In 2015, hackers targeted UK telco TalkTalk and stole information, including credit card data, on 157,000 customers. Shortly after, the company reported a loss of £60 million ($74 million), and said 101,000 customers had left for other providers.
Several people were arrested in the wake of the hack, including Daniel Kelley, 19, who recently admitted trying to blackmail TalkTalk as well. Now, facing more than a dozen years in prison, Kelley is warning other would-be crooks not to follow in his footsteps.
"What I've done is essentially going to haunt me for the rest of my life," Kelley told Motherboard in an online chat.
In October 2015, hackers were spreading details of a vulnerability in TalkTalk's systems. Kelley used it to steal credit card information, and then sent a ransom message to TalkTalk demanding 465 bitcoins (worth $125,550 at the time, according to historical pricing data compiled by CoinDesk). From this, Kelley is a "prolific and calculating cyber-criminal," Detective Chief Inspector Jason Tunn, from the Metropolitan Police Falcon Cyber Crime Unit (MPCCU), said in a recent statement.
"It's really crazy to think that he's talking to me but I guess that's how they look at it," Kelley said.
Kelley is from Heol Dinbych, Llanelli, a small town in South Wales. He had an interest in computers throughout school, he told Motherboard, but claimed the area didn't offer many chances to develop his technical skills.
"There's not much to do, and the internet offered me opportunities and a way to cure boredom," he said.
Although he did participate in some bug bounty programs, eventually Kelley was mixing in more malicious hacking circles.
"When you're surrounded by people on these networks that engage in these criminal acts it essentially becomes a norm, and it's extremely addicting. There's nobody around to tell you what you're doing is wrong," he said.
"It's a difficult feeling to explain, but it's essentially a feeling of euphoria, and once you've experienced it, it's something that you always chase. It's a bit like a drug, but on a whole different level obviously. And the more you develop your skills, the stronger the feeling becomes because you're able to do more things," he added.
After his arrest, Kelley said he has been continuing his development through legal means, informing NHS Trusts of vulnerabilities in their websites, and running a service to inform victims of data breaches.
Kelley's sentencing is on March 6. He faces up to as much as 14 years in prison; time that he says instead could be used to help others find security issues.
"I know that it's probably the advice they were expecting, but seriously—don't do it," he said, imagining what he would tell other young people who may get into criminal hacking.
"Crimes online are treated no different from crimes in the real world, I've had to learn that the difficult way. You might assume that you're more or less invincible but if you do something serious enough, you'll be caught and put through the justice system," he said.
Update: This story has been updated to include the value of the bitcoin ransom at the time, rather than today's exchange rates.