On Monday, the most outspoken member of a distributed denial of service (DDoS) gang – a British teenager – pleaded guilty to making bomb threats to thousands of schools and to a United Airlines flight between the UK and San Francisco while it was in mid-air last month.
According to the National Crime Agency (NCA), George Duke-Cohan, 19, pleaded guilty to three counts of making hoax bomb threats.
Security journalist Brian Krebs knows all about this guy. Krebs’s site, KrebsOnSecurity, was the recipient of one of multiple DDoS attacks carried out by Duke-Cohan’s group – which goes by the name “Apophis Squad” – over the past few months. Krebs reports that Duke-Cohan, who uses the aliases “7R1D3N7,” “DoubleParallax” and “Optcz1”, “was among the most vocal members” of this “group of internet hooligans.”
The gang also DDoSed ProtonMail.com: an end-to-end encrypted email service that, weirdly enough, many Apophis Squad members used. And taunted on social media. And whose servers they jumped all over.
ProtonMail wrote in a blog post on Thursday that its security team, along with help from other cybersecurity pros, began to investigate the gang almost immediately after the first attacks were launched.
It turns out that in spite of nyah-nyah bragging like this…
Feds cant touch us. NCA cant touch us. KEK we the big bois running around the internet with our 1337 bootnet! Come catch us we are untouchable! Living on TOR nodes and Open DNS. Smoking that good stuff with our bois at radware.
— APOPHIS SQUAD (@apophissquadv2) July 18, 2018
…Apophis Squad practiced lame operational security, ProtonMail said.
In fact, some of their own servers were breached and exposed online.
Krebs fed information to ProtonMail that enabled the email provider to identify Duke-Cohan as an Apophis Squadder in the first week of August.
The bomb threats had resulted in the evacuation of over 400 schools in the UK in March.
Duke-Cohan was arrested a few days after. Regardless, as of the end of August, he, or somebody else in his clique, was still gleefully rubbing their hands over the prospect of more threats when schools reopened this month:
Boi we can NOT wait for schools to go back! Hay! maybe we will offer FREE DDoS attacks to schools so students can g… twitter.com/i/web/status/1…
APOPHIS SQUAD (@apophissquadv2) August 24, 2018
Initially, it was thought that the March school threats came from warring Minecraft players, given that the messages looked like they came from Minecraft server VeltPvP. But the company said that the account had been spoofed and it was being “harassed by a group of cyber criminals that are trying to harass us in any way possible.”
In April, Duke-Cohan was already under investigation when he sent another mass email, to schools in the UK and the US, claiming that pipe bombs had been planted on their premises.
Then, on 9 August, Apophis Squad Tweeted about flight UAL 949 having been grounded due to their hoax threats. The incorrigible, already-arrested Duke-Cohan was on pre-charge bail for the school threats at the time, but he still must have had an urge to terrify innocent people, because he went right ahead and placed the bomb threat to the US-bound flight.
Here’s a recording of one of the phone calls placed to San Francisco Airport and its police.
In the call, Duke-Cohan pretends to be a worried father whose daughter contacted him from the flight to tell him it was being hijacked by gunmen, one of whom had a bomb.
When the plane touched down in San Francisco, it was placed in a quarantined area of the airport and subjected to an intense security search. The NCA says that all 295 passengers had to remain on board, resulting in disruption to their journeys and financial loss to the airline.
And, undoubtedly, a good amount of fear.
In the US and other countries, hoax bomb threats fall under the genre of crime called SWATting, which takes its name from elite law enforcement units called SWAT (Special Weapons and Tactics) teams. It’s the practice of making a false report to emergency services about shootings, bomb threats, hostage taking, or other alleged violent crime in the hopes that law enforcement will respond to a targeted address with deadly force.
Convicted SWATters such as Tyler Barriss will tell you that their intention isn’t to have anybody shot or killed. It is, rather, to shock or cause alarm. It doesn’t matter what Barriss’s “intention” was – it won’t buy back the life of 28-year-old Andrew Finch, whom police shot to death when responding to Barriss’s hoax call.
Fortunately, no deaths resulted from Duke-Cohan’s juvenile pranks. But that’s not to his credit: it was just roll-of-the-dice luck.
Like every other criminal who places these illegal calls, Duke-Cohan was playing a version of Russian roulette. The only difference is that he used somebody else’s gun and pointed it at strangers instead of his own temple.
Duke-Cohan was arrested (for the third time) in his bedroom in Watford, on 31 August. NCA agents found he was in possession of multiple electronic devices, in violation of his pre-charge bail conditions.
He’s in custody and due to appear at Luton Crown Court on 21 September.