'Prolific, Skilled and Cynical' Welsh Hacker Who Blackmailed Firms World Over For Bitcoins Jailed

Kelley - described by prosecutors as a "prolific, skilled and cynical cyber-criminal” - will serve 4-year term in a young offenders' institution, as he was 18 at the time of his arrest. He originally pleaded guilty to 11 computer crime charges in 2016, and has waited over two and a half years on conditional bail to be sentenced.

Data purloined by Kelley included customer names and addresses, dates of birth, payment card details, phone numbers, and email addresses. In total, roughly 157,000 customers were affected by the hack, which cost the company £77 million to rectify.

It’s alleged Kelley also contacted TalkTalk's then-CEO Dido Harding, demanding a 465 bitcoins in exchange for not leaking the swiped customer database onto the web.

Repeat Offender

TalkTalk is just one of many organisations targeted by Kelley - others included Zippo Lighters, RC Hobbies, ISP JISC, and TAFE Queensland, and Rogers Communications in Canada.

Kelley would "bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety”, prosecutors said. He was eventually caught when authorities traced an IP address used during an attack back to his home.

On occasion, he teamed up with a group of hackers known as Team Hans, but by and large he operated independently. In a particularly egregious example of a team effort hack, he accessed company contracts, employee records and other sensitive data at Rogers Communications, then contacted an employee by phone and email, making reference to his son by name and claiming he was looking at photographs of him. The hack cost the company £400,000 - £580,000.

In another, he demanded and received 10.5 Bitcoins (worth £1,731 at the time from For the Record (FTR) which provides digital recording tools for court evidence worldwide, after he threatened the company's vice-president.

The very same day, he contacted the company via another guise, and offered to help them up their ‘opsec’ capabilities.

"I am not trying to be rude but really, your security is not very good,” he wrote, offering to show the firm every vulnerability he could find for a fee of 5.2 Bitcoins (£861). The company agreed to the terms and paid, only for Kelley to refuse to cough up and demand more money due to his “leverage in this situation”, demanding 10.5 Bitcoins (£1,706) instead, and threatening to “annihilate [their]business in days” for not offering up the goods. The company paid once again, but Kelley upped the ante further to 25 Bitcoins (£4,206), so FTR contacted police and cybercrime detectives.

His demands continued however, becoming increasingly abusive, until the vice-president received an email threatening his one-year-old son with a picture of him attached.

"I am sure [son's name] wouldn't be able to withstand mental abuse, nor your lovely partner...How fun would it be to find your son's background ruined online before he had even hit 10? Anything is possible with a little editing and modification," he wrote.

Since his conviction, Kelley - who’s been diagnosed as suffering from Asperger's syndrome - is said to have suffered bouts of depression and extreme weight loss. His hacking dates back to when he was 16, when he compromised systems at his college and disrupted Wales’ Government Public Sector computer network, disabling communications between hospitals and preventing radiologists from accessing images. He carried out over 40 cyberattacks September 2013 - April 2014 alone, costing hundreds of hours of teaching time and IT defence work. Some students even left the institution due to exam disruption.

His lawyers claimed he’d taken up hacking after failing to secure the requisite GCSE grades to take a level three BTEC college computer course he wished to enrol in.