Bloomberg Businessweek December 23, 2019
Instead of joining the botnet, Deutsche Telekom routers
simply crashed. It’s not clear whether Kaye was deliberately
trying to expand his botnet by targeting German devices,
but he certainly didn’t intend for them to stop working.
Unlike Liberia, which lacked even basic computer crime
laws, Germany’s police force had a formidable technology
division. I’m f---ed, Kaye thought. On Nov. 27 his friend in
Israel messaged to ask: “What’s happening?” Kaye replied:
“I have broken the Internet and am dead afraid but
otherwise everything’s hunky dory.”
In an effort to distract attention from what he’d done
in Liberia, Kaye decided to share his botnet, just as the
original creators of Mirai had done. Working with contacts
from hacking forums, he sent out spam messages offering
access in return for Bitcoin, with prices ranging from $2,000
to $20,000. Some of his first customers were gamers, who
used it against rivals. Others had more ambitious targets.
On Jan. 11, 2017, employees at Lloyds Bank Plc, in the
U.K., received emails from someone using the alias “Ibrham
Sahil.” Lloyds’s website would be taken offline, the messages
said, unless the bank paid a “consultancy fee” in Bitcoin,
then worth about £75,000 ($90,000), rising to £150,000
after two days. Lloyds didn’t pay. Twenty minutes later, its
website was disrupted by the first of 18 DDoS attacks over
19 hours.
Sahil contacted Barclays Bank Plc the same day. What
happened to Lloyds was no glitch, Sahil wrote. Barclays
would suffer the same fate unless it paid 75 Bitcoin within
18 hours. “Don’t make us get our money by using well time
PUT options on the Barclays share price,” Sahil wrote,
threatening to force down the bank’s share price unless it
complied. It didn’t, and Barclays’ website was hit a few days
later. Both lenders spent about £150,000 each to mitigate the
effects of the attacks and keep their sites up and running.
Hutchins, the British researcher monitoring Mirai #14 and
other variants, watched the situation unfold. His job,
working for a company called Kryptos Logic, was to seek out
the internet’s most dangerous malware (worms, bugs, and
viruses), which he did from Devon in England’s rural
southwest between trips to the beach to surf. He traced Mirai #14
to a server and found contact details for the operator, who
was using the alias “popopret.”
There was little Hutchins could do remotely, so he
decided to see what would happen if he just asked
popopret to stop. He composed a message appealing to the
hacker’s conscience. As proof of the real-world consequences,
he attached Twitter posts from bank customers stuck
without access to funds. To his surprise, the hacker responded
and seemed receptive. Although Hutchins didn’t realize it at
the time, he was communicating with Kaye—who retained