In March last year a gang of teenagers dressed in black and carrying weapons travelled from London to the Suffolk village of Bawdsey, broke into a house, intimidated the people inside and stole watches and a computer.
Their target was a hacker in the Community, or Com, a loose collection of mostly young men from Britain and America who perpetrate a range of cybercrimes, such as ransomware and online sexual exploitation. A feud in the Com had spread from their online world into the physical. The teenagers were arrested in a neighbouring village and the whole enterprise was played out on the Telegram messaging platform and reported by the 404 Media website.
There is a thread that connects the Com to the recent hacking attacks on Marks & Spencer and the Co-op: both are thought to have been carried out by a hacking collective called Scattered Spider, which evolved in the Community.
The M&S hack laid bare the scale of the threat from hackers. The retailer estimates that it will lose £300 million as a result. Despite this, GCHQ’s cyber chief, Richard Horne, recently expressed his frustration that organisations are not heeding advice from the National Cyber Security Centre on how to protect themselves.
An alleged Scattered Spider ringleader, Tyler Buchanan, 23, from Dundee, was extradited to the US last month where he is accused of hacking into dozens of companies. He was arrested in Spain after fleeing Scotland because he too fell foul of the type of intimidation carried out in Bawdsey by a rival gang who hired thugs to invade his home, assault his mother and threaten to burn him with a blowtorch.
Experts believe that the nature of young hackers has changed since the early to mid-2000s when groups such as Anonymous and its offshoot LulzSec would target corporations, governments and institutions to promote free speech and expose security flaws for the kicks (or “lulz”, internet slang for fun). It has a much darker side now, fuelled by cryptocurrency. The biggest change is that almost anyone can be a hacker now, not just the computer-literate.
“It’s a different on-ramp for hackers now compared to 20 years ago,” Professor Thomas Holt, the director of the Center for Cybercrime Investigation and Training at Michigan State University, said.
The first step on the hacking ladder for the so-called “script kiddie” (a novice hacker with little experience of writing software) is often to use the freely available “booster” and “stressor” tools needed to take down a website or service by bombarding it with traffic. From there they move on to the “malicious economic side”, Holt adds.
Julia Davidson, a professor of criminal justice and cybercrime at the University of East London who has researched how young people become hackers, said of one interviewee: “We asked him how he learned how to hack. And he said: ‘Well, actually, it’s just all out there on the open web. It used to be on the dark web, it used to be much more difficult to access … but now it’s just all out there on the open web’.”
The FBI and US justice department gave some insight into some hackers’ lifestyles last week after charging 12 people connected to the Com with stealing more than $263 million (£198 million) in cryptocurrency. The men, who are mostly between 19 and 22, are accused of using the money to fund lavish lifestyles, spending $4 million at nightclubs and $9 million on exotic cars. They would sometimes spend $500,000 in one visit to a nightclub, the indictment alleges.
Luxury watches were bought for between $100,000 and $500,000 and homes were rented in upmarket areas of Los Angeles, the Hamptons and Miami, which they would shuttle between on private jets, it is claimed. The group hired a team of security guards and acquired at least 28 cars: Rolls-Royces, Lamborghinis, Ferraris, Porsches, BMWs, a McLaren GT and a Pagani Huayra.
Even after one of them was arrested, another member of the gang would buy luxury handbags worth more than $10,000 and fly them to his girlfriend in Miami, the indictment says. The only member of the group aged over 22 was Kunal Mehta, 45, whose nickname was Papa.
Helen Rance, the deputy director of the National Crime Agency, Britain’s equivalent of the FBI, said: “We are seeing a significant rise in teenage boys joining online communities that only exist to engage in criminality and cause harm.
“These communities commit a range of criminality, from cybercrimes and cyber-enabled fraud and grooming and coercing victims to physically harm or sexually abuse themselves.
They work across international borders and multiple online channels, from messaging apps and forums to gaming platforms, to conduct their crimes.
“While many offenders do not seek out this content in the beginning, they are brought together by shared skills and interests and then find themselves collaborating or competing to commit criminal activity, and gaining kudos from their networks for who can inflict the most damage.”
One of the more notorious members of the Com to emerge from the UK is Arion Kurtaj, from Oxford. Diagnosed with autism as a boy, he started his online criminal career aged 11 and became a hacker in his teens, targeting, among others, Nvidia, Microsoft, Samsung and BT. He caused millions of dollars in damage through data breaches, SIM swapping and extortion.
In September 2022, after his arrest and while on bail, he was placed in a Travelodge by police with his mother for their safety after he was threatened by rival hackers and his home was attacked. Despite being banned from the internet he managed to commit his most serious hacks from the hotel room through an Amazon Firestick plugged into the TV, which was connected to a keyboard, mouse and iPhone.
He hacked into Rockstar Games and stole and leaked unreleased video clips and source code for the highly anticipated Grand Theft Auto VI game. He also hacked into Uber.
He was deemed unfit to stand trial for criminal intent because of his autism, but a jury found that he had committed the hacks and in December 2023 he was sentenced to an indefinite hospital order, meaning he will only be released when deemed to not be a threat to the public.
Alongside the rise of the Com has been the demise of some of the biggest ransomware hacking groups such as LockBit and BlackCat/ALPHV at the hands of law enforcement.
This has left the hacking market “fractured and uncertain”, according to a recent report by the ransomware recovery company Coveware, which identifies “unaffiliated, lone operator extortionists” as one of three main players left.
The rate of companies paying ransoms has also been falling for years, according to Coveware, down to 27 per cent in the first quarter of this year from a high of 85 per cent in 2019, as victims become better at rebuilding their systems and less trustful of the hackers.
Parents should be keeping an eye out for tell-tale signs their children could be getting lured into cyber-crime, Holt said.
“Getting parents more aware [that] ‘my child is not just online frequently, but also, for some reason, they have a Bitcoin wallet they never had that before’. Or the same would be true for Discord or for Telegram — if they don’t have a particular reason to be on those services, why would your youth need a Signal account or a Telegram account? Who is it that they might be communicating with?”