I was suddenly surrounded by three FBI agents and two State police officers with guns pointed at me, each shouting commands to show my hands and place them on the desk in front of me. They caught me by surprise. I had seconds to come back from my psychological whiplash and obey, feeling their guns pointed at my back from where I stood and knowing that one wrong move could spell death.
It was on the eve of Friday, June 26th, 2009, that I found myself in handcuffs and sitting in the back seat of a black SUV between two FBI agents. We were heading to Lew Sterrett County jail, which would begin the first leg of the longest journey of my life – serving time for hacking.
Earlier that evening, I showed up to work – it was my last day on the job. I had just been hired by a local Internet Service Provider as an entry-level network security analyst, a career move that was going to become a catalyst in converting this black hat to a white hat, or something close to that. At the time, I didn’t realize that none of it mattered anymore. I thought I was just going to be interrogated and released. But it wasn’t that simple.
Nope. When hacking is involved, you aren’t passing Go. You aren’t collecting $200. You’re going straight to jail. The only good thing that happened that fateful evening was that the leading FBI case agent let me use a phone to call my wife and notify her that the FBI was standing outside her door to our apartment. Otherwise, they were going to break it down.
The raids that took place against me and my place of residence were not as hostile in comparison to other hackers, like the hacktivist KYAnonymous who exposed the Steubenville rape case over a decade ago. He was stormed by 12 SWAT team agents, pointing M-16 assault rifles. According to him, he was not even Mirandized while he was detained or told his right to an attorney. He also stated that law enforcement did not provide names and badge numbers after he asked multiple times.
To emphasize the level of zeal the FBI can seemingly have when investigating a cybercrime, FBI vehicles surrounded the entire block my sister lived on, with around 20 armed agents that raided her over deleting an email from an account of mine the Feds were watching related to my cybercrime case. My sister related the events, saying that at first glance, it looked like either a family reunion or a funeral on her block. She had no idea it could be the FBI.
Crazy_C, a former carder and credit card fraudster, alleged that he was in an eight-hour stand-off with 50 members of Dallas SWAT, including the Secret Service, in connection with an access device fraud case.
Makes you think about how the FBI might perceive “computer geeks.” I guess it takes a specially trained task force to apprehend hackers. Which, when you think about it, is rather flattering because I think they sent fewer men (two dozen Navy SEALs) to try to apprehend the most wanted man in the world, Osama Bin Laden.
That is to say, the FBI deployed nearly as many agents to apprehend my KYAnonymous, Crazy_C, and my sister as soldiers that took to kill the mastermind behind the biggest terrorist plot in recent history. I mean, it makes sense when you can literally throw a computer mouse as fast as you can throw a grenade.
According to one source, a mere five percent of cybercriminals are captured, underscoring the formidable difficulties faced by law enforcement agencies in apprehending and bringing these perpetrators to justice. That is why computer hacking sentences are oftentimes over-penalized and can be draconian, especially in the United States. We’re hard to catch. But when one of us is caught, they will usually try to make an example out of us. This is what happened to me.
Felony hacking charges can carry up to ten years in prison, with insurmountable fines. This is determined by the United States Sentencing and Guidelines Commission, which uses algorithms to calculate advisory sentences. However, since these are guidelines, judges can exceed advisory sentences and stack criminal charges as opposed to running them concurrently.
For example, under the Computer Fraud & Abuse Act (CFAA), Unauthorized Access to a protected computer system under 18 U.S.C. § 1030 can range a statutory maximum between 10 and 20 years imprisonment or as low as 6 months imprisonment if a judge feels the sentence is justified and promotes respect for the law.
Search and seizures
This phase of the investigation can not begin without a judge’s consent. This means that the FBI must ask a judge’s permission to consent to search and seize specific items that are relevant to their investigation.
Therefore, if your door is being kicked in by the Feds, expect the sanctity of your dwelling to be thoroughly violated. Concerning cybercrime, anything that could be connected to the crime will be collected and entered into evidence. If it turns out the item that was seized is not relevant to the investigation, it may be returned months later, or even years.
When the FBI stormed my home, they seized a couple of computers, a stack of blank DVDs, a black composition notebook with all my hacking notes, and a three-ring binder containing a log of screenshots from many of the exploits by my hacking group and me.
This meant that the IP addresses of targets I had hacked, logins to remote desktops (RDP), and other services I had set up illegally on remote computer systems, including all my sensitive notes and private thoughts, fell into the wrong hands.
But there was a silver lining. Since the statute of limitations has well expired, I will say the FBI missed the proverbial elephant in the room. It was a blue duffle bag sitting opposite the front door, containing my detailed journal, a collection of USB thumb drives, and other interesting things. In my case, the investigation, collection, and interpretation of evidence was messy.
One of my members, who went by the name “X0N,” was also raided, and thousands of dollars' worth of server equipment was seized. This happened only days after the equipment was purchased.
The server equipment wasn't returned to him until so many years had elapsed that the gear was then obsolete, even though their prolonged possession of the equipment violated his constitutional rights of protection against unreasonable searches and seizures. The equipment was returned in pieces.
He was never indicted for any wrongdoing. Allegedly, whenever he inquired about the return of his property, he was told that if he wanted his equipment back, he would have to become an FBI informant. Since he never agreed to these terms, the gear was never promptly returned.
Because I sent a coded message from jail to another member of mine the FBI was about to raid, they largely came up empty-handed. But because they were privy to the code I sent, my prison sentence was increased for obstructing the administration of justice. Like most things in life, there are profound consequences when attempting to undermine an FBI investigation. As crazy as this sounds, it was worth it, as it kept the investigation on me and not on him.
This phase of the investigation is vital to the government, which means what you say or don’t say will impact the trajectory of your life from here on out. The reality is that at this juncture in time, there isn’t a thing you can do about the inevitable truth that you are going to jail. I didn’t know this at the time. I wasn’t privy to the reality of what ensues when you find yourself on the other side of the law, in handcuffs.
I was electronically fingerprinted. I noticed the login to the Windows NT computer system written on a yellow sticky note stuck to the side of the bulky monitor. Next, I was led to an interrogation room where I sat at a table with an FBI agent beside me and another across from me. It wasn’t like anything I’ve seen in any of those TV shows about detectives.
It doesn’t matter what the FBI wants to know about you, your activities, who you know, or who was involved. The most critical element of this investigation is that you plead the Fifth Amendment (which is your right to remain silent) and that you request to speak to an attorney. You have to remember that law enforcement is not the judge. This means that no matter what they say to try to change your mind, what happens to you is not up to them. Your guilt (if any) is not determined by them but by the judge.
I highly advise you not to cooperate or become an informant because if you find yourself in this legal predicament, you must take responsibility for your actions and not try to ruin the lives of others, regardless of their guilt. But also, you will not be embraced by the hacking community once it is all said and done because everyone will have a good reason not to trust you.
Most importantly, just because they may assure you that if you cooperate with them and give them the information they want, you could receive a more lenient sentence doesn’t mean it is within their power to do that. That can only be granted at the behest of a judge.
Therefore, there is no guarantee that it will happen, and by incriminating others, you will run a high risk of turning a simple hacking case into a case involving Conspiracy charges. The statutory maximum carries life in prison if the government determines that there is an aggravating factor. Otherwise, it carries a maximum penalty of ten years in prison.
Since hackers of all flavors typically conspire with others on joint research projects and group operations, the following is a big deal, as it can dramatically impact how hackers are charged and sentenced.
Conspiracy is defined as the collaboration of two or more individuals to formulate a plan aimed at engaging in conduct that ultimately results in the commission of an offense. Essentially, it occurs when individuals agree to undertake actions that entail the commission of a crime.
By acting as an informant in the hope of a lesser sentence, the person(s) you inform against can turn around and inform against you, in addition to dragging others into the criminal case. These can offer more incriminating information against you.
The important thing to take away from this is that felony hacking charges can be exceedingly steep. For this reason (and others), I always say, “Please hack responsibly.”
More from Cybernews:
Subscribe to our newsletter