Monkey Business - stock.adobe.co
TalkTalk hacker Daniel Kelley gives up his black hat for good
After serving a four-year prison sentence for his role in the 2015 TalkTalk hack and other cyber offences, Daniel Kelley now wants to pursue a legitimate cyber security career
Donning a navy T-shirt and smiling at the camera, Daniel Kelley looks every bit a typical young person. But he’s actually one of Britain’s most prolific cyber criminals, having served four years behind bars for his involvement in the infamous TalkTalk cyber attack.
The cyber breach cost the telecoms giant around £77m and compromised the personal information of more than 150,000 customers. Everything from bank account details to email addresses was stolen as a result of the incident.
In addition to the TalkTalk hit, Kelley racked up a slew of other serious cyber offences that landed him in jail – he also hacked the Llanelli-based college he attended in 2015, Coleg Sir Gar, along with many other organisations.
Kelley has a black hat resume that many budding cyber criminals can only dream of, but the truth is that he never intended to pursue a career as a hacker, let alone play a role in a famous attack. In fact, he fell into it. “I didn’t choose to get into computer hacking or cyber security – it just happened when I was a teenager, around 13 years old,” he says.
“It was more like an undesired transition. I used to play an online game when I was younger, and ended up cheating on it, and the forums I found the cheats on also gave me exposure to more criminal stuff. It wasn’t like a logical leap internally, it was more like a thing that I ended up falling into. I didn’t wake up and make a rational decision.”
Learning the tricks of the trade
Like many other black hats, Kelley didn’t study cyber security in college or at university – he acquired all his technical knowledge and skills online. “The majority of the information I needed to learn, concepts and methodology, came from online forums. I eventually joined groups on these online forums and began associating myself with various IRC and Jabber chat rooms (XMPP),” he says.
“I didn’t choose to get into computer hacking or cyber security – it just happened when I was a teenager. I didn’t wake up and make a rational decision”
Daniel Kelley, ex-black hat hacker
Kelley got his first real taste of hacking as a young teenager, when he used his newfound cyber know-how to unearth a web application vulnerability on a Microsoft subdomain. “It was in 2011, I was 13 years old, and the vulnerability allowed me to essentially inject code into a webpage,” he recalls. “I reported it to Microsoft’s bug bounty programme and, in turn, they listed my credentials on their hall of fame. My credentials remain on their website to this day.”
Kelley didn’t purposely set out to use his skills as a hacker to conduct serious acts of cyber crime. But, as can often be the case, he got so absorbed in his craft that he didn’t stay on the straight and narrow path for very long.
“I started out with good intentions, but as time went on, the responses I received from using the responsible disclosure model became increasingly negative. I’d find web application vulnerabilities in large websites and try to notify the appropriate security team, but I’d get no response,” he says.
“I ultimately accumulated all of these vulnerabilities, gained access to these forums where people weren’t really the most ethical, and things began to spiral out of control. So it wasn’t a conscious decision, but something I fell into with relevant exposure.”
Reflecting on his experiences as a black hat, Kelley finds it hard to list all the nefarious actions he’s taken. He says his criminal career “spanned several years”, during which he “racked up charges ranging from unauthorised access to blackmail”.
He continues: “It’s difficult to summarise my experience because I’ve probably been involved in every aspect of criminality that comes with the nature of my offending. I suppose the method of exfiltrating data and then demanding ransom payments was what eventually got me caught and what I regret the most.”
The golden ticket
Many people would think hacking into a major corporation such as TalkTalk is a difficult undertaking. However, Kelley explains that such companies often have the worst cyber security and can be easier – and somewhat less rewarding – to hack. Meanwhile, companies that invest heavily in cyber security are much harder to breach, and the process involves “chaining multiple vulnerabilities together”.
Daniel Kelley, ex-black hat hacker
He says it took the perpetrators of the TalkTalk breach just a few hours, rather than days, to discover and exploit a security vulnerability that enabled them to hack into the firm’s website. This, he says, was straightforward.
He tells Computer Weekly: “It was a simple web application vulnerability that allowed you to pull data from databases through a web page. You didn’t need any special skills to exploit it – it would have taken less than an hour to teach anyone with a computer how to do it.”
While the TalkTalk hack was surprisingly simple to pull off, Kelley wasn’t prepared for the publicity that would follow. “I recall sitting in front of my computer watching the national news when the CEO of TalkTalk announced that she had received a blackmail demand, and for some reason, despite the fact that the link was transparent, it just seemed opaque to me,” he recalls. “It was like I couldn’t register the realism and severity of what I had done. I just sort of continued going about my day.”
Law catches up
Most people who break the law eventually get caught and must face the consequences of their actions, and it wasn’t long until Kelley attracted the interest of the police, first when he was arrested on suspicion of hacking his college, then again on suspicion of blackmailing two companies, including TalkTalk.
“I wasn’t expecting the first arrest, but it was over in less than five hours. The second arrest was much more serious, and it felt like something out of a film. There were several agencies waiting for me at my house,” he says.
“I was escorted to my local police station by two police cars while sitting in the back of an unmarked police van. Because of the high-profile nature of the case at the time, they evacuated the custody suite and processed me quickly.”
As someone on the autistic spectrum, Kelley believes he was misunderstood in prison. “For example, because I posed a security risk to a particular prison, they decided to cut off my phone calls. What they don’t realise is that on the outside, I wouldn’t go a day without talking to my family, so you’re now putting me in that environment and cutting off my family contact.”
Prisons are rife with people with a variety of mental health issues and, subsequently, prison staff often treat all inmates the same, Kelley explains. This can and does result in vulnerable people – whose disabilities may not be obvious – being neglected.
“When you tell staff you’re on the spectrum, they simply take one look at you and don’t see anything wrong with you, so they simply assume that you’re attempting to take advantage of the system,” he says. “When I arrived in one prison, my record had all of these notes about my ASD [Autism Spectrum Disorder] diagnosis. I told the nurses, who said they understood, but the senior officer in reception simply came up to me and said, ‘Look, you’ve done Belmarsh, I don’t give a fuck about your history’. This is just an example.”
Although Kelley found many aspects of prison life difficult due to his disorder, not everything was bad. In fact, he describes the “strict routine” of prison as a good thing and says he enjoyed doing the same things daily.
Tech in prison
It’s easy to assume that a hacker sent to prison wouldn’t be exposed to computers, but on the inside, Kelley found he wasn’t away from a PC for very long – entering the system, he had to complete numeracy and literacy tests on a computer.
“I was called up to the classroom and seated in front of a computer, where I recall sitting for 10 minutes, contemplating whether it was a good idea to use the computer in front of me. I had an SCPO [serious crime prevention order] that required me to register all of the devices I used, but it did not go into effect until I was released from prison.”
Even though Kelley didn’t use the prison computers to conduct any serious hacking offences, he did cause some cyber mischief. “It was clear that the teacher had no idea who I was or what I’d done,” he says.
“They had an application on all of the computers that consisted of a 20-question exam [and] when you’re finished, you simply press save, and it saves the web page containing the results as an HTML file. So, in Notepad, I opened the HTML file and changed both exam results to level four. The teacher came over and just stared at me, amazed. A month later, I found out that the highest mark you could get for these two exams was a level three, which gave me a good laugh.”
Kelley didn’t just use his technical skills to tweak test results in prison. He also spotted an opportunity to modify his television and get more channels. “After a few months of being bored of watching the same things over and over, I looked at the television one evening and realised that the aerial was just some copper. As a result, I had this brilliant idea of making my own aerial. I was working in recycling at the time and came across a spare radio in the trash,” he says.
“I took all of the copper out of it and brought it back to my cell, where I built a large aerial that I forced into the back of the television. I pointed it out of the window and I took the make and model of the television, looked up the unlock code, and retuned my television. My jaw dropped when it began to pick up over 200 Freeview channels, which improved my time.”
A reformed hacker
One could argue that these acts pale in comparison to the TalkTalk hack – and are pretty ironic. The reality is that Kelley didn’t run the risk of committing serious computing offences behind bars, like breaching prison networks, and genuinely seems to have learnt his lesson.
Since leaving prison, Kelley describes himself as a reformed hacker and doesn’t plan on returning to the world of cyber crime. He says his “perspective on life has shifted dramatically” and he does not “see the point in committing crimes”.
“The motivation I used to have for it has waned to the point where I no longer find it appealing,” he says. “I blackmailed people for money, albeit a small amount of money, and it has become clear to me that I could have earned more money through legal means in a shorter period of time than I did through criminal activity.”
Daniel Kelly, ex-black hat hacker
Kelley is now putting his cyber security skills to good use and building a credible career in the industry, instead of hacking and blackmailing companies. When he was on bail, he teamed up with computer incident response teams, system administrators, website developers and government bodies to address more than 3,000 cyber security vulnerabilities, and even ranked 11th place on a major bug bounty service.
You could say that Kelley has hung up his black hat forever. “To put it bluntly, but cynically, I don’t think the burden of criminality is worth it to me. Sure, you can make a lot of money, but what good is money if you’re always paranoid and don’t know whether you’ll be arrested tomorrow? People rarely think about the consequences of a criminal lifestyle,” he says.
“If you want to make a lot of money and build a life with it, you must consider the possibility of losing it all in 20 or 30 years. If you stop committing crimes one day, that doesn’t mean all of your previous offences are no longer valid. It’s a more significant decision than most people realise.”
Given that Kelley now has a serious crime prevention order against his name, building a genuine career in the cyber security industry hasn’t been easy for him. “It’s not so much probation that’s the problem – the probation team in charge of me is fantastic to work with, and I’ll be off probation next year. The main problem is the SCPO,” he reveals.
“It has a number of limitations that prevent me from using basic technology, and it won’t expire until 2026. If an employer wants to hire me, they must accept the responsibility that comes with it. It’s not like I can just apply for a regular job and follow the established procedures.”
But regardless of these challenges, Kelley is enthusiastic about his future in the cyber security industry and remains laser-focused. “I’ve been looking for work and will continue to do so, but it’s all about making the best of the situation.”
The only thing he doesn’t regret about his black hat career is that it enabled him to acquire “real-world offensive computer hacking experience” that cannot be achieved “outside of a job”. He adds: “Of course, CTFs [capture the flag] and emulated environments exist, but they aren’t the same as illicit computer hacking.”
When asked to provide advice for young people looking to pursue a career in the cyber security industry and stay out of trouble, he says: “If you want a career in cyber security, find what it is you want to do and then start to look at the requirements for that specific role. There’s material available now that wasn’t available 10 years ago, and plenty of people in the industry that are willing to help.”
Learn more about Daniel Kelley’s story on his personal website and keep up with him via social media on Twitter or LinkedIn.
Read more about ethical hacking
- HackerOne CISO Chris Evans looks back at how the security community successfully rose to the challenge of Log4Shell, and saved organisations millions.
- Ethical hackers working on the Bugcrowd platform save organisations almost $30bn in risk during pandemic, as community sheds old stereotypes.
- Find out why and how hitting your own business with a cyber attack can help improve security.