How Criminal Hackers Turn Legit
Three former cybercriminals talk about making money, going to jail, and staying on the straight and narrow.
Image: Hugh Manon/Flickr
Cal Leeming is exhausted. Black crescent moons underscore his reddened eyeballs as he slumps in front of a screen to talk over Skype. “I was up til around 3 AM coding ... I feel pretty fucked.”
In a past life, Leeming’s late nights were filled with a more nefarious activity: Pilfering credit card data, which he used to buy electronics that he later sold on eBay. According to news reports on court hearings brought against him in 2006, Leeming stored over £100,000 ($160,000) from his ill-gotten eBay sales in his girlfriend’s bank account. He was caught in 2005 after having bought £750,000 ($1.2 million) worth of goods with over 10,000 stolen identities, and handed a 15-month jail sentence. After serving his time, he gave up criminal hacking and defected to the other side of digital crime, helping companies with their cybersecurity and developing some of his own projects.
Curious how and why hackers made the transition from black hat to white hat, I had decided to track down a few people who had made headlines with their cybercrime pasts to ask. Leeming seemed like a good person to start with.
I first met him back in 2012, when he was well into his new white hat career as a programmer, consultant, and a co-founder of several startups. HP had invited him to speak during a dinner on the HMS Belfast museum ship in London, which would have been a far drier event without his presence. He was amiable, erudite, verbose—all traits an interviewer expects from interviewees at a vendor-hosted meeting.
But his life wasn't always such a glossy affair. In later conversations with him over Skype and email, and with his investigating officer from the mid-2000s, I learn he had an unpleasant upbringing: an absent father, and a mother with various disruptive boyfriends who often put drugs before her son. “I think my mum choosing to buy drugs instead of buying food was a tough one. We got into a fight over that on several occasions,” he said.
Former hacker Cal Leeming. Image: Cal Leeming
As he tells it, this contributed in part to his involvement in carding (the online trade of credit card details), which he became aware of after meeting people already involved in the illicit activity in IRC chat rooms.
“I actually used to buy shopping from Tesco and ASDA with stolen cards,” he says. “Imagine this scenario: you're a 13-year-old kid, there's no food in the house, your mum is ill because she needs drugs, no one is there to help you or guide you morally. A few taps on a keyboard and all your problems go away. What would you do?”
He was also into class-A drugs himself. Before being sent to prison at 19, he’d been caught in possession of heroin and cocaine as a juvenile. He tells me he was smoking crack by the age of 13, a year in which he was convicted of three hacking offences for attempts to secure unauthorized access to a computer to get at card data.
“Cal had a horrid childhood. Some of the things he witnessed you wouldn’t wish on your worst enemies as a child,” says Clive Read, the investigating officer who looked into Leeming’s case. He took a shine to the young hacker, and helped support his transition into legitimate computer work.
It wouldn’t have been difficult for Leeming to regress into a life of digital crime, at which he was adept and could earn a decent living, after his relatively brief stint in prison. But when he got out, he was searching for more stability, away from a chaotic childhood, and toward more solid ground after years in the messy seas of criminality.
He worked on a range of security consultancy gigs before settling on building things of his own. In the past few years he’s set up a couple of businesses, his most recent being VoiceFlare, which is creating a VoIP application to rival Skype. The other, Simplicity Media, is an IT support firm.***
But hackers don’t always come from troubled homes, and their reasons for going legitimate aren’t necessarily the same.
Whilst Leeming’s childhood was hugely disruptive, Jake Davis, formerly known as Topiary of the hacktivist collective LulzSec, lived a quiet life on the Shetland Islands, an archipelago just off Scotland. It was so quiet, in fact, that it drove him to hacking and knocking websites offline after he helped set up the crew in bored conversations over IRC.
Former Lulzsec hacker Jake Davis (Topiary). Image: Jake Davis
“My past involvement with Anonymous/LulzSec boils down to idle hands being the trolls' playthings. Shetland combined blinding beauty with blinding boredom. Without the resources available to leave the islands, it becomes a sort of Wicker Man situation,” he said over email. “Many young people get sucked into the internet at an unhealthy level, and living remotely greatly amplifies the chances of that happening.”
As part of LulzSec, Davis played his part in taking down major sites belonging to the likes of Sony Pictures, the CIA, and the British Serious Organised Crime Agency in 2011, and received a two-year jail sentence for his trouble. Yet now he’s had a taste of the destructive life, he too has chosen to concentrate on more constructive endeavours—ones that won’t bore him but won’t land him in prison again either.
Even when he was inside, his priorities began to change. “During my short period behind bars I just spent my time helping other inmates read and write, especially with letters to and from their families,” he said. He’s now doing “consultancy, writing, and strategy for movies, TV, opera and theatre,” though he's under non-disclosure agreements to say precisely whom he’s working for.
And he’s not the only Lulzsec hacker to turn to a legitimate life. LulzSec co-conspirator Mustafa Al-Bassam, previously known as Tflow, has also emerged from his conviction with a similar desire to build things, rather than take them apart. Al-Bassam said over email (he was unwilling to speak on the phone, nor offer full answers over Jabber) that he joined LulzSec in 2010 at the age of 15 because of its “libertarian, anti-authoritarian, anti-censorship, pro-freedom-of-speech” bent. “But more so, it was backed up by the thrill of doing something exciting and new," he said.
BBC's Newsnight connected Al-Bassam with an analyst who helped catch him
After his brief period of legal transgression, Al-Bassam opted for a more traditional route through life, and is taking up a computer science degree at Kings College London. He’s also benefiting from a number of perhaps unexpected positives that came from his conviction. “I've met amazing people who are now perhaps friends for life, without which I would never had been afforded certain opportunities that allow me to legitimately pursue technologies and philosophical issues that I care about from a career perspective," he wrote.
Despite some pressing, he wouldn’t offer any detail on his upbringing. “I'd rather not be psychoanalysed for an article,” he said.***
Many convicted hackers have benefited from the corporate world’s current yearning for technical skills, Leeming being a prime example. Committing sophisticated internet offences requires a decent level of coding skill, as well as high-quality exploitation and penetration testing talents, which are in high demand.
“Post-release there is a way to market the skills you have in a security venue,” says Tom Holt, assistant professor of criminal justice at Michigan State University. “There is a recognition that if you have a criminal skill set there are ways to apply it in a legitimate business environment.”
Holt, who specialises in cyber criminology, cites bug bounty schemes as an example of how exploits can be sold through official channels to earn legitimate money. “You can do criminal hacks and also get paid for them in another setting. That might be driving some individuals away from spending all their time on illicit hacks to find a way to get legitimate income," he said.
Not that everyone is willing to hire those with criminal histories. Many employers are simply restricted by their own policies. “From a commercial entity standpoint, depending on your specific business, you may not be able to hire any felons—including convicted hackers—even if you're open to it. Your customer, business partners, or industry regulations can, and often do, prohibit doing so,” said Jeremiah Grossman, CTO and co-founder of web security company WhiteHat Security. “However, other organisations without those restrictions have been able to hire computer criminals with varying degrees of success.”
"There is a recognition that if you have a criminal skill set there are ways to apply it in a legitimate business environment"
Davis and Al-Bassam, who are both now minor internet celebrities, are not fretting about future employment. “The organisations who are less likely to employ me because of my past instead of considering my current experience and status are generally organisations that I likely don't care for anyway,” said Al-Bassam. “So far my history hasn't been a problem when being involved in projects that involve me communicating with people who work with organisations in some of the areas that I care about—encryption, security, privacy and other technologically-related projects.”***
Leeming gives some of the credit for his transformation from cybercriminal to security worker to the police officer who worked on his case, investigating officer Read. “He massively helped me, gave references in some cases … I owe a lot to that guy,” he said. “I honestly can’t thank him enough for that. I hope one day I can return the favour for him.”
Read introduced Leeming to Barclaycard shortly after his release in 2006, where the reformed hacker talked the bank through vulnerabilities he exploited to “get away with a lot of fraud,” some of which he claims remain unfixed.
Leeming was a unique case, however. Few receive similar treatment. He was picked out because of his talents and his troubled history, and by an officer who was sympathetic to his situation. “You look at his past experience and it was worthy of the effort, it really was,” Read said.
Al-Bassam had a very different experience with the authorities. He remains bitter about the actions taken against him by the authorities, including a two-year ban from the internet during a critical time in his schooling, when he was aged 16. In a post on Ask.fm, he said a “vast portion of [policemen and women] seem to get a thrill out of throwing a person in jail or taking away their freedoms—not stopping unethical activity.”
Cal Leeming now works to warn people about the dangers of hacking, as in this BBC broadcast.
There is no widespread mechanism that encourages police to assist those they arrested after they leave prison; they only get involved if they take it upon themselves. Read would like to see more positive stories of officers helping convicts back into society. “But the sad fact is the majority of people will reoffend. It’s a way of life these days,” he added.
Whilst police actions can in some cases help prevent reoffending, it's clear from all three of these example cases that personal attributes are critical in the decision to permanently put down the black hat. At least to some degree, their consciences urged them away from criminal life.
According to Davis, one of the core reasons he left LulzSec, which he says he disavowed two weeks before his arrest, was a disagreement over what data to leak. “I quit because other hackers, one of which I now know was working for the FBI at the time, wanted to release the personal information of police officers in Arizona under the motto ‘Off The Pigs,’ and endangering lives is something I strongly disagree with,” he said.
Leeming tells me he has a child to look after, which played a role in him going above-board. “My daughter faced being taken away by social services. Abandoning [her] was not an option, so I made that decision to change my life,” he said. “If it wasn’t for my daughter, I probably would still be on the run today. I’d been arrested countless times before then, even been to prison once before for two weeks. But kids change everything.”
As cheesy as it sounds, that innate sense of responsibility, to be a positive force either for society or for family, or both, appears to be at the heart of what makes a black hat pursue a cleaner living. Without that, those perpetrating online crimes have little reason to give up, whatever the expense to the rest of the internet’s denizens.
There's also a key theme that links these three hackers: they were all caught. That's certainly not an insignificant factor in hackers' decision to turn good; going back to a life of digital crime after arrest would not only be difficult from a legal standpoint (hiding from authorities is doubtless a lot harder when they know you've got history) but also from a practical point of view. Cyber crooks who are arrested are generally banned from dark web forums, for instance, owing to fears of law enforcement informants operating on the sites.
Not that all those in legitimate employment are necessarily so scrupulous. “I've met some god-awful ‘legit’ people in my time after prison, people with absolutely no morals, guilt or remorse,” said Leeming. “Yet somehow they are considered more trustworthy than me because they've never been to prison. I'm probably one of the most honest, legit people you could meet, yet I'm still treated like a criminal. Pisses me off.”