Man warns 'this is just the beginning' after cyber attack on Merseyside Police
A man warned "this is just the beginning" after targeting Merseyside Police in a cyber attack. Ehtosham Javed flooded force accounts with more than 10,000 emails in the space of less than four hours, "crippling" critical services and "potentially putting lives at risk".
It came after he developed a grievance following an earlier raid upon his home by the police. He passed his actions off as "not a big deal", but told an online contact: "I am going to make an example of Merseyside which no police force will forget."
Liverpool Crown Court heard this afternoon, Wednesday, that officers from Merseyside Police’s cyber dependent crime unit attended Javed's address on Priory Road in Bowdon, Greater Manchester, on August 31 last year "as part of an investigation into the activities of an online group". The 34-year-old was taken into custody and arrested but later lodged a complaint over his arrest and "stated that he wished for no further contact" from the force.
READ MORE: Man says 'love ya' as he's jailed for what he did in Pret A Manger
READ MORE: "Don't think I won't hit you because your mate is here"
Charles Lander, defending, described how the issue was subsequently referred to its professional standards department, with updates on the matter thereafter being provided to the defendant via his solicitors. Then, between 4.59pm and 8.47pm on April 7 this year, Merseyside Police was the subject of a cyber attack in which a total of 12,304 emails were sent to addresses across nine departments.
These included the police and crime commissioner's office, the serious collision investigation and safer roads units, rural wildlife heritage, the staff union and volunteer police cadets. Shortly after 5.30pm on that date, Javed rang the force and told a call handler: "You might notice an influx of emails to Merseyside Police.
"I’m basically spamming your email addresses with about close to a few million emails, to the point where your email addresses will be completely useless. I've been trying to get your attention for a while now and it seems that the only way I seem to be getting attention is if I just completely disrupt your services.
"Ten of your police officers came to my home, did an illegal raid. The information commission told me to email your data protection, and for some reason they decided they’re not going to respond to me. They just decided to completely ignore me. I’ve been sat here patiently waiting weeks for a response."
When told that he was committing a criminal offence, Javed replied: "I don't think it's a big deal". He went on to say during the course of the four-minute call: "The issue is that the police officer I’ve basically been trying to contact for the last three months, the reason why basically this is all happening is he’s been really ignoring me for several months. This is just the beginning. There’s more to come."
One inbox targeted was said to have been used by other forces and agencies in order to contact Merseyside Police, including with "important information which is sometimes critical and can have information that involves life and death situations". Javed's emails began at an initial rate of four per minute, but "as time went on were getting faster and bigger".
The services of numerous IT specialists had to be enlisted in order to combat the cyber attack as it could not be predicted how long the incident would persist for. Greater Manchester Police officers then visited Javed's home at 7pm and detained him.
A "half packed suitcase" was discovered inside the property, and it was believed that he may have been planning to leave the UK for Pakistan. He made no comment under interview "save for denying that he was leaving for Pakistan and that the suitcase was from a recent journey".
While no computers were located inside Javed's home, his Samsung mobile phone was found to contain the Team Viewer app. This was said to have allowed "remote control of other computers" and was shown to have access to two other devices.
It was meanwhile found that he had carried out a number of Google searches since the early hours of April 7, researching how to carry out a denial of service attack "designed to flood a web server with sufficient traffic to cause that server to become overloaded and affect its ability to function". Javed had go on to search for "Merseyside Police email" and "how much damage would millions of emails cost an organisation", as well as visiting the force's website.
He had also sent a message to a fellow user on Discord the previous day stating: "What is funny is that Greater Manchester Police made the same mistake a few years ago and Merseyside Police made the same mistake, except I didn't continue with suing them as my case dropped. I am going to make an example of Merseyside which no police force will forget."
Javed has two previous convictions for assault in 2008 and obstructing a railway in 2021. Ronan Maguire, defending, told the court that his client had suffered "lifelong difficulties with social communication and interaction" and added: "I appreciate that there are elements that may concern your honour with regards to comments he has made during these events. I ask the court to look at the words he said in the context of his condition.
"It seems to be, so far as his ire towards Merseyside Police is concerned, that this was relatively short lived. It seems he researched the act only on the day of the offence itself.
"It is clear that he was frustrated. The complaint to Merseyside Police on its own was not without some legitimacy. He felt as though he was being ignored. Of course, it gives him absolutely no excuse at all for what he did.
"But your honour has to look at his reaction, in my submission, in the context of his condition. It might be said, given his diagnosis, that the way he has reacted is perhaps rather predictable.
"His time in custody has been very difficult. He has been subject to consistent bullying. He has been assaulted quite seriously on two occasions, when boiling sugar water was thrown at him. He literally bears the scars of his time in custody.
"He has complained to the authorities about this. He understands that jail is not meant to be a holiday, but it has been particularly difficult for him.
"This is a man who is lightly convicted for his age. Bearing in mind that his condition is one that has afflicted him for his whole life, it is clear that for lengthy periods of time he has managed it."
Javed admitted unauthorised modification of computer material. Appearing via video link from HMP Liverpool wearing a black Bench jumper and glasses, he was handed a year in prison.
However, he has already served 33 weeks on remand in custody and will therefore be released in the near future. Sentencing, Judge David Potter said: "It is clear that you were very significantly unhappy with the information you were provided with and the progress of your complaint.
"You knew, having done research on the internet, that some of the inboxes you targeted were critical to the operation of Merseyside Police. By effectively crippling them for hours, lives were potentially put at risk.
"Partway through this ambush, you contacted Merseyside Police yourself and explained to a call handler that you were spamming them with what you eventually hoped would be a few million emails. You were trying to get their attention and believed that the only way to do that was to disrupt their services.
"You did not consider spamming Merseyside Police in the way that you did was a big deal, quote unquote. You placed more in the fact that you had been ignored than the damage you were doing to Merseyside Police systems.
"The effect of what you did was serious. The police were not able to predict how and when it would end and had to prepare for the worst. Numerous specialists had to be brought in to right the damage that you had done.
"There was an element of revenge. You are clearly a highly intelligent individual who had the capacity to carry out this cyber attack.
"There must be an element of deterrent. Those who are tempted to launch denial of service attacks on vital public services can expect to receive prison sentences.
"I give you this solemn promise. If you go on the internet again and seek to disrupt any public service, or any other service, with a denial of service, the sentence that will be imposed next time will be considerably longer than it is today."