December 7, 2018

The ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions — has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials.

George Duke-Cohan, 19, caused a massive uproar earlier this year after communicating a series of bomb threats against 1,700 schools, colleges and universities across the United Kingdom. But shortly after being arrested on suspicion of the threats and released, Duke-Cohan was back at it again — this time expanding his threats to include schools in the United States.

One of many tweets from the attention-starved Apophis Squad, which launched multiple DDoS attacks against KrebsOnsecurity over the past few months.

At the same time, authorities in the U.K. and U.S. discovered that Duke-Cohan was responsible for falsely reporting the hijack of a plane bound for the United States. That flight, which had almost 300 passengers on board, was later quarantined in San Francisco pending a full security check.

Duke-Cohan was part of an attention-seeking group of ne’er-do-wells who called themselves the Apophis Squad. Duke-Cohan and his crew modeled themselves after the actions of the Lizard Squad, another group of e-fame seeking online hoodlums who also ran a DDoS-for-hire service, called in bomb threats to airlines, DDoSed this Web site repeatedly and whose members were nearly all subsequently arrested and charged with various cybercrimes.

Indeed, until recently the Apophis Squad’s Web site and DDoS-for-hire service was hosted on the same Internet server used by a handful of other domains that were tied to the Lizard Squad.

Earlier this year, KrebsOnSecurity.com came under sustained attack from the Apophis Squad, who took to Twitter to taunt this author while the attacks were underway. Duke-Cohan and other Apophis Squad members also attacked the free email service Protonmail, even as all of them continued to use their Protonmail accounts to communicate about the attacks.

KrebsOnSecurity assisted Protonmail in its investigation into the attacks, and the company later credited this author with helping to identify Duke-Cohan as the driving force behind the DDoS attacks.

Sources close to the investigation say Duke-Cohan may yet see additional charges from U.S.-based authorities. Also, several other members identified by this author as alleged co-conspirators along with Duke-Cohan have not yet been charged with a crime either in the U.K. or in the United States.

It’s not always fun when your site isn’t responsive because of determined attacks from groups like the Apophis Squad, but I try not to get too bent out of shape when these attacks do occur — mainly for two reasons: Firstly, those responsible typically end up getting busted and going to jail. Also, I usually get at least one good story out of it. In this case, make that two good stories.

Further reading:

Schools Bomb Hoaxes: Teenager Jailed for Nationwide Threats

A video of the the U.K. National Crime Agency (NCA) questioning and detaining Duke-Cohan.


42 thoughts on “Bomb Threat Hoaxer, DDos Boss Gets 3 Years

  1. Odd

    Good. These “jokers” need to be taught a lesson, as well as made an example of, to deter others. They should be made to pay for theirs sins in both jurisdictions.

    1. Paul

      All the resources used in determining that the threats were hoaxes cost a lot of money. The taxpayers should not pay it. The perpetrators should pay it in full; even if it takes a lifetime of payments.

  2. The Sunshine State

    Question, did George Duke-Cohan, have Autism ? Asperger ? mental illness or some other excuse to why he did those crimes.

    1. AJ North

      The last sentence from The Guardian article, linked in my comment below:

      “The judge said that, for the purposes of sentencing, he accepted that Duke-Cohan has autism spectrum disorder.

      1. goodriddance

        I’m so sick of the defense that oh i have apergers so I can burn down buildings and it’s okay because I’m socially awkward.

        No question people with these disorders are misdiagnosed, undiagnosed and otherwise ignored. Certainly that needs to change. But pretending people who have aspergers or are on the autism spectrum deserve a free pass when it comes to repeated criminal behavior that threatens the lives of thousands of people is just dumb.

        1. Joe dal

          What’s wrong with you. If you were blind would you blame the person for not seeing? Autism is a disability – if it is has not been treated with therapy – it will causes behavioral problems.

          Even @briankreb – have some empathy for people with autism – at least report that he is on the spectrum.

          1. Pensato

            As someone who has PDD, I disagree with you completely. I was never properly diagnosed with my disorder until l I was in my mid 20’s, yet I never ran around acting like an idiot. Your argument is flawed. It’s the same thing as saying, it’s okay for underprivileged and uneducated teens to act out and commit crimes.

            It’s not. We all know what’s right and wrong. People like you are just empowering people like Duke-Cohan to break the law. worse, you’re acting like you understand people with this kind of disorder when
            you really don’t know anything about it.

            1. Joe dal

              @ Pensato your argument is flawed. You said “We all know what’s right and wrong.” Wrong, some do not. This dude may not know or at a minium does not how to control his impulse. Good that your PDD is not impairing you, but you can not make a universal conclusion with a sample of 1. I agree on your point on underprivileged, but autism is a medical condition – not a financial or social situation.
              Plus, I do understand ASD, because I have a young son who is in the spectrum.

    2. David

      The Daily Mail has more of the judge’s remarks than The Guardian. It seems not everybody bought the ‘Aspergers’ excuse.

      https://www.dailymail.co.uk/news/article-6471395/Teenager-hoax-bomb-threats-jailed-three-years.html

      Your principal mitigation is your early guilty pleas. Other mitigating factors are your age and lack of maturity, the fact that you have no previous criminal convictions and, to a limited extent, your functioning deficiencies which have contributed to a diagnosis of autism.

      In mitigation, Anya Lewis told the court how Duke-Cohan was a lonely boy who was friendless at school and frequently bullied by peers.

      She told Judge Foster this streak of lonlieness continued in custody, where she said he was goaded by prisoners and prison officers alike.

      She also told the court that his parents separated when he was six years old and he lived with a physologically abusive father until he was 13 – and from whom he is now estranged.

      Ms Lewis claimed he was manipulated and groomed in the online community from whom he desperately sought the validation and acceptance lacking from his real life.
      She also cited a suspected diagnosis of autistic spectrum disorder (ASD) for both his troubled personal life and later offending, which Judge Foster referenced while sentencing – citing a report from consultant forensic psychiatrist Dr. Tim Rogers.

      ‘He is of the view that there is a range of evidence in support of a diagnosis, but accepts that other medical professionals may take a different view.

      For the purposes of sentencing, I accept that you do suffer from that disorder,’ Judge Foster told Duke-Cohan.

      ‘However, to say this is an excuse for what you have done is an insult to the many thousands of suffers who lead law-abiding lives. Importantly, Dr. Rogers expresses this as a result of his consultation with you:

      ‘Mr Duke-Cohan alluded to ordinarily hidden feelings of shame, insecurity, vulnerability, and humiliation that had given rise to fantasies of, and a search for, success, power, acclaim from prominent hackers and the achievement of wider online notoriety’.’

  3. The Realist

    To “the sunshine state”; autism and Aspergers doesn’t provide and excuse for performing illegal activity. Negligence of the law is not a defence.

    1. MattyJ

      I dunno. Three years in jail is a lot of time for a 19 year old. And what 19 year old script kiddie is gonna have any money, anyway? He’s life hasn’t even started yet.

  4. Occam

    This three year sentence doesn’t mean 3 years. He’ll typically (for the UK) be out on probation or under supervision in less than 18 months. This is nowhere near enough for scumbags such as this one.
    What is now needed is for the US to seek to extradite him, at which point the autism/aspergers defence will be deployed as has happened with other such inadequates.

    1. RW

      My two kids’ school was one of those affected by the threats. I am also lucky enough to teach computing to young people with autism/ apsergers (none of which are ‘inadequates’, as you state, actually).

      And given your choice of president, I think that extraditing him to your country is the worst possible way to rehabilitate him.

        1. Bob

          The difference is your president was voted in.
          Brits get no choice regarding the queen.
          Most Brits couldn’t care less about the royals…they’re only there because tourists seem to go nuts about them

            1. somguy

              Lots of people didn’t bother to vote period either. Like half of the people in the country don’t bother even when registered.

  5. g.s.

    Brian – what do you think of the length of the sentence?

    I’m conflicted. On the one hand 3 years, with the likely possibility of early release doesn’t seem long enough. Especially factoring in the airline call but also just the scale of the havoc of all those thousands of schools.

    But he is only a 19 year old kid and 3 years will seem like a lifetime to him – guaranteed enough to make him regret his actions and hopefully change his ways .

    I gusss I’m trying to decide between punishment and deterrent.

    1. BrianKrebs Post author

      I think the reason he got 3 years was he spat in the face of the investigators and prosecutors, after he re-offended doing the same stuff he was arrested for months prior. Anyway, as others have said he likely won’t do the whole 3 years. Aspergers, autism or no, I think when people repeatedly show themselves to be a threat to the safety of others they need to be set apart from society. Whether that means jail or something slightly less harsh is not really my area of expertise.

    2. K.N.

      Agree. The first time the police picked him up should have been a deterrent, but he could have cared less as he went right back at it. It seems like a light sentence to me.

      As far as his age–there was a guy a couple years older than myself when I was in high school. He came from a family that was a little rough around the edges, but he was not a trouble maker or a bully. Over the summer after his graduation, he decided to go on a road trip with a buddy. For some reason they had at least one gun in their possession and got the idea that they could get away with an armed robbery, during which the guy that went to my school was shot and killed by police.

      The moral of the story–19 years old is plenty old enough to cause serious trouble and a 3 year jail sentence for the things that guy was doing is not harsh. He is a young adult. Sometimes you only get one shot at stupid. Hopefully he the jail time convinces him of the seriousness of his bad behavior. And hopefully his apprehension leads the authorities to others he was associated with.

  6. Jim

    Good write-up. Like usual.
    Asperger’s dosent mean irresponsible, or uncontrollable. Just overloaded with inputs. Many are responsible citizens. Under a autocontrol. And it’s a very loose definition of I want attention and will do whatever I want. Hopefully, the jails in England will help him control his outbursts and teach him a useful outlet, like bull milking, for a new outlet.

  7. George G

    A couple of quotes from those who commented before me.

    “Duke-Cohan was a lonely boy who was friendless at school and frequently bullied by peers”. Aspergers, autism, psychologically abusive father, etc.

    “However, to say this is an excuse for what you have done is an insult to the many thousands of suffers who lead law-abiding lives. ”

    Well said.

  8. Nick

    Great Article. Yes, like the others have stated, No condition is an excuse to commit a crime. People. he committed a crime. just because it involves 0’s and 1’s at the root level does not make this any less of a crime.

  9. Kris

    Brian, If this is 19yr old stuff what can older ones do? I fail to understand how this whole cyber security thing can be done by 15+ olds. Did internet evolve too fast for it’s own good?

  10. jonny

    Ur all unintelligent. It just goes to show how easy it is to fool people & schools, airlines etc, etc. What a flimsy weak world we live in, 15+ kids can beat us all easy…

  11. JimV

    From the thoroughly shallow nature of his tweets attempting to diss BK, it certainly seemed that ‘Apophis’ was little more than the epitome of a punk — appears to be confirmed with release of his age.

  12. Hayton

    “… several other members identified by this author as alleged co-conspirators along with Duke-Cohan have not yet been charged with a crime”.

    If those names were made public in one of Brian’s earlier articles I can’t find it now. In a comment to the earlier article linked to from here I noted that there were reports that other people had supposedly been arrested but nothing about them was made public. One of the arrests was said to be in the US.

    I also predicted (part of) the defence strategy – “I bet his lawyer pleads autism or Asperger’s or bi-polar disorder and gets a reduced sentence”. Didn’t really work though, not this time.

    And he still has not been charged any DDoS offences. So there’s a loophole for the FBI if they want to swoop on him when he comes out of his (relatively) comfortable Category C prison in a couple of years’ time.

  13. vk

    As long as there are kids being mobbed and mistreated (sexually abused / beated etc.) by their family members, there will always be cases like this.

    To say “3 years is not enough for this scumbag” or “needs to be extradited to the US” is showing that you look at this the completely wrong way! Of course this kid caused a huge mess and pain for a lot of people and he has to deal with the consequences but imagine you are a growing up kid in the very important “growing up” phase before you probably start a job or go the a university and you have no friends, are being mobbed regularly, misused by family,…

    If we would actually spend more effort into helping kids like that (in any way possible) before it escalates, I guess we would also have to deal less with such outcomes and jails wouldn’t be that full.

  14. Readership1

    The real crime is the absence of a proper photo of the suspect. The newspapers keep showing the same blurry images from video.

    As for the sentence and conviction, it’s absurd that government will lock up a jerk for being annoying, while claiming to value free speech.

    Locking down schools and airplanes over phone calls is security theater. If they cared to prevent bombings, they’d better protect those targets so they can sat with confidence, “the threat is fake,” without sending in the bomb squad every time.

    They’re locking this jerk in prison to cover for the fact that none of those targets were ever protected.

    1. Jamie

      This isn’t “being annoying”, this is putting the safety of others at risk for a game. You don’t seem like a smart person, but try and consider what it would feel like to have a bomb threat called into your childs school.

      Your suggestion that they would just declare the threat safe, or have the ability to know 100% it is a hoax is unwarranted and belies a complete lack of security, physical in particular.

      I guess you are trolling.

      1. Readership1

        Outside the US, modern bomb threats have been either identifiable and true (e.g. the IRA and some Middle East groups), or anonymous and false.

        The most recent, anonymous — and true — bomb threat in the US occurred at the University of Wisconsin. The bomb was in the math building, during the Vietnam War.

        Since 1970, there hasn’t been a single, credible anonymous bomb threat in the US. [1]

        It’s time for government to stop endangering us with their overreactions and disruptions. Police guns and speeding police vehicles kill more Americans each year than terrorists. [2 & 3]

        Spend less effort worrying about the false threats of anonymous jerks. Instead, wake up to the fact that it’s government that puts “safety of others at risk.”

        [1] https://m.inlander.com/Bloglander/archives/2015/04/10/idle-threats-expert-says-bomb-threats-are-pretty-much-always-duds

        [2] https://www.usatoday.com/story/news/2015/07/30/police-pursuits-fatal-injuries/30187827/

        [3] https://krebsonsecurity.com/2017/12/kansas-man-killed-in-swatting-attack/

    2. Joe

      The long standing example of the major exception to “free speech” is falsely yelling fire in a crowded movie theater.

      There is a reason for this. Freedom of speech is not a universal get out of jail free card. Speech that directly leads to, or is intended to cause harm… is something that can and should be, prohibited.

      Words have meaning and consequences. Freedom of speech is intended to protect the flow of ideas, especially those ideas critical of those in power.
      It was not intended to protect idiots from hiding behind the defense of, “it was just words”… as a means of doing harm and avoiding the consequences.

      1. Readership1

        Joe,

        What harm occurred? The offender caused no injuries, nor did he intend any. No plaintiffs have filed suit to claim financial or personal harm, either.

        1. Joe

          You are kidding, right?
          Bomb threats and swatting, no harm?

          There is no requirement to prove and quantify harm or derive a financial, medical or social cost,… for something to be considered harmful or even criminal.

          Sorry, but the defense of “I only meant to scare” when pulling a gun on someone… doesn’t work. It is still criminal.
          Swatting is essentially tricking law enforcement into threatening serious bodily harm and death. Bomb threats also. The threat alone, with or without intent, is harmful, both psychological and financial.

          All of it smacks of self gratification and justification for criminal behavior that can and should remain illegal.

  15. Nicole

    Another great article Brian and I suspect you’ll be keeping tabs on Duke-Cohen in about 2 years time when he regains access to a computer and the internet.
    By the sounds of it this kid has had a pretty raw deal out of life so far (not an excuse). As his lawyer points out he flourished on this online community of hoodlums because he finally got the validation, respect and connection with others that he was likely missing for a good part of his childhood. The same reason kids join gangs and end up in jail before they’re 20.
    I agree people that commit these attacks need to face consequences for their actions. However, jail time isn’t going to stop him from going right back to this behavior as soon as he’s given the chance. Jail time isn’t going to stop these crimes from continuing to happen.
    If we really, truly want to put an end to young people using their access and little bit of smarts to divert first responders from a potentially real threat to deal with a hoax, we need to address the why. He deserves jail time, but he needs support and connection and a way out.

  16. Hayton

    The link below is to the judge’s summing-up before he passed sentence. It’s worth reading – backstory and timeline of offending (including some things Brian didn’t mention, but not the DDoS attacks on this site or ProtonMail). There is a reference to others supposedly involved but not identified. And this : “You have [said] … that you know how to design and build bombs. ”

    He won’t serve three years in prison; he’ll be out in less than 18 months – “You will serve half of the sentence in custody after which you will be eligible for release on licence … Any time you have spent in custody on remand will count towards your sentence.”

    https://www.judiciary.uk/wp-content/uploads/2018/12/r-v-duke-cohan-sentencing-remarks.pdf

  17. Aaron

    You could say he still won. He wanted some media attention and he got it.

Comments are closed.