The bad guys don't always get away with it.
Unlike the other hackers in our list, Kevin Mitnick wasn't really motivated by profit.
Crime, they say, doesn’t pay. Yet every year, billions of pounds are lost to cyber criminals, and the chances of recovering anything are often slim. So, it would seem, crime does, in fact, pay quite a lot of money, quite a lot of the time, which is no doubt why so many people are engaged in it.
But that doesn’t mean the authorities are completely powerless. Identifying and capturing cyber criminals is often difficult and time consuming, but it happens all the time - with 2017 being a particularly good year for law enforcement, according to the 2018 SonicWall Threat Report.
To celebrate their successes, we’ve put together a list of notorious cyber criminals, who were caught and prosecuted.
Who: Arguably the most famous cyber criminal of all time, Kevin Mitnick, unlike many black hat hackers, wasn’t motivated by profit. Instead, he committed multiple computer and communications crimes just for the sheer hell of it. From the tender of age of 12, he learned the power of social engineering, convincing a bus driver to tell him where to buy the special punch that was used to mark transfers, and then using it to mark blank transfers he dug out of station bins – thereby getting free bus travel all over Los Angeles. He also used social engineering and phone phreaking to explore the phone networks of the day, getting free long-distance calls and access to secret information.
What he did: The social engineering and phone phreaking were just the start of things to come for Mitnick. It was when he started gaining unauthorised access to computer networks that he really got into trouble. In 1989, he was sentenced to a year in prison, followed by three years’ probation, for hacking into computers at Digital Equipment Corp. and stealing $1 million of software. While on release, he hacked into voicemail computers at Pacific Bell, and an arrest warrant was issued. But rather than go quietly, Mitnick went on the run for two and a half years, before eventually being arrested in 1995. Yet it wasn’t until 1999 that he pleaded guilty to wire fraud, possession of unauthorised devices and unauthorised access to a federal computer, among other things.
Length of sentence: 46 months, plus another 22 months for violating his 1989 parole. He served a total of five years in prison – four and a half of which were served pre-trial. He also spent eight months in solitary confinement, because law enforcement officials convinced a judge that Mitnick could launch nuclear missiles by whistling down the phone.
Where is he now?: After being released in 2000, Mitnick was banned from using computers and other communications technology, but he appealed against that and won. Today, he’s turned legit and makes a living as a cyber security expert, as head of Mitnick Security Consulting LLC. He also, controversially, started selling security exploits.
Who: A Canadian schoolboy from Île Bizard, Quebec, who went by the handle MafiaBoy.
What he did: In February 2000, Calce launched several high-profile denial-of-service attacks against companies like Yahoo, Amazon, Dell, eBay and CNN. He began by targeting Yahoo, under a project he called Rivolta (Italian for ‘riot’), before turning to other firms, bringing each of their websites to their knees. It was later reported that these attacks caused a total of around CAD$1.2 billion.
Length of sentence: Because he was only 15 at the time of the offence, Calce got off relatively lightly. The Montreal Youth Court sentenced him to eight months of ‘open custody’, a year of probation, restrictions on his internet use and a small fine.
Where is he now?: Calce wrote a book, called Mafiaboy: How I Cracked the Internet and Why It's Still Broken, which was published in 2008. He also set up his own company, Optimal Secure, which tests other firms’ cyber security measures, and has worked with HP on a security-related documentary.
Who: Max Ray Butler grew up in Idaho, USA, and was known online as Iceman. Growing up, Max was expelled from school, arrested for burglary, and convicted of assault. He would later change his name to Max Ray Vision, while living in a rented mansion with a group of other computer enthusiasts.
What he did: Butler was convicted multiple times for crimes spanning several years. As well as his previous scrapes with the law, he hacked US government websites in 1998, and was sentenced to 18 months in prison in 2001. After being released in 2003, he went back to crime, using WiFi to commit attacks, programming malware and stealing credit card information. In 2007, he was arrested and eventually pleaded guilty to wire fraud, stealing millions of credit card numbers and around $86 million of fraudulent purchases.
Length of sentence: Considering the nature of his crimes and his history, it’s perhaps no surprise Butler was given a much more hefty sentence this time. In fact, at the time it was the longest ever sentence handed out for hacking in the US: 13 years.
Where is he now?: According to the Federal Bureau of Prisons website, Max was released from the Federal Detention Center, Victorville, on 17th April 2019. In 2018, there were reports that he had returned to old tricks while behind bars, but nothing more has been reported about his current whereabouts or activities.
Who: Hailing from Miami, USA, Gonzalez had various screen names, including cumbajohny, soupnazi and segvec. When he was just 14, he hacked into NASA and was duly visited at school by the FBI.
What he did: Like Max Butler, Gonzalez had a long history of trouble with the law. In 2003, he was arrested for being part of ShadowCrew, a group that stole and then sold card numbers online. Proving there really is no honour among thieves, he did what all good hackers do in this situation – he turned grass, working with the authorities in exchange for his freedom.
But this was just the beginning. From around 2006, Gonzalez was involved in a string of hacking crimes, once again stealing credit and debit card details. Before his arrest in 2008, he managed to steal millions of dollars, which he used to pay for lavish parties and hotels. Among the companies targeted were TJX, Heartland Payment Systems and Citibank.
Length of sentence: He was eventually indicted on charges in several different cases, in Boston, New York, Massachusetts and New Jersey. As part of a plea deal, his sentences in all these cases were allowed to run concurrently, but he still got 20 years – beating the previous record set by Max Butler.
Where is he now?: Gonzalez is serving his time at FMC Lexington, Kentucky. He’s due for release in 2025.
Who: The son of Russian Parliament member Valery Seleznev, his hacker handles included nCux and Track2.
What he did: Between 2009 and 2013, Seleznev hacked into more than 500 businesses and 3,700 financial institutions in the US and stole card details, which he would then sell online. Doing this, he is said to have made tens of millions of dollars. Many of the businesses affected were small firms, and in at least one case, this led to their bankruptcy.
Eventually, the law caught up with Seleznev. US Secret Service agents picked him up in the Maldives, as he headed back to Russia from a holiday with his girlfriend. His father has since gone on to claim Roman was kidnapped by the US.
Roman Selezy was convicted for 38 charges, including hacking and wire fraud.
Length of sentence: They really pushed the boat out for this one. In April 2017, a judge gave poor Roman 27 years in the slammer. And to compound his misery just that bit more, in December 2017, he was given another 14 years for a separate case (to be served concurrently).
Where is he now?: Roman currently resides in the Federal Correctional Complex in Butner, North Carolina, USA. His release date is set as 2038, which would make him 53 by the time he gets out.
How would your security stand up to cyber criminals like these? Call us on 0333 900 9050 to find out about TMB's range of cyber security services and products - including firewalls, email filtering and phishing simulations.