
Meet ‘Derp,’ the U.K. teen police say helped hack the CIA director’s AOL account

‘Derp’ remains free—for now.


Dissent Doe

Photo via Fry1989 / Flickr (CC by 3.0) Remix via Max Fleishman

A British teenager arrested for his alleged role in hacking the Central Intelligence Agency director’s email account learned on Monday that he will remain free on an unconditional bail. Now, the 16-year-old must wait to find out if he will be charged and tried as an adult.


The teen, known online as “Derp,” was part of a group of teenagers calling themselves “Crackas With Attitude.” CWA burst on the scene last October when they claimed to have hacked CIA Director John Brennan’s personal AOL account. Although no classified material was exposed, Brennan’s emails and files were dumped publicly, and the emails were subsequently shared on WikiLeaks.

Over the next few months, CWA announced similar hacks of Jeh Johnson, secretary of the Department of Homeland Security; John Holdren of the White House’s Office of Science and Technology Policy; James Clapper, the director of National Intelligence; and FBI Deputy Director Mark Giuliano and his wife. CWA also hacked the social media accounts of Vonna Weir Heaton, former senior executive at the National Geospatial-Intelligence Agency. They even managed to gain access to Clapper’s Verizon FIOS account, and changed his phone settings to re-route all incoming calls to the Free Palestine Movement, a cause that the hackers claimed was the motivation for their attacks on government officials.


If it seems that a bunch of young teens were simply romping through the personal accounts of a veritable D.C. A-list, they were. And what made the attacks especially embarrassing was that no exploits or sophisticated techniques were involved. Security professionals winced as team members gloated on Twitter and in media interviews about how they used social engineering and phishing techniques—basic tools that require little technical skill—to gain access to accounts and government databases.

Most problematic, perhaps: The teenagers managed to access a government law enforcement portal and databases with loads of sensitive information, some of which was subsequently dumped on paste sites. The release was announced on Twitter on Feb. 8 by @dotgovs, one of numerous Twitter accounts that have been used by the team’s apparent leader, “Cracka,” although it is unclear if he had sole control of that account.

Busted!

The arrests of CWA members seemed to come as rapid-fire as their announcements of their hacks. On Jan. 25, British police arrested Derp, known on Twitter as @derplaughing. His arrest seems to have flown under the media radar until a second 16-year-old, “Cracka,” was arrested in the U.K. on Feb. 9. One week later, a 15-year-old teen in Scotland known as “Cubed” was also arrested. Others who have been linked to CWA, such as “Incursio,” “Fearz,” and “Zoom,” do not appear to have been arrested.  


Under U.K. law, the names of the arrested teenagers have not been revealed in the media due to their age.

For Derp, whose real identity is known to the Daily Dot, the January arrest was actually his second arrest on suspicion of violating the U.K.’s Computer Misuse Act. He had previously been arrested on Sept. 8, 2015, as he was getting ready to attend his second day of college.

At the time of Derp’s September 2015 arrest, material provided to the Daily Dot indicates, he was suspected of conspiring to commit offenses under Sections 1 and 2 of the Computer Misuse Act, a fact Derp noted in his Twitter profile. Non-public information provided to the Daily Dot shows that specific incidents included an attack on the Sussex Police Department and dumping of some of the officers’ information in a public online document, as well as publishing nine pages of data on Secretary Johnson on Pastebin.  

The dump of Johnson’s information was announced by the @derplaughing account on Twitter on Aug. 26 without naming Johnson. The tweet and paste seem to have flown under the media radar at the time, getting only a few retweets and no replies. Of note, if the data were dumped on Aug. 26, it appears that the Johnson breach occurred months before CWA formally brought it to the media’s attention.


At the time of his September 2015 arrest, police seized Derp’s laptop, a 1TB external hard drive, his PlayStation 4, Xbox 360, two USB drives, a computer tower, two cellphones, and two Guy Fawkes masks.

Based on materials viewed by the Daily Dot, much of the prosecution’s evidence against Derp appears to be based on his tweets and pastes as much as evidence obtained from his devices. Derp claims that police have accused him of taking part in some incidents with which he had no involvement simply because he tweeted about an incident. He also allegedly told police interviewers that at least one other person had access to his Twitter account.


Following his arrest, Derp was granted unconditional bail and was scheduled to return to Eastbourne Custody Centre on Jan. 26, 2016, for a bail continuation hearing. The day before he was to return, however, he was arrested again, and authorities seized his cellphone. Thanks to the previous seizure of Derp’s devices four months earlier, he faces potential charges for alleged activities with CWA. Derp told the Daily Dot on Monday that he will remain free on an unconditional bail, although his attorney informed him that the long duration of his case means he may face trial in Crown Court rather than a youth court.


According to information provided by Derp to the Daily Dot, he is suspected of involvement in an SQL injection attack on the Sussex Police website; the incidents involving Brennan and Johnson; an attack on the National Crime Agency (NCA) website; an attack on the Denver Police Department website; and involvement in a number of online protests, including #OpStopYuLin, #OpIsrael, and #OpCharlieHebdoe.

Derp tells the Daily Dot that both the September and January cases have been consolidated into one case, and any forthcoming charges will likely be based on evidence found on his devices as well as tweets and pastes he made.

Like Cracka, Derp potentially faces conspiracy charges under all three sections of the Computer Misuse Act:

  • Conspiracy to Commit Unauthorised Access to Computer Material Contrary to Section 1 of the Computer Misuse Act of 1990.

  • Conspiracy to Commit Unauthorised Access With Intent to Commit Further Offences Contrary to Section 2 of the Computer Misuse Act of 1990.

  • Conspiracy to Commit Unauthorised Access With Intent to Impair or with Recklessness as to Impair an Operation of a Computer Contrary to Section 3 of the Computer Misuse Act of 1990.


Derp claims that his only role in some incidents was to announce a hack for the team or create a paste about it. Asked whether he understood at the time that he might be charged as a conspirator under the Computer Misuse Act for tweeting announcements relating to attacks he had not directly participated in, Derp told the Daily Dot, “I didn’t know that since it’s only spreading the news. So if that’s true, I guess they should build conspiracies against mainstream media for spreading the news of attacks, too.

“And I know I’m being charged with attacks I took no part in, but there will soon be evidence that I didn’t have any part.”

Harris Paley Schone attorneys, who are representing Derp, did not respond to our requests for comment. According to a statement the South East Regional Organised Crime Unit and Counter Terrorism Unit emailed to the Daily Dot on Monday, no charges have been filed against Derp at this stage in the investigation.

Passionate about social justice

FreeAnons, an organization that supports arrested members of Anonymous (including ex-Anons like Derp), recently wrote a strong statement supporting Derp as a social-justice hacktivist. The pledge of support provides insight into why this teenager would allegedly risk his freedom.


Publicly available information confirms that Derp’s online activities generally seemed focused on humanitarian and social-justice issues. He has not been accused of any activities that would involve theft or misuse of personal information, such as credit card information, for financial gain.  

One of the issues Derp feels strongly about is feeding and caring for the homeless (#OpSafeWinter). While flatly denying any involvement in the leak of the Sussex Police data, Derp told the Daily Dot that the attack on the department seemed motivated by a December 2014 news report describing how Sussex police had tried to stop a disabled man from feeding the homeless. Similarly, #OpSafeWinter attacks on two Florida websites were motivated by a Fort Lauderdale ordinance that prohibited feeding the homeless outdoors.

Derp traces his concern for homeless people back to an incident when he was 10 years old:

I was still in school uniform, and I tried giving money to a homeless man sitting on the street, but he rejected it because he worried about me since he knew I was still in school. That’s what struck me. Knowing homeless people worry more about other people and the youth than themselves shows they deserve all help anyone can provide them.


Derp’s commitment to social-justice issues also helps explain his involvement in #OpSyria and #OPStopYuLin in February 2015. Derp said he is also especially proud of #OpHongKong, an Anonymous operation launched by others after Hong Kong police clashed with pro-democracy protesters in 2014.

“Seeing that something I partook in had a positive reaction by the people being helped was a good feeling,” Derp said. “Knowing the people we were helping appreciated the work of me and the many others had shown me we were doing a good thing.”

As much as Derp admired the Anonymous collective as it used to be, he has distanced himself from it in the past year, telling the Daily Dot—and anyone who will listen to him on Twitter—that Anonymous is dead, and that too many people are just “efame whores” who engage in what he sees as useless operations such as #OpISIS and quests for personal revenge.


Cloudy with a chance of prison?

While there is concern among supporters that the U.S. might try to extradite Derp for his alleged crimes against U.S. entities, his age and the fact that he faces charges in the U.K. for at least some of those incidents may make any attempt at extradition difficult if not impossible for the U.S. government. Although some have suggested similarities between Derp’s situation and that of Lauri Love, who faces potential U.S. extradition for allegedly hacking the Federal Bureau of Investigation and NASA, there are important differences between the two cases that make it less likely for the U.S. to attempt to extradite Derp.


As it stands, someone convicted under the Computer Misuse Act of 1990 could face a maximum of two years’ incarceration for a Section 1 charge, five years for a Section 2 charge, and 10 years for a Section 3 charge. All charges could also carry monetary fines.

With such serious charges potentially looming, Derp remains focused on tangible things, like getting his laptop back from the police.

“I know I will get charged with something at least. I feel OK for now, but the day I have to attend court, I know my feelings will change and I’ll be nervous not knowing what will happen,” Derp said. “However, the thing I am mostly concerned about is my devices, because I hope I can get everything back. The laptop was a birthday gift, and my family aren’t very wealthy so it’s a lot of loved devices.”


On Monday, Derp was happy to learn that he will soon get his consoles back. He understands that he will likely not be getting anything else back soon.

“Dissent Doe” is the pseudonym of a privacy advocate who reports on privacy issues and data security breaches on PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and it has served as the basis for a number of Federal Trade Commission investigations.

 
The Daily Dot