From cryptocurrency schemes to shutting down schools — some of the biggest cybercrimes in 2020 and in recent years have been pulled off by individuals who weren’t old enough to graduate high school…
When I think of a teen hacker, Matthew Broderick’s role of Ferris Bueller or David Lightman in WarGames often come to mind. But modern teens aren’t just hacking schools to change their grades. Nowadays, they’re committing crypto fraud schemes, seeking out vulnerabilities to exploit, or they’re trying to make the world a better place. It all just depends on which color hat they like to wear.
Basically, teens and stereotypical hackers go together like plaid and lumberjacks or hipsters and manbuns. As a generation that’s grown up as tech natives, it’s not surprising that they’re able to figure out new ways to game systems and take advantages of cybersecurity weaknesses. Sometimes, their efforts are beneficial (such as those who seek out bug bounties). But other times, they’re extremely harmful to their targets (and others who are affected by their actions).
Individuals, schools, businesses, and other organizations have been the targets of cyber attacks and DDoS attacks in recent months that have been carried out by teenage hackers. Now, I’m not talking about minor hacks — I’m talking about several sophisticated cyber attacks that have impacted thousands of people and resulted in millions of dollars in indirect and direct losses.
Let’s get right to the topic of teen hacker news. We’ll cover some of the top attacks by teen hackers and talk about the impacts they’ve had businesses and individuals in the U.S. and around the world. After that, we’ll talk about what happens to teen hackers when they get caught.
Let’s hash it out.
Three Teen Hackers Allegedly Involved in the July 15 Twitter Account Takeovers
Up first on our list of teen hacker news… Unless you’ve been living under a rock, you’ve likely heard about July 15 hack of Twitter. The social engineering attack resulted in the hijacking of 130 accounts — some of which included high-profile targets like former President Barack Obama, Apple, Elon Musk, Bill Gates, and Joe Biden. KrebsOnSecurity reports that that “the bitcoin accounts associated with the scam received more than 400 transfers totaling more than $100,000.”
On July 31, the FBI announced that they’d charged three individuals for their roles in the attack, including:
- Mason John Sheppard, 19, of Bognor Regis (U.K.)
- Nima Fazeli, 22, Orlando, Florida (U.S.)
- Graham Ivan Clark, 17, Tampa, Florida (U.S.)
However, last week, the CoinTelegraph reported that Clark may not have been the only juvenile involved in the attack. A report by The New York Times says that an unnamed 16-year-old in Massachusetts also may have played a “significant role” in the attack. With a search warrant in hand, authorities searched the home that the teen shares with his parents.
According to the Times:
“Now authorities have homed in on another person who appears to have played an equal, if not more significant, role in the July 15 attack, according to four people involved in the investigation who declined to be identified because the inquiry was ongoing. They said the person was at least partly responsible for planning the breach and carrying out some of its most sensitive and complicated elements.”
Teen Allegedly Responsible for 8 Miami-Date Public School System Cyber Attacks
This next incident brings us to good ol’ Florida, where a 16-year-old teen hacker named David Oliveros was arrested for a series of cyber attacks against Miami-Dade County Public Schools (MDCPS). The attacks, which took place during the first week of school (starting Aug. 31), resulted in a series of network outages that affected the web systems that support the remote learning program My School Online.
MDCPS shared the following in an official statement on Sept. 3:
“Miami-Dade County Public Schools (M-DCPS) has been the target of more than a dozen of these types of attacks since the 2020-2021 school year began. Detectives are continuing their investigation to determine whether additional individuals are responsible for the attacks.”
According to a report by NBC Miami 6, investigators were able to trace multiple attacks back to an IP address at the teen’s home. The teenager, who is a junior at South Miami Senior High School, has now been arrested and charged with a third-degree felony and a second-degree misdemeanor.
This teen hacker is thought to be responsible for at least eight of the attacks against the school system. However, it appears that there may have also been attacks on the school district that originated overseas, such as in China, Russia, and Ukraine.
Just as a quick note: The school district still appears to have some improvements left to make in terms of upping their cybersecurity. For example, their official website doesn’t appear to be using an SSL/TLS certificate installed to help secure their information. Surely, they can be doing more to help secure their site, particularly in light of these recent cyber attacks…
Manage Digital Certificates like a Boss
14 Certificate Management Best Practices to keep your organization running, secure and fully-compliant.
Madrid Teen Hacker Allegedly Perpetrates “Numerous” Hacks Since Late 2019
An unnamed 16-year-old from Madrid, Spain, was arrested on April 3 for carrying out numerous hacks against Spanish and international public and private organizations. According to Europepress, the attacks, which date back to as early as late 2019, resulted in a variety of service downtimes, as well as the theft of personal information and medical data.
Some of the stolen personal data includes the medical information of Spanish politician Santiago Abascal. El Pais reports that the hacker shared this medical information via Instagram and Twitter. The hacker was captured in the midst of carrying out an attack against a prominent parcel company. He claimed that he wasn’t trying to “do evil,” and the National Police are trying to figure out whether the teen profited financially from his crimes in any way.
Several of the cyber attacks targeted the applications of organizations and businesses that provide services relating to healthcare, education, logistics and transportation, and telecommunication (among others). La Guardia reports that one attack against a leading video streaming service provider involved the creation of 141,000 fraudulent accounts using stolen payment cards. This cost the target company losses of about €450,000 (approximately the equivalent of $530,535 in U.S. dollars).
TeleMadrid reports that the teen, who sought out fame for his achievements, gave gifts — like free access to the video streaming service — to his social media followers.
Iranian Teen Hackers Deface Websites of U.S. Businesses
Although these are relatively minor compared to some of the other attacks mentioned above (and ones we’ll get to shortly), there were still some cyber attacks in January that affected small businesses, individuals and institutions around the U.S.
Tensions mounted in 2019 due to military-related conflicts and soared with the death of Iranian General Qassem Soleimani in January 2020. As a result, The Verge reports that the unpatched websites for these entities were hijacked and defaced by pro-Iranian messages and images. Many of the responsible parties were thought to be teen hackers who are part to be hacktivists and part of larger hacker groups.
Cyber Crimes That Were Committed by Teens in Recent Years
There are several cases going through the court systems in the U.S. and abroad this year for crimes that were committed in previous years. From a motivation perspective, the different cases span the gamut. We’ll cover several of these cases starting with the most recent as we continue our list of teen hacker news.
Teen Hacker Sentenced to Up to 15 Years in Prison for Hacking & Stealing Images
Cameron Charles Brush, an 18-year-old from Mohave Valley, Arizona faced potentially 35 charges — 25 from a 2020 case and 10 from a 2019 case — relating to the sexual exploitation of minors and computer tampering. The crimes were committed between April and September 2019.
Brush was 17 when he hacked the social accounts of multiple minors to steal thousands of images, including sexually explicit ones. Infosecurity Magazine reports that Brush blackmailed his victims, stating that he’d send the photos to their families and friends if they didn’t send him new lewd videos and images. Investigators found more than 4,000 images of child pornography on devices in his home.
The Mohave Daily News reports:
“Brush is charged in a 2020 case with 25 counts including sexual exploitation of a minor, sexual extortion, computer tampering and attempted sexual exploitation of a minor. Those incidents allegedly occurred between April and September 2019.
Brush also is charged in another 2019 case with 10 counts of sexual exploitation of a minor for allegedly hacking a girl’s computer and possessing child pornography.”
He initially faced a maximum of around 600 years of prison time for all of the charges in the two cases. However, a June 2020 article by the Mohave Daily News shows that the judge sentenced Brush to a maximum of 15 years in prison and supervised probation for the rest of his life.
Teenagers Carry Out SIM-Swap Attacks Totaling Hundreds of Millions of Dollars
Losses from cryptocurrency-related thefts, hacks and fraud totaled $4.5 billion in 2019 alone, making it the highest year on record according to CipherTrace. This year, there were $1.4 billion in such losses reported between January and May 2020.
Joel Ortiz, Nick Truglia, and Ellis Pinsky — those are the names of three teenagers who were arrested or sentenced for crimes related to stealing cryptocurrency and carrying out SIM-swapping attacks during their teens. All of these individuals were living large prior to their capture — they’d flaunt their riches with expensive clothes, apartments and AirB&B rentals, cars, watches, and parties.
Nothing screams excess like pouring pricey champagne over very expensive watches (as shown in an embedded via in this article by Brian Krebs) while partying at a night club.
Of course, there are other teen hackers that have been cashing in on SIM swapping — like Xzavyer Narvaez (one of the owners of the aforementioned watches) and Samy Bensaci — but we figure it’s best to limit ourselves to talking about just a few of them.
SIM swap attacks involve using victims’ personally identifying information (PII) to illegally port their phone numbers to unauthorized devices. This gives the attackers access to the victims’ email accounts, social accounts, digital wallets, and cryptocurrency accounts.
SIM swappers typically do this by either tricking mobile phone providers’ employees into performing the transfer or having insiders who work for those mobile companies that they pay or threaten to assist them. These attacks can be utterly devastating for the victims who may lose thousands or millions of dollars within a matter of minutes.
So, just who are these guys? Let’s get to know a bit more about these three teen hackers…
Joel Ortiz, who was arrested in July 2018 at the age of 20, was convicted of stealing an excess of $7.5 million in cryptocurrencies from at least 40 victims. Ortiz, who was a valedictorian of Boston Public Schools and a student at UMass, was a prolific SIM-swapper. He’s thought to be the first SIM swapper to get convicted of using cell phone hacking to steal digital money, according to San Jose Insider.
The County of Santa Clara District Attorney describes Ortiz as “a prolific SIM swapper who targeted victims to steal cryptocurrency and to take over social media accounts with the goal of selling them for Bitcoin.” The DA office also reports that Ortiz was sentenced to 10 years in prison in April 2019 after pleading no contest to 10 felony theft charges in January 2019.
Nick Truglia, who was arrested in November 2018, was sentenced to 10 years for SIM swapping after porting the accounts of multiple victims, including Robert Ross. In the attack on Ross, Truglia stole $1 million — the victim’s life savings and also the funds he had for his daughters’ college educations.
Truglia was 18 when he SIM-swapped the device of blockchain investor Michael Terpin. This crime along resulted in the theft of nearly $24 million ($23.8 million) in cryptocurrency. Truglia also had an associate that he worked with — another teenager named Ellis Pinsky — and they worked together to carry off their SIM-swapping attacks and crypto heists. Medium reports the following about Truglia and his collaboration with Pinsky:
“Finding vulnerable people and sim cards were his specialty. He would get the victim’s passcodes and then procure a blank sim card before handing everything over to Pinsky.”
Truglia, who was busted for his participation in another crime, was sentenced to pay $75 million to Terpin for his crime. He’s also been sentenced to serve 10 years behind bars for his crimes.
Ellis Pinsky is a computer hacker who allegedly has engaged in different types of cybercrimes — everything from stealing and selling social media handles to SIM swapping. Pinsky, now 18, is being sued by Terpin as well for $71.4 million. Terpin claims that Pinsky and Truglia worked together to steal the nearly $24 million in cryptocurrency from him when the teen was 15 years old.
Terpin also is suing AT&T for $224 million since he’s had two SIM swap attacks occur on their watch. According to a GlobalNewswire release on the case: “The evidence will show that AT&T not once, but twice allowed hackers posing as Michael to obtain his SIM card.”
In addition to his cybercriminal activities, the New York Post reports that a 16-year-old accomplice who helped Pinsky launder Terpin’s money claims that Pinsky threatened to kill him or his mother. The 16-year-old also says that Pinsky claimed to have $100 million and that “I could buy you and your family,” according to the Cointelegraph.
Former Teen Hacker Faces Double-Whammy of Hacking Nintendo & Child Porn Charges
Ryan Hernandez, now a 21-year-old from Palmdale, California, pleaded guilty to crimes of computer hacking and child porn possession back in January. He was originally discovered in 2016 as stealing and publishing Nintendo’s confidential files, including info on the company’s upcoming Switch console release. He used phishing to gain access to a Nintendo employee’s credentials to carry out his activities.
The U.S. Department of Justice reports that although the FBI reached out to him and his family with a warning to stop, which he agreed to, Hernandez went right back to his malicious activities. Between at least June 2018 and 2019, he admits to “hacking into multiple Nintendo servers and stealing confidential information about various popular video games, gaming consoles, and developer tools.” He didn’t bother to hide his identity and was blatantly boasting about his activities on social media.
Needless to say, the FBI wasn’t as forgiving the second time — they searched his home and seized electronic devices that included pirated games and software. And what they found there was worse than “just” stolen proprietary information:
“On those devices, they discovered thousands of confidential Nintendo files. Forensic analysis of his devices also revealed that HERNANDEZ had used the internet to collect more than one thousand videos and images of minors engaged in sexually explicit conduct, stored and sorted in a folder directory he labeled ‘Bad Stuff.’”
“Bad stuff.” Really? Yeah, that’s putting it mildly.
The U.S. DOJ reports that Hernandez pleaded guilty to the 2016 Nintendo server hacks as well as the possession of more than 1,000 pornographic videos and images. Hernandez was originally set to be sentenced on April 21. However, that was been delayed until September due to the COVID-19 pandemic, The Daily Swig reports. In addition to agreeing to pay $259,323 in restitution for remediation costs to Nintendo, Hernandez also must register as a sex offender following his conviction, the DOJ’s press release shows.
Hashed Out reached out to Emily Langlie, Communications Director for the U.S. Attorney’s Office, to get an update about his sentencing date. Langlie says that Hernandez’s sentencing has been delayed until Nov. 17, 2020.
A Little Insight About Teen Hackers
Data regarding the average age of hackers is hard to pinpoint and varies by country. The most recent data I’ve found is from a 2017 study by the United Kingdom’s National Crime Agency (NCA), which reported that the average age of hackers in the U.K. was 17. The study also found that the majority of those interviewed viewed hacking as a “moral crusade” rather than a way to make some dough, The Guardian reports.
So, what factors could contribute to teens becoming hackers? According to another study that was published by Holt, Navarro and Clevenger in 2019:
“The findings demonstrated that individuals with low self-control and deviant peer associations were significant predictors for both males and females. Specifically, those whose peers used drugs, shoplifted, and played computer games were more likely to engage in hacking. In addition, individual involvement in piracy, parents owning their own vehicle, and living in small towns were consistent predictors across both sexes. There were also distinct factors affecting the risk of offending, as females were more likely to hack if they spent more time with their peers generally, and also had peers who frightened others […] Males were more likely to hack if they owned their own computer and mobile device, spent more time watching TV and playing computer games, and had peers who engaged in vandalism.”
Now, this isn’t to say that hackers don’t live in big cities. This study, for which the data on 48,327 juveniles was collected in 2007, just provides some insight into some of the factors that may contribute to males and females engaging in computer hacking behavior.
Of course, there are also teens that get involved in cybercrimes in non-hacking roles as well. For example, The Guardian reports that hacking gangs frequently use teenagers as money mules and pawns to help carry out cybercrimes. In these scenarios, teens serve as runners or “middles” to:
- Recruit other teens,
- Keep those recruits in line,
- Collect personal details on friends and family members to set up new bank accounts, and
- Funnel funds through those accounts.
So, What Happens to Teenage Hackers?
The short answer is “it depends.” After all, some teen hackers are never caught and other never engage in criminal activities in the first place. Others, like U.K. hacker Marcus Hutchins — the guy who stopped the WannaCry cyber attacks of 2017 — may engage in criminal activities early on but then may choose to walk the straight and narrow path as they get older. (In Hutchins’ case, however, he was later arrested for crimes he’d committed as a teenager.)
For those who do commit crimes, the long answer also varies depending on different factors, including the severity of their crimes or if they’ve engaged in crimes at all. For example, teen hackers who are arrested and found guilty of their crimes in the U.S. frequently serve time for their crimes. Ideally, they learn their lessons and choose to follow the law from now on. In some cases, they’re recruited by cybersecurity companies and government organizations to work for them after their release or in exchange for lesser sentences.
For example, the BBC published a nice article on a company called BlueScreen that gives U.K. teen hackers who are caught a second chance. The goal is to help them learn to use their skills for good by protecting the company’s clients against attacks from online criminals.
Now, of course, not all teen hackers are bad…
Some Teen Hackers Use Their Skills & Knowledge for Good from the Get-Go
There are also white hat hackers like Santiago Lopez, who choose to use their hacker skills for good instead of evil early on. Lopez, 19, became a millionaire the legal way — plying his white hat hacker trade as a bug bounty hunter. Another named Sam Curry reportedly makes about $100,000 annually working as an ethical hacker.
Bug bounty programs make it possible for white hats to put their skills to use in positive ways by identifying vulnerabilities and bugs. Some of these programs include (but are certainly not limited to):
One teen hacker who goes by her hacker name CyFi really seems to embody this idea of trying to use her knowledge and skills to make the internet a safer place. In 2011, CyFi helped co-found the r00tz Asylum, which is a non-profit that focuses on helping kids to become white-hat hackers. They also hold workshops for kids at DEF CON.
The U.K. Government Aims to Reach Teens Before They Commit Crimes
The U.K. government also offers the Cyber Discovery program, a training platform that targets 13- to 18-year-old hackers who live in the United Kingdom. The goal is to train these tech-savvy teens and hackers to become the next leaders in cybersecurity.
But what are other countries doing once teen hackers get caught?
Netherlands Authorities Test Intervention Pilot Targeting First-Time Offenders
For some teen hackers who live in the Netherlands, there’s another option known as Hack_Right. According to the Centrum voor Criminaliteitspreventie en Veiligheid (CCV) in the Netherlands — or the Center for Crime Prevention and Safety in English —the intervention program aims to help young hackers turn away from criminal activities. Hackers ages 12 to 23 who are convicted of a cybercrime for the first time may be eligible to participate.
The Hack_Right program, which started in 2017, runs until December 2021. So far, according to the CCV article, the program has had more than 20 participants. There’s no telling yet what the results of the study will be, but it’ll be interesting to see if and how it helps to recidivate these teen hackers.
Teen hackers have so much potential and a lot to offer the world of cybersecurity. They’re natives to the digital world that they’re born into and take to technology like ducks to water. Some of the world’s rising stars in cybersecurity are kids and teenagers. It’s imperative that parents and teachers alike encourage their curiosity but also teach them to responsibly explore and technologies from a young age.
This will help them learn to identify vulnerabilities but not exploit them. You know, the whole Spiderman/Uncle Ben “with great power comes great responsibility” thing.