Internet privacy and security course
About translation
Previous Next
How hackers get caught

Chapter 24

How hackers get caught

The second chapter explores how hackers and the most wanted cybercriminals get caught out. Why should I be talking about criminals? It’s quite obvious: their stories will clearly show the process of deanonymization - identifying a person on the Internet. So this part of the book will analyze the reasons that led to the arrests of known (and not so known) hackers.

After watching movies portraying hackers, many readers see the process of hackers getting caught as an intense cat-and-mouse thriller that unravels in virtual space and depicts a war of technologies, with errors occurring at the code level. But in reality, it’s not the code errors that get hackers found out. The let themselves down out of laziness, sloppiness, poor judgement or plain stupidity. Eliminating these shortcomings is the first step toward assuring your safe and anonymous work online. To lend more credibility to this assumption, let’s move on to looking at a few stories of how hackers get found out and cybercrimes are solved.


Hackers are taken down by code errors or using state-of-the-art technologies against them.


The majority of caught hackers were taken down by their own laziness, sloppiness, poor judgement and plain stupidity.

Let me get started by telling you about Jeremy Hammond, the FBI’s most wanted hacker, who, among other cybercrimes, attacked the computers of the intelligence firm known as Stratfor. Stratfor was founded in 1996 and today is commonly referred to as the private CIA, boasting the government and major corporations among its clients.

Jeremy was able to access the information about the crimes exposing Stratfor and private military contractors that tightly cooperated with the U.S. law enforcement. Hammond deleted the files from Stratfor’s servers, copied the internal emails and passed them on to Wikileaks. He used Stratfor’s clients’ credit cards to rack up $700,000 in donations, and I personally view his deeds bordering on crime and feat of courage.

However, the U.S. justice found nothing courageous about his acts, and on November 15, 2013, Jeremy Hammond, aged 28, got sentenced to ten years in prison and three years of supervised release after. But how did the FBI succeed in catching him and how did the special agency find the proof of his guilt?

The FBI revealed Hammond’s identity with the help of a hacker who infiltrated the loosely organized hacking group Jeremy was involved with. At least this kind of version was spread by the mass media. Infiltration is one of the most popular methods employed by special agencies. I don’t know how the infiltration process works specifically, but I suppose the agencies catch the most stupid hacker, and he agrees to cooperate in exchange for his freedom or a reward.

We tend to trust people we constantly work with more than strangers from the street. Even the most clever of hackers are mere humans, and the need for communication and social interaction remains an essential part of their life too. But not only hackers and criminals should fear being exposed through an accomplice, we all should stay alert when interacting with people on the Internet; your correspondence is getting saved, and it may so happen that in future someone can get ahold of your content.


When you communicate with someone on the Internet, carry on correspondence as if you are being watched over by the representatives of special agencies. I believe this is the best advice on how to best protect your correspondence.

But deanonymization – revealing the user’s identity alone is not enough. To hold a cybercriminal accountable for his acts, one should gather the evidence against him – get access to the data that stores the information about the crimes he committed.

Jeremy Hammond is a consummate professional and he, undoubtedly, encrypted his hard drive. But the problem was that the password he chose was “Chewy 123” – the name of his cat. The FBI had been watching him and knew this information, so cracking the password didn’t require that much effort for them.

Let me take a detour now to explain how a password is brute forced. First the experts will check if you used one of the several dozens of millions of common passwords (for instance, QwErTy1234567890), then they’ll draw a list that will include your address, phone numbers, relatives’ names and last names, pets’ names, your favorite soccer team, singer, professional athlete, school number. Next, they will check them with the help of a program that will tweak with these numbers adding different data. You are severely mistaken if you think that your mother’s maiden name and 123456 coupled with it make for a safe password.

Moreover, the experts will try to find out your passwords for other resources and if they see that you used Ovid’s quote as a pass for one of them, they’ll make sure to check all his quotes with different additions.


When setting up passwords, don’t use your mother’s maiden name, your name, address, the name of your favorite soccer team, phone number, pets’ names. Otherwise, they should be part of a very sophisticated password where you rely on the rest of the characters for a unique, strong password.

Passwords, their creation and storing, the methods used for their cracking and stealing are extensively covered in this course and should be thoroughly studied. We have a separate chapter exploring this theme.

What would be the biggest takeaway from the Jeremy Hammond story? Do not violate the laws of the country you live in (or better yet, don’t just violate laws). Edward Snowden exposed government secrets racking up several life sentences in U.S., but he lives in Russia and is regarded basically as a national hero there. If Jeremy Hammond was in Russia, where, traditionally, both the controversial CIA and its intelligence firm are disliked, he would probably be enjoying freedom now.

Russian cybercriminals themselves would usually keep themselves from stealing in the country of their residence. Make no mistake here, they are not bothered by a sense of patriotism or sympathy for their countrymen, cybercriminals are rarely concerned with noble ideas. They won’t engage in stealing merely for the sake of safety and to avoid prosecution in their native country.

Let’s see how the don’t-steal-from-your-own rule applies practically by looking at an example of malware development. A large amount of spyware made by Russian speaking programmers, when getting into a victim’s computer, check if the Russian language is among the languages used by the operating system. When detecting the Russian language, they remove themselves from the computer without inflicting any harm on the victim.

Let’s look at another story involving Russian hacking practices. On July 31, 2013, Russian entrepreneur, the owner of the payment processing firm Pavel Vrublevsky was sentenced to two and a half years in prison for organizing in 2011 DDoS attacks on a rival company Assist. According to the media, the resulting damage to Assist prevented the Russian airline Aeroflot from selling tickets.

DDoS attacks are the kind of attacks that attempt to wreak havoc on computer systems (for instance, from server) in order to render them unavailable or impede their normal operation. Currently organizing and performing DDoS attacks are punishable by law in the majority of countries.

The attacks led Aeroflot to incur significant financial losses and stop using Assist’s services. In addition, Aeroflot filed a suit seeking 194 million rubles in damages against VTB-24 that provided payment processing to Aeroflot through Assist.

How did the investigation aided by the FSB agency succeed in finding and proving Vrublevsky’s guilt? As the case received enough media coverage, we are going to look at it in more detail.

The first ill-advised step was Vrublevsky and his accomplices’ using the ICQ instant messaging client. ICQ is owned by Group that is known to have a tight cooperation with the FSB. ICQ is by far not a safe service to use, at least without additional encryption tools. The company doesn’t hide this fact, the following is an excerpt from the user policy taken from Wikipedia (the given information was effective at the date of the events described):

“You agree that by posting any material or information anywhere on the ICQ Services and Information you surrender your copyright and any other proprietary right in the posted material or information. You further agree that ICQ Inc. is entitled to use at its own discretion any of the posted material or information in any manner it deems fit, including, but not limited to, publishing the material or distributing it.”

Moreover, ICQ has a huge number of vulnerabilities, and its accounts are regularly hijacked by perpetrators. I don’t think there’s any doubt left as to why you should feel put off using this IM for good.


Do not use ICQ, this instant messaging service doesn’t provide proper protection for your correspondence.

According to the information available from the media, Pavel Vrublesvsky came to the same conclusions and went on to use XMPP (Jabber), belatedly. He definitely should’ve done that earlier and used PGP encryption to boot. You will find more in our separate chapter exploring safe communication online and safe instant messaging services in detail.

According to the publicly available materials, in a court ruling, the traffic of Pavel Vrublevsky and other suspects in the case were subject to thorough monitoring and analysis. To analyze the traffic, Ufasoft Sniffer and WireShark were applied; a simple search by the word “password” across the traffic logs resulted in the login and password for the botnet control panel.

Botnet (a definition) is a network of private computers infected with malicious software and controlled remotely as a group without the owners' knowledge, using the control panel. The infected computers are mainly used for sending spam, launching DDoS attacks, bitcoin mining.

This course will teach you how to safely encrypt your Internet traffic and protect yourself from interception and analysis, clear logs. Moreover, we will teach you how to analyze traffic the way special agencies do.

In the abovementioned case the botnet owners didn’t even bother to encrypt their Internet traffic! It is extremely hard to believe that such a silly oversight was able to ruin true professionals.


Always encrypt your Internet traffic, using, for instance, a VPN. This will protect you from a deep analysis of your traffic.

But there is more to Vrublesvsky’s story. The perpetrators’ services were settled using a payment system WebMoney, quite popular with Russian users. This system requires identification from user and collects the maximum information available about him or her, including their IP address. This data is stored for a long amount of time and was passed on to the law enforcement.

The abovementioned does not imply that one should stop using payment systems. But it would be absolutely erroneous to believe that these systems are anonymous. They store much more information about you than you can imagine. I hope by now you don’t believe that Bitcoin is anonymous either.

Next, you’ll find out how important it is, when it comes to online security and privacy, to choose the right VPN provider. In April 2013 Cody Kretsinger, a hacker with the group known as LulzSec, who went by the nickname “recursion”, got sentenced to one year in prison, a year of home detention and 1,000 hours of community service. The hacker who breached the Sony Pictures website, undoubtedly, took care of his anonymity and used a VPN. But…

The only thing he couldn’t foresee was that the VPN service he used collected and stored the information about him and then passed the requested data on to the special agencies. You should approach choosing your VPN very seriously if you are truly care about your anonymity. You’ll find an entire chapter in this course showing how to select and set up a VPN. You will also understand how you could get affected by a sloppy choice of VPN and learn how to set up your personal VPN service.


Select reliable VPN services or, better yet, enhance your personal VPN.
We have a few more intriguing hacker cases and valuable tips in store for you. Share this story with your friends to continue reading.

On February 2, 2011, a known Russian opposition leader and blogger started collecting money for financing an anti-corruption project “RosPil”. To collect donations, Russia’s largest electronic payment service “Yandex.Money” was used.

Just some time after the start of the campaign, the people who made donations started getting calls from a female stranger. A young woman named Yulia posed as a journalist and asked the following questions, “Why do you support Navalny?” and “Where does the money you donated come from?”. In her conversations with the contributors Yulia revealed such details about transactions that there wasn’t any doubt left she was getting the information directly from the payment system.

It became known from the publications that the information about the flow of funds in Navalny’s account was passed on by “Yandex.Money” after an official lawful request made by Russia’s security agency FSB. The identity of the mysterious caller was also discovered. According to the publicly available information, Yulia Ivanova (last name has been changed) turned out to be a member of the Pro-Kremlin youth movement. Yulia herself declined to comment.

Who else obtained the confidential history of the transactions? Where were the users’ sensitive data leaked? By who and how will they be used in future? We can only guess… Fortunately, this is the only publicly known similar incident.

Next, you’ll find out how the National Security Agency unmasks the identities of Tor’s users or, rather, attempt to be doing so as the outcome of the story we are describing below is yet unknown. If you believe that the agency employs some extremely sophisticated methods, you will be surprised. This course will guide you through all Tor’s key vulnerabilities, deanonymization methods and the ways you can protect yourself from them.

On Sunday, July 5, 2015, unknown hackers attacked Hacking Team, one of the largest spyware and malware providers to government and law enforcement agencies around the world. As a result, more than 400 gigabytes of massive internal documents were exposed, including the information about zero-day exploits, hacking tools, clients as well as emails and contracts.

They managed to make publicly available numerous zero-day exploits that are used by special agencies and that can be potentially taken advantage of by perpetrators. The source code of the spyware was also made publicly available and added to the antivirus database rendering this software useless, and developers started patching the exposed exploits.

But the most intriguing of all the leaked information was the correspondence between a Hacking Team’s employee and FBI agent that allows us to gain insight into how deanonymization works.

In September 2014, an FBI agent asked Hacking Team if its flagship Remote Control System (RCS) product, also known as Galileo, was capable of unmasking the true IP address of a Tor user. The FBI agent only had the proxy IP address of the target.

In response to the FBI’s query, a Hacking Team staff member replied that it was indeed possible to get the real IP address of the target provided the target’s computer is successfully infected with a malicious file. The internal emails revealed that the victim was to get an email with a PDF attachment

An email with a malware attachment or link is the most common way of getting a user’s identity discovered and his sensitive data – stolen. It is eagerly used both by hackers and agencies alike. The victim must open a document or click the link to become infected. However, they can discover your identity and steal your data only if you are infected. In the chapter focusing on operating systems, you’ll find out how to open files and links without taking risks. In addition, you’ll learn how to use Whonix – an operating system that offers the greatest anonymity and can withstand deanonymization attacks without using additional tools.


Opening files and documents is one of the most common ways of getting your identity discovered. If an attacker uses zero-day exploits, you won’t be able to defend yourself either with Tor, VPN or proxy.

The last case we are looking at is the Silk Road and Dread Pirate Roberts story. Ross Ulbricht, aka Dread Pirate Roberts, according to the FBI and court ruling, is the creator of the shadowy e-commerce site Silk Road.

The Silk Road is a hidden website that existed within the Tor network and mainly sold drugs. The infamous service was closed following the arrest of Ross Ulbricht. Basically, it was a huge online drug marketplace run as a hidden Tor’s service and accessible only over the Tor network.

On May 30, 2015, the US District Court in Manhattan sentenced Ross Ulbricht, 30, to life in prison, on charges of hacking-for-hire, money laundering, illicit drug dealing, six attempts to arrange murders. But how did the creator of one of the most hidden internet sites end behind the bars?

A series of events set the stage for the criminal to get caught.  We don’t know which of them enabled his identification, but it is clear that by themselves they couldn’t prove his guilt. To bring accusations against Ulbricht, the FBI needed his hard drive unencrypted.

On the last day that Ross Ulbricht would be free, the Silk Road mastermind was working at the Glen Park Branch Library in San Francisco. The mere fact that the founder of the largest darknet marketplace could be found in a public library seemed odd enough. But Ulbricht’s fatal mistake was actually sitting with his back towards the people – what he himself recommended strongly against. That allowed the agents to detain him, preventing him from closing the lid of the laptop, and decrypt the hard drives.


If your data are wanted, have commercial value or represent classified information, do not sit with your back facing people in order to have time for closing your laptop when somebody attempts to gain access to it.

The agents waited for Ulbricht to decrypt his hard drive by opening access to the forum and rushed to detain him. The open hard drive had the keys, correspondence logs, contracts – the investigation looked at all this evidence like kids in a candy store.


Don’t put all your eggs in one basket. When encrypting your main hard drive, do not keep your passwords and important documents publicly available, encrypt them in a separate place, bear Ross Ulbricht’s mistake in mind.

 You’ll find more on data encryption in a separate chapter of this course. To urgently destruct encryption keys, sensitive data and prevent unsanctioned access to them, use Panic Button. We strongly recommend you take a close look at this solution.

I already mentioned how an inadvertent slip may turn out to be fatal. The Silk Road forum had one of the top staffers who had been probing the notorious marketplace undercover. During a conversation with him, Ulbricht let slip about his trip to Thailand and posted his photo enjoying the beach on his Facebook.

The desire to stay anonymous is often stoked by the fear of some danger: some live in fear of getting arrested, some are afraid their data might be stolen by third parties, some fret about their location getting tracked down. At the same time, people are wired for sloppiness, and eventually their fears give way to laziness, and the desire to keep anonymity becomes much less urgent.

You must grow awareness of the fact that keeping yourself anonymous and your confidential data protected take work and dedicated effort. Your desire to be safe should become a regular and steady habit. How do you develop it? There are many methods out there, but I am going to focus on the one I strongly recommend you adopt in your daily routine.

Every chapter has valuable tips for you, note them down and regularly act on them, apply these recommendations to your work every day. You don’t have to use all these tips at once, you can break them down over the week. Perhaps, you don’t need all the advice given here, choose the recommendations that you specifically need.


Write down the tips from this book, follow them regularly and daily apply them in your work. Do this until you make a steady habit of them.

If you follow our recommendations every morning, you will remember them, while using them throughout the day will allow you to steadily form the necessary habit. Do not get carried away with the initial success, it’s always harder to keep up with the routine and resist slipping into laziness. Keep everything you put down, go through your notes once a month and read them all over.