Hacker sentenced to four years after cyber-attack on TalkTalk
Judge Dennis said Kelley hacked computers ‘for his own personal gratification’ regardless of the damage caused.
A “cruel and calculating” cyber criminal who took part in a massive TalkTalk hack attack and blackmailed former chief executive Dido Harding has been locked up for four years.
Daniel Kelley, from Llanelli, South Wales, turned to “black hat” hacking when he failed to get the GCSE grades to get on to a computer course.
He hacked the college “out of spite” before targeting companies in Canada, Australia and the UK – including the Telecommunications giant which has four million customers.
The 22-year-old has Asperger’s syndrome and has suffered from depression and extreme weight loss since he pleaded guilty to 11 hacking-related offences in 2016.
Judge Mark Dennis sentenced him at the Old Bailey to four years’ detention in a young offenders institution.
Judge Dennis said Kelley hacked computers “for his own personal gratification” regardless of the damage caused.
He went on to blackmail company bosses, revealing a “cruel and calculating side to his character”, he said.
Kelley caused “stress and anxiety” to his victims as well as harm to their businesses, with the total cost to TalkTalk from multiple hackers estimated at £77 million.
Previously, prosecutor Peter Ratliff has described Kelley as a “prolific, skilled and cynical cyber-criminal” who was willing to “bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety – behind the screen of a computer”.
Between September 2013 and November 2015, he engaged in a wide range of hacking activities, using stolen information to blackmail individuals and companies.
Despite attempts at anonymity, his crimes were revealed in his online activities.
In September 2012, he boasted on Skype that he was “involved with black hat activities and I can ddos (Distributed Denial of Service)” in reference to malicious hacking.
Commenting on what he was doing, he wrote on an online forum: “Oh God, this is so illegal.”
The court heard how Kelley was just 16 when he hacked into Coleg Sir Gar out of “spite or revenge”.
The DDoS attack caused widespread disruption to students and teachers and also affected the Welsh Government Public Sector network – including schools, councils, hospitals and emergency services.
After he was arrested and bailed, Kelley continued his cyber crime spree for a more “mercenary purpose”.
Mr Ratliff said Kelley had been “utterly ruthless” as he threatened to ruin companies by releasing personal and credit card details of clients.
He hacked into TalkTalk and blackmailed Baroness Harding of Winscombe and five other executives for Bitcoin, the court heard.
Kelley’s activities contributed to TalkTalk losses of tens of millions of pounds, while smaller firms he targeted were forced to spend hundreds of thousands of pounds to mitigate the damage.
The defendant, who has Asperger’s syndrome and depression, only received £4,400 worth of Bitcoins through all his blackmail attempts, having made demands for more than £115,000.
In another instance, he contacted all the customers of a hacked company and demanded they each pay one Bitcoin under threat of their personal data being released.
Mr Ratliff said Kelley got “enjoyment and excitement from the power he wielded” over his victims.
Kelley sometimes worked with a hacking collective named Team Hans, the court heard.
He did not confine himself to online blackmail – and on one occasion made a menacing phone call, Mr Ratliff said.
If people refused to pay up, he would offer their details for sale on the dark web.
He was also found to be in possession of computer files containing thousands of credit card details.
In mitigation, Dean George QC had appealed to the judge not impose a jail sentence on a young man who suffers with “severe depression”.
Kelley, who had been on conditional bail, had gone from being “overweight” in 2016 to undergoing “extreme” weight loss, as a result of the case, the court was told.
In December 2016, Kelley pleaded guilty to 11 charges including hacking with intent, six counts of blackmail, encouraging hacking, offering to supply data in connection with fraud, and possession of articles for fraud.
Kelley made no reaction as he was sent down and his father declined to comment as he left the Old Bailey.
Speaking outside court, Detective Constable Rob Burrows, of the Metropolitan Police cyber crime unit, described Kelley as a “prolific and ruthless” hacker.
He said: “The convictions and sentencing today send out a clear message to cyber criminals committing crime anonymously online – they will be identified and prosecuted for their destructive crimes.”
Russell Tyner, CPS specialist prosecutor, said: “Daniel Kelley is an opportunistic and utterly ruthless hacker who, motivated by financial gain and spite, caused enormous financial and reputational damage to his victims.
“Far from showing mercy to the distressed employees of the companies he targeted, it is clear he took a vindictive pleasure in the anxiety and suffering his bullying inflicted on them.
“Hidden behind a cloak of anonymity, Kelley thought he could act with impunity by targeting companies worldwide he thought were vulnerable to cyber-attack.
“Indeed he saw himself as a coach and mentor to his fellow hackers. But, working with colleagues in Canada and Australia, the CPS was able to piece together the many complex strands of evidence, which resulted in Kelley pleading guilty to 11 offences.”