Daniel Kelley is the first ex-Blackhat in SecurityWeek’s series: Hacker Conversations. He spoke openly on his journey into and out of the cybercriminal world – motivations, experiences, trial, sentence and the future.
Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of UK telecoms firm TalkTalk. In 2019 he was convicted and sentenced to four years in prison.
At the time, the BBC reported, “Kelley will serve his sentence in a young offenders institution.” In the event, he served time at Belmarsh Category-A prison, widely regarded as the most secure prison in the UK – and home to convicted terrorists, murderers and threats to ‘national security’.
This is a brief history of the events and their aftermath.
Like many hackers, both Blackhat and Whitehat, Kelley did not learn his skills in formal education – he was self-taught online. “I’m completely self-taught,” he said, “whether through online forums or blogs.”
He was an avid online 13-year-old gamer, and like many gamers, he liked to cheat. This led him to various bulletin boards and forums, where the techniques of cheating – and more – were frequently discussed. It was here he began to learn the concepts and methodologies he would later use to hack websites.
He learned no cyber skills from school or college – and here it is worth noting that Kelley is a diagnosed Asperger syndrome sufferer (Asperger’s, now known as an autism spectrum disorder – ASD). Social constructs, such as the classroom or office, are a serious difficulty with such conditions.
He began to spend more and more time online, visiting more dubious game cheat websites. “The websites I visited to learn how to hack video games, also had criminals on them – that’s the type of networks and forums they were. People were hacking websites and selling stolen data. I had exposure to that type of thing, even when my intent wasn’t to become a Blackhat.”
In a sense, Kelley never consciously decided to be a Blackhat. He was just on a trajectory that led to it. “I think I just became fascinated with the challenge. And sort of went from there.”
But Blackhat he became. “Essentially, I went around hacking websites, and then extorting the website owners. Whether that was ransomware or sending an email, or just exfiltrating data. That was my objective. I would hack into websites, I would steal data, and then I would demand a ransom payment in exchange for not releasing that data.”
When he was caught and charged, it was said he had caused £70,000,000 damage. But he only ‘earned’ a few thousand pounds from hacking. Most of his victims never paid his extortion.
“I was hit with something like 30 charges. I also pled guilty to selling financial data, and there were several unauthorized access charges. In some cases, I just hacked things and didn’t do anything with my access. So, I’ve been involved in every aspect of it – but the main thing that was in the press is that that I would hack into websites and blackmail the website owners.”
Kelley was never told directly how he was caught, but is ‘fairly confident’ he understands the process. “I basically hacked two websites at once: website A and website B. Website A was a really small website, and website B was a really big website. I tried to blackmail the website owners. For one of the websites, I only used VPN for this, and for the other, I only used Tor. But I provided the same cryptocurrency wallet in both cases, which allowed the authorities to link the incidents.”
In the VPN case, law enforcement obtained the logs from the VPN provider leading to his arrest for both hacks. “The reason I think this theory is plausible is because when they initially arrested me, they only came to arrest me for those two hacks and the associated blackmails – they didn’t come to arrest me for anything else.”
Kelley had little concept of the real, legitimate world before his arrest. Remember his Asperger’s, which meant he couldn’t contemplate formal office work. “I lived my life with a computer screen; I couldn’t and didn’t appreciate the real world,” he said. “I was sometimes spending weeks or months without leaving my house. I was spending 18 hours a day online, and I was sleeping four or five hours a day. That was my life.”
It all changed when he was arrested. “When I was arrested, I was picked up and just thrown into the real world. I spent a week on remand in a Category-B prison in London in 2016, before being bailed to await trial. That week was absolutely horrific for an antisocial kid who lived with his parents.”
But it made him think – firstly that prison was an experience he didn’t want to repeat, but perhaps more importantly, that the skills that put him in prison could be used legitimately to make more money than he ever did through hacking.
After being bailed, he spent several years waiting for his trial. During this time, he made a living doing bug bounties and using his existing skills in a legitimate manner.
The trial was at the Old Bailey in 2019. He had already pled guilty, and the charges carried a 12-year sentence. But the judge recognized that he had reformed and reduced the sentence by eight years to just four years. Interestingly, although Asperger’s has been used as a reason to prevent the extradition of young British hackers to the US, the judge rejected it as a mitigating factor for Kelley.
“In my case, the judge thought otherwise,” said Kelley. “He made it clear in his sentencing notes. He said that even though I may have perceived the world differently and may not have appreciated the consequences of my actions, nevertheless, I still knew what I was doing. He felt that because I’m high functioning, I still had the common sense to realize that what I was doing was wrong. So, me being autistic didn’t do much in terms of my sentence – what did the most was the way I had reformed myself and helped people in the period up to the trial.”
Kelley was sentenced to four years in Belmarsh Category-A prison, the prison normally reserved for the most serious criminals. Surprisingly, his experience was less difficult than he had feared: “The other inmates simply didn’t consider me any sort of threat.”
He was released on probation with a string of personal restrictions in 2021. “I was issued with a serious crime prevention order containing some 20 to 30 restrictions, including both technical and physical restrictions – and a further set of restrictions from the Probation Service.” The probation restrictions will last until 2023, while the release restrictions will run until 2026.
The irony, which he notes but does not criticize, is that during the four-year period from the arrest to the trial, when he was closest to his Blackhat behavior, he had no behavioral restrictions. Now, after serving a prison sentence and being reformed, he has a string of restrictions.
A connection between neurodiversity and Blackhat hackers has been noted before. It makes sense when you consider the symptoms but is not something that is statistically provable. We asked Kelley for his views. “It’s extremely common among hackers,” he said. “But it’s difficult to say whether it’s a mitigating factor for hacking.”
Nevertheless, he said the majority of Blackhats he came across in the past had some form of psychological disorder. “Some of the best hackers I used to know years ago had severe psychological issues. So, yeah, it’s extremely common.”
Having Asperger’s Syndrome and its psychosocial effects almost certainly had a role in Kelley’s descent into malicious hacking. He went to prison for that, reformed himself and has returned to society. But he still has Asperger’s, and he still has difficulty with the idea of working in an office. The very idea of navigating office politics scares him.
“I’ve been to prison,” he said. “So, I’ve been forced to go into social environments. But even today, the thought of going into an office – I just won’t do it. The only reason I’m in cybersecurity now is because ‘work from home’ started because of COVID – for me, that’s the best thing that has ever happened.”
Since leaving prison, Kelley has started a blog and operates a popular cybersecurity newsletter. But that’s not the same as being employed with a salary. We asked him how he earns a living. “I don’t. I have to rely on the state, through universal credit and benefits – and my family helps me out.”
It’s not what he wants, but is what is available to a convicted Blackhat hacker with Asperger’s. “Technically, I’m not banned from cybersecurity,” he said. “What I’m banned from is the technology that will be required for a cybersecurity role.” And this is a potential problem.
“In theory, I could get a cybersecurity role today. But it’s the process of identifying a role, that would be compatible with all the restrictions on me. That’s the real issue. In regard to doing what I want in cybersecurity in four years from now [when his release restrictions expire], well, there’s the issue of keeping up to date. That’s the biggest problem that I’ve got right now. You know, the theory’s good. You can read a ton, but at some point, when it comes to cybersecurity, you must translate a lot of that theory into practice. Otherwise, you start to lose a skill set.”
Kelley’s advice to other youngsters drifting into this situation is to ask themselves, ‘why am I doing this?’ “If the justification is just because it’s fun, well, is it really worth the risk of potentially going to prison because something’s fun? You must question your motive, because there’s a high probability that your motive can be fulfilled in a legal context. You can still hack websites, but in an ethical context. You can make a lot of money in an ethical context.”
Between talking to Kelley and writing this article, Kelley has been offered and has accepted his first formal, legitimate cybersecurity position. It would be a waste to ignore his talents with the current cybersecurity skills gap. He is now senior security researcher at Seedata.io, a firm that uses deception technology to detect malicious activity and undiscovered breaches.
SecurityWeek spoke to Enrico Faccioli, CEO and cofounder of London-based Seedata, about employing Kelley. “Both I and Matt Holland (CTO and cofounder) knew of him by reputation. I followed his blog and had the idea of employing him. We took a quick call to see if our interest, and his skills matched – and they did.”
He stressed that the decision to employ Kelley has nothing to do with rehabilitation. “Our role is non-typical within the security industry. Dan’s knowledge and strong research skills equip him perfectly for this.” Faccioli has no views on employing a reformed hacker – it’s, “More like a case-by-case review. We need to see value in making the recruitment, and risk management.”
But the all-important question: is the position compatible with Kelley’s probation and release restrictions? “He’s more than capable of doing our current role within the scope of his restrictions, but there are some things we need to consider carefully. Probation and the authorities have been really helpful.”
And the cream on Kelley’s cake? It’s all remote working.
Addendum: Daniel Kelley now runs his own cybersecurity content creation agency: Cyberou.com.
Related: Harnessing Neurodiversity Within Cybersecurity Teams
Related: Tapping Neurodiverse Candidates Can Address Cybersecurity Skills Shortage
Related: UK Teen Arrested Over Rockstar Games, Uber Hacks
Related: TalkTalk: Details of Over 1 Million Users Accessed by Hackers