The Hacker Who Took Down a Country

Daniel Kaye, also known as Spdrman, found regular jobs tough but corporate espionage easy. He’s about to get out of prison.  

(Illustration: Viktor Hachmang for Bloomberg Businessweek)

(Bloomberg Businessweek) -- The attack against Liberia began in October 2016. More than a half-million security cameras around the world tried to connect to a handful of servers used by Lonestar Cell MTN, a local mobile phone operator, and Lonestar’s network was overwhelmed. Internet access for its 1.5 million customers slowed to a crawl, then stopped.

The technical term for this sort of assault is distributed denial of service, or DDoS. Crude but effective, a DDoS attack uses an army of commandeered machines, called a botnet, to simultaneously connect to a single point online. This botnet, though, was the biggest ever witnessed anywhere, let alone in Liberia, one of the poorest countries in Africa. The result was similar to what would happen if 500,000 extra cars joined the New Jersey Turnpike one morning at rush hour. While most DDoS attacks last only moments, the assault on Lonestar dragged on for days. And since Liberia has had virtually no landlines since the brutal civil war that ended in 2003, that meant half the country was cut off from bank transactions, farmers couldn’t check crop prices, and students couldn’t Google anything. In the capital of Monrovia, the largest hospital went offline for about a week. Infectious disease specialists dealing with the aftermath of a deadly Ebola outbreak lost contact with international health agencies.

Eugene Nagbe, Liberia’s minister for information, was in Paris on business when the crisis began. He struggled to marshal a response, unable to access his email or a reliable phone connection. Then his bank card stopped working. On Nov. 8, with hundreds of thousands of people still disconnected, Nagbe went on French radio to appeal for help. “The scale of the attack tells us that this is a matter of grave concern, not just to Liberia but to the global community that is connected to the internet,” he said. The onslaught continued. No one seemed to know why, but there was speculation that the hack was a test run for something bigger, perhaps even an act of war.

Then, on Nov. 27, Deutsche Telekom AG in Germany started getting tens of thousands of calls from its customers angry that their internet service was down. At a water treatment plant in Cologne, workers noticed the computer system was offline and had to send a technician to check each pump by hand. Deutsche Telekom discovered that a gigantic botnet, the same one targeting Liberia, was affecting its routers. The company devised and circulated a software fix within days, but the boldness and scale of the incident convinced at least one security researcher that Russia or China was to blame.

When the botnet took down the websites of two British banks, the U.K. National Crime Agency got involved, as did Germany’s BKA, with support from the U.S. Federal Bureau of Investigation. German police identified a username, which led to an email address, which led to a Skype account, which led to a Facebook page, which belonged to one Daniel Kaye, a lanky, pale, 29-year-old British citizen who’d been raised in Israel and described himself as a freelance security researcher.

When Kaye checked in for a flight to Cyprus at London’s Luton Airport on the morning of Feb. 22, 2017, he triggered a silent alarm linked to a European arrest warrant in his name. He was in line at the gate when the cops arrived. “That’s him!” an officer said, and Kaye felt hands grab him roughly under the arms. He was taken to a secure room, where officers searched him and found $10,000 in a neat stack of $100 bills. Afterward they drove him to a nearby police station and locked him up. That was until Kaye, a severe diabetic, began nodding in and out of consciousness, then collapsed in his cell. He was rushed to a nearby hospital, where two police officers stood guard outside his room just in case their prisoner managed to overcome his hypoglycemic coma and escape.

But Kaye was no Kremlin spy or criminal mastermind, according to court filings, police reports, and interviews with law enforcement, government officials, Kaye’s associates, and Kaye himself. He was just a mercenary, and a frail one at that.

Growing up, Kaye showed few signs that he would one day be one of the world’s most wanted hackers. Born in London, he moved to Israel with his mother at age 6, when his parents divorced. In the suburbs outside Tel Aviv, he learned Hebrew, played basketball, and collected soccer cards. A diabetes diagnosis at age 14 limited his social life, but by then Kaye had found a much bigger world to explore online.

He taught himself to code, devouring all the training material he could find, and became a regular on the web forums where young Israelis gathered to boast about their hacking exploits. His alias was “spy[d]ir,” according to Rotem Kerner, an online friend from those days. They were “just kids curious about technology and how you can bend it,” Kerner says.

In 2002 a forum user called spy[d]ir posted a screenshot of an Egyptian engineering firm’s website, defaced with the message: “Hacked By spy[D]ir! LOL This Was too Easy.” Over the next four years websites throughout the Middle East got similar treatment. The homepage of a Beirut karaoke bar was tagged with a Star of David. When an Iranian leather retailer was hit, spy[d]ir shared credit with a group called IHFB: Israeli Hackers Fight Back. Kaye, a teenager at the time, denies he was spy[d]ir. But he admits he used online aliases including Peter Parker, spdr, and spdrman, all references to another unassuming young man with hidden gifts.

By that time, Kaye says, he’d graduated from high school and decided to forgo university in favor of freelance programming. He was smart but easily bored, and the internet seemed to offer unlimited challenges and possibilities. Yet translating his love of puzzles and pwnage into paying gigs soon took him into sketchier territory.

Generally speaking, hackers fall into one of a couple of varieties. Black-hat hackers are spies, crooks, and anarchists. White hats hack legally, often to test and improve a client’s defenses. And then there are gray hats, who aren’t chaos agents like the black hats but don’t follow the white hats’ strict ethical codes, either. “A gray hat is just told, ‘Get the job done, and you get paid,’ ” says Theresa Payton, a former White House chief information officer who now runs Fortalice Solutions LLC, a cybersecurity consulting firm. “They don’t have a rule book.”

Kaye inhabited this quasi-legal world, working for private clients who heard about him through hacking forums or word-of-mouth. He also applied for straight jobs, but his demeanor put employers off. While he was thoughtful and soft-spoken, there was a “black cloud around him,” says Avi Weissman, founder of an Israeli cybersecurity school, who considered working with him. Kaye was awkward in person, with a pronounced squint and a way of answering questions that made it seem like he was hiding something.

In about 2011, Kaye was a finalist for a job at RSA Security LLC, a large American cyberdefense company with offices in Israel, but was rejected because of unspecified human resources concerns. Kaye told himself it was for the best. Corporate life didn’t appeal to him. Now in his 20s, he relished his freedom, working through the night when he needed to and hanging out with his friends in bars when he didn’t.

His adventures in the online underworld carried risks. In 2012, Israeli police questioned him in connection with an investigation of a gray-hat acquaintance. Kaye was released without charge. That year he decided to move to London. He’d just proposed to his girlfriend, a former university administrator who moved to Israel to be with him. She wanted to pursue her career in the U.K., and he wanted a fresh start.

Anthony Zboralski, a hacker-turned-entrepreneur, met Kaye at a West London party in 2014 and recalls sensing his frustration and bitterness. Kaye had rare and valuable skills, yet no upstanding company would employ a hacker with his background. Zboralski says he tried to find Kaye legitimate work, without success.

A few months later, Kaye heard from a friend back home about a businessman offering freelance work to people in the Israeli hacking scene. The friend connected them, and the man, whose name was Avi, called to say he was looking for help with cybersecurity. His business was based in Liberia.