After Kaye woke up in the hospital, still groggy from the effects of the diabetic coma, the officers took him straight to the interview room at Luton Police Station. It was almost midnight when they began. “I’m sorry if my words are a bit slur-ish and my responses are a bit mixed up,” he told his interrogators, according to a transcript of the conversation. “My sugar is very high at this point.”
Kaye denied everything. He claimed he wasn’t behind the Liberia botnet, hadn’t ordered the attacks, and didn’t know the names spdrman or popopret. “Maybe I should start with my background?” he said, explaining that he was a security consultant and an “IT solutions designer” who studied malware as a hobby “to stay sharp.” He said he might have accessed the servers controlling the Liberia botnet for research but couldn’t recall when, how, or what device he’d used. Asked about the encrypted laptop recovered from his luggage, Kaye said he couldn’t access it because his password no longer worked.
After about a week in a British jail, Kaye was extradited to Germany to face charges over the disruption to Deutsche Telekom. When he was interviewed at a prosecutor’s office, his memory at first was as fuzzy as it had been for the British police. Then the BKA’s cryptography department cracked his mobile phone. On it they found WhatsApp messages between Kaye and his hacker friends, discussions on an encrypted chat app with Marziano, a photograph of the type of security camera used in the Liberia botnet, and a video showing someone using the Telnet internet protocol to control a large botnet.
Faced with this damning evidence, Kaye gave a full confession over several days in May. He identified Marziano as the person who ordered him to attack the Lonestar network. “The goal was for the attack to make customers of Lonestar so annoyed about the service they switched to the competitor Cellcom,” Kaye told the prosecutor. “There aren’t that many options in Liberia.” When the prosecutor observed that $10,000 wasn’t much of a fee, Kaye said, “I needed the money because I wanted to get married.” He added, “I had also had quite a lot to drink at that time. So I took what I could get.”
What had happened to Deutsche Telekom was an accident, Kaye said, collateral damage as the botnet tried to spread itself. The prosecutor believed him. Kaye pleaded guilty to computer sabotage and, on July 28, was given a suspended sentence.
In August he was sent back to the U.K., where the National Crime Agency filed charges against him a day later. “He is a sophisticated and computer-literate cybercriminal” motivated by money, prosecutor Russell Tyner said during Kaye’s first court appearance. “He offers his services for hire to others.” There were 12 counts in all, including blackmail, money laundering, and various computer offenses. Unusually, Kaye was charged with putting lives at risk by misusing a computer, because of the impact of his actions in Liberia. The maximum sentence for that offense was 10 years. The NCA also wanted to pin the Barclays and Lloyds attacks on Kaye.
For the next year, Kaye’s legal team negotiated with prosecutors. Eventually, he was released on bail and moved in with his father, unable to leave the country. In December 2018 he agreed to plead guilty to the counts relating to the attack on Liberia. Prosecutors dropped the charges linked to the British banks—Kaye denied he was behind them, and the NCA had no evidence to prove otherwise.
He was sentenced on Jan. 11, 2019, at Blackfriars Crown Court in South London. Kaye, dressed more smartly than usual in a white shirt, looked less defiant than in previous hearings. His mother had flown in from Israel and his fiancée from Cyprus.
“There are no sentencing guidelines for this type of offense,” prosecutor Robin Sellers said when the hearing got under way. He cited a victim statement, sent by a Lonestar executive, estimating its losses at tens of millions of dollars.
Kaye’s lawyer, Jonathan Green, objected, saying the figures were unrealistic and Liberia’s internet coverage was patchy anyway. “Nobody died,” he said. “This was commercial skulduggery, not a criminal offense.” Kaye is a “highly intelligent young man with a powerful drive to understand how things work,” Green told Judge Alexander Milne, adding that his client had recently received job offers from the security industry. “The world needs Mr. Kaye to be on the side of the angels.”
The judge adjourned for half an hour to consider the sentence. Among Kaye’s legal team, the mood was upbeat. One of his attorneys, asked if he might escape jail, replied: “Anything is possible.” Even Kaye’s mother was smiling.
At 4 p.m., the judge came back into court to inform Kaye of his fate. The attack on Liberia was a “cynical and financially driven attack upon a legitimate business enterprise,” the judge said, reading from the screen of his laptop. “I sentence you to 32 months in prison. I’m afraid I will not, in the circumstances, be able to suspend the sentence.” Kaye, seated in the dock, wiped away tears with his sleeve.
One of the enduring mysteries of the Liberia hack is its timing. When Kaye, on Marziano’s instructions, set his botnet on Lonestar, Cellcom had already been sold to Orange, netting a $132 million windfall for its owners. Marziano was just a consultant for the combined company at that point, so why take such a big risk?
Marziano hasn’t said anything publicly since leaving Orange Cellcom in 2017. He was arrested by British police that August, just as Kaye made his first appearance in a London courtroom, and released without being charged. The NCA’s investigation is, technically, ongoing. Marziano didn’t respond to repeated attempts to contact him via mail, email, LinkedIn, or the Ethiopian Maritime Training Institute, where he was listed as a manager in 2017. At his former address in Israel, his now ex-wife says she has no idea where he is.
In 2018, Lonestar Cell MTN filed a lawsuit against Orange and Cellcom in London. Kaye and Marziano are also named as defendants in the suit, which hasn’t yet reached court. “As the intended consequence of the DDoS attacks, Lonestar has suffered and continues to suffer a substantial loss,” the claim documents allege. Orange has “vicarious liability,” even if it didn’t know what the conspirators were up to, because of laws making companies responsible for the conduct of employees. Orange said in a statement that it knew nothing about Kaye’s activities until it received the legal complaint from Lonestar in 2018. “Orange strongly condemns these actions and has taken all the necessary steps to ensure the full compliance of all its operations with the group’s stringent ethical guidelines,” the company said.
In Liberia, many people believe the Lonestar attacks were motivated by politics, not profit. Urey, who’s no longer Lonestar’s chairman but is still a major shareholder, keeps a bottle of Johnnie Walker Blue Label whisky on his desk. “I’m saving it for the day I become president,” he says in his office in Monrovia. (He ran unsuccessfully in 2017.)
For years, Cellcom publicly supported the party of one of Urey’s opponents, former President Sirleaf, whose government was in power from 2006 until 2018. An attack on Urey’s company, the theory goes, might have been intended to weaken him and his All Liberian Party. Urey himself blames the American-Israeli management team that used to own Cellcom. “An American citizen launched an attack on this country, and nothing was done about it,” he says. Representatives of Cohen, his companies, and LR Group didn’t respond to requests for comment. In defense papers from the Lonestar suit, Cellcom said it had no knowledge or oversight of Marziano’s activities after the sale to Orange and didn’t benefit from them.
There’s really nothing stopping other hackers-for-hire from using DDoS for corporate espionage or chaos. It’s proved to be a cheap and effective way to hobble a rival. Since the Liberia attack, the ranks of internet-connected devices have continued to grow rapidly, including cars, medical implants, even beehives. While the technology to defend against botnets has advanced, too, it’s yet to be tested by a next-generation Mirai-type incident, according to Payton, the former White House online security official. If that happens, it’s unclear how or whether those defenses will hold up, she says. “We won’t know until we are there.”
Kaye served the first part of his sentence in several prisons around London before moving to Belmarsh, a maximum-security facility that houses rapists, murderers, and terrorists. Its nickname, Hellmarsh, is scrawled on the walls inside.
In a series of interviews at the Belmarsh visiting room, Kaye, now 31, has little to say about his life or work and denies being behind most of the online identities that have been linked to him. He can’t even explain his use of Spider-Man references. It was random, he says.
There may be good reasons for Kaye to keep quiet. Some of his alleged aliases have been linked to other offenses. Journalist Brian Krebs, who runs the news website KrebsOnSecurity, has reported that bestbuy and popopret were observed on black-market hacking forums selling GovRAT, a virus used to target U.S. government institutions. Bestbuy and popopret were also users of Hell, an infamous darkweb forum popular with black-hat hackers (its slogan: “F— heaven, hell is hot”). Kaye might be both bestbuy and popopret, as some police officials believe, or neither of them. They might be different people, part of his circle of criminal hackers. Kaye denies being behind either alias, although he admits to using bestbuy’s name to cover his tracks.
Kaye says he hasn’t spoken to Marziano since their lunch in London just before his arrest. When Kaye is released in early 2020, he’ll face court-mandated restrictions limiting his access to phones, computers, and encryption software, though he hopes to continue his career in online security. Until then, he spends all day in the prison kitchen, chopping vegetables. The more controlled environment allows him to avoid contact with Belmarsh’s more frightening residents. Does he have any regrets? Of course, he says, looking around at the tattooed inmates in the visiting room. “I can’t believe I ended up here.”