British police have announced that they have arrested a 19-year-old man in connection with a series of hoax bomb threats and distributed denial-of-service (DDoS) attacks.
George Duke-Cohan (who goes by online aliases such as “7R1D3N7”, “DoubleParallax”, and “optcz1”) is also reported to be a member of the Apophis Squad hacking gang, which has launched denial-of-service attacks against secure email provider ProtonMail, and cybersecurity blogger Brian Krebs.
Duke-Cohan was arrested at his home in Watford, UK, on Friday last week by the National Crime Agency (NCA).
What is perhaps surprising is that this is not the first time that the teenager has been arrested for making bomb threats.
Back in March of this year, Duke-Cohan was arrested by the NCA after thousands of British schools received warnings that they would be bombed if ransom payments were not made to him.
Although the warnings were not believed to represent a genuine threat, that wave of extortion spam resulted in approximately 400 schools being evacuated in an abundance of caution.
Despite knowing that the authorities were investigating his activities, Duke-Cohan launched another wave of 24,000 hoax bomb emails the following month. His victims this time were schools in the UK and United States, and the emails claimed that pipe bombs were hidden on their premises. Recipients were told that unless US $5,000 was paid within three hours, buildings would be blown up.
Duke-Cohan was arrested for a second time, and under his bail conditions was prohibited from using any electronic devices. Clearly the law enforcement authorities were concerned that he might be tempted to get up to his old tricks again.
Those concerns, unfortunately, were well-founded. Duke-Cohan’s next victim was not a school, but instead United Airlines flight 949, traveling last month from London to San Francisco.
According to NCA investigators, working in co-operation with the FBI, the teenager phoned in bomb threats to San Francisco airport:
“In a recording of one of the phone calls which was made while the plane was in the air, he takes on the persona of a worried father and claims his daughter contacted him from the flight to say it had been hijacked by gunmen, one of whom had a bomb.”
“On arrival in San Francisco the plane was the subject of a significant security operation in a quarantined area of the airport. All 295 passengers had to remain on board causing disruption to onward journeys and financial loss to the airline.”
This latest incident resulted in the arrest of Duke-Cohan at his home in Watford on Friday 31 August. Numerous electronic devices – banned under the terms of his bail agreement – were found in Duke-Cohan’s possession.
In a blog post, ProtonMail says that it began investigating Apophis Squad “almost immediately after the first attacks were launched,” and was able to identify Duke-Cohan and pass on information to the authorities.
It appears that the disruption to the United Airlines flight, and the imminent reopening of British schools this week for the new academic year, prompted the authorities to act.
Despite Apophis Squad’s boasts about being untouchable, ProtonMail told me that the group’s attempts to hide its identities were amateurish:
“They had such bad opsec that even before law enforcement requested data from us, we had already more or less identified them from publicly available data and our sources in the infosec community.”
George Duke-Cohan pleaded guilty to three counts of making bomb threats, and is due to next appear in Luton Crown Court on 21st September, where he may face further charges. The spectre of possible extradition to the United States also looms over him.