Just recently we were reminded how delicate our online ecosystem really is when the mysterious group Anonymous took down big websites like Visa, Mastercard, and PayPal because they refused to support WikiLeaks. Anonymous is the latest in the fascinating history of hackers who have had their way with supposedly secure computer systems. The big difference – most of the other guys got caught.
1. Kevin Poulsen
In 1988, at the age of 23, Kevin Poulsen, known online as Dark Dante, hacked into a federal computer network and started poking around in files for the investigation of Filipino President Ferdinand Marcos. It wasn't his first hack, but it was the first time the feds had noticed him. When he found out they were on to him, he went on the run. But like so many hackers, that didn't mean he went offline.
During the 17 months he was underground, Poulsen hacked FBI files, revealing wiretap details for mobsters, foreign politicians, and the American Civil Liberties Union. He and some hacker friends also took over the phone lines for an L.A. radio station, ensuring they were the winning caller in contests, netting themselves two Porsche sports cars, a couple Hawaiian vacations, and $20,000 in cash. When the TV show Unsolved Mysteries picked up on Poulsen's story and broadcast a segment about him, mysteriously, as soon as the screen displayed the toll-free number viewers could use to report tips on the case, all the show's phone lines went dead. Still, the episode proved to be his downfall, as Poulsen was apprehended shortly after when the employees of a supermarket recognized him from the show.
During the prosecution, the FBI called Poulsen "The Hannibal Lecter of Computer Crime," scaring the courts enough to warrant holding him without bail for five years in a federal prison while the government put its case together.
However, when all was said and done, they could only charge him with lesser crimes like money laundering and wire fraud, dropping some of the more serious hacking charges altogether. He was sentenced to "time served" and released, but was barred from touching a computer for three years.
Since then, Poulsen has become a respected journalist, writing about computer security for Wired Magazine, as well as a few books on the subject, like Kingpin, which comes out in February. He has also used his hacking skills for the forces of good, famously finding 744 registered sex offenders who were using MySpace to troll for underage victims.
2. Albert Gonzalez
Albert Gonzalez, known online as CumbaJohnny, was the mastermind behind shadowcrew.com, a black market website for hackers to sell stolen credit card numbers, Social Security Numbers, passports, and just about any other type of information imaginable. But when he got arrested for credit card fraud in 2003, he switched sides and became the key informant for the government in "Operation: Firewall," a massive program designed to take down hackers. Thanks to Gonzalez's assistance, 28 hackers, scattered across eight states and six foreign countries, were indicted on charges of selling around 1.7 million credit card numbers. For his assistance, Gonzalez was immune from all charges and was offered a job at the Secret Service.
With the Secret Service looking over his shoulder, Gonzalez developed a new online persona known as "soupnazi" to help snare hackers for the U.S. Government. But once he left the office for the day, soupnazi partnered with hacker Maksym Yastremski (aka Maksik), a Ukrainian whose sales of stolen credit card information were said to have reached $11 million between 2004 and 2006 alone.
To get credit card numbers for Maksik to sell, soupnazi and his hacker friends began "wardriving" – driving around town with a laptop hooked up to a powerful antenna, looking for wireless network signals they could breach. From the parking lots of major stores like TJMaxx, Target, Barnes & Noble, and many others, they installed "packet sniffers," software that can sit on the server undetected and grab data, like every credit or debit card transaction, from the store's vulnerable computer network. The sniffer then sent the credit card information over the internet to one of Yastremski's PCs in Turkey, allowing them to collect thousands of valid credit card numbers. Meanwhile, two European cohorts hacked Heartland Payment Systems, one of the largest credit card payment processing companies in the world, and stole card information from an astonishing 130 million transactions. With the two operations combined, Gonzalez and Yastremski were sitting on a virtual goldmine.
With an influx of cash, Gonzalez bought a brand new BMW, and blew thousands of dollars every weekend with his hacker friends on drinks, drugs, women, and swanky hotel suites. That year, he also threw himself a $75,000 birthday party. By this time, Gonzalez was no longer working for the Secret Service, who suspected he was up to no good but couldn't find any evidence. Gonzalez had taught the feds much of what they knew about hacking, so he also knew how to cover his tracks. Their suspicions were confirmed when Ukrainian authorities caught up with Gonzalez's partner, Yastremski. After searching through the files on Yastremski's seized computers, investigators found records of over 600 instant message conversations about acquiring stolen card numbers for sale. The IM name Yastremski was talking to was registered to the email address firstname.lastname@example.org.
Gonzalez and 10 others were indicted in federal court in August 2008. Gonzalez pleaded guilty to all charges and, in March 2010, was sentenced to 20 years in prison. It's been estimated that the companies hit by soupnazi and his crew have spent more than $400 million to cover the damages done by these 11 men and their 11 computers.
3. Kevin Mitnick
Using the alias "Condor," Kevin Mitnick's first big hack was a Department of Defense computer, which he gained access to when he was only 16 years old. His most famous crime in his younger days was stealing $1 million worth of software from computer company Digital Equipment Corporation (DEC). So when the FBI began investigating him in connection with a hack of the California Department of Motor Vehicles in 1992, he was determined not to get caught again and made a run for it. While a fugitive from the law, Mitnick continued to use a laptop and cell phone to break into computer networks and telephone systems across the country, stealing software, files, access codes, and anything else he could get his hands on, including some 20,000 credit card numbers.
For some hackers, like Mitnick, hacking isn't about the money; it's about being better than the other guy. Mitnick was barely challenged by the FBI on his tail, but on Christmas Day 1994, he found the perfect nemesis when he broke into the home computer of network security expert Tsutomu Shimomura. Shimomura took the breach personally and began a year-long crusade to bring Mitnick down. Like a true cat and mouse game, the two were pretty well matched – for every move Mitnick made, Shimomura had a counter move. For example, thanks to internet monitoring stations set up by Shimomura, he was able to track the online movements of Mitnick. But that didn't matter, because Mitnick used his knowledge of telephone and computer networking systems to disguise his real-world location. In the end, though, the resources of the FBI and the skills of Shimomura were too much for one man. After he had evaded capture for over two years, the FBI tracked Mitnick to an apartment in Raleigh, North Carolina, where he was arrested on February 15, 1995.
Thanks to a plea agreement, Mitnick spent five and a half years in prison. However, eight months of that time was in solitary confinement after federal prosecutors convinced the judge of the ridiculous notion that Mitnick could launch nuclear warheads by simply whistling the proper tones into a telephone receiver. Since his release, Mitnick has become a well-known speaker at hacking and security conferences, as well as the head of his own company, Mitnick Security Consulting.
4. Jeanson James Ancheta
Just because you're using the mouse and typing on the keyboard doesn't mean you have complete control over your computer. If you're connected to the internet, your PC could be a "zombie," an unwilling member of a "botnet." A botnet is a large network of computers that have been infected with the same virus, which forces them to perform some function for the "bot herder," the person who created and controls this illegal network of PCs. Usually, the herder will have your PC send out a few spam emails without your knowledge, or it could become part of an army of computers repeatedly contacting a website, forcing the site to shut down, in what is known as a "Denial-of-Service" (DoS) attack. Because DoS attacks are automated, they can often go on as long as the hacker controlling them would like, opening up the perfect opportunity for extortion (Pay up or the DoS will continue).
For 20-year-old high school dropout Jeanson James Ancheta, creating botnets became easy thanks to software he discovered online. As he continually expanded his army, he set up a website where he rented his zombies to spammers or hackers, complete with price ranges and recommendations for the number of zombies needed to complete the dirty job at hand. At one time during the course of his 14-month crime spree, it's estimated that Ancheta had over 500,000 computers at his disposal, some of which were owned by the U.S. Navy and the Department of Defense. Business was good: Ancheta was able to buy a used BMW, spent about $600 a week on clothes and car parts, and had around $60,000 in cash at his disposal.
But the fun ended when Ancheta became the first person to be indicted for creating a botnet after getting caught as part of the FBI's "Operation: Bot Roast," a nationwide push to bring down bot herders. In 2006, he pleaded guilty to four felony charges and was sentenced to 57 months in prison, forced to give up his car and the $60,000 in cash, and to pay restitution of $15,000 for infecting federally owned computers.