The Year of the Teenage Hacker

The year 2020 was full of high-profile cyberattacks launched by criminal gangs and state-sponsored hackers. But dozens of headline-grabbing cybersecurity incidents and arrests this year involved teenagers—some of whom haven’t even graduated high school yet.

As the coronavirus pandemic forced schools across the country to adopt distance learning programs and change the way they operate, some students—likely pent up at home with a lot of time and little to do that doesn’t involve a Wi-Fi connection—seem to have used it as an opportunity to hone their hacking skills. Many of them used their classrooms—both physical and virtual ones—as a testing ground, invading online lessons and launching attacks that disabled school networks.

A review of court documents and Justice Department filings this year suggests that their attacks ran the gamut from school-focused stunts to serious money-making enterprises. They included distributed denial-of-service attacks and Zoom-bombing incidents meant to disrupt classes, cryptocurrency scams, extortion schemes, and digital theft of indecent images. The most notable incident, however, was the Twitter hack in July, in which a 17-year-old allegedly compromised the accounts of some of the most famous people on the social media network, including Bill Gates, Kanye West, Elon Musk, and Barack Obama.

Graham Ivan Clark, the alleged mastermind behind the incident that has since been dubbed one of the biggest hacks of the year, was able to steal an employee’s credentials and access the social media site’s customer service portal. He was aided by a British 19-year-old and a 22-year-old from Orlando, who were also charged.

“The hackers are alleged to have created a scam bitcoin account, to have hacked into Twitter VIP accounts, to have sent solicitations from the Twitter VIP accounts with a false promise to double any bitcoin deposits made to the scam account, and then to have stolen the bitcoin that victims deposited into the scam account,” according to a Justice Department filing. “As alleged in the complaints, the scam bitcoin account received more than 400 transfers worth more than $100,000.”

Of course, teenagers have been getting into trouble on the internet since its inception. But a notable difference is that the recent incidents have in some cases caused huge amounts of damage and resulted in lengthy prison terms and six-figure fines.

“There’s a long tradition of teenagers being hackers, but now it’s much more serious,” said Allan Liska, a ransomware specialist at Recorded Future.

In January, for example, an 18-year-old living in Montreal was charged in connection with a SIM-swapping scam that netted $50 million in stolen cryptocurrency from U.S. accounts. SIM swapping involves tricking a wireless carrier into switching a SIM card linked with a victim’s phone number and replacing it with one in a fraudster’s possession. Once the phone number has been assigned to a new card, the fraudster can receive a victim’s incoming calls and text messages, including two-factor authentication codes linked to cryptocurrency exchanges.

Just one month earlier, a Brooklyn teenager was charged in a similar scheme that siphoned more than $1 million in cryptocurrency from dozens of victims.

The schooling changes prompted by the coronavirus outbreak has also made it easier for student hackers to cause big disruptions. Many schools around the country have been operating in a state of flux over the last several months, with IT administrators juggling new online learning programs while trying to maintain the infrastructure of traditional classroom environments. Dozens of schools and districts have had to temporarily shut down due to cyberattacks—some of which have been carried out by students themselves.

In September, a 16-year-old student was arrested for orchestrating eight distributed denial-of-service attacks against the Miami-Dade County’s public school network. The attacks caused widespread disruptions that lasted for days, stifling the school system’s first day of virtual learning. DDoS attacks, as they’re often abbreviated, work by flooding a target with junk traffic, overwhelming the network and making it unreachable. The student was charged with computer use in an attempt to defraud, a felony, and interference with an educational institution, a misdemeanor, The New York Times reported.

In a less sophisticated type of attack, students across the country have become familiar this year with the phenomenon known as Zoom-bombing, in which an outsider hijacks a video conference often by taking advantage of lax security settings. Although the attack can be as simple as entering a meeting that isn’t password protected, authorities say they take such incidents seriously. In April, a Connecticut teenager was arrested and charged with computer crimes for carrying out such a disruption on a high school online class.

A number of other high-profile cases that involved teenage hackers came to a close this year, though the incidents were carried out several years ago. Ryan Hernandez, a California man who is now 21-years-old, was sentenced to three years in prison earlier this month for breaking into Nintendo’s servers and stealing confidential files between 2016 and 2019. Also this month, federal prosecutors announced that an individual pleaded guilty in connection with the Mirai botnet DDoS attack in 2016 that caused widespread outages at major streaming and social media sites. The individual’s name is being withheld because they were a juvenile at the time of the offense, prosecutors said.

And it’s not just U.S. teenagers who have been getting in trouble for their hacking escapades. In September, the Justice Department indicted a 19-year-old Iranian with a history of selling stolen credit card details for allegedly defacing U.S. websites with messages including “Down with America,” CyberScoop reported.

One explanation for why so many teenage hackers have been in the news this year is that they’re not very good at covering their tracks. More experienced cybercriminals are able to walk away without getting caught—and sometimes without the victim even knowing that they’ve been attacked. But the teenage hackers who orchestrated heists and disruptions were all sloppy enough to garner the attention of law enforcement and have the incidents traced back to themselves.

For example, although the Twitter hack was one of the most brazen attacks this year, targeting high-profile accounts at a highly protected technology firm, law enforcement officials were quick to point out that it didn’t take long to catch the young hackers behind it.

“While investigations into cyber breaches can sometimes take years, our investigators were able to bring these hackers into custody in a matter of weeks.” said San Francisco FBI Special Agent in Charge John F. Bennett.