It was October 2016 when over half a million security cameras worldwide simultaneously connected to a few servers used by Lonestar Cell MTN, a mobile carrier in Liberia, Africa. Shortly thereafter, Lonestar’s network system became overwhelmed and overloaded. The internet access for 1.5 million customers of this carrier slowed down and eventually came to a complete halt.
The technique used in this attack was DDoS, or Distributed Denial of Service. Simple yet effective, a DDoS attack employs an army of compromised and controlled machines, known as a botnet, to simultaneously connect to a single online point.
For Liberia, one of the poorest countries in Africa, this botnet was one of the largest they had ever faced. While most DDoS attacks last only for a moment, the attack on Lonestar lasted for many days.

Because of the civil war that ended in 2003, Liberia had no fixed telephone lines, so half the country was cut off from services like online banking, farmers were unable to call for crop prices, and students were unable to Google. In the capital Monrovia, the largest hospital also lost connection for a whole week. Infectious disease specialists were dealing with an Ebola outbreak without being able to communicate with other international healthcare agencies.
Not long after, the attack began to spread.
By November 27, the German telecommunications company Deutsche Telekom AG began receiving tens of thousands of calls from angry customers whose internet service was down. Even the computer systems in a water plant lost connection, requiring a technician to manually check each pump.

By this time, Deutsche Telekom discovered a massive botnet, similar to the attack in Liberia, damaging their routers. The company quickly deployed a patch within days, but the sheer scale of the attack led one security researcher to suggest it was the work of Russia or China.
Only when this botnet took down dozens of websites belonging to two UK banks did the UK’s National Crime Agency and the BKA (Federal Criminal Police Office) of Germany, with support from the FBI of the United States, launch an investigation into the matter. German police discovered a username linked to an email and a Skype account, as well as a Facebook page belonging to a 29-year-old British citizen named Daniel Kaye, who grew up in Israel and considered himself a freelance security researcher.
On the morning of February 22, 2017, Kaye was arrested by British police while checking in at London Luton Airport to fly to Cyprus. Upon searching him, police found a stack of $100 bills totaling about $10,000 hidden on his person. However, contrary to many people’s expectations, he was not a Russian spy or a crime boss.

The court’s indictment and police reports from Kaye’s interrogations revealed that Kaye was merely a hired gun and a weak individual with a history of severe diabetes.

Born in London, Kaye moved to Israel with his mother at the age of six after his parents divorced. By the age of 14, a diabetes diagnosis had further limited Kaye’s interactions with the outside world, yet he found a vast new world online.
He taught himself to code, voraciously consumed exercises he found, and frequently participated in web forums about exploiting security vulnerabilities under the nickname “spy[d]ir”. In 2002, spy[d]ir’s first achievement emerged with a screenshot showing the website of an engineering company in Egypt being defaced with the line: “Hacked by spy[d]ir! LOL! This was too Easy.” Over the next four years, numerous websites in the Middle East faced similar attacks.

At this time, Kaye graduated from high school and decided to drop out of college to pursue a freelance programming career. An intelligent but easily frustrated individual, Kaye seemed ill-suited for a corporate life like other ordinary employees. Often awkward in social interactions, his way of answering questions made him appear as if he was hiding something.
In 2011, Kaye even reached the final interview stage at a major cybersecurity company, RSA Security LLC, but was rejected due to concerns from the HR department. By his twenties, Kaye focused entirely on freelancing for individual clients who knew him through hacking forums or word of mouth.
Not long after, in 2012, he moved to London with his newly engaged girlfriend. A former university administrator, she wanted to continue her career in the UK, while Kaye sought a fresh start.


By 2014, Kaye heard from a friend about an entrepreneur offering freelance work for someone skilled in hacking techniques in Israel. This friend introduced Kaye to a successful entrepreneur named Avi, who was seeking help with cybersecurity. At the time, this entrepreneur was running a business in Liberia – and the story began.
This entrepreneur, Avi, or Avishai “Avi” Marziano, was then the CEO of Cellcom, the second-largest telecommunications company in Liberia. Founded in 2004, this carrier had experienced explosive growth over the years thanks to a series of aggressive promotional campaigns, such as giving away motorcycles to winners, sponsoring beauty pageants, and continuously attacking their number one competitor, Lonestar, in commercials.
But despite these efforts, Cellcom’s market share remained stuck in second place in the Liberian market. Although business slowed down in 2014 due to the Ebola outbreak, the CEO of Cellcom proclaimed that the growth phase was over and it was time to dominate. His plan began with meeting Kaye. When he couldn’t beat his rival in business, he would use another method to take them down.

One of Kaye’s first tasks was to secure the system for a sister company of Cellcom in the neighboring country of Guinea. Using his tools, Kaye encrypted all of Cellcom’s data to protect it from political upheaval. As a result, Kaye was paid $50,000 by Marziano along with thousands of dollars in bonuses for each test. But the next task was far less merciful.
Marziano ordered Kaye to hack into Lonestar’s network system to look for evidence of bribery or other illegal activities. Finding nothing unusual in Lonestar’s system, Kaye downloaded the entire customer database of this carrier and sent it to Marziano – this was the true purpose of this mission. It allowed Cellcom to send messages inviting customers to switch networks. But that was still not enough.
In 2015, Kaye and Marziano discussed ways to launch a DDoS attack and slow down Lonestar’s internet service to persuade customers to switch networks. This was a real technical challenge: it was not easy to DDoS a large carrier like Lonestar, even with Liberia’s weak internet infrastructure.

By 2016, luck was smiling on this duo. Cellcom was approached for acquisition by France’s giant telecommunications company, Orange, in January 2016, and Marziano was retained as CEO. Kaye’s fortune came from another event. In 2016, the global internet was shaken by a notorious malware called Mirai. Mirai spread through webcams, wireless routers, and other poorly secured devices to create the largest botnet ever recorded and used it to launch DDoS attacks on Minecraft players.
Based on the Mirai code shared on hacking forums, Kaye – now lounging in Cyprus – had found the tool he was looking for. By tweaking the lines of code within, Kaye could target poorly secured Chinese security cameras and prevent other Mirai variants from taking control of his botnet.
Excited by the power of the botnet Kaye possessed, Marziano agreed to pay him $10,000 a month to use this “project”. It was time to set Marziano’s plan in motion.

Liberia’s already weak internet infrastructure had only one undersea fiber optic cable connecting it to the outside world. Facing half a million machines sending data simultaneously, Lonestar’s servers quickly went down. From October 2016 to February 2017, Kaye launched at least 266 more attacks. Each time an attack occurred, the half of this African country that was a customer of Lonestar fell out of contact with the outside world.
Cellcom’s long-standing claim of being Liberia’s fastest carrier became a reality. There were hardly any words to describe Marziano’s satisfaction. He even snapped a picture of a newspaper headline reading “Paralyzed by Cyber Attack: Liberia Calls for Help from the US and UK” to send to Kaye.

Contrary to Marziano’s joy, Kaye began to feel danger as signs indicated that many security researchers were paying attention to this attack due to its similarities with the notorious Mirai malware.
Not long after, Kaye’s botnet began to spiral out of control and spread to Germany. Infected devices continuously sought new targets and forced them to download the malware. As a result, Deutsche Telekom’s routers were taken down when they refused to join this botnet – unexpected damage from the attack, as Kaye later admitted. And thus, the German police began their work. At this point, Kaye was genuinely terrified.

To divert attention from the investigation of his attacks in Liberia, Kaye decided to share the botnet – in other words, to rent it out to attack others – to be paid in Bitcoin (ranging from $2,000 to $20,000 depending on scale). While many clients were gamers wanting to use it to attack opponents, others had greater ambitions.
One individual nicknamed “Ibrham Sahil” used this botnet for ransom attacks. As a result, the websites of Lloyds Bank Plc and Barclays Bank Plc – two major lenders in the UK – were taken down by dozens of DDoS attacks after they refused to meet the attacker’s demands. To mitigate the attacks and keep their websites operational, each bank had to spend around £150,000 – equivalent to the amount the attacker demanded from each bank.

These attacks only ceased when Marcus Hutchins, a British security researcher, tinkered with the attack’s control server and contacted its operator, a person with the alias “Popopret” – another alias of Kaye.
Besides posting evidence of the aftermath of the cyber attack, Hutchins also warned that intelligence agencies would get involved, since the banking system was considered critical infrastructure for the country. At this point, the attacks on banks ceased. However, the attacks in Liberia continued.
A few weeks later, Kaye flew from Cyprus to London to meet Marziano and collect his remaining bonus. Both brought their families to the meeting. (It seemed their families were unaware of the illegal activities of this duo). In some ways, this quirky duo had become more like friends than a typical business partnership.
Upon receiving $10,000 in cash from Marziano, Kaye headed to Luton Airport to board his flight back to Cyprus. This was where British police lay in wait and arrested Kaye while he was checking in.

Initially, Kaye denied everything, of course. Only after he was extradited to Germany and the BKA’s cryptographic unit unlocked his mobile phone, finding WhatsApp messages between Kaye and Marziano, pictures of the types of security cameras used in the botnet that attacked Liberia, as well as a video showing someone controlling the massive botnet causing the attack, did Kaye finally confess.
The next year and a half was a period of debate between Kaye’s legal team and prosecutors. During this time, Kaye had to post bail to avoid jail time and was placed under house arrest at his father’s home, unable to leave the UK.

Kaye was sentenced on January 11, 2019, at Blackfriars Crown Court in South London. Avoiding criminal charges, Kaye’s cyber attack in Liberia was only viewed as a “financially motivated attack against a legitimate business.” Ultimately, Kaye was sentenced to 32 months in prison without parole.
As for Marziano, he was arrested by British police in August 2017, shortly after Kaye appeared in court in London. However, he was quickly released without any charge. In 2017, he also left the Orange Cellcom venture and cut off all contact since then. Even his ex-wife did not know where Marziano went.
In 2018, Lonestar Cell filed a lawsuit against Orange and Cellcom in London over allegations related to the cyber attack. Both carriers issued statements denying the allegations and claimed they were unaware of Marziano’s activities and did not benefit from these attacks.

In Liberia, many believed the attacks on Lonestar had political motives, not economic profit. The chairman of Lonestar at the time was Benoni Urey, leader of the All Liberian Party, who ran for president in 2017. Meanwhile, Cellcom openly supported one of Urey’s opponents, former President Sirleaf, who ruled the country from 2006 to 2018.
At the beginning of 2020, Kaye was set to be released. By then, he would face restrictions on using phones, computers, and security software, even though he still hoped to continue working in cybersecurity. Until then, he was still painstakingly chopping vegetables in the kitchen of Belmarsh, a maximum-security prison that houses murderers, rapists, and terrorists.
Source: Bloomberg