The 20-Year Hunt for the Man Behind the Love Bug Virus

[Karlston]

The 20-Year Hunt for the Man Behind the Love Bug Virus

For two decades, Onel de Guzman has been suspected of unleashing the groundbreaking virus. But he's never confessed to anything—until now.

 

 

This story is adapted from Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global, by Geoff White.

 

It’s 30 degrees in the shade and I’m standing, sweating, at the entrance to a sprawling street market in the Quiapo district of Manila, capital of the Philippines. On a piece of paper I’ve written the name of the person I’m searching for: a Filipino man named Onel de Guzman. I’ve heard he might have worked among the mass of stalls spread out before me ... maybe ... several years ago.

 

I start showing the piece of paper to people at random. It seems an impossible task. The wildest of goose chases. I don’t know what de Guzman looks like now, because the only photo I have of him is almost 20 years old. Even worse: In the grainy shot, taken at a chaotic press conference, de Guzman is wearing sunglasses and covering his face with a handkerchief.

 

The young student had good reason to hide. He’d been accused of unleashing the Love Bug, a high-profile and extremely successful virus that had infected an estimated 45 million computers worldwide and caused billions of dollars’ worth of damage.

 

The virus was groundbreaking. Not because of its technical complexity or the disruption it caused, but because it showed how to utilize something far more powerful than code. It perfectly exploited a weakness not in computers, but in the humans who use them—a tactic that has been used in countless cybercrimes since. But de Guzman had never admitted to anything. He’d mumbled his way through the press conference, given a couple of noncommittal interviews to the media, and escaped without prosecution. Then he’d gone to ground and hadn’t surfaced in two decades. No social media, no online profile. A ghost in the digital world he’d once been accused of terrorizing.

 

It had taken me a year to get any kind of lead as to his whereabouts. There were rumors he was in Germany, that he worked for the United Nations in Austria, that he’d moved to the United States, or even that he’d been hired by Microsoft. And now I was stumbling through a market in Manila, showing his name in the hope someone would recognize it.

 

 

 

If I could find him, maybe I could ask him about the virus and whether he understood its impact. And perhaps I could get him to tell me, after 20 years, whether he was really the one behind it. But as I brandished his name, all I got were blank looks and suspicious questions. Then one of the market stallholders grinned at me.

 

“The virus guy? Yeah, I know him.”

 

The Love Bug virus was unleashed on May 4, 2000. It was simple, but devastatingly effective and highly contagious. Once infected, many of the user’s files would be overwritten with copies of the virus, so that whenever the victim tried to open the files, they’d reinfect their system. The virus also tried to steal people’s passwords. But the true genius lay in how it spread. Once infected, the victim’s computer would send an email to everyone in their Microsoft Outlook contacts book. The emails read: “kindly check the attached love letter coming from me,” and attached was a copy of the virus, disguised as a text file with the title “love-letter-for-you.”

 

Faced with such a tempting message, many people took the bait, opened the attachment, and got infected. It didn’t take long for the virus to spread around the world. When you think about the math, its success becomes easy to understand, and quite frightening: If the initial victim had sent it to 50 people, and then each of them infected another 50 people, and so on, it would only take six jumps for the virus to infect everyone in the world (presuming they all had computers).

 

Panic ensued: Systems in banks and factories were infected. In the UK, Parliament shut down its email network for several hours to prevent infection. Even the Pentagon was reportedly affected.

Advertisement

 

 

Just a few months previously, the world had been fretting about the risk of a so-called Y2K bug—the fear that computers would fail to cope with the switch from dates in the 1900s to the 2000s. The damage predictions had been massively exaggerated, and the vast majority of systems were unaffected. But just as the tech industry breathed a sigh of relief, the Love Bug virus showed the true scale of devastation that could be caused in an increasingly connected world. Estimates of the damage ran into the tens of billions of dollars—much of it spent on fixing infected computers and preventing reinfection. Once it was released, the virus code could be downloaded and tweaked by anyone: within days, researchers were seeing dozens of copycat versions being unleashed.

 

As the news coverage became ever more shrill, investigators got to work trying to trace the source of the bug. The passwords stolen by the virus were being sent to an email address registered in the Philippines. Local police traced the email account to an apartment in Manila. The net was closing in.

 

After some initial questioning, they identified one Onel de Guzman, a 23-year-old computer science student at AMA Computer College, studying at the Makati campus, a grim, gray concrete building in the center of the city. The virus had mentioned the phrase grammersoft, which investigators quickly established was an underground hacking cell made up of AMA students, some of whom had started experimenting with viruses. De Guzman was a leading member.

 

As journalists poured into town, de Guzman’s lawyer hastily arranged a press conference so the world’s media could put their questions to the man increasingly assumed to be at the heart of global virus outbreak. De Guzman appeared, seemingly terrified, hiding behind dark glasses and holding a handkerchief over his face, covering his prominent acne scars. He hung onto his sister, Irene, who lived in the flat that the police had originally raided. Flashguns popped and news cameras zoomed in as de Guzman took his seat. But anyone expecting clarification was soon disappointed. De Guzman’s lawyer fielded many of the questions with vague non-answers.

 

De Guzman himself seemingly didn’t speak much English. Finally, one of the assembled media managed to ask a key question: Did de Guzman, perhaps, release the virus accidentally?

 

“It is possible,” mumbled de Guzman.

 

And that was it. There were no more questions. The press conference ended, and de Guzman’s solitary non-answer was the closest anyone got to an explanation of a virus that infected 45 million machines worldwide.

 

De Guzman was never prosecuted because, at that time, the Philippines had no law against computer hacking. Soon, the cameras packed up, the news crews left, and the story slipped off the agenda.

 

With the true author unconfirmed, suspicion fell on de Guzman’s schoolfriend Michael Buen, whose name had appeared on a previous virus, called Mykl-B. Buen denied having anything to do with the Love Bug outbreak, but his pleas were largely ignored. Most online sources still list de Guzman and Buen as the creators of the virus, either jointly or separately, and that’s how it’s been for 20 years. Until now.

 

The Minor Basilica of the Black Nazarene is one of Manila’s most revered Catholic shrines, and in its shadow lies the labyrinthine expanse of Quiapo market, home to everything from Hello Kitty backpacks to LED-lit Virgin Mary statuettes. It was here, acting on a tip-off, that I came to look for Onel de Guzman.

 

Eventually, the friendly stall-holder who remembered him directed me across town to a different shopping district. I went down another rabbit hole of market stalls, flashing the piece of paper with de Guzman’s name written on it, looking like a tourist dad who’d lost his kids. After many blank looks and suspicious questions, a bored-looking trader pointed me in the direction of a nearby commercial unit. It was empty, but after 10 hours of waiting for him to turn up to work, I finally came face to face with Onel de Guzman.

 

Advertisement

 

Now 43, his juvenile acne scars have all but disappeared, and his diamond-shaped face has filled out into comfortable middle age. Still as shy as he was at the press conference all those years ago, he hides his gaze under a mop of jet-black hair, his face occasionally breaking into a smile displaying a distinctive set of uniform teeth. He’d changed so much, I began to doubt I was actually speaking to the real de Guzman, so I started making a furtive sketch in my notepad of the position of the moles on his face, to compare later on with the photo of him from 20 years ago. Back then, in the chaotic press conference, he’d swerved the question of whether he had written the virus, giving the half-answer that’s remained hanging in the air ever since. According to de Guzman, it wasn’t his idea to be so evasive.

 

“That’s what my lawyer told me to do,” he says, in halting English.

 

I’d expected to have to extract the truth from de Guzman by forensic interview, and I’d lined up my evidence like an amateur barrister. Remarkably, he wasted no time in confessing to a wrongdoing he’d ducked ever since the turn of the millennium. “It wasn’t a virus, it was a Trojan,” he says, correcting my terminology to point out that his malicious software worked by sneaking onto a victim’s computer disguised as something benign. “I didn’t expect it would get to the US and Europe. I was surprised.”

 

The story he went on to tell is strikingly straightforward. De Guzman was poor, and internet access was expensive. He felt that getting online was almost akin to a human right (a view that was ahead of its time). Getting access required a password, so his solution was to steal the passwords from those who’d paid for them. Not that de Guzman regarded this as stealing: He argued that the password holder would get no less access as a result of having their password unknowingly “shared.” (Of course, his logic conveniently ignored the fact that the internet access provider would have to serve two people for the price of one.)

 

De Guzman came up with a solution: a password-stealing program. In hindsight, perhaps his guilt should have been obvious, because this was almost exactly the scheme he’d mapped out in a thesis proposal that had been rejected by his college the previous year.

 

At the time, he says, designing such software wasn’t difficult. “There was a bug in Windows 95,” he says. “If someone clicks the attachment, [the program] will run through their machine.”

 

But there’s the rub: how to get people to click on the attachment? De Guzman says he would hang out in internet chat rooms where Manila internet users gathered, and strike up conversations. He would then send his victims an infected file, pretending it was his picture. It worked. “I chatted only to people that had no knowledge of computers, to experiment on them,” he says.

 

De Guzman had good reason to confine his hacking to Manila residents. At this time, internet access relied on dialup. Since Manila’s dialup passwords would only work on Filipino phones, and de Guzman was stealing passwords to use on his home phone line, he had no need to target victims outside the city. If he’d kept it that way, his life might have been very different. But, like many hackers, de Guzman was curious, and wanted to push his virus forward.

 

In May 2000, he tweaked his original code so that it would not simply be restricted to Manila residents. He also made two other changes that would ensure his place in hacker history. First, he programmed the virus so that once it had infected a computer, it would send a copy of itself to each person in the victim’s email address book. By doing so, he created a so-called worm virus, a self-spreading monster with no off switch. Once released, de Guzman would have no control.

 

Advertisement

 

His second change was the work of true, if perhaps unconscious, genius. Once the virus spread beyond de Guzman’s hands, he needed a way of tempting recipients into opening the attachment that contained the code. His old trick of pretending it was a photo wouldn’t work, so he came up with a new tactic: He gave the virus a title that had universal and near-irresistible appeal. “I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” he says.

 

The Love Bug was born.

 

Like many hackers, de Guzman is a night owl. He finds the dark hours quieter, making it easier to concentrate. It was 1 am when de Guzman found his patient zero, the person whose initial infection would go on to spread the virus. He was chatting online to a fellow Filipino who was living in Singapore. De Guzman can’t remember who the man was, but he remembers sending him a copy of his new, improved virus.

 

Unaware of the worldwide chaos he’d just unleashed, de Guzman says he then went out and got drunk with a friend. Within a day, though, his virus had spread like wildfire and investigators were closing in on their suspect.

 

His mother contacted him. She’d received word the police were hunting a hacker in Manila, and she knew of her son’s illicit hobby. She hid his computer but crucially left the disks, one of which had the Mykl-B virus on it, pulling Michael Buen and several dozen other AMA students onto the police’s radar.

 

For 20 years, de Guzman’s silence left a cloud hanging over his classmate Buen, who is commonly listed as the joint author of the virus. Yet according to de Guzman, he had nothing to do with it. The pair had written viruses before, he says, but the Love Bug was written by de Guzman alone.

 

De Guzman says he had to take a year off after the incident to let the heat die down, during which he didn’t touch a computer. He never went back to AMA and never graduated. He later became a mobile-phone technician. He says he regrets writing the virus, but he now faces the fate of all wrongdoers in the internet age: infamy that will never decay. “Sometimes I get my picture on the internet,” he says. “My friends said, ‘It’s you, it’s you!’ They find my name. I’m a shy person, I don’t want this.” His children are ages 7 and 14. He knows one day soon they will find out about his role in one of the world’s most infamous viruses. He’s not sure how he’ll deal with that.

 

At the end of our interview, de Guzman goes back to his job, disappearing into the mall’s mass of tiny tech repair stalls, where he sits surrounded by soldering irons, multimeters, and disassembled mobile phones. He says he loves his work and that he’s content, but as I make my way out of the Blade Runner-esque fluorescent-lit maze of cramped computer shops, I get the feeling this isn’t where he’d imagined his life would end up.

 

The Love Bug wasn’t the smartest computer virus, nor the most disruptive, and it certainly wasn’t the most profitable. But it’s the perfect illustration of a basic truth about much of the computer crime currently plaguing society today: It’s not about the tech, it’s about the people. Twenty years later, many of the biggest hacks and manipulations carried out on the internet—the digital burglary of Sony Pictures Entertainment, the hi-tech heist of $81 million from Bangladesh Bank, the interference in the 2016 US presidential election—aren’t, at their heart, about code, software, or hardware. They’re about exploiting human frailty. The hacker’s first step is to fool people into doing things they shouldn’t. The real trick is how to convince their victims to perform such actions, and that relies on psychological acumen every bit as much as technical skill. A good hacker needs an instinctive grasp of human behavior, and a deep understanding of our desires and fears.

 

Advertisement

 

De Guzman was absolutely not the first person to realize this, but in naming his virus he had, almost inadvertently, come up with the greatest lure of all time. His attack succeeded and became a global menace because he hit upon the one thing sought by everyone on the planet: love.

 

 

The 20-Year Hunt for the Man Behind the Love Bug Virus