In an amusingly told, but ultimately worrying presentation Mirko Manske, first detective chief inspector from the German Federal Criminal Police Office detailed how he - and a cast of what seemed like thousands, tracked down and ultimately incarcerated the cyber-criminal who caused telecom services to crash for 1.2 million Deutsche Telekom users.
The actual crash was not the intended outcome of the hacker, who was creating botnets - but his instruction stream url was too long due to a problem at the Telekom provider, and the combination caused the system to keep re-trying and ultimately crash.
Under GDPR the search would have fallen at an early hurdle as it was a result of trawling hoarded old records that enabled Manske to discover an old email from when the hacker was less careful, and this identified him as BestBuy - and then further research found that he had another email as Spiderman, which in turn led to email@example.com. And using the domain search service of 'Who is' - now not allowed under GDPR, a billing address for Daniel Kaye based in Tel Aviv was found - and subsequently a Facebook posting with a photo of the offender with his fiancee.
Mankse reported how German law enforcement was unable to get any help from Facebook, because the offender was outside of German jurisdiction. In fact, he observed that Facebook, Google and other US global players tend to make it very, very, very, very complicated for non-US law enforcement to do their job.
However Manske persisted and German law enforcement had kept tabs on a CAV service (counter- anti-virus, used by hackers to test their malware to check that it is not already known by the AV companies) and these criminal services keep all their records. Using its access to the backend of this CAV service, they found that BestBuy was a customer on the service, so now they had an IP address and malware. Having previously tracked the hacker moving from Tele Aviv to the UK, they now found that he had moved to Cyprus.
A problem was defining the exact law broken as the hacker had not sought to bring down the telekom service, but connectivity was lost because of a falw in the system giving an unintended result.
As a result DT provided a lot of data, but it showed that only 16 victims remained, incuding himself and a friend plus 14 researchers including the chaos computer club.
With no victim to make a case, Manske then sought to take over the botnet. First, it was necessary to take over the initial controldomains. AS dot.us is run by Newstar where Manske knew the owner, it was suggested tho transfer ownership of securityupdates.us, he should get a warrant against a German entity. This was done though it was actually a warrent against a closed German company, but it still allowed the domain to transfer ownership under German law..
Shadowserver - described as a non profit which helps the goood guys, and is trying to save the internet, is strong in the domain hosting world and stepped in to help. It gave the warrent its support, and pursuaded others to transer domain names voluntarily.
Shadowserver started sinkholing the botnet but there were now no victims.
Kaye was arrested at Luton Airport while travelllng to London in February 2917. His fiance emptied their suitcase at the airport, repacked her own belongings and went on to Cyprus - where law enforcement had already raided their house.
Kaye got 20 months in July 2017, having spent five months in detention then stepped out of cout and was released. However, despite complicated health issues, he was re-arrested under an international arrest warrent in th UK where he is now awaiting trial for extorting UK banks. And when he is eventually released, he will then face the US courts for attacking their critical infrastructure.