Children and teenagers are behind some of the most aggressive and profitable cyberattacks in the world, and many are getting away with it because they know they’re unlikely to face serious consequences.
John Hultquist, Chief Analyst at Google’s Threat Intelligence Group, spoke exclusively with TechDay to reveal who exactly is behind these attacks.
“We’re talking tens of millions – if not hundreds of millions – of dollars that these kids are making,” Hultquist said. “There’s clearly a financial motive, but it’s also about reputation. They feed off the praise they get from peers in this subculture.”
The average cybercriminal today is not a shadowy figure backed by a government agency, but often a teenager with a high tolerance for risk and little fear of repercussions.
And according to Hultquist, that combination is proving incredibly difficult for law enforcement to counter.
“There’s no deterrent,” he said. “They know they’re unlikely to face serious consequences, and they exploit that. One reason I wouldn’t do cybercrime – aside from the ethical one – is I don’t want to go to jail. These kids know they probably won’t.”
His concern is echoed by Mandiant Consulting’s latest global data.
In 2024, 55% of cyberattacks were financially motivated, the majority involving ransomware or extortion.
Mandiant also observed that teen-driven groups like UNC3944 (aka Scattered Spider) are behind many of the most damaging breaches, often relying on stolen credentials and social engineering to bypass defences.
“Younger actors are willing to cross lines even the Russian criminals won’t – threatening families, for example,” Hultquist said. “They don’t worry about norms outside their subculture. Inside their world, they’re being praised.”
Even when authorities know who is behind an attack, bringing them to justice is rarely fast. “Building a case takes years. In the meantime, they can do serious damage,” he said.
The urgency is underscored by the pace at which attackers now move.
According to Mandiant, the median global dwell time – the time it takes to detect an intruder – has dropped to just 11 days, and in ransomware cases, often as little as 6 days. More than 56% of ransomware attacks are discovered within a week, showing just how rapidly these operations unfold.
Though many of these actors operate independently, some work in the blurred space between criminal enterprises and state-sanctioned campaigns. Hultquist explained that governments – particularly in Russia and Iran – often outsource cyber operations to criminal groups, giving them protection in exchange for service.
“It’s a Faustian bargain,” he said. “The government lets them continue their criminal activity as long as they’re also doing work on its behalf.”
Google’s acquisition of Mandiant in 2022 has enabled Hultquist and his team to monitor global threats more effectively by combining Google’s in-house security team with Mandiant’s threat intelligence capabilities.
This merger formed the Google Threat Intelligence Group, which Hultquist described as a “juggernaut”.
“We’ve got great visibility on threats all over the world,” he said. “We get to see the threats targeting Google users.”
That level of access and scale has allowed Google’s team to take cyber defence to unprecedented levels. In one recent case, they used an AI model to uncover and neutralise a zero-day vulnerability before attackers could use it.
“It literally found the zero-day,” Hultquist said. “The adversary was preparing their attack, and we shut it down. It doesn’t get any better than that.”
AI is becoming both an asset and a threat. While Google uses it to pre-emptively defend systems, attackers are beginning to leverage it to enhance their own capabilities. Fake images, videos, and text have long been used in phishing and disinformation campaigns, but Hultquist said the next phase is far more concerning.
“We’ve seen malware that calls out to AI to write its own commands on the fly,” he said. “That makes it harder to detect because the commands are always changing.”
He warned that AI could soon automate entire intrusions, allowing cybercriminals to break into networks, escalate privileges, and deploy ransomware faster than defenders can respond.
“If someone can move through your network at machine speed, they might ransom you before you even know what’s happening,” he said. “Your response window gets smaller and smaller.”
As attackers evolve, many defenders still rely on outdated mental models, particularly when it comes to cloud security.
“People are still thinking like they’re defending old-school, on-prem systems,” Hultquist said. “One of the biggest problems in cloud is identity – especially third-party access. That’s where your crown jewels might be, and you don’t always have full control.”
And while some worry about cyber threats to governments, Hultquist said the private sector is often the true target.
“If a country retaliates against the Five Eyes, they’re not going after military or intelligence,” he said. “They’ll go after privately held critical infrastructure. That’s always been the asymmetrical advantage.”
Despite the constant evolution of threats, Hultquist said progress has been made on both sides. He recalled the early days of Chinese state-backed attacks, when errors in spelling and grammar made their emails laughable – and traceable.
“We used to print them out and tack them to our cubicle walls,” he said. “Now, they’re incredibly sophisticated. But the reason they’ve improved is because we’ve gotten better. Our defences have evolved.”
And according to Hultquist, that cat-and-mouse game won’t be ending anytime soon.
“We’re not fighting the laws of physics like safety engineers,” Hultquist said. “Our adversaries adapt. If we fix everything, they’ll just change to overcome it.”