Hacker sentenced to four years after cyber-attack on TalkTalk
A “cruel and calculating” cyber criminal who took part in a massive TalkTalk hack attack and blackmailed former chief executive Dido Harding has been locked up for four years.
Daniel Kelley, from Llanelli, South Wales, turned to “black hat” hacking when he failed to get the GCSE grades to get on to a computer course.
He hacked the college “out of spite” before targeting companies in Canada, Australia and the UK – including the Telecommunications giant which has four million customers.
The 22-year-old has Asperger’s syndrome and has suffered from depression and extreme weight loss since he pleaded guilty to 11 hacking-related offences in 2016.
Judge Mark Dennis sentenced him at the Old Bailey to four years’ detention in a young offenders institution.
Judge Dennis said Kelley hacked computers “for his own personal gratification” regardless of the damage caused.
He went on to blackmail company bosses, revealing a “cruel and calculating side to his character”, he said.
Kelley caused “stress and anxiety” to his victims as well as harm to their businesses, with the total cost to TalkTalk from multiple hackers estimated at £77 million.
Previously, prosecutor Peter Ratliff has described Kelley as a “prolific, skilled and cynical cyber-criminal” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety – behind the screen of a computer”.
Between September 2013 and November 2015, he engaged in a wide range of hacking activities, using stolen information to blackmail individuals and companies.
Despite attempts at anonymity, his crimes were revealed in his online activities.
In September 2012, he boasted on Skype that he was “involved with black hat activities and I can ddos (Distributed Denial of Service)” in reference to malicious hacking.
Commenting on what he was doing, he wrote on an online forum: “Oh God, this is so illegal.”
The court heard how Kelley was just 16 when he hacked into Coleg Sir Gar out of “spite or revenge”.
The DDoS attack caused widespread disruption to students and teachers and also affected the Welsh Government Public Sector network – including schools, councils, hospitals and emergency services.
After he was arrested and bailed, Kelley continued his cyber crime spree for a more “mercenary purpose”.
Mr Ratliff said Kelley had been “utterly ruthless” as he threatened to ruin companies by releasing personal and credit card details of clients.
He hacked into TalkTalk and blackmailed Baroness Harding of Winscombe and five other executives for Bitcoin, the court heard.
Kelley’s activities contributed to TalkTalk losses of tens of millions of pounds, while smaller firms he targeted were forced to spend hundreds of thousands of pounds to mitigate the damage.
The defendant, who has Asperger’s syndrome and depression, only received £4,400 worth of Bitcoins through all his blackmail attempts, having made demands for more than £115,000.
In another instance, he contacted all the customers of a hacked company and demanded they each pay one Bitcoin under threat of their personal data being released.
Mr Ratliff said Kelley got “enjoyment and excitement from the power he wielded” over his victims.
Kelley sometimes worked with a hacking collective named Team Hans, the court heard.
He did not confine himself to online blackmail – and on one occasion made a menacing phone call, Mr Ratliff said.
If people refused to pay up, he would offer their details for sale on the dark web.
He was also found to be in possession of computer files containing thousands of credit card details.
In mitigation, Dean George QC had appealed to the judge not impose a jail sentence on a young man who suffers with “severe depression”.
Kelley, who had been on conditional bail, had gone from being “overweight” in 2016 to undergoing “extreme” weight loss, as a result of the case, the court was told.
In December 2016, Kelley pleaded guilty to 11 charges including hacking with intent, six counts of blackmail, encouraging hacking, offering to supply data in connection with fraud, and possession of articles for fraud.