We look at some of the most famous cases against European hackers and explore whether extradition and imprisonment is really the right response.
The internet is borderless, with hackers able to cross international boundaries and launch attacks on distant governments and infrastructure with just the click of a button.
With cybercrime laws varying from country to country and international cooperation sometimes patchy, nation states are often reliant on extradition as a means to prosecute hackers who have attacked infrastructure in their territory.
In recent years, the US has sought to extradite hackers from the UK and the EU, but has faced pushback from state governments, human rights organisations and criminal lawyers, who protect clients that are often vulnerable.
As high-profile hacking cases continue to crawl through international courts, we take a look back at some of the most famous extradition cases on record and explore whether extradition and imprisonment is really the right response.
“I think we have to cut these people some slack,” explains Alexander Urbelis, Senior Counsel at Crowell and Moring LLP and a member of the Privacy and Cybersecurity Group.
“We have an extraordinarily talented group of individuals who are figuring out how systems work. They may transgress a lot of boundaries when acquiring that knowledge and they may wreak a lot of havoc, but I think it would be wrong to mete out extraordinarily harsh or criminal consequences to people who may not necessarily understand the consequences of their actions.”
The case against Omnipotent, the RaidForums hacker
In 2015, 14-year-old Portuguese national Diogo Santos Coelho allegedly set up RaidForums, a hacking forum made available on the open web. Easily accessible by anyone searching for it, the forum shared data breaches, provided hacking tools and distributed pornography.
Coelho, who went by the hacker alias Omnipotent, visited the US in 2018 and although he was held in custody and had his devices seized, he was not immediately arrested. Instead the US, as part of an international, multi-country investigation codenamed Operation Tourniquet, continued to collect data from RaidForums, until Coelho was eventually arrested in the UK in 2022.
The US is now seeking his extradition, though his lawyer, Ben Cooper, argues that extraditing Coelho, who is autistic, would pose a major risk to his health.
“There’s a longstanding underfunding of the federal penitentiary system in the United States,” explains Cooper. “So particularly with autism, the prisons are not attending to vulnerabilities that arise with that condition.”
Coelho’s case is not the first to be defended on these grounds, and with many young hackers living with neurodivergence, trying them for crimes they committed when they were minors is proving both controversial and challenging, as Cooper explains.
“It’s not uncommon for the defendants to be exposed to de facto life sentences in the US. The US prosecutors will essentially start from the point of adulthood, ignoring the fact that some of the conduct may have taken place when the defendant was a minor.”
The precedent-setting cases of Lauri Love and Gary McKinnon
Back in 2018, Ben Cooper also represented Lauri Love, an activist of dual Finnish and British citizenship who hacked into US government websites, leading the US to seek his extradition. His extradition was eventually blocked upon appeal, with his defence citing a diagnosis of autism dating back to 2012 and the suicide risk that he posed because of other mental health conditions.
His defenders argued that the US prison system lacked the safeguards to support Love’s complex needs, and as such it would be dangerous to extradite him.
This argument had been made previously in the case of Gary McKinnon, who fought a 10-year legal battle against extradition for hacking the US military, in what was considered the biggest military hack of all time.
In 2012, then-UK Home Secretary Theresa May blocked his extradition on human rights grounds, arguing that he may take his own life if extradited. McKinnon has Asperger’s and was deemed a suicide risk because of this and other health factors.
Hackers who’ve been extradited to the US
While these landmark cases have not gone the way the US government planned, extraditions have gone through for other hackers based in Europe. Joshua Polloso Epifaniou, a 22-year-old hacker based in Cyprus, became the first Cypriot national ever to be extradited to the US after he ran a scam to extort money from website operators by threatening to leak their data.
Similarly, UK hacker Joseph James O’Connor, 23, who operated under the alias PlugwalkJoe, was extradited from Spain after launching an attack on Twitter in July 2020. The attack saw the accounts of famous people such as Joe Biden, Barack Obama and Kim Kardashian compromised. O’Connor is due to be sentenced later this year but could face over 70 years in prison.
Is there another way forward?
Though the US is keen to make an example of anyone who attacks them, whether prison is the right place for young cyber criminals is open for debate, as Cooper explains.
“So my experience of these situations is that once arrested the defendant will immediately realise the gravity of what they’ve done and will often help in combatting cybercrime,” says Cooper. “And having understood the consequences of their actions, will want to make good.”
Many European countries are now running reform courses for young first offenders, steering them towards ethical hacking instead of further criminality. But for Christian Funk, Lead Security Researcher at Kaspersky, it all comes down to trust.
“If you don’t trust someone has the right morals or ethics, how can you ever be sure they won’t be lured back to cybercrime for money or other motivations? Kaspersky has always had a policy of not hiring hackers for this very reason.”
However, he still believes that children deserve a second chance, especially as young people are so easily influenced by their peers.
“I do believe that kids deserve a second chance, and guidance on how to use their skills and knowledge for good rather than harm,” he explains.
“Equally education is imperative – we have to teach kids from a young age about the power of the internet and the responsibility that comes with that, so that they are empowered to make good choices and we can work together for a safer online future.”
By educating children from a young age, and making early interventions if they start to go down the wrong path, many talented young people could be taught to use their skills for good, rather than ending up as victims of the prison system.