Teen cyber cartels: when world’s most prolific cybercriminals are minors

source:  cybernews.com  |  image: pixels.com


As the announcement of two teenagers charged in relation to the Lapsus$ extortion group broke, we began to wonder: how do youngsters join the world’s biggest cyber gangs in the first place?

“Youth of cybercrime” is a relatively new yet quickly spreading phenomenon. It’s becoming increasingly less uncommon to discover that children were behind notorious hacks. Elliott Gunton, for example, was only 16 when he breached the UK telecoms operator TalkTalk, compromising the details of hundreds of thousands of customers. Another “self-proclaimed Apple fan” from Australia (who cannot be identified for legal reasons) was 13 when he first hacked into Apple’s private networks and stole 90GB worth of data. Both of these teenagers received jail time related to various cybercrimes.

Of course, such cases are not limited to hacking into big tech corporations. Jonathan James, a 15-year-old from Florida, managed to install a backdoor in US military servers and access the source code of the International Space Station (ISS). Other kids simply use malware to pull pranks on each other without fully recognizing that it’s still illegal.

“These kids grew up in an online world, and some become proficient in programming and cyber skills well before they reach their teens,” John Gunn, CEO of Token, told Cybernews.

What attracts teenagers to cybercrime?

In many ways, teenagers find themselves as attracted to cybercrime as they are to most unknowns of the big and yet so unfamiliar world. That’s why Kent Landfield, Chief Standards and Technology Policy Strategist at Trellix, considers the boom in “youth-led cybercrime” to be a cultural issue as much as a public policy one.

“There is the challenge of hacking The Man, the excitement of potentially getting caught, the promise of prestige and even fame among their peers should they succeed. Add to this the prospect of money in their pockets, and you can see how irresistible cybercrime might be to many young people,” said Landfield.

Ray Walsh, Digital Privacy Expert at ProPrivacy, has a different perspective on teens’ motivation to commit cybercrime. In his view, it’s the pursuit of “moral justice” that drives youngsters into the realms of online criminality.

“Teens often become involved in hacking because they feel strongly about underlying social, political, economic, and environmental causes. This drives them to seek friends in the hacking community in pursuit of moral justice. When tech-savvy young people notice injustice or behaviors that they consider detrimental to society, they may seek to take power into their own hands by joining other young people who they perceive to be on a similar moral crusade.”

Walsh further explains how feelings of frustration, alienation, and the burden of problems carried over from past generations create a sort of detachment. They breed an environment in which other people can easily be dehumanized, pushing teenagers into a type of crime that might not feel as “criminal” as others.

“There is a large catalog of hacking tutorials and information available online, which creates the opportunity for young people to learn to script and download software that allows them to practice perimeter testing and network penetration. Unfortunately, the educational content available online is creating an epidemic of young people who can begin acquiring the skills needed to engage in online crimes,” Walsh explained.

Whatever it is – whether it be the thrill of forbidden experiences, a sense of political or social injustice, patriotism, or a desire for quick cash – these feelings do not seem to be unique to teenagers.

While some cyber gangs are motivated by money, others are driven by their own views of morality. As such, the infamous cyber group Anonymous, known as “digital superheroes,” has conducted high-profile cyberattacks with the aim of dispensing their own justice when law enforcement has failed to step in. The gang started on the English-language message board 4chan, where teenagers gathered to discuss politics, and eventually turned into a full-scale rebellion against what they see as abusers of power.

“Whatever the reason, it is essential to remember that teens are often vulnerable to being pulled into cybercrime. They may not fully understand the implications of their actions or the potential consequences for themselves and others. This is why it is crucial for parents, guardians, and educators to be aware of the signs that a teen may be involved in cybercrime and to provide support and guidance to help them stay on the right track,” Idrees Shafiq, SEO Analyst at AstrillVPN, told Cybernews.

How are teenage cybercriminals typically recruited?

When talking about teens in cybercrime, it’s hard to avoid mentioning the infamous Lapsus$ group, allegedly responsible for cyberattacks on OktaNvidia, and Samsung. Seven people – all between the ages of 16 and 21 – were recently captured by the UK police in connection with the Lapsus$ investigation. One of their leaders is believed to be a 16-year-old from Oxford, who lives with his mom. This leads to speculation that the extortion group is primarily comprised of youngsters – although that has never been confirmed.

But how do kids find themselves in such environments? Well, it seems like many criminal groups openly advertise their positions and do not shy away from accepting anyone capable, regardless of age.

“[They are recruited] through dark-web job boards, hacker forums, and other hidden service sites, and it is not uncommon for interested candidates to answer these ads. This all can be done anonymously, with interviews being conducted using Skype audio with Tor to scramble the connection, and real-time voice-changing apps like Voicemod,” Armond Caglar, Principal Consultant at Cybeta, told Cybernews, adding that the latter program is typically used by gamers or to make funny memes on TikTok and Twitch.

Walsh adds that young hackers may be recruited via online hacking forums, Discord groups, private messages on Reddit, anonymous forums like 4chan, gaming forums, or even while communicating with others in multiplayer games. And more often than not, finding a job in cybercrime doesn’t happen by accident – it’s a result of “individuals purposefully seeking out opportunities by hanging around in deep-web discussion and messaging boards.”

Teens who get involved in cybercrime this way tend to have a very vague idea of what the future might hold. From activities they’ll have to participate in to real-life repercussions – nothing screams “opportunity” as much as impressive earnings promised all over illegal job ads.

“A lot of these teens don’t realize they could face jail time if caught, and cyber gangs love to use teens because of the lighter sentences imposed on juvenile criminals,” Volodymyr Shchegel, VP of Engineering at Clario Tech, told Cybernews.

He adds that teens on the verge of signing up to a life of cybercrime should bear in mind the Computer Misuse Act, which states that it’s illegal to access or modify data without permission. Such an offense can potentially lead to fines, internet bans, and jail sentences of up to 10 years. He has another warning: once you start, it might be tough to stop.

“There is a danger that becoming involved in a hacking gang will lead to ongoing pressure to engage in cybercrime, which could lead to anguish, fear, and potentially even mental-health issues.”

Protecting teens: change the policy and upgrade your defenses

It’s hard to overstate the harm kids can bring upon themselves by engaging in cybercrime. According to a DQ Institute survey of 63% of the global population in 2020, six in 10 children aged 8-12 have already been exposed to various cyber risks. In the US alone, 95% of children aged three and upwards have internet access, providing potential criminal recruiters with a virtual breeding ground.

“The government should work closely with schools and the education system to help inform young people and their parental guardians about the potential consequences and implications of becoming involved with cybercriminal gangs,” said Walsh. “It is vital that the government works harder to educate children about the consequences and repercussions of cybercrime, and that they understand how a permanent criminal record can affect future career prospects and the ability to travel overseas.”

Caglar echoes him, saying that the government needs to do more to communicate: cybercrime is as much of a crime as any other and will be treated accordingly.

“The government can protect those who might be disproportionately inclined to commit a crime by increasing the perception that criminals – regardless of age – will be caught and punished.”

Education is also extremely important since many teenagers do not realize what even constitutes cybercrime. Some might believe they are doing a good deed – for example, seven-year-old Betsy Davies showed how one could crack into somebody’s laptop using insecure local internet networks, which led to YouTube taking down over ten thousand similar videos.

With the lines between ethical and unethical hacking so blurred, it can be all too easy to stumble into a life of cybercrime, especially given that teenagers do not always understand that what they are doing is illegal.

“They may think selling a modified version of a game or hosting a stream of a sporting event is normal practice and even legal, for instance, and won’t be well versed in copyright law,” said Aaron Drapkin, Senior Writer at Tech.co. “They may not fully understand the ramifications of creating a fake identity, particularly if they use a pseudonym on social media and game under aliases.”

He added: “It’s hard enough to work out the right thing to do when you’re young in the real world, and these are just two examples that illustrate how judgments can become easily clouded in online spaces.”

But it’s not just a governmental issue: Walsh stresses that corporations must do everything in their power to make themselves a hard target.

“Improperly secured networks and data repositories sitting around in plain text without necessary protection make it too easy for young people to steal sensitive business or consumer data that can be ransomed or sold on the dark web,” he said. “It is vital that organizations do not provide conditions in which they are a training ground for children to stumble on useful data that they can steal.”

And, of course, teens need to be reminded that their exceptional hacking and IT skills can be used legally and might even pave their way to lucrative professions in the future. They can join communities where they will belong – without having to worry about accidentally harming someone or getting caught.

“Teenagers who have cyber skills should be encouraged to begin studying for accreditation or qualifications, to seek out apprenticeships, and to take part in competitions like CyberLand and CyberCenturion hosted by Cyber Security Challenge UK – or similar cyber challenges hosted by [British intelligence organization] GCHQ,” said Walsh.