"And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. ‘This is it... this is where I belong…’"
– “The Conscience of a Hacker" by The Mentor, written shortly after his arrest in 1986
Let’s picture a filmmaker working on her next feature film. One of the main characters is a cybercriminal and they don’t want to go with the stereotype: the shadowy figure in a hoodie, hunched over a keyboard, surrounded by glowing strings of green code... yep, you know that trope—it worked fine for a while. But in the ever-changing world of cybercrime, it seems outdated now. They want the actor to come across as a hacker while at the same time avoiding any clichés.
In 2013, I had the opportunity of working with Keiichi Matsuda on the sci-fi film Hyper-Reality, and one of the characters was a hacker. Her job was to steal people's digital identities by hacking into their accounts, impersonating customer service, and asking them to walk towards a specific location where she'd intercept them and take their biometric samples by force. We ended up using something similar to Philip K. Dick's scramble suit, but instead of displaying a million separate identities, her entire body had a mirror-like material reflecting the extended reality she lived in.
I don't remember us discussing it at the time, but in hindsight, the mirror overlay was communicating something relevant about today's cybercrime: the perpetrator could be anyone around you.
Question everything, trust no one
Let's say a coworker, a friend, or a family member reaches out to you via email, Facebook, or WhatsApp, asking for help.
You think it's unusual that out of the blue they're requesting a bank transfer, but there's a sense of urgency in their message, and the last thing you want is to delay any help you can provide. So you brush off any doubts and transfer the money. Next time you talk with them, you realize they didn't get in touch with you at all. They never asked you for money. You were scammed.
Cybercriminals scrape the social media profiles of your contacts and use the personal information people make publicly available—email addresses, places of interest, personal posts—to learn how to play their roles. The more they know about them, the better they can deceive you.
In a practice called social engineering, attackers accomplish their malicious activities through the oldest interface of all: human conversation. By gathering data and using psychological manipulation, the face of cybercrime is no longer an obscured figure: it shapeshifts into the people you trust.
Hackers were not criminals
Let’s go back in history to the 1960s MIT. Decades before the association with threat actors using computers for malicious activities, the term hacker had an intellectual overtone. Members of the Tech Model Railroad Club, a group of young MIT engineers with a passion for model railroads, used a PDP-1 computer to modify the model’s switching systems and make it more efficient. They were pushing that computer to its limits and along the way not only invented programming tools but most of the slang vocabulary and subversive sense of humor of the hacker culture we recognize today.
Their definition of a hack was:
“a project undertaken or a product built not solely to fulfill some constructive goal, but with some wild pleasure taken in mere involvement.”
Little did they know at the time that they were inadvertently laying the groundwork for cybercrime.
In the 1970s, the first demonstration of a computer virus was created. Under the name “Creeper”, this proto-virus was designed as a security test to move through Tenex terminals on the ARPANET (the computer network that evolved into what we know as the internet), displaying the message:
“I’m the Creeper: Catch me if you can”.
At the time, computers were the exclusive domain of government agencies and big corporations, but the telephone system, available at anyone's fingertips, became the experimentation playground of a new breed of hackers.
Cereal box toy whistles were blown into phones at a tone of 2600 hertz to emulate AT&T switching signals and gain operator mode access. Blue box devices came after that, built with cheap electronics to produce tones that made free long-distance calls possible.
An article in Esquire magazine about the so-called “phreaking” scene introduced the concept to a mass audience, capturing the interest of people like Steve Wozniak and Steve Jobs, who collaborated on manufacturing and selling blue boxes before they went on to found Apple Computer.
As computer use drastically increased in the 1980s with the introduction of IBM Personal Computer and dial-up modems became portals into underground e-zines hosted in bulletin board systems with a variety of forbidden knowledge including how to break into computer systems, the hacker community gained visibility in the public eye.
Groups with flamboyant names such as Legion of Doom, the Masters of Deception, and Neon Knights appeared on the scene. Popular culture further added to the “hackers are dangerous” narrative with the release of the film WarGames (1983), about a teenage hacker who breaks into a military system by mistake nearly causing World War III. The film led the US Congress to adopt the Computer Fraud and Abuse Act (1986), a cybersecurity bill with criminal penalties that changed the hacking game forever: breaking into computers was now something you could be jailed for.
The rise of monetized hacking
“What will computer crime look like in ten years? [...] It’ll be like it is now, only worse [...] Still there in the background, ticking along, changing with the times: the criminal underworld. It’ll be like drugs are.”
– The Hacker Crackdown: Law and Disorder on the Electronic Frontier, Bruce Sterling (1992)
With the increasing popularity of the internet in the 1990s, companies began to charge users for products and services, paving the way for criminal activity. Credit card theft and pirated software were a concern for authorities that already had their hands full prosecuting hackers. Even though a series of raids led by the US Secret Service called Operation Sundevil was completed in 1990, new collectives such as L0pht Heavy Industries, the Cult of the Dead Cow, and the Chaos Computer Club emerged.
Kevin Mitnick became one of the most famous hackers in the world—one that inspired films and documentaries—even before he was convicted of breaking into computer networks and stealing proprietary code. After serving his 5-year sentence, he became a cybersecurity consultant, a career move that became commonplace in the hacker community. It’s well known that in 1998 members of L0pht Heavy Industries, transitioning from an underground organization into a computer security company, testified to the US Congress that they could take down the internet in 30 minutes.
But some of the ones who didn’t join the “white hat” side of hacking were persuaded to join international crime rings. And although others were moved by political reasons, recognition within the community, or an act of protest, financial gain was one of the most common motivations.
In the aughts, the advent of e-commerce and social networking sites sprung most of the attack vectors we know today: phishing, identity theft, cyberstalking, ransomware, pharming, etc. Far from being driven by curiosity or intellectual challenges, modern cyberattacks are part of a trillion-dollar industry with very little likelihood of detection and prosecution. By some estimates, if it were measured as a country, cybercrime would be the world’s third-largest economy after the U.S. and China.
Cybercrime is bigger than the drug trade
This affirmation has abundantly appeared in reports and papers and proclaimed in cybersecurity conferences around the world since 2005. What’s not often considered is that cybercriminals and drug criminals are now working together, tricking their victims through deception tactics leveraged by technology platforms, making it harder to differentiate between the two types of crime.
Modern drug trade attacks use catfishing, a social engineering method where attackers create fake social media identities, to insert themselves into people’s social circles and dupe them into consuming what apparently are opioids (Adderall, Oxycodone, and Xanax) but in reality are Fentanyl, a synthetic drug that'll get them killed or addicted for life.
Here’s how similar Fentanyl and Oxycodone look:
Supply chain attacks employ similar tactics. Cybercriminals often use the social engineering method of typosquatting to trick developers who inadvertently mistype the name of a legit package to get them to install an analogous but tainted package.
Here’s a malicious package we discovered recently with a similar name to the legit package, aiming at getting developers to install ransomware:
As the technology industry keeps growing and competitive advantage forces organizations to reduce time-to-market and speed up development times, build environments are often left unsecured and vulnerable to supply chain attacks.
The face under the hoodie is not a lonely hacker anymore. It’s a mirror, reflecting the people close to you. And there’s something else underneath their skin: a permutation of all the shadowy faces that make up the global cybercrime industry.
Faces that are always changing, unrecognizable, and unpredictable, but with the right precautions, you can identify their malicious intent, keep them away from your build environment, and be ahead of the game.