15-year-old arrested for hacking 259 companies

15-year-old arrested for hacking 259 companies

Summary: A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.

SHARE:
TOPICS: Security
24

Austrian police have arrested a 15-year-old student suspected of hacking into 259 companies across the span of three months. Authorities allege the suspect scanned the Internet for vulnerabilities and bugs in websites and databases that he could then exploit. As soon as he was questioned, the young boy confessed to the attacks, according to Austria's Federal Criminal Police Office (BMI).

The boy allegedly stole data and published it publicly after breaching the security infrastructures of 259 firms. He also defaced many company websites and boasted about his accomplishments on Twitter, where he also posted links to his data dumps.

The firms were attacked between January 2012 and March 2012, and they were not limited to just Austria. He didn't seem to target specific types of industries: everything from sports companies, to tourism services, to adult entertainment, to search services were attacked.

The young man reportedly admitted to being responsible, saying that he was bored and wanted to prove himself. He was described as anti-social, and so looked to the online world for praise and affirmation, possibly being inspired by reports about the hacktivist group Anonymous.

After finding a hacker forum that gave members points for successful attacks, the boy went to work. Three months later, the 15-year-old was in the top 50 hackers of the approximately 2,000 users registered on the forum.

The teenager used various hacking tools widely available on the Internet, including software that helped him remain anonymous. Now and then, he left messages in the systems he hacked, or simply signed them with the hacker name ACK!3STX (a search for the handle on Twitter gave me no results).

Eventually, however, ACK!3STX's anonymizing software failed him and his IP address was visible to BMI's C4 (Cyber Crime Competence Centre) unit. C4 had been receiving multiple complaints from companies since the beginning of the year, so they started monitoring the hacker. At the end of last month, the unit traced his location to a residence in Lower Austria, and then obtained a search warrant.

Authorities said they could not detail the damage ACK!3STX caused, because their investigation is still ongoing. Europol is trying to quantify his attacks both at home and abroad.

I'd like to thank Sebastian Gruber for tipping me on this story as well as providing the above screenshot of a site defaced by ACK!3STX.

See also:

Topic: Security

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

24 comments
Log in or register to join the discussion
  • So why don't we just...

    ...paste our bank information on Facebook? Instead of making you prove that you have been a target of identity theft, banks should ASSUME that you have, and then prove you have not.
    Tony Burzio
  • Yeah, you'd better keep using different proxy servers.

    Otherwise, you'll lose!!!
    Grayson Peddie
  • Bet they were all Windows..or the majority.

    Prove me wrong!
    http404
    • I bet they were all Linux...or the majority

      prove me wrong!
      William Farrel
    • If you are going to make a claim...

      back it up with facts, your whole prove me wrong, shows how weak you really are, and without merit.
      Snooki_smoosh_smoosh
    • Really?

      How about proving your own assertion?
      use_what_works_4_U
      • The other day he said something like that about another group of

        hacked sites, and someone pointed out that some of the servers where Linux based.

        He got red faced, I imagine.
        William Farrel
    • Nothing to do with Windows, Linux, or Mac OS X.

      It could be Apache, IIS (Internet Information Services/Server), WordPress, phpBB, XSS (Cross-Site Scripting), SQL Injection, SQL Server, MySQL, or anything that the article did not list. Just imagine writing this:

      [pre]<script>alert("Hello, Javascript!")</script>[/pre]

      ...inside a textbox in ASP.net and hitting a submit button.

      OOPS!!! You'll get this:

      [quote]A potentially dangerous Request.Form value was detected from the client (txtName="<script>alert("...").

      Description: HTTP 500. Error processing request.

      Stack Trace:

      [pre]System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtName="<script>alert("...").
      at System.Web.HttpRequest.ThrowValidationException (System.String name, System.String key, System.String value) [0x00000] in &lt;filename unknown&gt;:0
      at System.Web.HttpRequest.ValidateNameValueCollection (System.String name, System.Collections.Specialized.NameValueCollection coll, RequestValidationSource source) [0x00000] in &lt;filename unknown&gt;:0
      at System.Web.HttpRequest.get_Form () [0x00000] in &lt;filename unknown&gt;:0
      at System.Web.UI.Page.DeterminePostBackMode () [0x00000] in &lt;filename unknown&gt;:0
      at System.Web.UI.Page.InternalProcessRequest () [0x00000] in &lt;filename unknown&gt;:0
      at System.Web.UI.Page.ProcessRequest (System.Web.HttpContext context) [0x00000] in &lt;filename unknown&gt;:0 [/pre]

      Version information: Mono Runtime Version: 2.10.8.1 (Debian 2.10.8.1-1ubuntu2); ASP.NET Version: 4.0.30319.1[/quote]

      So grow up and quit your trolling.

      Everyone, please don't feed the troll.
      Grayson Peddie
      • (Retracted.)

        .
        Grayson Peddie
      • Javascript

        A JavaScript trace yes it can also be used if the ip of the computer is fake but if java script access is disabled or java is not installed or windows 8 it will not work in windows 8 it can work if the user allows it. Please don't mind anything I just told Grayson Peddie I am just a student of class 8 16+years old
        Sayan Basak
    • Bet

      He used hacking software searching for unpatched systems/unprotected. So hes not even a real hacker and he got into unpatched systems that's not an OS problem its a lazy IT problem.
      Stan57
  • Get'em a job

    Convince him to use his skills to secure websites and networks. WE are getting creamed in the infosec war. We could use him!
    dubbsix
    • High Security Prison

      For the rest of his natural borne life. Let's see if he can hack his way out of there. Being soft on crime will not solve it!!
      eargasm
    • script kiddie

      From the scant information in the article, it sounds more like he was not a cracker, but just a script kiddie who used prefab materials in order to do the job. Knowing how to use metasploit does not make one a "hacker".
      ultimitloozer
  • ... and in Chapter Two ...

    I hope someone looks into the sites the boy hacked in another six months. I would be willing to bet that at least half of them are still vulnerable to the same attack. There is a point where you have to stop feeling sorry for the victims.

    If there a "Darwin's List" for web sites?
    lars626
  • A script kiddie and they arrested him?

    They should have arrested the C-levels of all 256+ companies he hacked, along with their I.T. department heads.

    I'm quite sure the stockholders would be VERY interested in how well their investments were secured.
    Dr_Zinj
    • Most Hackers are Script Kiddies

      @ Dr_Zinj
      Most hackers are Script Kiddies, and that's what makes the Internet such a wild place. It is not necessary to have any IT skills to launch attacks that cripple major corporate Web sites when the hacks are available for free download from a variety of Web sites, torrents, and darknets. I don't have hard stats on this, but I would say less than 10% of hackers have any high level skills. These guys discover the exploits and create the mal-ware that script kiddies deploy to the detriment of the rest of us in Cyberspace.
      DCGideon
      • Re: Most Hackers are Script Kiddies

        No they aren't; they are two different animals. Hackers know the equipment, systems, software, etc. It still pisses me off how people keep using the bastardized media usage of the term instead of learning what it really means.
        ultimitloozer
      • You are incorrect

        ultimitloozer, You are incorrect on this one. Script kiddie is defined as an amateur hacker by both lay and IT professionals.It is not a bastardized term but the term IT professionals use to refer to hackers who do not have the technical skills to create the hacks they employ. Perhaps you should be better informed before making such dogmatic judgments. While we are trying to be so technical, a more accurate term here would be cracker rather than hacker. From a legal perspective, this 15 years old script kiddie is a hacker, as the legal definition of hacking simply means unauthorized entry into a computer network. Whether the hacker is professional or amateur is irrelevant.

        I guess you will have to continue to be tired of people referring to script kiddies as amateur hackers, as this is the correct term.
        DCGideon
  • Defending the Indefensible and Knowing Right from wrong

    I find it amusing, and at the same time realize what a sad state of the world to defend hacking and defacing by any individuals or groups. I can't overstate enough no matter how many locks or state of security you use on a buildings entrances or its' website, someone or some group will still break into it or its' encryption. To steal goods or services and,(or) deface intellectual property should be a crime. Defending their behaviors is reprehensible and only exemplifies the poor state of peoples' morals and modern times. Shame on all you arrogant nerd (a@@h@les) defending the hackers. The IT departments have a hard enough time as it is! Opinions such as Dr_Zinj are only reasonable assuming the antivirus and malware companies can become unnecessary due to malicious activity ceasing on the web. The best servers with the highest security are all fair game and it's only time before his assets are hacked or defaced as well. PROSECUTE 'EM ALL then let GOD sort them out!!!
    partman1969@...