ADVERTISEMENT

The Hacker Who Took Down a Country

Daniel Kaye, also known as Spdrman, found regular jobs tough but corporate espionage easy. He’s about to get out of prison.  

The Hacker Who Took Down a Country
(Illustration: Viktor Hachmang for Bloomberg Businessweek)

(Bloomberg Businessweek) -- The attack against Liberia began in October 2016. More than a half-million security cameras around the world tried to connect to a handful of servers used by Lonestar Cell MTN, a local mobile phone operator, and Lonestar’s network was overwhelmed. Internet access for its 1.5 million customers slowed to a crawl, then stopped.

The technical term for this sort of assault is distributed denial of service, or DDoS. Crude but effective, a DDoS attack uses an army of commandeered machines, called a botnet, to simultaneously connect to a single point online. This botnet, though, was the biggest ever witnessed anywhere, let alone in Liberia, one of the poorest countries in Africa. The result was similar to what would happen if 500,000 extra cars joined the New Jersey Turnpike one morning at rush hour. While most DDoS attacks last only moments, the assault on Lonestar dragged on for days. And since Liberia has had virtually no landlines since the brutal civil war that ended in 2003, that meant half the country was cut off from bank transactions, farmers couldn’t check crop prices, and students couldn’t Google anything. In the capital of Monrovia, the largest hospital went offline for about a week. Infectious disease specialists dealing with the aftermath of a deadly Ebola outbreak lost contact with international health agencies.

Eugene Nagbe, Liberia’s minister for information, was in Paris on business when the crisis began. He struggled to marshal a response, unable to access his email or a reliable phone connection. Then his bank card stopped working. On Nov. 8, with hundreds of thousands of people still disconnected, Nagbe went on French radio to appeal for help. “The scale of the attack tells us that this is a matter of grave concern, not just to Liberia but to the global community that is connected to the internet,” he said. The onslaught continued. No one seemed to know why, but there was speculation that the hack was a test run for something bigger, perhaps even an act of war.

Then, on Nov. 27, Deutsche Telekom AG in Germany started getting tens of thousands of calls from its customers angry that their internet service was down. At a water treatment plant in Cologne, workers noticed the computer system was offline and had to send a technician to check each pump by hand. Deutsche Telekom discovered that a gigantic botnet, the same one targeting Liberia, was affecting its routers. The company devised and circulated a software fix within days, but the boldness and scale of the incident convinced at least one security researcher that Russia or China was to blame.

When the botnet took down the websites of two British banks, the U.K. National Crime Agency got involved, as did Germany’s BKA, with support from the U.S. Federal Bureau of Investigation. German police identified a username, which led to an email address, which led to a Skype account, which led to a Facebook page, which belonged to one Daniel Kaye, a lanky, pale, 29-year-old British citizen who’d been raised in Israel and described himself as a freelance security researcher.

When Kaye checked in for a flight to Cyprus at London’s Luton Airport on the morning of Feb. 22, 2017, he triggered a silent alarm linked to a European arrest warrant in his name. He was in line at the gate when the cops arrived. “That’s him!” an officer said, and Kaye felt hands grab him roughly under the arms. He was taken to a secure room, where officers searched him and found $10,000 in a neat stack of $100 bills. Afterward they drove him to a nearby police station and locked him up. That was until Kaye, a severe diabetic, began nodding in and out of consciousness, then collapsed in his cell. He was rushed to a nearby hospital, where two police officers stood guard outside his room just in case their prisoner managed to overcome his hypoglycemic coma and escape.

But Kaye was no Kremlin spy or criminal mastermind, according to court filings, police reports, and interviews with law enforcement, government officials, Kaye’s associates, and Kaye himself. He was just a mercenary, and a frail one at that.

Growing up, Kaye showed few signs that he would one day be one of the world’s most wanted hackers. Born in London, he moved to Israel with his mother at age 6, when his parents divorced. In the suburbs outside Tel Aviv, he learned Hebrew, played basketball, and collected soccer cards. A diabetes diagnosis at age 14 limited his social life, but by then Kaye had found a much bigger world to explore online.

He taught himself to code, devouring all the training material he could find, and became a regular on the web forums where young Israelis gathered to boast about their hacking exploits. His alias was “spy[d]ir,” according to Rotem Kerner, an online friend from those days. They were “just kids curious about technology and how you can bend it,” Kerner says.

In 2002 a forum user called spy[d]ir posted a screenshot of an Egyptian engineering firm’s website, defaced with the message: “Hacked By spy[D]ir! LOL This Was too Easy.” Over the next four years websites throughout the Middle East got similar treatment. The homepage of a Beirut karaoke bar was tagged with a Star of David. When an Iranian leather retailer was hit, spy[d]ir shared credit with a group called IHFB: Israeli Hackers Fight Back. Kaye, a teenager at the time, denies he was spy[d]ir. But he admits he used online aliases including Peter Parker, spdr, and spdrman, all references to another unassuming young man with hidden gifts.

By that time, Kaye says, he’d graduated from high school and decided to forgo university in favor of freelance programming. He was smart but easily bored, and the internet seemed to offer unlimited challenges and possibilities. Yet translating his love of puzzles and pwnage into paying gigs soon took him into sketchier territory.

Generally speaking, hackers fall into one of a couple of varieties. Black-hat hackers are spies, crooks, and anarchists. White hats hack legally, often to test and improve a client’s defenses. And then there are gray hats, who aren’t chaos agents like the black hats but don’t follow the white hats’ strict ethical codes, either. “A gray hat is just told, ‘Get the job done, and you get paid,’ ” says Theresa Payton, a former White House chief information officer who now runs Fortalice Solutions LLC, a cybersecurity consulting firm. “They don’t have a rule book.”

Kaye inhabited this quasi-legal world, working for private clients who heard about him through hacking forums or word-of-mouth. He also applied for straight jobs, but his demeanor put employers off. While he was thoughtful and soft-spoken, there was a “black cloud around him,” says Avi Weissman, founder of an Israeli cybersecurity school, who considered working with him. Kaye was awkward in person, with a pronounced squint and a way of answering questions that made it seem like he was hiding something.

In about 2011, Kaye was a finalist for a job at RSA Security LLC, a large American cyberdefense company with offices in Israel, but was rejected because of unspecified human resources concerns. Kaye told himself it was for the best. Corporate life didn’t appeal to him. Now in his 20s, he relished his freedom, working through the night when he needed to and hanging out with his friends in bars when he didn’t.

His adventures in the online underworld carried risks. In 2012, Israeli police questioned him in connection with an investigation of a gray-hat acquaintance. Kaye was released without charge. That year he decided to move to London. He’d just proposed to his girlfriend, a former university administrator who moved to Israel to be with him. She wanted to pursue her career in the U.K., and he wanted a fresh start.

Anthony Zboralski, a hacker-turned-entrepreneur, met Kaye at a West London party in 2014 and recalls sensing his frustration and bitterness. Kaye had rare and valuable skills, yet no upstanding company would employ a hacker with his background. Zboralski says he tried to find Kaye legitimate work, without success.

A few months later, Kaye heard from a friend back home about a businessman offering freelance work to people in the Israeli hacking scene. The friend connected them, and the man, whose name was Avi, called to say he was looking for help with cybersecurity. His business was based in Liberia.

The Hacker Who Took Down a Country

In February 2012 a dozen young women in heels tottered up the steps of an office building in Monrovia, wearing fixed smiles and colorful sashes bearing the names of their home counties. They were contestants in the Miss Liberia beauty pageant and had been invited to the headquarters of Cellcom Liberia, the event’s sponsor and the country’s second-largest telecommunications company. Inside, Avishai “Avi” Marziano, Cellcom’s chief executive officer, took the microphone. An Israeli with gelled black hair, Marziano was dynamic and had a gift for flashy promotions. “We are all about Liberia,” he said.

Cellcom was owned by a group of adventurous American and Israeli businessmen led by Yoram Cohen, a Miami-based former attorney with shipping interests in the region, and LR Group, an African investment firm run by former Israeli Air Force pilots. Cellcom had grown rapidly since its 2004 creation, its red-and-white logo plastered across shantytowns and marketplaces around the country. Marziano, a trained engineer, seemed to enjoy the attention. After presenting each Miss Liberia hopeful with a new phone and SIM cards loaded with credit, he grinned for the cameras and signed off with his company’s slogan: “With Cellcom, you are always No. 1.”

In terms of market share, though, Cellcom was stuck firmly in second place behind Lonestar, a former monopoly backed by one of Africa’s largest telecommunications groups. Lonestar’s figurehead, chairman, and part owner was Benoni Urey, who’d faced international sanctions because of his links to jailed warlord Charles Taylor. (The sanctions were lifted in 2014.) Urey’s 40% stake in Lonestar made him Liberia’s wealthiest man, one of the country’s few bona fide millionaires.

Across Africa, mobile phone use was soaring, bringing technology to places where few people had access to a computer. The rivalry between Urey’s Lonestar and Marziano’s Cellcom was “cutthroat” from the start, according to Nagbe, the Liberian information minister. When Cellcom announced it would give defecting Lonestar customers a month of free calls, a decade-long price war followed. Under Marziano, Cellcom gave away 100 motorcycles in 100 days, commissioned a pop song for promotional videos, hired comedians as spokespeople, and mocked Lonestar relentlessly in its ads.

Urey complained to the Liberian Telecommunications Authority, as well as to President Ellen Sirleaf, that Cellcom’s giveaways were unfair, to no avail. Cellcom’s market share grew steadily. At its 10-year anniversary party in December 2014, scaled down somewhat because of a deadly Ebola outbreak, Marziano told guests that the company’s development phase was over. Now it was time to dominate. “We aim to be at the top of the telecommunications market in 2015,” he said.

At least part of Marziano’s plan would rely on a man who’d never set foot in Liberia: Daniel Kaye. The CEO and the hacker met for the first time in London in about 2014. They made an odd pairing. Marziano liked to quote Henry Ford’s management aphorisms and spend hours at the gym, taking steroids to get extra ripped. He also entered bodybuilding contests, where he posed for photos in barely-there underpants. Kaye smoked weed and played Skyrim, a swords-and-sorcery computer game. Even so, they hit it off. Kaye saw in Marziano a more stable future with long-term contracts or perhaps a full-time job. Marziano saw in Kaye someone who could solve problems, no questions asked. You’ll deal directly with me, he told Kaye.

One of Kaye’s first tasks was to secure the systems of Cellcom’s sister company in neighboring Guinea. Kaye came up with a tool that could encrypt Cellcom’s data on command in case political instability threatened its operations. For that, Marziano paid $50,000, plus several thousand dollars more for routine security tests. The next bit of business was far less benign. Marziano ordered Kaye to hack into Lonestar’s network to look for evidence of bribery or other misconduct. Kaye couldn’t find anything incriminating, so he downloaded a Lonestar customer database and sent it to Marziano, who appeared to enjoy the subterfuge. “It’s like a drama movie,” he told the hacker.

In 2015, Kaye and Marziano discussed using DDoS attacks to slow down Lonestar’s internet service and irritate its customers into switching. Kaye started small, using a website called “VDos Stresser” that bombarded other sites with traffic for a fee. Leaked messages from a VDos database show an individual using the name “bestbuy,” likely Kaye or an associate, asking about the service on offer. “I need quite a lot more power,” bestbuy wrote.

By now, Kaye was earning enough from Cellcom and other gigs to move to Cyprus, where he rented an apartment with a pool and a sea view. If he could do his job from anywhere with an internet connection, why not do it from somewhere sunny? His fiancée joined him.

Marziano’s future was also looking bright. In January 2016, Orange SA, the French wireless carrier, announced it was buying Cellcom Liberia. With global sales of about €41 billion ($45.6 billion), Orange is a giant, part-owned by the French government. The terms of the deal and identity of the sellers weren’t disclosed, but it would mean a big payday for Cohen and his backers. Orange kept Marziano on as a consultant, but he remained Cellcom’s CEO.

The deal, however, didn’t cool the hostilities between Cellcom and Lonestar. Weeks later, in a press statement that called out Cohen by name, Lonestar accused Cellcom of illegally texting customers to offer its latest promotion. A Cellcom spokesman responded: “Lonestar is a big crybaby, bent on exploiting the Liberian people.”

The strain of malicious software known as Mirai first emerged in 2016. Named, probably, after a Japanese cartoon character, it was created by gamers to wield against other gamers, specifically those playing Minecraft.

Mirai sought out webcams, wireless routers, and other cheap, poorly defended devices that could be hijacked for DDoS attacks against other Minecraft players. It could also seek out fresh targets semiautonomously, spreading itself without human input. In the summer of 2016, the malware doubled its number of infected machines every 76 minutes to create, within a few days, the largest botnet on record.

Before the American college students who wrote the code were arrested, they shared it on hacking forums, providing the basis for dozens of variants. Kaye, who was looking for a superpowered botnet, thought it might be just what he needed. He tweaked the code to exploit a vulnerability in Chinese-made security cameras, made sure his malware blocked other forms of Mirai so no one could take over his botnet, and then, in September 2016, turned his creation loose.

“If it works I should have access to five million cameras that I can use,” Kaye told Marziano using an encrypted messaging service. Marziano agreed to pay him $10,000 a month for the “project.” Later that September, he asked Kaye to test the botnet on a competitor’s website offering cheap international calls—the site, Marziano said, was “killing my international traffic” at Cellcom.

Even Kaye didn’t know exactly how big his botnet had become, so he tested it on a site that measured traffic. Visualized in a graph, its power looked awesome: It could direct about 500 gigabytes’ worth of data—roughly equivalent to downloading Avengers: Endgame 50 times in ultrahigh definition—per second. His target didn’t stand a chance. Liberia’s internet infrastructure was already fragile, dependent on a single undersea fiber-optic cable to connect to the outside world. Faced with a half-million machines sending data all at once, Lonestar’s servers would simply stop functioning. Kaye pulled the trigger again and again, at least 266 times from October 2016 to February 2017. He kept in touch with one of Marziano’s analysts to monitor the impact in Liberia, texting regularly to ask how Lonestar’s network was performing. “Almost dead,” the analyst said one day in November. “Really? Sounds good,” Kaye replied.

Marziano’s company had for years claimed to be Liberia’s fastest network. Now it was undeniable. On Nov. 9 an apparently satisfied Marziano sent a photograph of a newspaper clipping to Kaye. “After crippling cyber attack: Liberia seeks US, UK Aid,” the headline read.

Kaye, though, was alarmed. He’d assumed no one would care about a company in Liberia and hadn’t made much effort to cover his tracks. Security researchers had also noticed his botnet’s unusual power and focus. They christened it Mirai#14. Marcus Hutchins, a British security analyst known as MalwareTech, set up a Twitter account to record the botnet’s targets. Soon afterward, one of the Mirai variants turned its power on Hutchins’s website, knocking it out. He took the attack as a warning to back off. When Kevin Beaumont, another British researcher, tweeted about the botnet, it started sending threatening messages, like “shadows.kill” and “kevin.lies.in.fear.” (Kaye denies targeting Hutchins or Beaumont.) “It got out of control,” Kaye wrote to a friend in Israel.

Then the outbreak spread to Germany. Each camera infected by Mirai#14 was continuously reaching out to other devices, trying to get them to download the software. Instead of joining the botnet, Deutsche Telekom routers simply crashed. It’s not clear whether Kaye was deliberately trying to expand his botnet by targeting German devices, but he certainly didn’t intend for them to stop working. Unlike Liberia, which lacked even basic computer crime laws, Germany’s police force had a formidable technology division. I’m f---ed, Kaye thought. On Nov. 27 his friend in Israel messaged to ask: “What’s happening?” Kaye replied: “I have broken the Internet and am dead afraid but otherwise everything’s hunky dory.”

In an effort to distract attention from what he’d done in Liberia, Kaye decided to share his botnet, just as the original creators of Mirai had done. Working with contacts from hacking forums, he sent out spam messages offering access in return for Bitcoin, with prices ranging from $2,000 to $20,000. Some of his first customers were gamers, who used it against rivals. Others had more ambitious targets.

On Jan. 11, 2017, employees at Lloyds Bank Plc, in the U.K., received emails from someone using the alias “Ibrham Sahil.” Lloyds’s website would be taken offline, the messages said, unless the bank paid a “consultancy fee” in Bitcoin, then worth about £75,000 ($90,000), rising to £150,000 after two days. Lloyds didn’t pay. Twenty minutes later, its website was disrupted by the first of 18 DDoS attacks over 19 hours.

Sahil contacted Barclays Bank Plc the same day. What happened to Lloyds was no glitch, Sahil wrote. Barclays would suffer the same fate unless it paid 75 Bitcoin within 18 hours. “Don’t make us get our money by using well time PUT options on the Barclays share price,” Sahil wrote, threatening to force down the bank’s share price unless it complied. It didn’t, and Barclays’ website was hit a few days later. Both lenders spent about £150,000 each to mitigate the effects of the attacks and keep their sites up and running.

Hutchins, the British researcher monitoring Mirai#14 and other variants, watched the situation unfold. His job, working for a company called Kryptos Logic, was to seek out the internet’s most dangerous malware (worms, bugs, and viruses), which he did from Devon in England’s rural southwest between trips to the beach to surf. He traced Mirai#14 to a server and found contact details for the operator, who was using the alias “popopret.”

There was little Hutchins could do remotely, so he decided to see what would happen if he just asked popopret to stop. He composed a message appealing to the hacker’s conscience. As proof of the real-world consequences, he attached Twitter posts from bank customers stuck without access to funds. To his surprise, the hacker responded and seemed receptive. Although Hutchins didn’t realize it at the time, he was communicating with Kaye—who retained ultimate control of the botnet even as he rented it out—either directly or through one of his associates.

The next day, though, bank websites were still being bombarded. “Wtf?” Hutchins said in a message to popopret, who replied that he was being paid a lot of money by a customer using his botnet. Hutchins tried a different approach. Banks are considered critical infrastructure in the U.K., he said, and protecting them is a matter of national security. Unless you want intelligence agencies coming after you, Hutchins suggested, cut off the customer. It seemed to work. The assault on British lenders stopped. The attacks on Liberia, however, continued.

A few weeks after Hutchins’s warning, Kaye flew from Cyprus to London to meet Marziano and collect his latest monthly payment. Marziano brought his wife and young children, and Kaye brought his fiancée for lunch at a tapas restaurant near Piccadilly Circus. (There’s no evidence their families knew of any wrongdoing.) Over drinks, Kaye congratulated Marziano on the Orange deal. Marziano handed over $10,000 in cash, which Kaye stuffed into his pocket. The CEO and the hacker parted as friends.

Kaye got to Luton Airport for his flight home to Cyprus, and that’s where the police found him.

After Kaye woke up in the hospital, still groggy from the effects of the diabetic coma, the officers took him straight to the interview room at Luton Police Station. It was almost midnight when they began. “I’m sorry if my words are a bit slur-ish and my responses are a bit mixed up,” he told his interrogators, according to a transcript of the conversation. “My sugar is very high at this point.”

Kaye denied everything. He claimed he wasn’t behind the Liberia botnet, hadn’t ordered the attacks, and didn’t know the names spdrman or popopret. “Maybe I should start with my background?” he said, explaining that he was a security consultant and an “IT solutions designer” who studied malware as a hobby “to stay sharp.” He said he might have accessed the servers controlling the Liberia botnet for research but couldn’t recall when, how, or what device he’d used. Asked about the encrypted laptop recovered from his luggage, Kaye said he couldn’t access it because his password no longer worked.

After about a week in a British jail, Kaye was extradited to Germany to face charges over the disruption to Deutsche Telekom. When he was interviewed at a prosecutor’s office, his memory at first was as fuzzy as it had been for the British police. Then the BKA’s cryptography department cracked his mobile phone. On it they found WhatsApp messages between Kaye and his hacker friends, discussions on an encrypted chat app with Marziano, a photograph of the type of security camera used in the Liberia botnet, and a video showing someone using the Telnet internet protocol to control a large botnet.

Faced with this damning evidence, Kaye gave a full confession over several days in May. He identified Marziano as the person who ordered him to attack the Lonestar network. “The goal was for the attack to make customers of Lonestar so annoyed about the service they switched to the competitor Cellcom,” Kaye told the prosecutor. “There aren’t that many options in Liberia.” When the prosecutor observed that $10,000 wasn’t much of a fee, Kaye said, “I needed the money because I wanted to get married.” He added, “I had also had quite a lot to drink at that time. So I took what I could get.”

What had happened to Deutsche Telekom was an accident, Kaye said, collateral damage as the botnet tried to spread itself. The prosecutor believed him. Kaye pleaded guilty to computer sabotage and, on July 28, was given a suspended sentence.

In August he was sent back to the U.K., where the National Crime Agency filed charges against him a day later. “He is a sophisticated and computer-literate cybercriminal” motivated by money, prosecutor Russell Tyner said during Kaye’s first court appearance. “He offers his services for hire to others.” There were 12 counts in all, including blackmail, money laundering, and various computer offenses. Unusually, Kaye was charged with putting lives at risk by misusing a computer, because of the impact of his actions in Liberia. The maximum sentence for that offense was 10 years. The NCA also wanted to pin the Barclays and Lloyds attacks on Kaye.

For the next year, Kaye’s legal team negotiated with prosecutors. Eventually, he was released on bail and moved in with his father, unable to leave the country. In December 2018 he agreed to plead guilty to the counts relating to the attack on Liberia. Prosecutors dropped the charges linked to the British banks—Kaye denied he was behind them, and the NCA had no evidence to prove otherwise.

He was sentenced on Jan. 11, 2019, at Blackfriars Crown Court in South London. Kaye, dressed more smartly than usual in a white shirt, looked less defiant than in previous hearings. His mother had flown in from Israel and his fiancée from Cyprus.

“There are no sentencing guidelines for this type of offense,” prosecutor Robin Sellers said when the hearing got under way. He cited a victim statement, sent by a Lonestar executive, estimating its losses at tens of millions of dollars.

Kaye’s lawyer, Jonathan Green, objected, saying the figures were unrealistic and Liberia’s internet coverage was patchy anyway. “Nobody died,” he said. “This was commercial skulduggery, not a criminal offense.” Kaye is a “highly intelligent young man with a powerful drive to understand how things work,” Green told Judge Alexander Milne, adding that his client had recently received job offers from the security industry. “The world needs Mr. Kaye to be on the side of the angels.”

The judge adjourned for half an hour to consider the sentence. Among Kaye’s legal team, the mood was upbeat. One of his attorneys, asked if he might escape jail, replied: “Anything is possible.” Even Kaye’s mother was smiling.

At 4 p.m., the judge came back into court to inform Kaye of his fate. The attack on Liberia was a “cynical and financially driven attack upon a legitimate business enterprise,” the judge said, reading from the screen of his laptop. “I sentence you to 32 months in prison. I’m afraid I will not, in the circumstances, be able to suspend the sentence.” Kaye, seated in the dock, wiped away tears with his sleeve.

One of the enduring mysteries of the Liberia hack is its timing. When Kaye, on Marziano’s instructions, set his botnet on Lonestar, Cellcom had already been sold to Orange, netting a $132 million windfall for its owners. Marziano was just a consultant for the combined company at that point, so why take such a big risk?

Marziano hasn’t said anything publicly since leaving Orange Cellcom in 2017. He was arrested by British police that August, just as Kaye made his first appearance in a London courtroom, and released without being charged. The NCA’s investigation is, technically, ongoing. Marziano didn’t respond to repeated attempts to contact him via mail, email, LinkedIn, or the Ethiopian Maritime Training Institute, where he was listed as a manager in 2017. At his former address in Israel, his now ex-wife says she has no idea where he is.

In 2018, Lonestar Cell MTN filed a lawsuit against Orange and Cellcom in London. Kaye and Marziano are also named as defendants in the suit, which hasn’t yet reached court. “As the intended consequence of the DDoS attacks, Lonestar has suffered and continues to suffer a substantial loss,” the claim documents allege. Orange has “vicarious liability,” even if it didn’t know what the conspirators were up to, because of laws making companies responsible for the conduct of employees. Orange said in a statement that it knew nothing about Kaye’s activities until it received the legal complaint from Lonestar in 2018. “Orange strongly condemns these actions and has taken all the necessary steps to ensure the full compliance of all its operations with the group’s stringent ethical guidelines,” the company said.

In Liberia, many people believe the Lonestar attacks were motivated by politics, not profit. Urey, who’s no longer Lonestar’s chairman but is still a major shareholder, keeps a bottle of Johnnie Walker Blue Label whisky on his desk. “I’m saving it for the day I become president,” he says in his office in Monrovia. (He ran unsuccessfully in 2017.)

For years, Cellcom publicly supported the party of one of Urey’s opponents, former President Sirleaf, whose government was in power from 2006 until 2018. An attack on Urey’s company, the theory goes, might have been intended to weaken him and his All Liberian Party. Urey himself blames the American-Israeli management team that used to own Cellcom. “An American citizen launched an attack on this country, and nothing was done about it,” he says. Representatives of Cohen, his companies, and LR Group didn’t respond to requests for comment. In defense papers from the Lonestar suit, Cellcom said it had no knowledge or oversight of Marziano’s activities after the sale to Orange and didn’t benefit from them.

There’s really nothing stopping other hackers-for-hire from using DDoS for corporate espionage or chaos. It’s proved to be a cheap and effective way to hobble a rival. Since the Liberia attack, the ranks of internet-connected devices have continued to grow rapidly, including cars, medical implants, even beehives. While the technology to defend against botnets has advanced, too, it’s yet to be tested by a next-generation Mirai-type incident, according to Payton, the former White House online security official. If that happens, it’s unclear how or whether those defenses will hold up, she says. “We won’t know until we are there.”

Kaye served the first part of his sentence in several prisons around London before moving to Belmarsh, a maximum-security facility that houses rapists, murderers, and terrorists. Its nickname, Hellmarsh, is scrawled on the walls inside.

In a series of interviews at the Belmarsh visiting room, Kaye, now 31, has little to say about his life or work and denies being behind most of the online identities that have been linked to him. He can’t even explain his use of Spider-Man references. It was random, he says.

There may be good reasons for Kaye to keep quiet. Some of his alleged aliases have been linked to other offenses. Journalist Brian Krebs, who runs the news website KrebsOnSecurity, has reported that bestbuy and popopret were observed on black-market hacking forums selling GovRAT, a virus used to target U.S. government institutions. Bestbuy and popopret were also users of Hell, an infamous darkweb forum popular with black-hat hackers (its slogan: “F--- heaven, hell is hot”). Kaye might be both bestbuy and popopret, as some police officials believe, or neither of them. They might be different people, part of his circle of criminal hackers. Kaye denies being behind either alias, although he admits to using bestbuy’s name to cover his tracks.

Kaye says he hasn’t spoken to Marziano since their lunch in London just before his arrest. When Kaye is released in early 2020, he’ll face court-mandated restrictions limiting his access to phones, computers, and encryption software, though he hopes to continue his career in online security. Until then, he spends all day in the prison kitchen, chopping vegetables. The more controlled environment allows him to avoid contact with Belmarsh’s more frightening residents. Does he have any regrets? Of course, he says, looking around at the tattooed inmates in the visiting room. “I can’t believe I ended up here.” —With Leanne de Bassompierre, Jonathan Levin, Yaacov Benmeleh, and Jordan Robertson

To contact the editor responsible for this story: Jeff Muskus at jmuskus@bloomberg.net, Matthew Campbell

©2019 Bloomberg L.P.