Teens hacking into large corporations are once again in the news. This time, a group of teens in the UK have taken responsibility for a series of major hacks of big tech companies like Microsoft, Nvidia, and Okta over the last month. On Wednesday, the group, known as Lapsus$, claimed that it had absconded with 70GB of data from a health app that was partnering with Apple.
Two suspected members of the group, ages 16 and 17, are appearing before the Highbury Corner Magistrates’ Court in the UK on Friday on charges of a variety of cybercrimes connected to their alleged activities with the hacking group. UK authorities have reported arresting seven people in total, all of whom are between the ages of 16 and 21. Cybersecurity researchers believe that a 16-year-old living in his mother’s house near Oxford, England, is the mastermind of the group, though it’s unclear if he was one of the people arrested last week.
It seems like we hear some version of this story every few years or so. In 2020, a 17-year-old engineered a hack of dozens of prominent Twitter accounts belonging to the likes of Barack Obama and Elon Musk. And before that, a 16-year-old was accused of hacking the email accounts of high-level officials like then-CIA Director John Brennan.
Can teen hackers be stopped? I spoke to Marcus Hutchins, a cybersecurity researcher who was celebrated for ending the particularly destructive WannaCry ransomware attack in 2017. Shortly afterward, however, he was arrested by the FBI for hacking he’d performed years ago as a teen. The judge ultimately decided that he had “turned the corner” and gave him a sentence of time served plus a year of supervised release. Our conversation has been condensed and edited for clarity.
What was your reaction to Lapsus$’s various exploits? Do you empathize with them in any way, or could you have seen yourself doing any of this stuff as a teen?
I definitely understand how people of that age can fall into this kind of stuff. I wasn’t really surprised by anything they were doing, but it’s typical for teens to just get in with the wrong people and end up doing all kinds of crazy stuff.
What do you think attracts certain teen coders to hacking? What is the allure of it when you’re that age?
I think it’s the power, or the ability to just do things that other people can’t.
Why do you think teen hacking is a recurring issue?
There’s not really much structure if you are interested in computers below a certain age. Most of school computing is very, very basic stuff, so you can’t really find any way to hone real skills until you get to college age. That kind of gets people going and looking for their own ways to get better and learn. One of the ways that is quite attractive is hacking forums, because that’s where all the super technical coders and hackers hang out. So they usually end up finding their way onto some hacking forums.
Do you think there are ways to guide teen coders toward more productive projects?
I don’t know because there’s not really much of an outlet for it yet. Obviously, they can’t really legally work, so it’s a case of there just really isn’t much you can do at that age. There’s coding programs and that kind of stuff, but it’s all very theoretical and not as fun. I know I got very bored in IT classes. Even in the high-end IT classes, I found myself very, very bored.
How do you view the moral culpability of these hackers given that they’re minors? Do you worry that the punishments could be too severe given their ages?
The UK is known for going particularly light on underage hackers, whereas the U.S. can be a lot more ruthless. The prefrontal cortex doesn’t fully develop until early twenties. They’re really not so good with seeing consequences. Or not necessarily for seeing them, but caring. In a lot of cases, they do know what they’re doing is wrong and they do know that there’s consequences. They just, at that age, don’t particularly care.
There’s a lot of stories of teen hackers eventually giving up crime and using their skills more productively for cybersecurity. What do you think of that trajectory? Is it a net good for society?
No. It’s not a good way to get started. Obviously, there’s a lot of better ways which don’t involve doing crime in the first place. It does seem to be a somewhat common trajectory, but I think we need to focus on finding a better common trajectory.
Do you think teen hacking is going to be an issue for big companies for the foreseeable future?
It’s very hard to put an end to teen mischief without putting them in jail, and no one wants to see teens in jail, especially not myself. It’s very hard to think of any way that’s enough deterrence to stop them from doing it without just being completely overboard.
I personally can’t think of any punishment that would have stopped me at that age that wasn’t way over the top. It’s a very hard problem to solve.
So what would you say to a teen programmer who wants a better outlet for honing skills?
Some sort of mentorship program where they can get a tangible benefit from applying their skills. I think that would probably be the solution.