A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now-defunct "The Real Deal" dark web marketplace.
The 34-year-old defendant, Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser), allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down.
Threat actors used this platform to sell anything from stolen credentials for U.S. government agencies’ systems and hacking tools to drugs, weapons, and government data.
Among the login credentials put up for sale on the dark web market, court documents mention credentials for computers belonging to the National Aeronautics and Space Administration (NASA), the U.S. Navy, the National Oceanic and Atmospheric Administration (NOAA), the Centers for Disease Control and Prevention (CDC), and the U.S. Postal Service (USPS).
Kaye also allegedly trafficked Twitter and LinkedIn accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers.
He laundered the cryptocurrency obtained while operating The Real Deal using the Bitmixer.io Bitcoin mixer service to hide the illicit gains from law enforcement’s blockchain tracing analysis efforts.
“While living overseas, this defendant allegedly operated an illegal website that made hacking tools and login credentials available for purchase, including those for U.S. government agencies,” said U.S. Attorney Ryan K. Buchanan.
Best known for crippling German ISP Deutsche Telekom
Kaye made a name for himself as the developer and seller of the GovRAT malware that his “customers” used to hack U.S. government agencies.
Kaye infamously hijacked and accidentally took down over 900,000 routers on Deutsche Telekom’s network in late November 2016 using a buggy Mirai botnet malware variant.
Kaye commandeered the Deutsche Telekom routers to boost his DDoS botnet’s firepower after being hired by an undisclosed Liberian ISP to target its local competitors in DDoS attacks.
He also advertised DDoS-for-hire rental services backed by a massive botnet of over 400,000 Mirai-infected IoT devices.
After using his Mirai variant to take over another 100,000 routers on the networks of multiple UK ISPs (i.e., UK Postal Office, TalkTalk, and Kcom) and, again, unintentionally taking them down as well, Kaye was arrested by the U.K.’s National Crime Agency (NCA) in late February 2017 at a London airport.
According to DOJ’s press release, Kaye was overseas when the indictment was filed, and he consented in September 2022 to his extradition from Cyprus to the U.S.