In March 2018, George Duke-Cohan emailed more than 1700 schools, colleges, and nurseries from the bedroom of his home in Watford, warning that explosives had been planted. The emails said that unless US $5,000 was paid within three hours into the account of US-based Minecraft server VeltPvP, buildings would be blown up.
Although the police said that the emails were not believed to represent any genuine threat, hundreds of schools were still evacuated.
Two days later, 19-year-old Duke-Cohan was arrested on suspicion of blackmail and making malicious communications, following an investigation by the National Crime Agency (NCA).
VeltPvP, the Minecraft server named in the emails, had nothing to do with the threats. The only reason its name appeared to have been used was that Duke-Cohan had had a disagreement with them.
Normally you would expect Duke-Cohan’s wrong-doing to end there, but sadly that wasn’t to be the case.
Just one month after the initial wave of threats, and despite knowing that the authorities were investigating his activities, Duke-Cohan sent a further wave of 24,000 hoax bomb emails to schools in the UK and United States. The emails claimed that pipe bombs had been hidden on school premises, and a car would be driven at students at home-time.
Duke-Cohan was arrested again, and under his bail conditions prohibited from using any electronic devices.
Again, this didn’t stop the teenager who used online aliases such as “7R1D3N7”, “DoubleParallax”, and “optcz1”, and was thought to be connected to the Apophis Squad DDoS and hacking group.
Duke-Cohan’s next trick was to make a phone call, pretending to be a worried father. His daughter, he claimed was on a United Airlines flight from London to San Francisco. Duke-Cohan claimed that his daughter had contacted him mid-flight to say that the plane had been hijacked by gunmen one of whom had a bomb.
When United Airlines flight 949 ultimately landed in San Francisco there was, understandably, a significant security presence waiting for it. The plane was placed in a quarantined area of the airport, and all 295 passengers ordered to remain on board while investigations took place, causing disruption to onward journeys and financial loss to United Airlines.
When police arrested Duke-Cohan for the third time at his home in Watford on 31 August 2017, they found numerous electronic devices in his possession that were banned under the terms of his bail agreement.
The news of the arrest was welcomed by encrypted email service ProtonMail, which had been targeted by Apophis Group through DDoS attacks.
Duke-Cohan was jailed for one year for the email threats and two years for the airport security scare
As BBC News reports, in sentencing Judge Richard Foster told the teenager:
“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow. You were playing a game for your own perverted sense of fun in full knowledge of the consequences. The scale of what you did was enormous.”
Apophis Squad has not posted a single tweet since Duke-Cohan’s third and final arrest on August 31st 2018.