In November 2016, a cyberattack on the routers of the German telecommunications company Deutsche Telekom caused more than 1 million customers to lose connection to the internet.

Mirko Manske, first detective chief inspector of the Federal Criminal Police Office of Germany (BKA), said the home routers were taken over by the malicious malware Mirai. He spoke about the search for the hacker, known by the alias BestBuy and Popopret, at the 2018 International Conference on Cyber Security on Jan. 9.

According to Manske, the hacker took advantage of a security vulnerability that had once enabled Deutsche Telekom to fix and update its customers’ home routers remotely.

The case’s investigators worked to uncover the identity of the hacker, and discovered several clues along the way, he said.

“The attacking scripts had one very interesting comment in there that was linking to an Instagram post, and it was a picture of a flyer that was called BotNet14,” said Manske. Referring to the 29-year-old man now identified as Daniel Kaye, Manske said “he basically left his fingerprints to say, “That’s me that’s attacking you.’”

A Global Win

Manske said his team relied on open source intelligence, which helped them to pinpoint important information about Kaye, including IP addresses he used and locations that he’d traveled to before the attack. They also learned that BestBuy and Popopret were the same person.

“He was bouncing through proxies all around the world, so we were not going to be able to find out where he was,” said Manske.

Under his pseudonyms, Kaye was also doing interviews with the media about the massive outage—while the investigation was still pending, said Manske.

“[He was] really [hacking]on a professional level…” he said, noting that investigators had to demonstrate the impact of Kaye’s crime in order for the court to bring charges against him: Even though Kaye had implemented a threatening cyberattack on millions of people in the country, Manske said that he did so inadvertently while trying, unsuccessfully, to compromise the routers.

“From our legal perspective, what he did was basically digital graffiti,” he added.

Even though Kaye served only five months in prison, Mankse argued that the operation was effective. He also believes there may be additional legal woes ahead for the hacker, since he was re-arrested in court after being released, and extradited to the United Kingdom for allegedly extorting U.K. banks.

“It’s a global win,” Manske said.