Teenage hackers pose an increasingly serious threat to organisations around the world, as they cross traditional lines in their behaviour, and they are motivated by chaos and a desire for infamy as much as they are driven by money.
This is according to Joe Tidy, dedicated cyber correspondent at the BBC and author of ‘Ctrl+Alt+Chaos’, speaking on opening day of the ITWeb Security Summit this week.
Tidy outlined his research into teenage hackers, saying young hackers come from a range of backgrounds, but are typically all gamers who later devolve into cyber criminals.
Nobody wants to admit they were hacked by a kid.
Joe Tidy
Also dubbed NPTs (new persistent threats), or APTeens, teenage hackers are increasingly collaborating in collectives such as ‘Muddled Libra’ or ‘Scattered Spider’ – an international syndicate of teens and young adults who gained notoriety for attacking major targets including Caesars Entertainment, MGM Resorts, Harrods, Co-op, and Marks & Spencer.
While teen hackers have been active for some years, the threat of NPTs has not been widely acknowledged until fairly recently, he said. “Nobody wants to admit they were hacked by a kid,” he noted. “In the years since Covid, their ethos appears to have changed, and they have started feeling invincible and crossing lines.”
“NPTs tend to be scattered and come together on an ad hoc basis,” Tidy said. “They apparently feel powerful, and some of their messaging suggests they are having a laugh at the impacts of their actions.”
“They don’t follow the normal ‘rules’ of cyber crime,” he said, citing examples of 17-year-old hackers who hacked the Kido nursery school chain in London and posted photos and personal details of children on the dark web.
Notorious cyber criminal Julius Kivimäki, who started hacking at just 13 years old, hacked Finland’s largest psychotherapy company, Vastaamo, in 2020 under the name ransom_man. He exposed confidential patient data and later contacted patients directly, threatening to expose transcripts of their therapy sessions. He was sentenced to six years in jail in 2024.
“I think the Vastaamo attack may be the cruellest cyber attack in cyber history,” Tidy said. “At least 33 000 people were impacted, and one lawyer alleged that at least two people killed themselves as a result of this hack.”
“Behind every such hack, there’s a security team on their knees, distraught victims, a company facing an existential crisis about whether to pay the ransom or not, and a kid who’s fallen down a hole and is fast becoming a cyber criminal,” Tidy said.
Share
