He says he hacks for justice, taking down websites of Nazi sympathizers and bigots. But he may also help hackers steal your credit card information. He’ll sell hacking tools on the dark web to just about anyone — except the government. He says he’s hacked into thousands of companies but draws the line at hacking his girlfriend.
In the hacking community, there are people who use their skills for good. They’re called White Hat hackers. Then there are those who use their hacking skills illegally, selling tools allow that hackers to bypass antivirus software and steal valuable data. They’re called Black Hat hackers.
CNN was connected to this “Gray Hat” hacker through a respected security consultant. Much of his work is illegal and is sparked by his own code of ethics.
CNNMoney: Would you consider yourself a hacktivist?
Hacker: It’s more or less that I see things and then I take action against them. When I see something on the news or something happening around me, I take it into my own hands to try and help them as much as possible.
Can you give me an example?
[There] was a very large Nazi forum that was all about white power, getting groups together to basically do horrible things. We [found] a vulnerability [and] used it to compromise the whole account, find out where they were holding the meetings, to do simple things like call cops on the meetings — trying to cause as much disruption and chaos as possible.
What makes you want to hack?
I read a lot of philosophy. One of my favorites is Albert Camus, and the way that he talks about the power of the people and the will of the land, rather than just being overly powerful and being able to take control of people. I believe that everyone can do something. I had a particular skill set, and I was able to use it to help people.
How do you make money?
I worked as a security researcher for a long time. Nowadays, really I just sell exploits. I sell different types of code based on whatever request I get.
Do you ever know what these people are using the exploits for?
No, not really. The only thing that I don’t ever want to do is sell to government. Outside of that, I don’t really ask questions about what they do with it. It’s really the only way that I can end up making income for a while.
Your nonnegotiable is the government?
Right. While one person can use an exploit to steal credit cards, [the government] could use it to infiltrate a political group and completely take them down and arrest them.
How much do you think you’ve made selling some of these tools?
Usually, it’s just $1,000 for a one-day [job], just so they can bypass current security products. For anything that’s [new], that might be $40,000. That’s on the low end of the spectrum, considering if you did sell it to government, they’d be giving you about $200,000 for the same type of bug.
Does it ever keep you awake at night thinking, “What if I did the wrong thing? What if I sold [hacking tools] to a pedophile?”
Yeah. Unfortunately, I can’t get a normal job. I can’t get a normal income. That was my choice: sell something to someone that I don’t know, or not have food and a place to eat.
What’s it like when you have access to something that you shouldn’t?
First couple of times, it’s very adrenaline filled. [Then] you start doing companies and you start doing servers, there’s much more of a thrill, much more of adrenaline.
Nowadays, it’s like, “yes you did it,” and then that’s really where the work starts, because getting in, getting through the perimeter, is just half the battle. Traveling to other computers, being able to plant malware that’ll go under the radar of any kind of security product that they have — that’s where the real game starts.
How many companies would you say you’ve breached?
Probably tens of thousands. Sometimes when you compromise something, you have access to a lot of other things in that same IP address space. You might have gained access to one thing, and a thousand other companies are available in the same address space.
Are you ever afraid you could go to jail?
Absolutely. Eventually, everyone will have to pay for what they’ve done. While you’re doing it, you know you’re helping people. To say that I’m afraid of what’ll happen to me … I don’t really think it’s good to worry about that.
What are you fighting for?
I like having access to all kinds of information. For example, there are a lot of paywalls for really interesting articles out there. If you don’t have the money or you don’t have a college ID to get through, then you don’t have access to that new information, which could be something really interesting.
Are you a good hacker or a bad hacker?
I would like to think I was a good one. It’s all based on your perception, I guess.