Three years in jail for teenager who spammed out school bomb threats

George Duke-Cohan also made hoax call about a hijacked plane.

Graham Cluley
Graham Cluley
@[email protected]

Three years in jail for teenager who spammed out school bomb threats

A British teenager has been jailed for three years for making hoax bomb threats that closed hundreds of schools up and down the UK.

In March 2018, George Duke-Cohan emailed more than 1700 schools, colleges, and nurseries from the bedroom of his home in Watford, warning that explosives had been planted. The emails said that unless US $5,000 was paid within three hours into the account of US-based Minecraft server VeltPvP, buildings would be blown up.

Although the police said that the emails were not believed to represent any genuine threat, hundreds of schools were still evacuated.

School tweet

Two days later, 19-year-old Duke-Cohan was arrested on suspicion of blackmail and making malicious communications, following an investigation by the National Crime Agency (NCA).

VeltPvP, the Minecraft server named in the emails, had nothing to do with the threats. The only reason its name appeared to have been used was that Duke-Cohan had had a disagreement with them.

Sign up to our free newsletter.
Security news, advice, and tips.

Normally you would expect Duke-Cohan’s wrong-doing to end there, but sadly that wasn’t to be the case.

Just one month after the initial wave of threats, and despite knowing that the authorities were investigating his activities, Duke-Cohan sent a further wave of 24,000 hoax bomb emails to schools in the UK and United States. The emails claimed that pipe bombs had been hidden on school premises, and a car would be driven at students at home-time.

One such email read:

“Student Report (STAFF ONLY). Hello, a male student will be sent into your campus as you start the day, he will look normal but what is in his bag is a bomb. The explosive that is in the two plastic bottles is called ANFO it is a very powerful explosive. The point is that when you put the school on lockdown this student will set off the bomb, and will kill EVERY student in the room and maybe the rooms next to it.”

Duke-Cohan was arrested again, and under his bail conditions prohibited from using any electronic devices.

Again, this didn’t stop the teenager who used online aliases such as “7R1D3N7”, “DoubleParallax”, and “optcz1”, and was thought to be connected to the Apophis Squad DDoS and hacking group.

Duke-Cohan’s next trick was to make a phone call, pretending to be a worried father. His daughter, he claimed was on a United Airlines flight from London to San Francisco. Duke-Cohan claimed that his daughter had contacted him mid-flight to say that the plane had been hijacked by gunmen one of whom had a bomb.

When United Airlines flight 949 ultimately landed in San Francisco there was, understandably, a significant security presence waiting for it. The plane was placed in a quarantined area of the airport, and all 295 passengers ordered to remain on board while investigations took place, causing disruption to onward journeys and financial loss to United Airlines.

Apophis Squad tweeted its joy about the disruption it caused to United Airlines
Apophis Squad tweeted its joy about the disruption it caused to United Airlines

When police arrested Duke-Cohan for the third time at his home in Watford on 31 August 2017, they found numerous electronic devices in his possession that were banned under the terms of his bail agreement.

The news of the arrest was welcomed by encrypted email service ProtonMail, which had been targeted by Apophis Group through DDoS attacks.

Duke-Cohan was jailed for one year for the email threats and two years for the airport security scare.

As BBC News reports, in sentencing Judge Richard Foster told the teenager:

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow. You were playing a game for your own perverted sense of fun in full knowledge of the consequences. The scale of what you did was enormous.”

Apophis Squad has not posted a single tweet since Duke-Cohan’s third and final arrest on August 31st 2018.

For more discussion of this topic, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #108: 'Hoaxes, Huawei and chatbots - with Mikko Hyppönen'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Further reading: Judge Richard Foster’s summing-up of the case against Duke-Cohan, before sentence was passed.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.