking.

He just had to hack more and extort more, and he'd get paid more.

So, he kept on the hunt for more vulnerabilities and was going crazy with all kinds of hacking and extortion attempts.

The companies became a lot bigger, the websites became a lot bigger, and the blackmail, like the sums demanded with the blackmail became a lot bigger as well.

And eventually, one of the companies that we, well, that I sort of hit was TalkTalk.

Oh, TalkTalk.

This is a British telecom company.

They provide cell phone and internet services.

It's a big company in the UK.

But this TalkTalk incident was quite the thing.

It all started one evening when Daniel logged into the hacking forum that he frequented.

In fact, he was such a regular at this hacking forum that he was a moderator there.

And one, like one evening, a user makes a post and he basically

he's asking for assistance in

exploiting this vulnerability in TalkTalk.

What he's effectively found is an SQL injection on a subdomain, but he doesn't know how to exploit it.

So he sort of posted it on this forum, asking for help.

And that's when I've come across it.

This user posted a vulnerability for a pretty big telecom company and had no idea how severe this was.

Some savvy users on the site pretty quickly were able to exploit this vulnerability and actually get into TalkTalk's network and start moving around and stealing data.

Daniel was seeing the frenzy that was stirring from this forum post.

This was really bad for TalkTalk.

This thread sort of got posted and loads of people started sharing it.

Like it went everywhere.

It went over other forums, it went over Jabber, it went over IRC.

I think at that time there must have been well over 20 people that had this vulnerability in their possession for sure.

And like

there were just so many people exploiting this vulnerability.

So much data was sort of stolen from TalkTalk that it was really unbelievable.

Like even people, so people on like darknet markets even started selling the data.

It was pretty much everywhere.

So I took the vulnerability and I initially shared it with someone on IRC.

And they had pretty much decided to dump as much data as possible.

There was something like 64 databases.

And

they'd stolen, I think it was 100,000 records before

the

website went offline.

and they couldn't dump any more data.

And that person then sent me that data on a server.

The next day this was all over the news.

Here's a clip from the BBC.

Some breaking news in the last hour.

Police are investigating after a significant and sustained cyber attack on the website of the company TalkTalk.

We actually have CEO of TalkTalk Dido Harding here.

First of all Dido Harding, how many people are affected?

We don't know for certain, but we're taking the precaution tonight of contacting all four million of our customers.

But you didn't do it.

The attack was yesterday.

The attack started yesterday.

We brought down all of our websites yesterday lunchtime.

We spent the last 24 hours with the Metropolitan Police and various security experts trying to get to the bottom of what has happened.

Good luck trying to get to the bottom of this one.

20 different people just breached your network.

But not Daniel.

Daniel has only seen the forum post and told a friend to check this out.

And his friend is the one who got in and downloaded the database.

But at this point in Daniel's life, he was actively extorting companies left and right.

So he looked at the data that his friend took from TalkTalk and got an idea.

So I had access to this data, and I basically decided to gather all of the emails from the data.

And like, so the staff emails, like the employee emails, and the CEO's email addresses.

And I decided to send a ransom demand,

basically demanding Bitcoin in exchange for me not to release this data.

And the CEO of TalkTalk, Dido Harding, did in fact get his email.

And I know this because here's another clip from the BBC a few days later.

It's a live criminal investigation.

All I can say is that I had and personally received a contact from someone purporting, as I say, I don't know whether they are or are not to be the hacker looking for money.

The CEO didn't reply to Daniel.

Instead, she just turned over his email to the Metropolitan Police who got right to work investigating this case.

And I've heard from a few listeners that they don't like it when I have teenage hackers on this show.

But let me tell you why I think this is important.

This isn't some cringe, roll your eyes kind of story.

Ah yeah, a teenager hacked some company, big whoop.

This guy isn't even that good of a hacker.

Anyone could have done this.

Maybe.

But this whole TalkTalk incident resulted in $70 million in damage to TalkTalk.

They saw scores of customers cancel their service because of this.

Their stock tumbled, and the CEO had to appear before parliament to give testimony as to why their security failed.

This was a huge problem for TalkTalk, which meant it was a huge problem for the highly skilled, talented IT staff that works to secure TalkTalk.

We would receive what's called denial of service attacks on our network every week.

This is their adversary, a teenager who wants to make some money from your one slip-up that you had on a server that came over when TalkTalk acquired another company.

What I'm saying is, this is really important, and you can't ignore this kind of adversary.

You can't roll your eyes and ignore this kind of attack because this kind of attack can destroy your company and bring it to its knees.

This TalkTalk incident is such a big story that I actually spent a whole episode on it, and that was episode four.

So, if you want to know all the details of what went down in the TalkTalk incident, go check out episode four.

Anyway, as the hack died down in the news, a few weeks go by.

One evening in November, I was driving

and I had a phone call from my dad.

And on the phone, all I can hear in the background is someone saying my name and then saying not to tell me something.

But my dad had basically told me that there was police waiting in my house and they wanted to speak to me.

So

I initially, a part of me sort of knew what it was about at that point.

Like, I wasn't that naive.

Like, I sort of knew what it was about.

So, I pretty much

turned the car around and drove home.

And when you turned that car around and you were driving home, what was going on in your head as you were driving home?

Um, I was like, were you, would you, like, I can't imagine you listening to your favorite music and just jamming, you know, dancing around?

Definitely not.

No,

no.

I was

I honestly got lost in my own world.

Like, on the way home, I just had so many thoughts going through my head that I really didn't know what to think.

Like a part of me really sort of didn't want it to be real.

Even though I knew, obviously, then I pretty much knew what it was because there was no other reason for them to sort of come back.

A part of me was just like wishing that it wasn't real and

that it was all sort of

not

reality.

I mean,

it's really hard to explain.

Like, I was just pretty much lost in my own world.

Like, there were no.

There wasn't panic.

I guess I was just focused on

getting back to my house.

He arrives home.

Now, keep in mind, he lives in a small, quiet town out in Wales.

And there's like four police vans, 20 police officers.

There's like multiple agencies, undercover police officers.

And you could tell it was a lot more serious this time.

Like the whole street was closed and it literally looked like a murder scene.

So

I parked my car, I walked past the police officers because they didn't recognize me.

I walked into the house and then my parents told me that this was me.

A part of me thinks that they were like expecting something a lot more serious because at first they didn't even recognize me.

They were like agencies from

there was the National Crime Agency, there was the Metropolitan Police, there was my local cybercrime unit.

They go through the house seizing all his computer equipment just like before.

So they put me in the back of an undercover police van.

They put me in between two police officers and they pretty much escorted us through town.

Like they had their blue lights on.

Like there was one car in front of us, one car behind us.

And we pretty much just flew through my town center.

Like they closed off roundabouts, they closed off roads, and we must have literally got to the police station in minutes.

Now at this point, he's around 17 years old.

They interviewed him and asked him what happened.

Then they let him go back home so they can investigate further.

They bring him back to the police station and charge him with 20 offenses.

And they were charging him with attempting to extort Dido Harding.

And they apparently found some of the other offenses he did on the other companies too.

Which gave Daniel a clue on how they found him.

So when I sent

the extortion email to TalkTalk,

I used Tor, like I used an anonymous email provider.

But around that time, I was obviously still blackmailing other companies.

And what I had done is I had hacked and blackmailed another company

without using Tor.

I only used a VPN.

And they, and what I had done is I'd reused a Bitcoin address for the TalkTalk extortion and the other company's extortion.

So they had pretty much managed to use a Bitcoin address to link those two offences together.

And then they had investigated the smaller hack.

And because I was only using a VPN, presumably the VPN provider turned over my IP address.

This case was bigger than what the local police station of Wales could handle.

So they took him to the Metropolitan Police in London, about four hours away.

And about two months after being arrested, he finally gets to go to the Magistrate Court in London.

I go to my first court hearing, and in effect, I'm then remanded into custody from that magistrate's court.

Which means he had to go to jail, but only for a week or two.

But this was his first time in jail, and he did not like the experience.

After those seven to ten days, I pretty much decided that, you know, I wasn't built for prison, and it was honestly one of the worst weeks of my life.

I was pretty much a cyber criminal.

Like I was there on computer hacking charges and blackmail.

And then to be put in a cell with someone that was doing five years for armed robbery is really like it's a huge shock to the system because you honestly don't expect to be sharing a cell with someone.

Like, that's really serious offending.

So I pretty much decided from that point on that I was never going to reoffend again.

Like, I think that's when it really hit me that just those seven to ten days, I decided, you know what, I'm never going to reoffend again.

I thought

it's not worth anything to go through that experience again.

Now, this week he spent in jail was not his whole punishment.

I'm confused on how things go in the UK, but my theory is since he had previous charges for hacking the school and he did all this extortion stuff while he was out on bail, the court didn't want him to break more laws.

So they threw him in jail just to give him a taste of what prison life is like.

And this worked.

This shock to his system made Daniel not want to reoffend again, because if this was going to be his consequences, he did not want to make it any worse.

So he gets out on bail and has to wait for his court date where they're going to figure out what his full sentence is going to be.

Now, when he's out on bail, the judge put a lot of restrictions on Daniel.

A lot of them were really bizarre.

Like I was banned from Python, the programming language.

I had to register all of my devices with my local police.

I was banned from using Tor.

I was banned from using VPNs.

I was pretty much banned from a lot of technology.

Like I couldn't delete my internet history.

But the only one that really stands out is being banned from Python.

I couldn't really understand why they decided to put that as part of my bail conditions.

But yeah, I had all of these sort of bail conditions on me, and that's pretty much what I had to live by for like

months.

Like, after spending that week in prison, I sort of had like an epiphany and sort of realized that no matter what happens in my life, I never want to be in this place again.

So when I was released from, when I was bailed from prison, a part of me didn't even want to like touch computers again.

Like I found, I would have found it a lot easier just to not

use computers ever again if it meant not going through that week.

But as weeks went by, I sort of like, I guess I got bored.

And I ended up buying

another computer.

And he eventually got back into hacking, looking for vulnerabilities on websites.

But this time it was completely different.

He was serious that he was done offending and was abiding by his bail conditions because what he wanted to do was use his hacking skills for good.

And he started doing responsible vulnerability disclosures for companies, finding problems and then quietly reporting it to them, not exploiting any of it, not stealing anything, and not extorting anyone.

He wasn't even asking for reward.

He was simply trying to make right all the wrongs he did by helping companies secure their systems better.

Like, I started engaging in all of these bug bounty programs.

I started engaging in responsible disclosure.

Like, pretty much every day, I was reporting vulnerabilities in all types of systems while on bail.

So, in my head at the time, I

sort of realized that any good that I could do would be considered during my sentencing hearing.

So, it's basically called mitigation.

So

you can do a lot of good things, and then your lawyers can sort of go to the judge and go, Look, these are all the good things about this defendant, and this is why you should give him less of a prison sentence or no prison sentence at all.

So I pretty much decided to like engage in responsible disclosure, report all of these vulnerabilities to these entities, and pretty much every day for

like two years.

He was finding a lot of stuff and reporting it.

One place he liked reporting bugs to was MITRE's CVE program.

What I would do is, I would take an open source project, I would find a vulnerability,

I would then contact the vendor, I'd inform the vendor, and after they've patched the vulnerability, I would then ask the vendor for permission to sort of file like this proof of concept along with a publication to this like awarding body called MITRE.

and they would then publicly issue a CVE ID for this project affected.

Nice.

He's responsible for finding many CVEs?

That's pretty good.

CVEs are like a list of known vulnerabilities in products.

When the vulnerability you found is big enough to merit its own CVE, it means that it's now going to be integrated into antivirus tools, vulnerability scanners, and more security tools to detect when someone else is exploiting this application.

So not only was he privately helping vendors fix bugs, but he was also helping the professional security community be able to identify those bugs if anyone were to do what he did.

Did you get paid for any of these bugs that you found?

So I was doing this with like no real financial intent.

Like I was just doing this for the sole on the sole principle of it contributing to less of a prison sentence.

But sometimes like a lot of companies would offer me money regardless.

And what I would do is I'd accept the financial rewards.

And I just sort of accumulated the money.

And the money then went to re-incompensating

the victims of my offending.

Now, over the course of this time, while he was waiting for his sentencing court date, he found vulnerabilities in lots of companies.

I mean, lots.

And he always simply asked for a thank-you letter or a letter of recommendation from helping someone.

This was the most valuable reward he wanted.

And he got a lot of letters.

He sent them to me to see, too.

The PDF he gave me is over 300 pages long of just really nice things companies have said about Daniel.

For instance, here, let me read one.

Dear Dan, Deutsche Bank appreciates your ongoing efforts in searching and responsibly communicating IT security vulnerabilities.

You showed us a cross-site scripting vulnerability we had on our website.

And we thank you for your dedication to the task of increasing internet security and wish you all the best for your future endeavors.

Signed, the CISO of Deutsche Bank.

The list of companies that he found vulnerabilities in and reported them and got thank-you letters for is really long.

Here, I'll have Daniel tell you a bunch of places that sent him thank-you letters.

The Crown Court Digital Case System, the National Crime Agency, the Ministry of Justice, the Parliament website,

University of Cambridge,

the Australian National University, Stanford University, Yahoo,

GCHQ, Royal Air Force,

DBS Bank, ATT, S3,

BBC,

Sony,

Dutch Telecom,

United Nations,

Duke University, Adobe, AOL, Telegram,

Sage, Amazon.

Tell me when to stop.

Well, I mean, I

like this thousands.

I mean,

at first I was like, oh, this guy's just getting universities and schools.

That's easy.

But then I heard GCHQ and I was like, wait, and then it just keeps going.

So how what was

there's some real,

even though the bulk of them are like cross-site scripting vulnerabilities, there are some real,

really serious vulnerabilities that are reported.

Like

okay, so these ones that you listed, this is, this is like they confirmed, okay, thank you and sent you a letter of

thanks.

So these, yeah, I've I've had actual letters from like the directors and CEOs of these entities where they've said like they've acknowledged the vulnerability and they've said thanks.

The GCHQ, that comes as a surprise as you were listing things.

What happened there?

So GCHQ basically published like this open source project called CyberChef.

Yep, I've used it.

And

when they first published it, there was like a GET-based XSS in it, pretty much.

Okay, so this was just a vulnerability in one of the open source tools that GCHQ puts out.

It wasn't a vulnerability into their main database or something.

But still, it's pretty cool to have a letter of appreciation from GCHQ, isn't it?

And one day while doing all this, Daniel came across another vulnerability that someone found on TalkTalk's site.

Daniel confirmed the vulnerability was still valid and immediately reached out to someone.

But this time, instead of telling a friend about it, he reported this to the authorities.

And shortly after that, it got fixed.

So in a way, he even helped TalkTalk become more secure.

Daniel had truly changed his ways and was on a serious, dedicated mission to help as many companies as possible.

He even did some math to try to quantify it all.

The total amount of my offending was probably

like TalkTalk alone was 79 million.

And if you combine everything else, it probably was closer to 100 million.

But when you really look at all the companies that I've sort of disclosed vulnerabilities in, like there's 5,000, there's over 5,000 companies.

And then you take like some of the submissions, which are like P1 vulnerabilities on like ISPs and banks. You can only logically assume that I've probably saved more money for those companies than the damage that I caused because

like disclose for example i had a vulnerability on

I had the RCE on Virgin Media, and that was a more critical vulnerability than the vulnerability that I discovered on TalkTalk.

If that had been exploited, then presumably it would have had the same effect as it had on TalkTalk.

So I think it's really fair to say that after submitting all these vulnerabilities, like over 5,000 vulnerabilities,

I honestly can confidently say that I've probably saved a lot more money for companies than my offending ever cost

in terms of damage.

So because

there were so many charges and my case was so complicated,

I was

going to court and they must have told me like five or six times that the next time I would come to court I would be sentenced. Except every time that I would go to court, I would never be sentenced, and there would be some like legal dispute about a charge or something. So I sort of had to live the experience of thinking that I was going to be sentenced five to six times.

And when that kept happening, it really started to play on my mental health.

I really, I got really depressed basically because it was a really stressful situation to be in.

And like my, like, my lawyers were telling me, okay, you're going to get 12 and a half years, you're going to get five years.

And

a part of me just wanted to, wanted it to like stop completely.

So I would pretty much just go home and

I would honestly do nothing.

Like I would spend months, I would spend pretty much all day just in bed waiting for my next sentencing hearing.

Like it just be, it was like being locked.

It was essentially like being in limbo.

Like I would just wait for the next date, the next date.

And that's pretty much how I lived the last two years on bail.

Like I was, my entire life just revolved around

these dates that were being set.

And, you know, eventually it got to a point where I was so depressed that, like, I lost over seven stone in weight and I became emaciated. Like, I used to be really overweight. I pretty much lost half of my body weight

and I started to get really depressed. I, like, stopped eating

and eventually my

legal team sort of took notice and they started to refer me to doctors and psychiatrists.

He pleaded guilty to 10 or 11 of these charges brought against him, but they were trying to charge him with things he didn't actually do.

And this caused some disputes.

At this point, there was a huge sort of dispute between a lot of psychiatrists and doctors saying whether I was even fit to go to trial.

Because

I intended on pleading not guilty to these new allegations because

I'm actually innocent.

I didn't actually commit them.

You know, there were days I'd even wake up and I wouldn't be able to remember my own name.

So

after this huge dispute of seeing all the psychiatrists and doctors,

they essentially deemed me not fit to go to trial.

So the prosecution essentially wasted a lot of taxpayers' money for no reason.

So with him not able to stand trial to dispute the charges against him, the court had no choice but to simply charge him with whatever they thought he was guilty of and sentence him.

His sentencing date kept getting pushed back, but eventually came after four years of waiting.

It really was four years?

Yeah, so

I was arrested for the TalkTalk hack in 2015, November, and then I was sentenced in

2019 in June.

By this point, he was 21 years old.

Sentencing comes, and essentially, it comes down to whether I'm going to go to hospital or prison.

And what the judge had essentially done

is gotten the head of the healthcare unit in HMP Belmarsh to sort of take responsibility for me.

She was at my sentencing hearing.

And when I was being sentenced, the judge put my...

So he read out 12 and a half years.

12 and a half years in prison is what the judge said was his punishment.

Oof,

14 years is the maximum for extortion crimes.

It couldn't really get much worse for him.

But this was only the starting point.

Quickly, Daniel's lawyer jumps up and says to the judge that Daniel has had excellent behavior while on bail and has not re-offended.

And this made the judge happy and reduced the sentence a little.

Then Daniel pulled out hundreds of positive letters he received from helping all those companies improve their security.

And the judge was particularly impressed by this and lowered the sentence some more.

And his lawyer kept coming up with other reasons on why Daniel deserves a lower sentence.

And the judge kept lowering it.

He read out 12 and a half years, and then he went 10 years, 9 years, 7 years.

And it essentially got to 4 years.

Four years prison time was his final sentence that he received for this criminal behavior.

Now, in the UK, you only serve half your time in prison and the other half out in the community, sort of like parole in the US.

When it was at the end there, and they said four years, what was going through your mind?

Honestly, at that time, I was just in a, I was in a state of shock because

I couldn't actually get over the fact that he'd read out 12 years to begin with.

Like, once I heard that figure, I really

sort of just went numb and like my mind just sort of went blank.

And it was almost like an out-of-body experience.

Like, I couldn't actually believe that he had read out 12 years.

And it was only really after

I'd been taken down under the courts that I really started to consider the possibility of doing two, well, four years in prison.

They immediately whisked him off to prison directly from court.

But first he had to get some health care to get his mental state back to normal.

But once he was showing signs of stability, they put him in the main cell block with the other prisoners.

But just when he got used to the routine, they put him on a bus and moved him to another prison, a Supermax prison even.

Of course, when you go to a new prison, all the other prisoners want to know what you did to get there.

And he tells them the truth and says, hey, look up my name if you don't believe me.

So they did.

You know, a lot of them actually thought that I stole 70 million pounds from TalkTalk.

They didn't realize that I...

that was the damage cost.

And anyway, I have loads of gang members asking me to hack their phones.

They're asking me to hack the county, hack the prison.

He got on pretty well with the other prisoners.

They liked him since he didn't pose as any threat to them.

And they thought he was smart with computers.

But the prison guards and staff did not like him.

They were afraid of what he might do if he used any of the computers in prison.

And they must have gotten word from someone else too, because they just didn't treat him well.

Like, for instance, they randomly searched his prison cell frequently, much more frequently than any of the other prisoners when he was there.

And he knew something was off because he just couldn't figure out why he was being treated differently.

One morning at 5 a.m., he gets woken up by some guards telling him, get out, we're searching your cell.

And of course, he gets out and looks around and sees there are some other cells being raided, but they're all people he knew in prison.

Out of all the prisoners, why is it him and just the people he knows that are getting raided?

It didn't make sense.

When they raid your cell, they just rip everything apart.

They like tip the bed apart.

They, like, they, I was even so I go back to my cell and I was even told that they were like using like um

screwdrivers and stuff to take furniture apart to see if I was hiding anything.

And

I get back to my cell, I clean everything up, and funnily enough, there was a razor that I didn't even know that was in the cell from the previous occupant, and they just sort of put it on the table and left it there.

Almost to send like a message to say, look, we found something, but I really didn't even know it was in the cell.

So there we go.

So, what that essentially did was make me become even closer friends with these.

They were all part of the Gagang, in effect.

So I become close friends with these people.

Days later my cell opens again at 7 a.m. and they say, right, you're being drug tested, come with us. I don't take drugs. Okay,

drug tested, uh, come with us. So I go for some drug test. On the piece of paper that they give me, it says it's randomly allocated, except it's not randomly allocated, because you can see the coincidence, right? But that's how they were abusing the system. They were saying it was just randomly allocated. It's a lot of bullshit. They were just trying to cause some inconvenience, I think, or they had some source of intelligence. Someone probably said something.

I didn't take drugs, but that's how intelligence works.

So I'm negative on that drug test.

And then Christmas Eve comes.

So Christmas Eve morning.

My cell opens at 6 a.m. and they tell me, two prison officers tell me, you're being transferred.

And I said, okay.

At first, I was like, okay, maybe this isn't a bad thing.

Where to?

And they say HMP Bristol.

Now, HMP Bristol is a really bad prison.

Okay, it's a Victorian old prison.

It's in England, and it's not really a prison anyone wants to go to, especially over Christmas.

It was their way of sort of ruining my Christmas and throwing me out of that prison as fast as they could.

But anyway, after, like, they tell me I'm being transferred to HMP Bristol, everyone's out of their cells, and these gang members sort of figure out what's going on.

And they convinced me that it's a really good, I sort of, I was 50-50, apart from me.

I didn't want to go to Bristol, but I knew I didn't have a choice because I couldn't just stay in Berwin because they now remove that choice.

Like, they removed that option.

If I stayed there, they would have just took me to like segregation or something.

So, one of these gang members essentially convinces me to put a razor.

So, take a safety razor and put it in my mouth.

Okay.

What essentially that does is it invokes like a safer custody issue because that essentially means that it's like self-harm.

Like, the prison officers can't touch you.

And I put it, so I, this guy, like, this is completely out of character, by the way.

I'm not, like, some irrational person that goes around self-harming.

I'm not saying the self-harm is irrational.

I'm just saying I'm not the type of person that do that.

I don't put razors in my mouth and all of this type of thing.

It was only when that suggestion was made to me that I did it.

So I put a safety razor in my mouth because these gang members had convinced me to do it.

And I'm sort of like, I just put it in my mouth and I looked at the prison officer and I said, I'm not moving.

Anyway, everyone's locked up.

Well, they try to lock everyone up, because this is taking place in my cell, and all the prisoners essentially refuse because there's a huge crowd outside my cell and they've sort of worked out what's going on.

And because I was on good terms with these prisoners, they thought it was really unfair.

It was my first time in prison.

I was in for computer hacking, and it was really unfair to transfer me to a prison like HMP Bristol on Christmas Eve.

So they refuse.

Prisoners start smashing the wing up.

They started smashing the kiosk.

And in effect, a really small riot starts.

Someone threw a fridge off the top landing.

And all the prison officers left the wing.

I was oblivious to this at this time because I was in my cell.

So later on, when this is happening, all the prison officers leave their cell, leave the wing, sorry, and everything goes quiet.

All the prisoners are just there, like rioting.

I'm sitting in my cell.

I've got a razor in my mouth and we're just sort of sitting here.

So I go by the door frame, and 45 seconds later, less than a minute, about eight prison officers wearing riot gear come marching onto the wing.

I can see them coming onto the wing.

They've got riot shields, they've got batons, and they're all kitted up.

And they're walking towards me.

I sort of realized that if I didn't drop this razor and comply in the next 30 seconds, they were going to force me to comply.

So I spat the razor up and I said, Look, I'm going.

Take me to where you want to go.

They transferred him to another prison and he spent a few months there.

It was much worse than the other two he was in.

But he gets through it and finishes his prison sentence.

So you spent how long in prison?

So I did two years in prison.

When did you get out?

June last year.

Since getting out of prison, he still has to do two years of probation and he has to follow all the rules set forth on him.

He can use a computer and the internet, but he has restrictions.

And he hopes to someday get a regular above-board job doing cybersecurity.

So, last question.

Yeah.

What's your biggest regret?

Probably blackmailing people.

Why?

I don't really...

So I don't regret the hacking aspect of what I did.

I just think that my offending became really twisted when I started blackmailing people, because that's where it became really personal.

And I think that's ultimately what sent me to prison.

I think just hacking systems is completely different in comparison to blackmail.

Thanks to Daniel Kelley for sharing this story with us.

This show is made by me, your friendly moderator, Jack Rhysider.

Sound design was done by the two-eared Andrew Meriwether, and our theme music is by the mysterious Breakmaster Cylinder.

Oh, and hey, if you ever have questions about TCP/IP, I know the pro to call.

Get it?

Pro to call?

Forget it.

This is Darknet Diaries.