back to article Teen TalkTalk hacker ordered to pay £400k after hijacking popular Instagram account

One of the crew who hacked TalkTalk has been ordered to hand over £400,000 after seizing control of a high-profile Instagram account following a hack on Aussie telco Telstra. Elliott Gunton, 19, pleaded guilty to breaching a Sexual Harm Prevention Order (SHPO), Computer Misuse Act crimes and money laundering at Norwich Crown …

  1. J. R. Hartley

    Not bad

    Still, 7 grand is a lot of money for a kid.

    1. NoneSuch Silver badge

      Did you notice...

      Governments hate the idea of crypto-currency, but try their hardest to get their grubby hands on as much as they can. That's a chin scratcher.

      In five years, it will play a role in the 2020 version of the Iran Contra scandal.

      1. LDS Silver badge

        Re: Did you notice...

        You usually have to surrender any illegal item, or the profits from your illegal operations, whatever form they have.

        1. Robert Helpmann??

          Re: Did you notice...

          You usually have to surrender any illegal item, or the profits from your illegal operations, whatever form they have.

          Actually, you have to surrender any purportedly illegal item or gains. While I get the reason for this, it opens the door to abuse as having one's bank accounts frozen makes it difficult to mount a legal defense which makes it much more likely you will be found guilty thus making it a lot easier for the state to hold on to the seized assets.

  2. Blockchain commentard

    So, Telstra holds Instagram passwords? Or did the kid just pretend to be a Telstra employee and get the victim to hand over his IG password? To me, it sounds like 2 unconnected crimes.

    And he's a bit of a twat not keeping CCleaner on a USB stick!

    1. Mr Humbug

      My guess was that he socially engineered his way into some Telstra customer e-mail accounts and used the Instagram password recovery feature

  3. TechyLogic


    why was CCleaner the trigger? its a cleaning app :') the only "dodgy" bit is the drive wiper.....

    1. Anonymous Coward
      Anonymous Coward

      Re: hmm

      It is a bit odd, as I remember it, it doesnt do a particularly secure wipe, Spybot S&D on the other hand, used to have a VERY secure wipe option (not sure about the current version - which is a bit useless).

      One of the first things asked when I was arrested after a faked up kiddi-rape accusation, was if I had a shredder program.

      "Yes, part of Spybot, but I dont recall ever using it" was my reply.

      Released after 3 hours of questioning, by which time they had finally realised I was in hospital 12-14 miles away at the time of the alleged rape.

      Cleared entirely after 3 days, albeit after a LOT of prevaricating (trying out different dates I might have committed the rape).

      Had the wrecked remains of my PCs and laptop returned 12 months later - along with my car keys - £1,000+ of missing or broken stuff.

      The apology and/or action against the malicious complainant - 12 years and counting.

    2. Throatwarbler Mangrove Silver badge

      Re: hmm

      It's an indicator that Gunton was trying to cover his tracks, when he knew that the police might enter his premises at any time to investigate his browsing history. I can think of any number of things he could have done more cleverly, but I suppose we should be grateful that there's a significant population of stupid, careless criminals.

    3. tmTM

      Re: why was CCleaner the trigger?

      The searches were done by un-skilled PC's, who will have just had a list of banned items to watch out for.

      Find something on the list and call in the Techs.

  4. tiggity Silver badge

    dodgy images

    Were those actual dodgy images, or given he was a 16 yo at the time of that conviction, were they just images of his gf / bf / whatever term used.

    Given that there's the legal screwup in UK that 2 16 yos can have sex legally, but if they have sexual mages of themselves at that age (under 18) then its illegal child pr0n.

    Given there's sometimes the mentality of creating as many charges as possible against someone I did cynically wonder (if it was just them and a partner imagery then its a bit evil as CP conviction is likely to make any time in jail rather unpleasant & protests about conviction not being what it appears don't necessarily get a considered hearing in E wing)

    1. Anonymous Coward
      Anonymous Coward

      Re: dodgy images

      but if they have sexual mages of themselves at that age (under 18) then its illegal child pr0n.

      That used to be the case, but for a while now there has been a specific exception for married couples, civil partners and cohabiting couples.

  5. Anonymous Coward
    Anonymous Coward

    and where is this 400k going to?

    1. popetackler

      Spoiler: not us.

      1. Tigra 07

        RE: Pope

        Well, it's Bitcoin...So after transferring it's now 350K. After the report is written it's 420K. In the court case it will be 600K. By the time he's in prison it'll be 50K.

  6. Anonymous Coward
    Anonymous Coward

    Ok...are people listening...

    Give. These. Kids. Jobs. Pay. Them. Handsomely.

    Fuck hiring so called, qualified "Cybersecurity Experts".

    A Cybersecurity qualification is like a Comedy Award.

    Accepting a comedy award means you take comedy too seriously and it's not comedy anymore. The same concept applies to security. If you spend too much time studying the rules and regulations you forget how to protect against those that don't follow the rules and regulations.

    Knowing ISO 27002 backwards doesn't stop some teenager pwning your shit.

    You just can't hire a Cybersecurity expert based on a formal qualification. You need someone that goes beyond.

    You need a raving lunatic in a corner of the office, foaming at the mouth, constantly attacking and telling you where the flaws are. You then need a second techie (the straight man) to implement the protection.

    I know for some sysadmins this is a frightening concept because it makes everyday a threat to you, but come on...these large organisations have done the best they can to protect themselves and have failed. It's mostly because the endless meetings and standards documents are based on prior attacks. Nobody is spending time considering what the next attack will be because they don't know where their weaknesses lie.

    1. robidy

      Re: Ok...are people listening...

      Strangely I see some valid points, the red mist however does it no justice.

      Yes, they have skills and yes, gameful employment is a good path.

      Yes ISO 27001 is only as good as the implementor(s).

      However in any post, you need to take your audience with you...a rant rarely helps your case :)

      1. werdsmith Silver badge

        Re: Ok...are people listening...

        What rant?

      2. Anonymous Coward
        Anonymous Coward

        Re: Ok...are people listening...

        There's gainful employment, and then there's 400K of bitcoin.

    2. LDS Silver badge

      "You need a raving lunatic [...] foaming at the mouth"

      This is a racist stereotype - I met a lot of very skilled pen testers that are quite far from your description. And anyway when you let someone attack your systems, you want someone responsible - not one that behind your backs sells what it finds on the black market.

      1. Tigra 07

        Re: "You need a raving lunatic [...] foaming at the mouth"

        Since when are raving lunatics a race?

        1. LDS Silver badge

          Re: "You need a raving lunatic [...] foaming at the mouth"

          When you think a given type of people should all exhibit the same aspect/behaviour that becomes a form of racism.

          1. LewisRage

            Re: "You need a raving lunatic [...] foaming at the mouth"

            You're thinking of bigotry, racism by definition can only be directed at a race.

          2. Tigra 07

            Re: "You need a raving lunatic [...] foaming at the mouth"

            I'm the same as everyone else. I find your description racist. I identify as a nutter. Please don't call me a raving lunatic, as that is hate speech against my race.

    3. Mike Moyle

      Re: Ok...are people listening...

      And who will indemnify the company against anything done by the loose cannon while on the clock which might be -- shall we say...? -- slightly outside the bounds of propriety? Because people who think the rules don't apply to them when they are on their own aren't likely to be any more circumspect after being told "We hired you to think outside the box and go beyond expectations!"

      There's a REASON that companies don't like to hire loose cannon types; it's called "limiting liability".

      1. Anonymous Coward
        Anonymous Coward

        Re: Ok...are people listening...

        Limiting liability has nothing to do with the business, it's everything to do with arse covering and protecting those paid to be responsible and accountable because they don't really want to be responsible or accountable...but they do want the money.

    4. Moosh

      Re: Ok...are people listening...

      Skills aren't all thats needed. You also need to be of a certain moral calibre. Imagine hiring this 1337 teen hacker for your cyber security only for him to rinse your company for all its fucking worth.

      Some teens do get into trouble for innocuous curiosity that goes too far; however this clearly wasn't the case. He wasn't just testing the limits; he was actively targeting them and profiting off of them.

      It would be like hiring a raging alcoholic as your wines and spirits buyer and expecting everything to go okay.

  7. Mark 85 Silver badge

    He was said to be adept at "social engineering and exploitation of the network provider's inadequate systems"

    I guess a case could be made that the "inadequate systems" part of this could also be large problems. Reads to me as Talk-Talk and Telstra are a steaming piles of insecurity.

    1. robidy

      ...deluded by the belief they are "pretty secure" according to some paper pusher.

    2. Alan Brown Silver badge

      "Reads to me as Talk-Talk and Telstra are a steaming piles of insecurity."

      Oh, indeed - and an astute judge could make hay by dint of simply pointing out that the only reason they're not facing massive charges and fines themselves is because noone's thought to prosecute them yet.

      If a social-engineering skript kiddie can crash into someone's IG account by sweet talking telco employees, then the privacy bodies in all countries affected should be going in boot-and-all for maximum fines.

      Yes he's a criminal scumbag, but they still broke a bunch of laws (and GDPR liabilities apply for TalkTalk) by handing over the data. Right now they can blame the 'evil hacker' instead of being made to sweat a few million, have some explaining to do to the shareholders and fix their broken processes so it doesn't happen again (What was the Talktalk record? 3 almost identical bull-in-a-china-shop hacks in as many months where they tried to play it down as "sophisticated and subtle" and "we've fixed our security" - fines should be tripled when that kind of bare faced lie is publicly shown up for what it is.)

  8. tallenglish

    only in the uk

    I had to laugh, only in the uk is it aparently illegal to use ccleaner because cops are stupid and obviously incompetant at their job .

    Wondering if putting your browser in perma private mode where it doesnt save any history is also banned for these orders.

    I could understand if they said (like the USA), you cant use a computer at all, or forced the internet provider to record everything he does (at his expence). But relying on a criminal to behave and nannying him is just how stupid our police have come.

    1. robidy

      Re: only in the uk

      I wonder how many visits there were before it was found ha ha.

    2. werdsmith Silver badge

      Re: only in the uk

      CCleaner is not illegal in the UK.

      People under an SHPO must not erase their browsing histories under the terms of the order. If they breach those terms they will be back in court.

      This is to allow any untrained police to carry out visits and checks without having to use IT forensic guys.

      Of course there are a 1000 ways around this, but they have to work with the resources they have.

      But feel free to have a good old scoff.

    3. Roj Blake

      Re: only in the uk

      But by relying on the criminal to not clean his devices but knowing full well that he will even if he's behaving himself, it gives the plod a wonderful pretext to nick him again any time they want.

    4. Spanners Silver badge

      Re: only in the uk

      ....only in the uk is it aparently (sic) illegal to use ccleaner...

      I must have missed that part. I didn't read anything there that said it was illegal in this country. HE had a conviction and some court requirements. If I wanted to, I could happily buy and use it, safe in the misunderstanding that it would hide everything I had done

    5. paulf

      Re: only in the uk

      This reminds me of an experience I had with the police. I was witness to two operatives committing a broad daylight burglary on a bike shed in the car park of some flats. After calling plod on 999, I grabbed my Canon dSLR and Telephoto lens and started snapping away to capture their antics as evidence.

      They were disturbed by a well meaning resident asking what they were up to (I'm sure it wasn't obvious - I regularly unlock my own bike lock with bolt croppers) and decided to scarper with what they had, but the cops were on silent approach and pulled up just as they tried to cycle away. They were cuffed and taken down the knick for a good kicking before signing their ready completed confessions questioning.

      Some PC showed up to take a statement from me about what happened. I noted the photos taken and he asked to take my memory card (a CF card with Canon format *.CR2 Raw files). I offered to convert to JPG and put on a CD but no, they had to have the memory card to reduce the chance that the pictures have been doctored. Thankfully I'd already downloaded them all to my computer so let him take it away in the hope of increasing the chance of them being banged up. He promptly lost the card on the way to his car which was returned to me by someone who found it and saw pictures of me on the card (note how easy some random person was able to read the files on it!). Card was duly returned to the cops.

      The cops finest technology team at HQ repeatedly failed at every attempt to read the Canon CR2 files. They asked me and I gave them info on how to download viewers from the Canon website (I'm sure Canon UK would have helped had they contacted direct).

      One of the crims decided to plead Not Guilty so it went to the local Magistrate's court and I was summonsed by the CPS as a witness. This was several months later and the cops still hadn't figured out how to read standard Canon CR2 files from a standard CF card, so the CPS lawyer was worried he'd struggle to present the case against him.

      I'd thought ahead and printed out the whole lot in a big pack of A4. I handed him this and his face lit up with relief. 10 minutes later the Magistrate had discharged me without having to give evidence as the photos were enough evidence to send him to Crown court for a bigger sentence (11 months in the end as the fucker was already out on licence from his previous conviction for being a thieving bastard).

      I did get my CF card back but I'm not sure if the cops ever figured out how to read the CR2 files. Good job no one waited for them to. In light of that I'm not surprised about anything in this story, or the comments, regarding browser history cleaning tools and questions about the competence of plod with respect to technology.

      1. Alan Brown Silver badge

        Re: only in the uk

        "I did get my CF card back but I'm not sure if the cops ever figured out how to read the CR2 files."

        I'm pretty sure they don't know how to read fingerprints or DNA either, after an experience crashing into a car driven by someone who ran off - the license plates, tax disc and VIN plate on the car all turned out to be counterfeit (never existed at all - which might explain the scarpering), but somehow the Met managed to lose those in less than 48 hours - AND they didn't manage to get any DNA or fingerprints off the driver's airbag.

        Meantime the guys attending the crash told me that London's facing a plague of about 10-15% cars being on faked (usually cloned) plates to avoid congestion and other charges - with that kind of response to being handed pretty much easy evidence to go track someone down (and a bunch of their CCTVs watching) you start understanding why people start believing most police are lazy jobsworths who can't hold down work anywhere else.

        I suspect that if they keep their historic 5% "solution" rate on crimes, they'll find themselves being made redundant by the general public.

      2. David 132 Silver badge

        Re: only in the uk

        @Paulf - I’m glad the story had a satisfactory outcome in your case, but I’m afraid I’m rather cynical about the state of law enforcement in the UK these days, and was three-quarters expecting your story to end with some variant of “...and after releasing them for lack of evidence, the police decided to prosecute me for taking pictures of the ‘thieves’ without their consent.”

        Icon because, well, I’m obviously a grumpy old git now.

      3. Tigra 07

        Re: paulf

        This is exactly why CSI Britain never took off...The police here couldn't arrest their way out of a wet (recyclable) paper bag.

    6. LDS Silver badge

      "Wondering if putting your browser in perma private mode"

      From the previous article:

      A normal condition of SHPOs is that they ban the offender from using private browsing mode, deleting browser history or doing anything else that prevents unskilled police employees on home visits from trawling through an offender's internet activities.

      "Our unit does not have specialist software for home visits and we have to rely on the honesty of the offender," said DC Hollis, as reported by the Eastern Daily Press. "It would be impossible for us to know if he has deleted any history."

      So it's something alike "show us we can trust you" - as they can, as happened, to decide to perform a deeper analysis if suspicious - without deploying a far more intrusive surveillance.

      Anyway, luckily many criminals are stupid, as in this case. You know you're under surveillance and then act against yourself? At least a real hacker would have been able to write his own cleaning utility, instead of using one with a bad reputation.

    7. Halfmad

      Re: only in the uk

      It's not the use of that specific tool that's the problem, he was under and order where he was not permitted to clear information relating to his activity - that's not something which is limited to the UK,.

  9. LDS Silver badge

    stopped his client from taking a job at a "multinational accounting firm"

    Good luck with that, now....

    1. David 132 Silver badge

      Re: stopped his client from taking a job at a "multinational accounting firm"

      Au contraire... given his apparent total lack of morals and inability to distinguish between “mine” and “thine”... I feel sure that he will be snapped up by Deloitte, PWC or KPMG in no time.

  10. Halfmad

    It took two weeks for the hapless designer to regain access to it

    Victim blaming el'reg? seems a bit of a low blow tbh.

  11. Halfmad


    That's a lot of Bitcoin to just have sitting there, wonder what he intended to do with £377,759.31 of Bitcoin.

    What I would give to have £747,856.91 of Bitcoin kicking about.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022