You receive an email from someone you know. The subject line reads, simply, “ILOVEYOU.” The attachment is called LOVE-LETTER-FOR-YOU.txt.vbs — though most email clients in May 2000 hid the .vbs file extension by default, so what you see is just LOVE-LETTER-FOR-YOU.txt, an apparently harmless text file from a colleague or family member who, on this particular Thursday morning, has decided to send you a note titled with the three most universally recognised words in the English language. You click. The text file opens. Nothing visible happens. But behind the screen, the Visual Basic Script you have just executed is now opening your Microsoft Outlook address book, sending an identical copy of itself to every person you have ever exchanged email with, overwriting the JPEG, music, and document files on your hard drive with copies of its own code, and attempting to steal any internet passwords stored on your computer to send back to an email address registered in the Philippines.
Within hours, the virus reached email servers at major corporations, government agencies, and military installations across North America, Europe, and Asia. According to CNN Business’s retrospective on the outbreak twenty years later, the ILOVEYOU worm was the fastest-spreading piece of malware in human history at the time of its release. It moved approximately 15 times faster than the Melissa virus, which had been the previous record-holder in 1999. The US Pentagon shut down its external email systems to contain the spread. The CIA did the same. The British Parliament took its email offline for several hours. Major corporations across the world disconnected employees from email networks until they could clear the infection. The estimated total damage, calculated from lost productivity, data loss, and remediation costs, eventually reached approximately $10 billion globally — making ILOVEYOU, by some measures, the most expensive single piece of malware of its era.
What the virus actually did
The technical sophistication of the ILOVEYOU worm was, by modern standards, modest. The entire code was 10.31 kilobytes — small enough to fit in a single email attachment without any compression. It was written in Visual Basic Script, a relatively simple language designed for system administration tasks. It used no novel attack vectors, no zero-day vulnerabilities, no advanced obfuscation. The single feature that made it work was social engineering: an email with the subject line “ILOVEYOU,” apparently from someone the recipient knew, was sufficiently irresistible to overcome the cautious instincts that might have prevented victims from opening less personally-charged attachments. The author had correctly identified that in the late 1990s and 2000, the cultural script of “love letter from a friend” was strong enough to bypass essentially all of the rudimentary security awareness that email users had built up against more obviously suspicious messages.
Once activated, the worm performed two operations in parallel. The first was reproductive: it accessed the victim’s Microsoft Outlook address book and sent an identical copy of itself to every contact listed there, with the original recipient’s name and address as the sender — meaning that the second wave of infections arrived from someone the new victim actually knew, dramatically increasing the probability that the attachment would be opened. The second was destructive: it scanned the victim’s hard drive for image, video, and document files of certain types and overwrote them with copies of its own code, effectively destroying the original files. It also installed a hidden program called WIN-BUGSFIX.EXE that attempted to harvest internet account passwords and send them to an email address registered in the Philippines.
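An added example, not part of the original article and not the worm's code: a mail-gateway style check for the disguise described above, where a script extension sits behind a harmless-looking one (LOVE-LETTER-FOR-YOU.txt.vbs displayed as LOVE-LETTER-FOR-YOU.txt). The extension lists, function names and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative, non-exhaustive lists (assumptions, not taken from the article).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd", "scr", "pif"}
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "mp3", "xls"}

def normalise(filename):
    # Windows drops trailing dots and spaces from file names,
    # so strip them before looking at the extension.
    return filename.strip().rstrip(". ")

def classify(filename):
    """Return 'ok', 'script' or 'disguised-script' for an attachment name."""
    exts = normalise(filename).lower().split(".")[1:]
    if not exts or exts[-1] not in SCRIPT_EXTS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
        return "disguised-script"
    return "script"

def shown_when_hidden(filename):
    """Name a mail client displays when it hides the final extension."""
    return normalise(filename).rsplit(".", 1)[0]

def scan_message(raw_bytes):
    """List (filename, verdict, displayed name) for each risky attachment."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and classify(name) != "ok":
            findings.append((name, classify(name), shown_when_hidden(name)))
    return findings

def build_sample():
    """Constructed test message; the attachment body is inert placeholder text."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "ILOVEYOU"
    m.set_content("constructed sample body")
    m.add_attachment(b"inert placeholder, not a script", maintype="application",
                     subtype="octet-stream", filename="LOVE-LETTER-FOR-YOU.txt.vbs")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A gateway would quarantine or rename anything classified as "disguised-script", and the third field shows the name a recipient sees when the final extension is hidden.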
How the author was found
The investigation that followed was, by the standards of subsequent cybercrime investigations, remarkably fast. According to the Wikipedia reference on the ILOVEYOU outbreak, the FBI, in collaboration with the National Bureau of Investigation in the Philippines, traced the stolen passwords back to the email address in the worm’s code. The email address was registered to an apartment in the Sampaloc district of Manila. The apartment was occupied by the brother of a computer science student named Onel de Guzman, who attended AMA Computer College, a private university in the Filipino capital. Police searches of the apartment recovered computer equipment, draft code, and a rejected undergraduate thesis paper in which de Guzman had proposed creating a program that would steal internet passwords from neighbourhood users so that he could access the internet without paying. The thesis had been rejected by his professors on ethical grounds, and de Guzman had subsequently dropped out of the university. He had then written the ILOVEYOU worm and released it on 4 May 2000.
De Guzman appeared at a hastily-arranged press conference in Manila on 11 May 2000, wearing a striped shirt and dark Matrix-style sunglasses, with a towel partially covering his face. He spoke in halting English (later admitting he had been instructed by his lawyer to pretend he spoke less English than he actually did) and answered questions only briefly. When asked directly whether he had released the virus, he replied that he “possibly” had, and that he could not rule out having released it by accident. He was 23 years old at the time of the press conference and would turn 24 later in 2000.
Why he was never prosecuted
The legal situation that emerged in the weeks after the press conference was one of the more unusual aspects of the entire affair. According to the Computer Weekly long-form profile based on Geoff White’s investigative reporting for his book Crime Dot Com, the Philippines in May 2000 had no law specifically criminalising the creation or release of computer malware. The country had laws against fraud, theft, and various other property crimes, but the legal definitions of those crimes did not clearly extend to actions taken entirely through computer networks. Filipino prosecutors initially charged de Guzman under existing fraud and credit card theft statutes, but the charges were dropped by the Philippine Department of Justice in August 2000 on the grounds that the existing laws did not apply to the conduct in question, and that prosecuting under inapplicable laws would be unconstitutional.
The Philippines did pass the E-Commerce Act of 2000 (Republic Act No. 8792) later that year, partly in response to the ILOVEYOU outbreak. The new law criminalised hacking, the creation of malware, and several related computer crimes. But Philippine constitutional law prohibits retroactive application of criminal statutes. The new law could be applied to anyone who released malware after its passage, but it could not be used against de Guzman for conduct that had been technically legal at the time he committed it. The Filipino legal system, in other words, was forced to acknowledge that the author of what was at the time the most economically destructive piece of software ever created had not, technically speaking, broken any Filipino law. He was released. The case was closed.
What he is doing now
Onel de Guzman essentially disappeared from public view after 2000. Various online rumours over the following two decades placed him in Germany, Austria, the United States, or working for Microsoft on a generous contract that was never publicly disclosed. None of the rumours turned out to be true. According to BBC News’s coverage of Geoff White’s tracking down of de Guzman in early 2020, after months of searching, White was eventually directed to a small phone repair booth in a shopping mall in Manila. The booth was cramped, messy, and located at the back of the building. White waited several hours for de Guzman to arrive at the stall. When he did, the journalist recognised him immediately by his distinctive facial features. De Guzman was 44 years old, was working alone repairing mobile phones for walk-in customers, and had not given a public interview since 2000.
De Guzman acknowledged authorship of the ILOVEYOU worm to White in their first conversation. He explained that his original intention had been to steal internet passwords so that he and other Filipinos in similar economic circumstances could access the internet without paying the per-minute charges that dial-up service then required. He said he had not anticipated that the virus would spread to the United States or Europe, that he had not intended the destructive file-overwriting behaviour to operate on machines outside the Philippines, and that he had been horrified by the global scale of the damage once he understood what had happened. He had spent the intervening twenty years quietly, mostly in Manila, working at a series of small technical jobs.
The phone repair booth was his current source of income. He was, by every indication, an ordinary middle-aged Filipino man with a complicated past and no public profile. The booth has no signage indicating its proprietor’s identity. Most of the customers who come in for a screen replacement or a battery swap have no idea who is repairing their phone. The author of one of the most consequential pieces of malware in the history of computing now charges, by White’s account, the equivalent of a few US dollars per repair, and asks his customers not to share his location with strangers.