Onel de Guzman, like many hobbyist hackers, never thought that his “Love Bug” worm would get much attention.
But when he released it into the wild in 2000, it spread farther and faster than had ever been seen before — and left billions of dollars of damages in its wake.
Stay One Step Ahead of Cyber Threats
What could have compelled the young programmer to create such a powerful, devastating program? And just why was de Guzman’s worm so successful at its mission?
Onel de Guzman at a Glance
- In 2000, Filipino programming student Onel de Guzman created malware that could steal dial-up passwords, allowing him to access the internet for free.
- His professors were unimpressed with his creation, so he modified it to self-replicate via email, using a love letter as a disguise.
- Within hours of its release, the so-called “Love Bug” worm spread to millions of computers, crashing email servers and causing shutdowns at organizations like the Pentagon.
- Police traced the worm back to de Guzman, but due to weak cybercrime laws in the Philippines, he was never prosecuted for creating the worm.
- Love Bug became one of the most widespread pieces of malware in history, eventually infecting over 80 million computers and causing over $18 billion in damages and removal costs.
The Life of Onel de Guzman
A Troubled Thesis
In early 2000, the world was caught in the thralls of the computer craze.
After months of panic about the impending Y2K disaster, in which computer systems would supposedly malfunction as the date changed from 1999 to 2000, the new millennium had arrived largely without a hitch. Home computing and internet access were becoming commonplace, and most people saw the web as a positive, if somewhat inscrutable, development in human history.
But for some, the inequalities — and destructive potential — of the digital age were harder to ignore.
23-year-old Onel de Guzman was in his final year of a computer science degree at AMA Computer College in Manila, Philippines. He was talented but far from a star pupil, eschewing academic success for a top spot in the hierarchy of Grammersoft, an underground hacking collective comprised of AMA students.
But at the time, the only option for home internet in Manila was an expensive dial-up connection, and de Guzman and his family couldn’t afford it. Though he saw internet access as a human right, it was restricted to those who purchased dial-up passwords.
This inequity gave de Guzman an idea for his undergraduate thesis: a so-called “Trojan” program that could run automatically and harvest internet passwords from any computer it landed on. It wasn’t stealing; he said — the “victims” still retained their own internet access, so they weren’t being deprived of anything.
But de Guzman’s professors were unenthused and rejected his thesis proposal. De Guzman described them as “close-minded” people who simply did not want to believe that he was capable of exploiting OS vulnerabilities so easily.
Undeterred, de Guzman refined his program and began conducting live tests of it. He went on local message boards and struck up conversations with people who didn’t seem particularly computer-literate, then sent them a file he claimed was a photo of himself.
However, the file wasn’t a photo at all. It was a script that would run automatically when the file was opened, search the computer for internet passwords, then pass anything it found back to de Guzman.
The scheme kept de Guzman online for months, but like many hackers, he knew that his program could do more — and he hungered to see it for himself.
Hatching the Love Bug
In May 2000, de Guzman modified his password stealer in several significant ways.
First, he removed its geographical restrictions: rather than only targeting computers in Manila, the new and improved Trojan would work anywhere in the world.
Second, he gave it the ability to spread by itself. Once it found a new victim, it would exploit a bug in Microsoft Outlook to send a copy of itself to every email address in the victim’s contacts list, making it a full-fledged computer worm.
Third, he granted the worm some new abilities. Not only would it steal passwords, but it would also overwrite random files with copies of itself, making its power grow every time the victim attempted to open an infected file.
Fourth, realizing that random people from around the world wouldn’t be interested in opening his self-portrait, he gave the program a new disguise. People, he reasoned, wanted more than anything to find love — so if they received an email titled “ILOVEYOU” with a love letter attached, they’d almost certainly open it.
The new file was called “LOVE-LETTER-FOR-YOU.TXT.vbs”. At the time, Windows would hide the extension for recognized file types by default, so to recipients, the file would simply look like a text file — the .vbs script extension would be invisible.
At 1 AM on May 4, 2000, de Guzman selected his first victim: a Filipino man living in Singapore. He sent the man a copy of the worm, then went out drinking with a friend.
When he returned home later that day, his life changed forever.
Catching the Love Bug
De Guzman’s Love Bug worm immediately proved more successful than he had ever imagined. As the world woke from east to west that morning, people checked their email, found the “ILOVEYOU” message, opened it, and created a cascade of infections as the worm spread to everyone in their contacts.
Within hours, hundreds of email servers were overwhelmed as millions of people were infected by the worm. Corporations across the world shut down their email systems as the worm spread, and even the Pentagon and the British parliament hunkered down against it.
Police were quickly able to narrow down their search to the Philippines: the stolen passwords were being sent en masse to an email address registered there, specifically to an apartment in Manila where de Guzman lived with his sister.
De Guzman’s mother heard that there was a manhunt for a hacker in Manila and, knowing that her son enjoyed hacking, called him and warned him. Fearing a police raid, she then hid his computer, though she accidentally left the disks containing his worm out in the open.
When police arrived at the apartment the next day, de Guzman wasn’t there, but his sister’s boyfriend, Reonel Ramones, was. Police arrested Ramones and put a warrant out for de Guzman.
But because hacking and malware creation weren’t crimes in the Philippines, they weren’t sure what charges would apply.
De Guzman hired a lawyer and laid low in his mother’s house for days, afraid to use a computer or go outside as he became globally known as Love Bug’s creator. At a press conference, he hid his face as his lawyer answered questions for him but did speak up once to tell reporters that he may have released the worm by accident.
By then, Love Bug had spread to over 50 million computers — as many as 10% of all internet-connected machines in the world. Damage estimates began to pour in as companies struggled to recover their overwritten files and resume normal operations, with totals ticking up into the billions.
Meanwhile, other hackers were recognizing Love Bug as an opportunity: it was simple to edit the worm’s code to deploy different payloads and use different disguises. New variants began to circulate, with some particularly nasty ones corrupting entire operating systems.
The Aftermath of the Love Bug
Prosecutors considered charging de Guzman with credit card fraud, theft, and malicious mischief but soon realized that their case was too weak to proceed with. The proposed charges required criminal intent, and de Guzman’s press conference statement that the release may have been an accident made intent nearly impossible to prove.
Within three months, the charges against de Guzman and Ramones (who had not been involved) were dropped. The Philippine Congress quickly got to work on a bill that cracked down on cybercrimes, but because retroactive charges were unconstitutional, the new law wouldn’t apply to de Guzman and his Love Bug.
De Guzman had always been shy and fearful of publicity, and the global chaos surrounding Love Bug rattled him to his core. For a year after the incident, he didn’t touch a computer, and he never went back to AMA to complete his degree.
He eventually became a mobile phone technician, and in 2020 he admitted for the first time that he had created Love Bug — and that he deeply regretted it. He still feels embarrassed and ashamed every time a friend brings up Love Bug or asks him about it, and he’s not sure how he’ll explain his illicit past to his children.
In the end, Love Bug spread to over 80 million computers, caused as much as $8.7 billion in damages, and cost upwards of $10 billion to remove.
Onel de Guzman: The Power of Love
Love Bug wasn’t the most destructive malware in history, and Onel de Guzman didn’t create it to be.
But it did bring attention to many neglected elements of modern computing: the prevalence of simple yet devastating bugs, the lack of comprehensive cybercrime laws, the inequalities of internet access, and the power that one programmer has to change the world.
And today, many of the most successful hackers make use of one lesson they learned from Onel de Guzman and Love Bug: the human element is often the weakest, especially when it comes to love.
Onel de Guzman – A Filipino Hacker Who Stunned the Entire World (Video)
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
