Revealed: How police caught teenage hacker who made £400,000 from his bedroom
PUBLISHED: 16:23 01 September 2019 | UPDATED: 14:47 05 September 2019
From his bedroom on a Norwich estate an unemployed teenager with a history of sexual offences quietly amassed a fortune from computer hacking.
Elliott Gunton had earned a reputation among the hacking community in 2015 after publicly exposing vulnerabilities in telecoms company TalkTalk, costing £42m.
He was just 16 at the time, and went on to hone his skills by probing the systems of three Norwich schools for weaknesses.
His 2016 conviction did not deter him, and within a year detectives uncovered hundreds of thousands of pounds in cryptocurrency in his name.
Gunton had been hacking and trading valuable social media accounts, and earlier this month police recovered £400,000 of "ill-gotten gains" from the teenager.
A team of 16 detectives and analysts form the cyber, intelligence and serious crime department for Norfolk and Suffolk, working out of Halesworth police station.
The unit was set up four years ago, and they say the investigation into Gunton was a "test case" - the first in the region into cryptocurrency money laundering.
Gunton boasted to police he would be a "millionaire in three years", claiming he had been trading in cryptocurrency legally.
So investigators had to prove where his money had come from.
"We know criminals are getting very clever," said DS Sam Shevlin, who leads the cyber-crime team. "It is really evolving and they are becoming quite expert.
"Forget the old days of money mules and money laundering - there is a whole hidden element to this."
After Gunton, now 19, was jailed for 20 months for computer hacking and money laundering, DS Shevlin and T/DS Mark Stratford received a judge's commendation, along with analysts who worked on the case.
T/DS Stratford led the investigation and tried to follow the money. But he said tracing and identifying cryptocurrency transactions is "insanely difficult".
"People hide behind online anonymity, and tracing their comments or website visits back to someone in the real world presents real challenges," he said.
"One of the first things we would look for are financial motivations, and covert currency on the internet tends to be cryptocurrency."
The appeal of cryptocurrency for criminals is its inherent security and lack of traditional regulation.
"Essentially you become your own bank," T/DS Stratford explained. "You are not reliant on any third party to facilitate a transaction and it happens very quickly.
"The bank can't stop it or seize it and you become the holder of your own personal vault."
All cryptocurrency transactions are public on the "blockchain" - a record of payments.
The difficulty for investigators is that all transactions are anonymous and it can be almost impossible to crack their security systems.
"It is like a big room of safety deposit boxes in a bank, but all of them are transparent," said T/DS Stratford. "You can look in and see what transactions have come in and gone out, but you can't touch it unless you have the private key."
A cryptocurrency account holder will have a private key - the "key to their vault".
That private key controls funds assigned to any number of "disposable" public keys - codes attributed to an account without revealing the identity of the holder.
"The public key is like an account number and sort code," said T/DS Stratford. "If I have it I can't touch your balance or take it from you, but it is enough information to transfer money to you.
"The private key is like your login details and controls the funds within."
The private key can look like anything. It could be a QR code or a random sequence of 12 words, and can unlock either hardware or software which stores the funds.
Gunton had his fortune stored on a "nano ledger" - a device the size of a USB drive.
His laptop had been seized by public protection officers in April last year when suspicions were first raised.
He was being monitored by police under a sexual harm prevention order after being convicted of possessing indecent images a year earlier and had asked for the order to be shortened so he could seek work.
Cyber-crime detectives knew of Gunton following his TalkTalk conviction, and wanted to take a look at his computer.
The team identified a public key from "digital footprints" on Gunton's laptop which revealed a suspicious amount of money.
"How has this 17 or 18-year-old, unemployed, registered sex offender, got a massive amount of cash?" said T/DS Stratford.
The teenager was arrested and remanded in custody to ensure he didn't siphon the funds away while the team worked to identify the full scale of his offending.
"It was hours and hours of really labour intensive work," said DS Shevlin. "Evidentially it was quite a new thing for us because we had to demonstrate the movement of the cryptocurrency."
Detectives had to apply to court for an order to force Gunton to hand over the recovery phrase for the nano ledger so they could access his funds. He had already given them two inaccurate codes and they were in danger of being locked out.
An alternative option was to approach a cryptocurrency exchange - a trading platform - to hand over Gunton's details.
But that comes with its own difficulties.
"There are plenty of exchanges out there that are either decentralised or will refuse law enforcement," T/DS Stratford said. "There are a lot of legitimate exchanges that are perfectly law abiding, but then there is the underground.
"One is registered in the Seychelles and operated from Hong Kong.
"It becomes an incredibly expensive and drawn out process to get anywhere, so coming from a standing start is difficult."
Eventually detectives believe Gunton got lazy, leaving traces of his crimes on chat logs and hacking forums.
In one post on his @Gambler Twitter account Gunton wrote: "Having lots of money is cool, but having lots of money without people knowing is cooler".
He was also prolific on the HackForums website, where his anonymous persona Glubz was seen advertising "fresh to market" and "original" high tier Instagram accounts for $3,000 apiece.
And he even boasted of his crimes in Facebook chats to his friends.
One conversation, on November 13, 2017, revealed an apparent plot to "heist" Australian telecoms giant Telstra.
"If he was using his technical skills to clean up his activity there is no reason we would have found evidence of cryptocurrency and the accounts for sale in his chat logs," said T/DS Stratford.
"It takes time and effort to clean up properly and forensically.
"He wanted to be recognised, and he became a big deal on HackForums. He was trusted and had a reputation.
"He built up this online identity he did not have in the real world."
Gunton has now been handed a three year criminal behaviour order, banning him from disguising his internet use or withholding passwords from the police.
The cyber, intelligence and serious crime department currently have 62 active investigations on their books.
Usually they deal with ransomware attacks - phishing emails which contain malicious software.
If the victim is in Norfolk and Suffolk the case will fall to the cyber-crime team until a suspect is identified. Then there is a "discussion" over jurisdiction.
The offender is rarely local. Gunton was targeting Australian telecommunications networks and social media accounts, successfully taking control of the Instagram account of Phil Darwen, an Australian designer with 1.4m followers.
"You would be a bit of an idiot if you commit a crime on your own doorstep," said T/DS Stratford.
But local offenders can often be students targeting their own school networks, as Gunton did with the Open Academy, Thorpe St Andrew and Sprowston High Schools.
Often it can be out of curiosity or mischief, but there is a danger it can become a gateway to more serious hacking.
"Rather than criminalise them we refer them into the Prevent network which sets them on the right track," T/DS Stratford said. "It is trying to stop them going down the dark path of becoming Elliott Gunton.
"A lot of people are not necessarily aware hacking into a school network, or giving yourself administrator privileges, is an offence."
As an emerging trend, officers are generally not trained to spot the signs of hacking or cryptocurrency activity.
While public protection officers were suspicious of hacking software found on Gunton's laptop, they lacked specialist software to analyse his devices.
And the cyber-crime team want to roll out training so all officers can spot the signs.
"Officers are out there all day every day engaging with the public or doing warrants and there is often evidence of cryptocurrency somewhere," said DS Shevlin.
"It is all evolving and we need to know if that person potentially has some cryptocurrency. Organised crime groups are using it because they think it can't be traced."
Officers are able to seize cash of more than £1,000 for investigation. But a cryptocurrency account "could look like anything".
"Educating officers who do those searches is on our to do list," said T/DS Stratford.
"It is easy to hear about cryptocurrency heists, thefts and hacks, but criminals have been using currency in one form or another since day dot. This is just the latest incarnation."
The force is also looking at cyber volunteers - people with technical skills supported by their employers to work for the police.
The emerging threat
It is difficult to grasp the scale of online offending as it so often crosses international borders and is under-reported.
But social media and digital systems mean the online world is taking over more of our lives, making us more vulnerable to hackers.
According to the Crime Survey of England and Wales, there were more than 7,500 fraud and computer misuse crimes in Norfolk and Suffolk last year - a rate of 5 in every 1,000 people.
And police have warned "anyone can be a victim".
"A victim can be a six-year-old girl at primary school or an elderly person who has been a victim of a scam," said DS Shevlin.
"It is really indiscriminate and anyone can be a victim.
"There is a hidden harm to cyber-crime but we know from research it is really affecting people's lives.
"A lot of our offenders live abroad, so how are you going to deal with that?
"There is always reporting in drugs, county lines or sexual offences. You do not really see that with cyber-criminals."
Any digital device that is seized in Norfolk and Suffolk will go to the analysts in Halesworth to review and interpret the data.
In Gunton's case, fragments of conversations online and Bitcoin transactions coming into his cryptocurrency accounts were enough to prove his criminality.
"They can make things difficult for us but they are not always as hidden as they think they might be," said T/DS Stratford.
Gunton was handed 20 months in prison for his most serious offence - the hack of an influential Instagram account.
The charge carried a maximum penalty of 10 years.
And investigators believe legislation needs to be updated to keep pace with ever-evolving crime.
"We are using legislation that is 29 years old," said T/DS Stratford. "The Computer Misuse Act was made in 1990, and the legislation could not possibly envisage this type of offending."
DS Shevlin added: "This type of offence is not frequent and there are no test cases or sentencing guidelines.
"It is a new, emerging type of offending."
There are various "methods of attack" for hackers.
But T/DS Stratford said the easiest way to protect yourself online is to: "Guard your email accounts above everything else".
So-called "brute force" attacks will target user passwords, and once a hacker has gained access to your email account they can set about hijacking your entire online security system.
"The email address is the gateway to all the other online accounts," said T/DS Stratford.
"Once they are past security your whole online life is potentially compromised."
Two-factor authentication can add an extra layer of security to your email account and protect against brute force attacks.
But another method can bypass two-factor authentication.
SIM-swap hacks involve targeting telecommunications networks to gather mobile phone numbers and take control of them.
With that, hackers can scour open source data from sites like Facebook to gather information about a person that could be used as answers to security questions.
But T/DS Stratford said: "Two-factor authentication is a second level of security and everyone should have that."