Lured To The Dark Side: The Criminal Hacker Journey Pt. 1

Mitch Mayne: If you were to survey a random group of kids, likely very few of them would say, I want to grow up to be a cyber criminal. Yet, it's not uncommon for teens to get caught up in the criminal side of cyber. Things like popularity and online forums, lack of the right kind of guidance and the thrill of a gaming mindset, make online mischief a very attractive lure to a young mind. For today's episode, we sit down with Chris Quevatre. He is a former BBC journalist turned filmmaker and the author of an in depth article that looks at the world of teen hackers. Chris speaks with us about the criminal hackers he got to know and uncovers their motivation and mindset and also how they were given a second chance at life. I am Mitch Mayne and you are listening to Into the Breach. So Chris, as a journalist for BBC, you covered a wide breadth of stories. I went back online and looked at some of the stuff that you have written and all of them tend to be a little more unique than just a traditional journalist who covers a specific beat like policy or health. So how did this specific story come to you and tell me about the background that led you here and why this one happened.

Chris Quevatre: Yeah, working in regional news, you get put on a wider range of stories. I guess, it's one of the perks of not working to a specialty. This particular story, my editor came to me one day and he said, there's this company called Blue Screen IT I've come aware of, there's something going on there with some of the kids they're hiring. Can you go down and check it out? Put in some calls with the company, got friendly with the CEO there. They invited me down to spend some time with their guys and I found out all about their personal stories and some of the guys that they're hiring and they've got some unique backgrounds and some very strange roots into a professional cybersecurity career.

Mitch Mayne: Well, I do like the angle of strange roots because that kind of is indeed what you discovered there. In the story, you tell the tale of two teenage boys who were at least teenagers at the time that they were caught doing criminal hacking. I guess we call them accidental criminals for lack of a better term. Tell me what you discovered about these boys briefly, what their stories are and what their motivation was and how they ended up on the criminal side of this with virtually no education in cyber.

Chris Quevatre: Yeah, I mean, I think the key word in that question there is boys. I think that's one of the biggest things to take from this is that they absolutely were children. Jack was 19 years old when the police turned up at his house, but he had been spoken to by the police and given a cease and desist when he was 16. He said he was watching The Lion King at ten past eight in the morning when the police turned up. He said there were a few patrol cars and lots of officers all stormed in as quickly as possible so that he couldn't delete hard drives and all of this stuff. Yeah, they were there to arrest him. I think that was when it really sunk in that he had broken the law. Before that he hadn't particularly considered himself doing that. He had a really interesting story actually. He'd started looking into designing code and things when he was a lot younger. When he was in his early teens. He said he'd been trying to find a quicker way to do algebra. He didn't want to do the maths, he didn't want to do the arithmetic. He wanted to find a way to do it. So he tried to build a system out of code that would complete algebra for him. He said it didn't go particularly well. I don't think he got many correct answers, but it really peaked his interest in, I think, finding shortcuts and finding what, I guess at the time he would've considered efficiencies in ways to do things. So that was Jack Cameron started in a similar way. Actually, Cameron's one of the other guys that I spoke to at Blue Screen. He started designing systems and code to try and help him be good in video games as well. He was really competitive. He didn't want anyone to beat his top scores and stuff like that. And so he would design programs to either make other people worse or make him better during games. And again, it's that way of efficiency and trying to make shortcuts and in ways that aren't particularly breaking the law. But that stems that interest. It really is the root of it all and if you don't have an outlet for somewhere to put that talent and that skill and that interest, it grows into things that it shouldn't.

Mitch Mayne: That's an interesting perspective and one that I gathered from the article as well, that there was a gaming mindset going on here rather than a criminal mindset and there may have been an element of not just cutting corners, but also thrill seeking as a motive here. Were there any similarities between the two boys? Was there a lack of access to education resources? Were there SES commonalities, or were these just truly just two random middle class boys off the street?

Chris Quevatre: Yeah, I mean I think there were definitely similarities obviously in their interests in what they'd done when they were younger. I think there's definitely a sense of thrill seeking there for sure. I think when you've got talent and these guys clearly had talent, you want to have an outlet for it. You want to be able to develop it and grow it and find new ways of testing it. Now I remember when I was 13, 14 years old and I had what we call information communication technology lessons. I was doing formatting on word processing documents and stuff like that and learning how to use spreadsheets, but I wasn't testing out my coding skills and stuff like that. And that's what these guys wanted to be doing, but they didn't have an outlet for that at school. No one was teaching them this stuff. No one was testing them on this stuff. And I think certainly there was at the time the lack of education, not just in teaching them what's legal and what isn't, but literally just having a curriculum that can guide these skills so that you can test yourself and push yourself further, without going over that line into a illegal activity that can happen if you do it unsupervised. So there's definitely a thrill seeking part there. One hacker I spoke to not featured in the article, had stolen financial records and bank details. He said he had no intention of using them at all. It hadn't even crossed his mind. He was just doing it to see if he could. It was just a test for himself and he hadn't even considered that it was illegal, although to most that would seem obvious, but when you're 14, 15 years old, he was just doing it to test himself, because he had no way to, I guess, measure himself against his peers, or his friends online.

Mitch Mayne: That's an interesting point. And when you and I spoke earlier, we had drawn the analogy of when I was a kid, one of the things that I did was see if I could actually throw my football over the entire house and it actually went through the neighbor's window. There was no malicious intent there, but I did indeed break the window and it was a thrill, I'll have to admit. And for a 13, 14, 15 year old kid to be able to take that gaming mentality that has not been harnessed, for lack of a better term, for the power of good and test it up against a major financial institution and to be able to get in the door, whether or not your intent was bad, that must have been quite a thrill for him.

Chris Quevatre: Yeah, absolutely. And incredibly exciting. There must be a feeling there that if you effectively break into a bank, but you have no intention of stealing anything from the vault, then they're just going to let you off. You're a child, but that's not how it happens at all. I mean, Cameron was arrested on his way to school when he was just 14 years old. When I was 14 I didn't consider anything I was doing illegal. I may well have not been doing anything illegal. But those thoughts, those risks, just don't pop up in your head. You don't think of the fact that they're going to affect you for the rest of your life.

Mitch Mayne: Is it safe to say then that the kids in the interview chose their targets at random? There was no criminal mind mastermind mapping out of who to target. It was just, hey, let's try this website today.

Chris Quevatre: Yeah, I think there was definitely talk of having mentors online. So I spoke to people who had had older hacker, perhaps not older. I mean who knows? I think there was a lot of anonymity there, but certainly more experienced hackers, asking them to do things, but it was all tests to get into groups that would hack and things like that. But there was no targeting people in order to be either a nuisance and disrupt websites, or to steal data or financial information. There wasn't a sense of targeting someone to influence them in some way or to attack them. But I think there were relatively randomly selected targets just in order to prove yourself or test each other.

Mitch Mayne: It's interesting that you mentioned that they ran into, you used the term mentors, so they lack mentors to help teach them how to use these skills in a professional curriculum, in a professional school setting, was relatively easy to find mentors who would help teach them to do things with their skills that were against the law. Did you get a sense of what they knew about their criminal fellows or how well organized these networks were or how they found one another?

Chris Quevatre: I mean, not really to be honest. I think the sense in terms of organization, there were definitely handfuls of people and online gangs that you could join, that you had to pass tests to join and that thing. But I don't know the scale of the organization that was going on there, I think potentially at their age the groups they were joining weren't maybe on the organized crime level. But who knows, perhaps they were.

Mitch Mayne: In our next episode with Nick Rossmann who is the head of threat intelligence for X- Force here, the data now demonstrates that this kind of crime that the two boys were from guilty of isn't really a solo act any longer. We used to think threat actors were these lone wolves, wearing a hoodie in a coffee shop or a lonely guys sitting in their parents' dark basement. But it's not really the case and you've just made that point. Black- hat hacking has grown into a finely honed industry and again, probably looking to recruit people like Jack and Cameron. What do you think, based on what you learned in this story might have become of Jack and Cameron and the other folks at Blue Screen, if they hadn't been caught?

Chris Quevatre: Well at 14 and 19 years old from Cameron and Jack, they would've been charged with a crime. Well, they were charged with a crime. They weren't convicted. That's the difference. These two guys were arrested, Jack when he was 19, Cameron when he was 14, and both charged with a crime, but they were never convicted because that's the point at which they were intercepted by the National Crime Agency as people who had the ability to be reformed with a company like Blue Screen IT. Had they not been put on that path, who knows where they would've ended up. But for Jack, he had initially been stopped by the police when he was 16 and then arrested again when he was 19. So three years on, he was still conducting illegal activity. So if he hadn't been stopped then, there's no reason suggest that wouldn't have continued. For Cameron, it's hard to say. I mean he was stopped so early on when he was 14 years old. He said up to the point that the police arrested him on his way to school, his biggest worry was that he hadn't done his math homework and then suddenly, yeah, he's being stopped on his way to school while walking across the playing fields. And that point, who knows, but if he's at that level that he's getting police attention when he is 14 years old, you can't imagine it's going anywhere good.

Mitch Mayne: Yeah, that's true. I was just actually thinking back to things I was doing when I was 14 and I think my biggest concern was not even homework, but it was more like, does my hair look okay today? So is that a new zit? It's a very, very different mindset and these guys are so clearly intelligent. This just is a fascinating story. You talk a little bit in the story as well about the police officer who was involved in the arrest of at least one of the youth and the police cyber futures program whose aim I'm gathering is to nab these kind of accidental young criminals, and set them on a different path. Did you get a sense at all in the article as you were writing it, of how many of these youth they've been managed to capture or what the fate was after their arrest?

Chris Quevatre: It's hard to say and I imagine it's changed a lot over time, but it sounded like a lot. I mean I don't think Jack and Cameron are anomalies in the data. I think there are people that are willing to go onto this cyber futures program and they're willing to of change teams as it were and put a different hat on. But there are probably a lot of people that aren't willing to do that, both because they maybe feel that they don't fit in that office workplace, in a more professional workplace, but also because they fear repercussions as it were, from switching sides. It's very difficult to shield what you are doing from people who are such prolific hackers online. There will be lots of people that will fear changing sides and fine for the good guys.

Mitch Mayne: So jumping the fence is something that we could actually consider to be a risky venture. Jumping the fence from the dark side to the good side. We have an industry here, Chris, that is absolutely clamoring for talent. The statistics are mind boggling and every day that there's a new one that we're XX million people short of the needed cybersecurity talent in the industry in order to help keep the world safer from government to private industry to you name it. And yet here we have a story about these two kids. I will bet my retirement on the fact that there's millions of these kids out there, who lack the ability to hone their skills in a way that's attractive to them. So is there a lesson here do you think, for the industry?

Chris Quevatre: I mean, I think when you are 14 years old and you are getting your teeth into this stuff, it must be really attractive just because you are potentially getting an income from it, as well as just messing around and testing yourself. You can potentially get income from it and you're not going to be hired by a cybersecurity firm at the age of 14, at the moment I suspect. But I don't know the industry that well. But you can get an income from an early age doing something that you enjoy, something that's a thrill, something that's got a bit of risk to it. It's hard to see what the alternative is for that. There is absolutely a massive pool of people who are talented and can do this job. Once the article came out on the BBC website, Cameron and Jack were not at Blue Screen IT for long. They got poached by other companies. They were talent spotted as a result of the article and in a slightly jokey way, Blue Screen was saying, yeah, it actually hadn't been that good for them because they'd lost a couple of really good members of staff to bigger companies. So there is an absolute clamor for this type of experience. Absolutely, and not just people who have an intricate knowledge of cybersecurity, but people who've got active experience of breaking through it. That is a unique thing to have in your CV and I'd imagine very desirable for companies. They don't want these crimes to happen in the first place of course, but once they have that is probably quite a desirable thing to have in your CV, I'd imagine.

Mitch Mayne: I just can imagine what their graduate school essays would be. That would be absolutely remarkable. Far more interesting than mine. So you experienced a bit more of the uplifting side to cyber crime. There often isn't a silver lining. I think that you may have stumbled upon one, with your exposure to Jack and Cameron and the other youth of Blue screen. Talk to me a little bit about, from somebody looking from the outside in, what were the emotions that you experienced while writing and investigating this story? There were probably a lot of them, but give me a primary few.

Chris Quevatre: It was mainly surreal for me. When I was researching the story, I was 26 years old. These guys were a few years younger than me, but the idea that they'd be arrested when they were 14 years old, walking to school just a few years earlier was absolutely surreal. And the idea that these guys sitting in front of me were just four or five years ago, really big names in the online hack community. I'm sure it's talked about massively at school is that kid that got arrested for accessing thousands of people's personal details, or hacking into a major company. It was just really surreal to be around them and they're so normal, really friendly, really nice guys. You wouldn't know they had been involved in any criminal activity at all. By the time I met them, they'd been in a professional workplace for a couple of years at least, but the idea that they had been responsible for some pretty serious crimes, was just really surreal.

Mitch Mayne: The story seemed surreal to me as well. I think the most serious problem I ever had as a youth, is I grew up in Cal Country in Ranchland and we had an outside Kegar that was busted by the police and I got a ticket for having a beer in my hand at age of 17 and that was absolutely terrifying to me. It was my whole future flashed before my eyes. And so I can imagine what watching the Lion King and having that be interrupted would be in a front in and of itself, but then to be hauled off to jail in charge of something far more serious, would be a little alarming. So Chris, in the story, one of the things that I noticed was that Blue Screen IT actually did some training with the police department, I believe it was again, the cyber futures program. And there was an ironic interaction at that point between one of the boys arrested and actually officer who arrested him. Tell me about that.

Chris Quevatre: Yeah, it was crazy. So Cameron had been arrested when he was very young, so he was 14 years old. He actually spent some time in a prison cell as well, in a holding cell at least. He was arrested by Detective Sergeant John Atkin, who's from the Southwest Regional Cyber Crime Unit. Years later, Cameron's working at Blue Screen IT. He's been safe from being convicted with any crimes and now is working his way through the Blue Screen levels and doing different courses, which will give him official qualifications in cybersecurity. Luckily for him, Blue Screen actually run those courses themselves and they offer it not just to their own staff but to anyone who wants to attend. In his first year at Blue Screen, one of the courses that he attended that was run by the company, it was attended by the same police officer, John Atkin, who had arrested him in 2014. He said, I'd never thought we'd be meeting again on a course when he was arresting me as a 14 year old. There's an element now of learning from each other as well. If something comes up in the forensic examining of digital records, John Atkin is the man to explain it best. But if they're talking about a penetration attack or something like that, then Cameron's the guy who's going to have more expertise. The best element of this whole story, is just how both sides of the coin can give such good input now into fighting cyber crime. And it just gives this really nice feeling of hope for those that can change sides or just be diverted onto the right path, that they can have a really meaningful career in cyber security and they can be really helpful assets in the fight against hacking.

Mitch Mayne: I agree. This was among the more uplifting stories in the cyber realm that I have experienced, which is why I wanted to have a chance to talk with you. I do have to chuckle a little bit about what must have been just a remarkably awkward moment between the police officer and the kid that had been arrested. But again, all turned out for the best for all involved it sounds like.

Chris Quevatre: Yeah, the policeman, John Atkin, he was really good spirited about it, he was like, we're just here on a course. We're both in slightly different sectors of the same industry now. He said, Cameron's a good kid and he is doing really well. The future's bright for him. And he said, hopefully he'll take this forward and then the world's is oyster. So there's no bad blood there at all. They were really friendly, they were getting on, they were learning from each other and I think they put the past behind them and they were both really great guys.

Mitch Mayne: Well, it must have been at least a little bit satisfying for the police officer as well to be able to see somebody that he had arrested had actually learned the lesson and gone on to use his superpowers for good. So that must have been a little satisfaction, job satisfaction, for the officer as well. So let's talk about some personal stuff here. You and I spoke a few minutes before this call and we both agreed to share a little story about what we've learned along our journey in cybersecurity. And my original question to you was, did writing this article make you more conscious of your own private data? What I really want to ask you is, tell me this story about your confidence in your ability to keep your data private and what you might tell your grandmother today.

Chris Quevatre: I think of myself as a very open minded person, but I think having written a lot of stories about, not necessarily in cyber security, but people being scammed in all sorts of ways over the years in national news. There was an element where I was thinking how do people fall for this stuff? And I'm not talking about someone getting an email from the son of a Prince in another continent somewhere, but just everyday scams. I thought, how do they fall for it? And then in July I got scammed and I think that part of my brain that said, how do they fall for it? Which was a small part, but it was definitely there as much as I would've hated to admit it, that part just immediately vanished and I felt very embarrassed, because it's so easily done. I was sat in a car park in the Isle of Sky on the west coast of Scotland on holiday, when I just quickly checked my phone before I set off, I had a text from a delivery company. I was in the process of buying quite a big piece of video kit and I had parts coming from all over the world. It said, oh, just pop your card details in here, because you need to pay a three pound import fee. So I put my details in, hit send or save or whatever it was, and it didn't come out of my bank account. And I thought it was strange because I thought, well, I've definitely put it in, it hasn't asked me for approval, but it hasn't come through. My girlfriend said, just head back onto that link they sent you and see if it links back to the original website. It did not. Once we went on that delivery company's official website, it did look slightly different all over the place. I immediately realized that I'd handed my bank details over to a stranger. Thankfully, I ordered a new bank card within 10 minutes and no harm done other than the annoying process that I think we've all been through, even when just your card expires of having to change your bank details on every single website that you use to pay stuff. But thankfully no harm done. But I realized just how easy it is to fall for this stuff. When we are so used to giving our data over multiple times a day for perfectly legitimate reasons and we do it fast as well.

Mitch Mayne: My story was, I will frankly admit it is embarrassing, Chris. So IBM is a very, very large technology company and we take data security very seriously. Every year we have an annual test that we have to go through for me in cybersecurity, it's a little more robust than it is for some people in other organizations. And we also do testing to see who is the fool in the ship, right? Send out test emails that are actually generated by IT department to find out whether or not people are actually paying attention. Well, I got an email, of course, I was on Slack and I was on a WebEx and I was texting someone and this email came in that said, Hey, you're eligible for a new laptop. And it looked very much like it came from our IT department and I thought, heck yeah, I always want a new laptop. So I clicked the button and then there was the Wa-wa and it was like, okay, the bomb exploded and you've completely breached your entire corporation, which was sent to not only my boss, but my boss's boss, who is the general manager of-

Chris Quevatre: That seems harsh. Does it automatically send to your boss and their boss?

Mitch Mayne: Yes.

Chris Quevatre: That seems really mean.

Mitch Mayne: Well, mercifully, I have a great relationship with both of them. So we, after the embarrassment was over, we did get a good laugh out of it and now I'm able to tell the story, just like you. It's like it pays to pay attention when you're actually clicking on things. Did I hover over the URL to make sure it actually was going to go where it said it was going to go? No. Did I really look at the logo to make sure that it was actually the right logo? Or did it just look close? No, I didn't do that either. So cyber criminals do bank on us being lazy, quick and distracted. I wouldn't call you lazy, but it definitely worked on my behalf. You can do it when you're distracted and it can happen to anybody. It isn't just somebody who's remarkably uninformed who is a victim. It's those of us who are informed as well. So Chris, as we close out here, I just want to make sure that everybody who is listening today has an opportunity to read the story about Jack and Cameron if they have not already done so. How do people find that?

Chris Quevatre: It's on the BBC website and it's called The Teenage Hackers Who Have Been given a Second Chance.

Mitch Mayne: A special thanks to our guest, Chris Quevatre, for his time and insight for today's episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach an IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordan Wallace with audio production by Kirin Banergy. Thanks for venturing Into The Breach.