Hackers of the '90s
The turn of the decade in 1990 saw a massive uptick in the number of computer hackers as the internet evolved into the tool we know today. While the World Wide Web didn’t become available to the public until 1993, that didn’t stop cybercriminals from taking advantage of the multitude of vulnerabilities that existed in earlier computer networks and systems. Two of these criminals went by the aliases Datastream Cowboy and Kuji.
Datastream and Kuji
Really named Richard Pryce and Mathew Bevan, the amateur hackers and partners were best known for their affinity for sensitive government information. Both were very young when they began their exploits, many of which originated from the comfort of their own homes in the UK. Like many of the cybercriminals before them, Bevan and Pryce got their start in phone phreaking. Bevan had a particular interest in conspiracies, as he believed that the United States government was covering up the existence of alien life and evidence of the existence of UFOs. Pryce was more interested in gaining access to government systems to download sensitive information. He and Bevan became good friends via e-mail, never revealing their real identities to one another. While Pryce did most of the in-depth hacking work, Bevan contributed to a hack that authorities say “nearly started a third world war.” Pryce had been making his way through the Pentagon’s systems using an access code he had cracked that belonged to the highest-ranking Pentagon lieutenant. The military became aware of the threat quickly, but it took an alarming amount of time to trace the hack because Pryce had routed his attack through a computer at the Rome Laboratory at an Air Force base in New York.
The real problem came when authorities realized that Pryce and Bevan had dropped information from the Korean Atomic Energy Research Institute's database into the United States Air Force computer system. At the time it was unclear whether this was North or South Korea’s classified information. Either way, if the country found out, it would assume the source of the theft was the USAF. It was clear that this breach could have caused complete chaos if the military hadn’t taken swift action. It was later found that this data belonged to South Korea. In 1994, a 16-year-old Richard Pryce was arrested for the breach but released on bail the same night. Authorities spent the next two years trying to track down his internet partner Kuji (Bevan), who had never revealed any information about his location to Pryce. They eventually found a phone number in one of Pryce’s files that led them to Cardiff, Wales. The 21-year-old was arrested and charged with conspiracy. Pryce was later charged with 12 counts under the Computer Misuse Act, but they both got away scot-free after the charges were dropped when the UK decided the matter was no longer of public interest.
Vladimir Levin
In 1994 another series of attacks took place, this time on several corporate bank customers of Citibank. The culprit, or rather culprits, turned out to be a group of Russian hackers led by Vladimir Levin. This $10 million hack is believed to be the first online bank robbery, taking place just a year after the World Wide Web went public. Levin acted as the leader of this group, gaining access to the cash management system of the bank. He made over 40 illegal transactions in less than a year. Each time, a co-conspirator would withdraw the cash from an overseas account. He had gained access by using stolen passwords for accounts that weren’t protected by encryption. The crime didn’t go under investigation until 1994, when four major accounts with the bank reported that they were missing nearly $400,000. The money was then traced to multiple accounts in San Francisco, whose owners were a Russian couple who had only spent a short time in the U.S. When the wife attempted to withdraw the funds, she was arrested by the FBI. Later, both she and her husband gave the name of the man behind it all, Vladimir Levin. With the help of Russian authorities, the FBI was able to lure Levin to London, arrest him, and extradite him back to the U.S. He spent three years in prison, and a large majority of the money was recovered following his arrest. Citibank made major changes to its systems after the attack, including requiring customers to create new passwords for every transfer completed using an electronic device. Many other banks followed suit, fearing that they could also be the victim of an online bank robbery.
Max Butler
Max Butler’s timeline of crime started early in his life when he stole chemicals from a lab room at his high school, for which he received probation. During his first year at Boise State University, he was charged with assault for nearly hitting someone with his car and violating a restraining order. He was a computer enthusiast from a young age but didn’t start getting into trouble online until after he was fired from his job at CompuServe. A $300,000 lawsuit was filed against him by the Software Publishers Association for his unauthorized distribution of software from the CompuServe office. It was eventually settled for $3,500, but this was just the beginning for Butler. The trouble really began when he became friends with Chris Aragon, a former bank robber, and found his way to carder forums. These were forums used to buy and sell all sorts of illegal or stolen property, including credit card numbers, bank account numbers, paper for counterfeit checks, and magnetic print cartridges used for the checks. Butler began hacking the people on the forum by posing as a well-known vendor of card numbers. As he began stealing credit card information from other vendors, he would send it to Aragon, who would counterfeit the cards.
Together they ran this scheme out of a hotel room, recruiting at least ten “employees” who would take the counterfeit cards on a shopping spree. Later the merchandise was sold on eBay by Aragon’s wife. Butler and Aragon eventually moved on to create their own carder forum using their own sources. This, however, was not enough for Butler. He started hacking into the POS systems of restaurants to steal more credit card numbers. He ended up stealing over 1 million card numbers from restaurants across the U.S. Still not satisfied, he targeted a vulnerability that originated in the Eastern European underground. The group he was working with came up with a list of targets, all of which were financial institutions. He managed to send out a phishing attack on Capital One, in which 500 people fell victim, allowing him to access their networks. However, this wasn’t making him money fast enough. He went back to the carding business, where he hacked into a multitude of carder forums, stealing their entire databases and converting the forums into his own carder site under the alias Iceman. This began a feud that eventually took down Butler. He was competing with the only other large crime site, which was run by an undercover FBI agent. Not much is known about his arrest, but he was sentenced to 13 years in prison, the longest sentence for a cybercriminal at that time. He had stolen over 2 million card numbers and used them to make around $86 million in fraudulent purchases. He was released in 2021.
Jonathan James
Towards the end of the decade a new name entered the scene: Jonathan James, best known for hacking into NASA as a teenager. He later ended his hacking career by being the first juvenile incarcerated for cybercrime. At only 15 he committed his first offense by hacking into computer systems in the Miami-Dade school district, for which he received probation. But a year later, in 1999, he got into more serious trouble. He accessed the computers of the Defense Threat Reduction Agency through a vulnerability on a government server. James intercepted thousands of messages between employees, collected passwords, and gained access to other government computers, one of which belonged to NASA. James found the source code for the software that ran the International Space Station’s critical modules. When the compromise was detected, it was quickly traced back to James. He was arrested and charged at only 16 years old. James was given seven months of house arrest and two years' probation without a computer for his exploits.