Black-hat hackers: bad to the bone or just victims of society?


Cybercriminals come across as out-and-out villains most of the time. They’ve bilked blockchain out of billions, held major corporations to ransom, and even killed people. They live in the shadows, and many industry experts believe they enjoy cordial relations with rogue states like Russia and North Korea. But who are the unethical hackers really, and is there more to their backstory than first meets the eye?

Are black-hat hackers sociopaths? This is the question I pose to Harsh Bothra, a white-hat or authorized hacker based in India who works for infosecurity firm Cobalt, and in his time has encountered some of the shadier members of his profession.

ADVERTISEMENT

“I would say that they are misunderstood if we call them psychopaths or sociopaths – because most black-hat hackers are very intelligent,” Bothra tells me. “They have a clarity of what they want to do. Usually, sociopaths and psychopaths are not clear in their vision.”

Bothra suggests that this lack of clarity would in fact be detrimental to an unethical hacker, who has to plan meticulously to stay one step ahead of the law. The smartest of them, he says, reinvest proceeds of their crimes into future jobs, using one success to pave the way for another.

At first glance, there does appear to be some evidence to bear out Bothra’s assertion that the mindset of the unethical hacker is incompatible with that of a sociopath. In his landmark study, The Mask of Sanity, published in 1941, Hervey Cleckley identified 16 core traits of the psychopath, one of which is a failure to have a clear life plan. Robert Hare, another godfather of psychopathology, seems to agree – his Psychopathy Checklist of twenty core traits, developed several decades later, includes a lack of realistic, long-term goals.

But at this stage, I’m still not convinced. Because Cleckley and Hare also listed traits such as antisocial behavior, parasitic lifestyle, and lack of empathy as key sociopathic traits – and the kind of people who use ransomware to shut down hospitals so they can extort them for millions strike me as fitting that bill pretty snugly.

But there are differences within the black-hat community, Bothra insists. “Groups like Anonymous, we can call them intelligent hackers who believe they can change the world,” he says. “Most black-hat hackers think they are changing something. Let's say I don't like what my government is doing, I'll try to break into their stuff and say that this should be visible to the public. Or let's say this bank is storing tons of money, and this should be distributed to the people.”

Robin Hood hackers, for real? Bothra seems to think they exist: “Many black-hat hackers, what they generally do is hack for something [and] distribute it to the people. But again, that's one side. On the other hand, there are people who work just for their own profits.”

And how does this wealth redistribution work, exactly? In a word, cryptocurrency. “This is the biggest advantage for black-hat hackers,” says Bothra. “Before, they used to take money in PayPal, but now they've strictly switched to Bitcoin and other kinds of cryptocurrency. They are not traceable, so basically, you cannot track them down. So if I am stealing money through ransomware and I have my cryptowallet, I can start giving that money to people, chunk by chunk.”

By converting digitally ill-gotten gains into conventional currency, what Bothra calls “white money”, these so-called Robin Hood types are able to simultaneously launder their proceeds while giving a portion to those they consider deserving.

ADVERTISEMENT

“To convert the money, they divide it among different people who need it,” he explains. “So let's say I send you ten bitcoins. You keep half a bitcoin and you transfer me back the nine and half of white money. This is how it happens – because big transactions are always tracked, but it is very hard to track each and every small transaction. Hackers are taking advantage of this loophole in the system.”

A darker path

But what about the other type of black-hat hacker Bothra refers to, those who are purely motivated by self-interest? Here a rather darker picture begins to emerge. What Bothra has just told me about Robin Hood hackers came as a surprise, but what he says next shocks me.

Most black-hat hackers come from violent criminal backgrounds, he tells me, and would probably be doing other forms of crime if they weren’t involved in cybercriminal activities. So much for the nerdy hacker hiding behind his console – these cyber thugs don’t sound like the altruistic hacktivists Bothra has just described, but they do sound as though they might be displaying Hare’s psychopathic trait of criminal versatility.

“I won't name anyone, but I know a few guys, black-turned-white-hat hackers, who are very good bug bounty hunters, and they have been in jail several times because of their violent nature,” he tells me. However, Bothra stresses that socio-economic background plays a key part in determining whether this is the case.

“On the contrary, I have also known some black-hat hackers from India who are totally pacifist,” he adds. “They really don't want to walk out of their den, they just want to sit in front of the system and hack – and that's all. So demographics play a really important role – I would say that seven in ten black-hat hackers are violent in nature. If they have committed cybercrime, they have also committed some sort of other crime, it can be fighting with somebody or just going to jail for maybe anything.”

Bojan Simic, a white-hat hacker who works for multifactor authentication specialist HYPR, came to the US in the 1990s with his family as a refugee from the Balkan Wars. He agrees with Bothra that demographic background plays a key role in determining a hacker’s psychological makeup.

“Let's say I was still in Bosnia, where there is 50% unemployment for people in their thirties, and I have a computer, and I know how to use it,” he posits. “I'm not able to get a job remotely writing software – for not that much money honestly – for some Western company. If I knew how to hack into systems and could get a couple of Bitcoin a month by deploying some ransomware or phishing somebody, I would probably do it, if I needed to take care of my family and my parents were growing old. And that's the position a lot of these people find themselves in.”

Again, Simic and Bothra – though living and working on opposite sides of the globe – seem to be in alignment here. Feelings of resentment at economic exclusion, coupled with a burning desire to have their talent recognized, can often spur poor but tech-savvy kids to put the black hat on. “It's a mixed share of backgrounds,” Bothra says, “but most often they come from underprivileged families where they lack resources, and they always feel that they lag behind society.”

This motivation to be noticed can ultimately lead down a darker path, with hackers starting out as idealists railing against injustice, but becoming gradually corrupted by their own actions. “So they want to prove their point and do something that can change society,” says Bothra. “Their mindset evolves in a way that they tend to think of themselves as a hacktivist – but eventually break the law and turn themselves into black-hat hackers.”

ADVERTISEMENT

Nor is being born wealthy a guarantee that you won’t succumb to temptation: “I have seen hackers as well who are from very wealthy families and just do it for fun. Tinkering with the software, it's a hobby for them.” But these dilettante hackers are a rarity in Bothra's opinion, and most black-hat types – whether they see themselves as hacktivists or criminals – tend to be born on the wrong side of the rails.

“They're individuals who are very smart, but don't have the opportunities that we have growing up in places like the UK and the US,” agrees Simic. Echoing Bothra’s observation about the slippery slope many of these bright young hackers find themselves on, he adds: “They have all of the intelligence, drive, and curiosity – and they find themselves, one step at a time, getting into that space.”

Once they’re on that slope, it’s a fast route downwards – and very hard to turn yourself around. Not only is the money a huge temptation in itself, but the ease with which it can be stolen or extorted also becomes increasingly hard to resist.

“It is always [a case of] once you taste the success, you want to do it more and more,” says Bothra. “They start to enjoy it. They see it as an easy way to get money – all you have to do is socially engineer your particular victim. Things grow with time, it's a place where you cannot get out once you get in.”

An addictive game

Those that do try to “go straight” end up walking a mental tightrope, what I myself have heard some recovering alcoholics refer to as the “white-knuckle ride.” And just as those recovering from more conventional forms of addiction can find abstinence every bit as challenging as indulgence, hackers trying to mend their ways end up living in fear of a relapse.

“Talk to guys who are black-turned-white-hat hackers, it is very hard for them even now to control,” says Bothra. “They go to rehab centers and try to fall into other activities, to get into different things.”

Perhaps it comes as no surprise then that many black-hat hackers also end up hooked on other things – gambling seems to be the most prevalent, but earthier addictions like sex, drink, and drugs are common problems as well.

“It can be from chain smoking to anything,” says Bothra. “Because they feel privileged for having the money: 'I came from a background where I had nothing, and now I have a fortune, so why not?'”

“Any money that is earned that easily, that fast, is typically equally [quickly] blown,” agrees Simic. “And that's just the mindset: ‘Hey, I made it that fast once, I can make it that fast again. So why not spend it?’ That is true whether you're in a casino in Las Vegas or extorting some company for Bitcoin.”

ADVERTISEMENT

Substance abuse among unethical hackers need not be purely recreational either: like some unscrupulous athletes, they can also turn to stimulants to enhance their performance on the job. “I have seen that some hackers use drugs to boost their thinking capacity and sit for long hours and hack,” says Bothra. “So eventually they get bad addictions and their skill sets wane – they are no longer as good as they were. As you go along and you develop an addiction, you lose your game.”

The wages of sin

But as unsavory as the personal habits of unethical hackers may seem to some, they aren’t what concern me the most. I want to know if there’s a difference between cybercrime and more conventional forms of lawbreaking in terms of the knock-on effect it has on the perpetrator – because most cybercriminals never confront their victims, dealing harm from afar, does this make it easier or more difficult for them psychologically?

“It desensitizes them,” says Simic. “I think a similar thing can be said about drone pilots. They sit there and bomb places in war – it looks like you're playing a video game, but those are actual lives down there. Look at it from that side, why would you feel empathy, regret? It is a lot easier to just turn away and not let it affect you. There was a Canadian hospital that got hit by ransomware last year, and it ended up in people losing lives because critical systems were down. If that person, wherever they were, actually sat down and talked to the family of those affected individuals, I guarantee you they would probably never do something like that again – but they didn't.”

Despite this – or perhaps precisely because of it – Simic appears to agree with Bothra that cybercriminals are not as fundamentally cold-hearted as many might believe.

“I don't think they're sociopaths,” he says. “If most of them had other avenues to use their skill set they would. A lot of them honestly just don't know any different – I'm talking about the ones in Eastern Europe or China. It’s cultural, where if you break into some healthcare company in Canada and tell your friends, it's a celebratory thing. It is not something you will get in trouble for with your local government, so why don't you do it? Those people, they're just a product of their environment.”

But surely there has to be more to that environment than just country of origin? I ask Bothra and Simic whether the Eastern “offensive” hacker versus the Western “defensive” cybersecurity analyst is a dangerous stereotype.

“Someone is always trying to expose another country so they can take advantage of it,” says Bothra. “Every country is preparing for cyberwarfare, which is happening. Every country attempts to sponsor hackers – some are into the limelight, and some are not. That pretty much defines it, I guess. Every country is doing it, it's just some of the big countries have been highlighted more.”

“It's just the nature of it,” agrees Simic, adding that different attitudes to information sharing have distorted the cyber narrative in terms of East versus West. “We have what we call free speech – you can write whatever the hell you want, whenever you want, for the most part. Whereas if some hospital system in Russia got hacked tomorrow by some person in the US, chances are that's not going to make the news – because it makes the country look bad. So this stuff is happening all the time, but it's just not spoken of in those other places where they have more totalitarian ways of managing their population.”

That said, Simic does agree that most unethical hackers have probably strayed into more violent forms of conventional crime. But the distinction he draws between those who have and those who haven’t throws up yet more questions about the ethical dimensions of the black-hat underworld.

ADVERTISEMENT

“I put them into different categories,” he explains. “There are a lot of unethical black-hat hackers – really just scammers. They take off-the-shelf tools and they weaponize them against some adversary. No real innovation is required, no deep technical expertise. Those absolutely have a criminal or violent background.

“But there's the other category of unethical hackers that are just like nerds. They are actually building the software that those people use. The guy during the gold rush in the 1840s in California that made the most money is the guy that sold the pickaxes. The guys that are building the pickaxe equivalent and selling it on the dark web are the really smart technical individuals who are pushing the needle and innovating. And then there's the seven out of ten that are just thugs – they take the pickaxe, and they go to somebody and hit them over the head with it.”

It’s a mixed metaphor but no less illuminating for all that. It puts me in mind of the moral arguments against munitions companies – in effect, who sins more, the people that use the firearms, or the people that manufacture them?

“That is the modern-day equivalent,” says Simic. “Somebody going to the dark web, paying a couple of thousand dollars for a piece of ransomware that they know nothing about how or why it works [and aiming it] at a small healthcare company in Kentucky, and having a lot of success.”

He agrees that the gun analogy is a sound one: “I think a lot of people that are getting arrested today are the seven out of ten. Smith & Wesson, the gun manufacturer, has probably killed more people than all the people in jail combined, but they're not going to jail – and that's the philosophical argument, who is really the bad guy? Let's say you have a young, very smart hacker, who builds some piece of software and sells it to a bunch of people that end up causing havoc with it – and then that person ends up getting noticed and picked up by a nation-state. And now they work for the FSB [Russian intelligence agency and successor to the Soviet-era KGB] or the Chinese government. Are they the bad guy – or is the government [they work for] the bad guy?”

And the guns aren’t always being pointed by the East at the West either, Simic adds, recalling one malware program thought to have been designed by US and Israeli intelligence services that ran amok a few years ago: “Look, we like to sit here and talk about Russia and China and North Korea doing this type of stuff, but let's not forget things like Stuxnet. There is a lot more that we're not reading about that's happening – going in the other direction.”

Resisting temptation

Leaving aside the thorny questions of allegiance to diverging causes and who is ultimately more responsible for what, I am curious to know what stops white-hat guys like Simic and Bothra turning to the “dark side.” One thing that jumps out at me is that both these men have solid family lives. Bothra posts on his blog about spending time with his wife and family; when I interviewed Simic he had just returned from paternity leave. Though well remunerated for their skills, perhaps they’ve realized there is more to life than just cheap thrills and fast money?

“The more you earn, the more you want to earn,” admits Bothra. “This happened to me as well. When I earned $10,000 a year, I wanted to earn $50,000… I make $50,000, I want to go beyond, to one lakh [$100,000]. So this thing will never stop. You have to define your goals, how much money is good for a luxurious life and your savings – that even if you go one day, that money can look after your family. You have to plan everything. Even I stopped at a particular point.”

“I think it's just a sense of right and wrong,” says Simic, who was himself a victim of hacking during his previous job as a software developer. “I've been on the receiving end of it in the past, and it's not a good feeling. And I like consistency in my life. I'm very fortunate to live in modern society. I have a certain skill set, whereas my dad worked in a factory most of his life. I'm never going to have to do physical manual labor. And so that's my baseline – if I can do better than that every year, a little bit, I'm good to go.”

ADVERTISEMENT

But Bothra and Simic are both grown men who’ve had the chance to flourish in their chosen professions and cultivate balanced lifestyles that they find satisfying and fulfilling. As a last port of call, I want to talk to a younger person with hacker skills about the pitfalls of temptation one can encounter in the cyber field.

Simic offers to put me in touch with his nephew, Daniel Railic. At 19 years old, he has already been a certified white-hat hacker for five years – like many in his field, he discovered and developed his talent for computers from an early age. Railic has thrown his hat into the white ring – but does he worry about the psychological effects the power of hacking can have on teenagers, given the brain is still developing during formative years?

“Yes, for sure,” he allows. “I think a large part of it is how hacking is portrayed in the media. In movies, the hackers always look super cool and smart, which definitely appeals to the younger crowd.” But Railic points out that teens seeking thrills by running counter to the law is nothing new, and in most cases – in his experience – it amounts to little more than harmless fun. “The idea of potentially breaking into things and getting into some gray areas is appealing when you're a kid, for the same reasons it always has been,” he says. “Now personally, neither I myself nor anyone I ever came across got into hacking because they had some malicious purpose in mind. It's the knowledge that they can do malicious things that they find appealing – it's just fun and cool to think about.”

Talking to Railic, it strikes me that he and his friends and associates probably fall into the “three out of ten” category of intelligent hackers that his uncle was talking about, or perhaps even the Robin Hood type described by Bothra. Whatever your take on that, Railic doesn’t seem to think the effort and smarts required to become a true innovator in the field tally with somebody displaying Hare or Cleckley’s criminal traits.

“Every hacker I know does it because they just find it fun,” says Railic. “They are usually some kind of geek or nerd who spends a lot of time in front of the computer, usually starting with an interest in programming or networking or some other computer science field, then transitioning into cybersec. Personally, I got into it after learning how to make video games. For most hackers, it is just like solving puzzles. It requires tons of studying, effort, and self-discipline to get anywhere. I don't think the average rebellious teen, ‘rich kid,’ or criminal would be interested in putting in the work.”

My one big takeaway from this is that the black-hat community is itself a gray area, and putting such a broad cross-section of people under a single umbrella defined by breaking into digital systems without express permission simply isn’t nuanced enough. There are cyber thugs using the virtual guns to stick up corporations and hospitals, and there are the true innovators – and depending on the circumstances into which they were born, these can end up working with the thugs, being employed by a rogue nation like Russia, or crossing the line to join the white-hat community (“the people that you want working for you on the other side,” as Simic puts it).

It seems then that unpicking the psychology of black-hat hacking is every bit as complex as understanding the technical requirements of the field itself. As with all forms of crime, cultivating a more inclusive society seems to be the best deterrent against it, but even that is no guarantee that someone won’t choose to put on the black hat anyway.

Or, as Bothra puts it: “As long as you care about your identity, and about being in the public, you will choose things for the good. As I mentioned, most of these guys are people who are left out from society. They might not have family, or even know who their family is. But there are people who are motivated by the potential of earning from black-hat hacking. It's always hard to control the intentions of somebody, you cannot reach out to every single audience.”