Bloomberg Businessweek December 23, 2019
barely-there underpants. Kaye smoked weed and played
Skyrim, a swords-and-sorcery computer game. Even so, they
hit it off. Kaye saw in Marziano a more stable future with
long-term contracts or perhaps a full-time job. Marziano saw
in Kaye someone who could solve problems, no questions
asked. You’ll deal directly with me, he told Kaye.
One of Kaye’s first tasks was to secure the systems of
Cellcom’s sister company in neighboring Guinea. Kaye came
up with a tool that could encrypt Cellcom’s data on command
in case political instability threatened its operations.
For that, Marziano paid $50,000, plus several thousand dollars
more for routine security tests. The next bit of business
was far less benign. Marziano ordered Kaye to hack into
Lonestar’s network to look for evidence of bribery or other
misconduct. Kaye couldn’t find anything incriminating, so
he downloaded a Lonestar customer database and sent it to
Marziano, who appeared to enjoy the subterfuge. “It’s like
a drama movie,” he told the hacker.
In 2015, Kaye and Marziano discussed using DDoS attacks
to slow down Lonestar’s internet service and irritate its
customers into switching. Kaye started small, using a website
called “VDos Stresser” that bombarded other sites with
traffic for a fee. Leaked messages from a VDos database show
an individual using the name “bestbuy,” likely Kaye or an
associate, asking about the service on offer. “I need quite a
lot more power,” bestbuy wrote.
By now, Kaye was earning enough from Cellcom and
other gigs to move to Cyprus, where he rented an apartment
with a pool and a sea view. If he could do his job from
anywhere with an internet connection, why not do it from
somewhere sunny? His fiancée joined him.
Marziano’s future was also looking bright. In January 2016,
Orange SA, the French wireless carrier, announced it was
buying Cellcom Liberia. With global sales of about €41 billion
($45.6 billion), Orange is a giant, part-owned by the
French government. The terms of the deal and identity of
the sellers weren’t disclosed, but it would mean a big payday
for Cohen and his backers. Orange kept Marziano on as
a consultant, but he remained Cellcom’s CEO.
The deal, however, didn’t cool the hostilities between
Cellcom and Lonestar. Weeks later, in a press statement that
called out Cohen by name, Lonestar accused Cellcom of
illegally texting customers to offer its latest promotion. A
Cellcom spokesman responded: “Lonestar is a big crybaby,
bent on exploiting the Liberian people.”
The strain of malicious software known as Mirai first
emerged in 2016. Named, probably, after a Japanese cartoon
character, it was created by gamers to wield against
other gamers, specifically those playing Minecraft.
Mirai sought out webcams, wireless routers, and other
cheap, poorly defended devices that could be hijacked for
DDoS attacks against other Minecraft players. It could also
seek out fresh targets semiautonomously, spreading itself
without human input. In the summer of 2016, the malware
doubled its number of infected machines every 76 minutes
to create, within a few days, the largest botnet on record.
Before the American college students who wrote the
code were arrested, they shared it on hacking forums, pro-
viding the basis for dozens of variants. Kaye, who was look-
ing for a superpowered botnet, thought it might be just what
he needed. He tweaked the code to exploit a vulnerability
in Chinese-made security cameras, made sure his malware
blocked other forms of Mirai so no one could take over his bot-
net, and then, in September 2016, turned his creation loose.
“If it works I should have access to five million cameras
that I can use,” Kaye told Marziano using an encrypted mes-
saging service. Marziano agreed to pay him $10,000 a month
for the “project.” Later that September, he asked Kaye to test
the botnet on a competitor’s website offering cheap inter-
national calls—the site, Marziano said, was “killing my inter-
national traffic” at Cellcom.
Even Kaye didn’t know exactly how big his botnet had
become, so he tested it on a site that measured traffic.
Visualized in a graph, its power looked awesome: It could
direct about 500 gigabytes’ worth of data—roughly equivalent
to downloading Avengers: Endgame 50 times in ultra-high
definition—per second. His target didn’t stand a chance.
Liberia’s internet infrastructure was already fragile, dependent
on a single undersea fiber-optic cable to connect to the
outside world. Faced with a half-million machines sending
data all at once, Lonestar’s servers would simply stop func-
tioning. Kaye pulled the trigger again and again, at least
266 times from October 2016 to February 2017. He kept in
touch with one of Marziano’s analysts to monitor the impact
in Liberia, texting regularly to ask how Lonestar’s network
was performing. “Almost dead,” the analyst said one day in
November. “Really? Sounds good,” Kaye replied.
Marziano’s company had for years claimed to be Liberia’s
fastest network. Now it was undeniable. On Nov. 9 an appar-
ently satisfied Marziano sent a photograph of a newspaper
clipping to Kaye. “After crippling cyber attack: Liberia seeks
US, UK Aid,” the headline read.
Kaye, though, was alarmed. He’d assumed no one would
care about a company in Liberia and hadn’t made much
effort to cover his tracks. Security researchers had also
noticed his botnet’s unusual power and focus. They chris-
tened it Mirai#14. Marcus Hutchins, a British security ana-
lyst known as MalwareTech, set up a Twitter account to
record the botnet’s targets. Soon afterward, one of the Mirai
variants turned its power on Hutchins’s website, knocking
it out. He took the attack as a warning to back off. When
Kevin Beaumont, another British researcher, tweeted about
the botnet, it started sending threatening messages, like
“shadows.kill” and “kevin.lies.in.fear.” (Kaye denies targeting
Hutchins or Beaumont.) “It got out of control,” Kaye
wrote to a friend in Israel.
Then the outbreak spread to Germany. Each camera
infected by Mirai#14 was continuously reaching out to
other devices, trying to get them to download the software.