Between Two Nerds: The kid to criminal pipeline - Risky Bulletin

Summary6 min read

**Risky Business News: Episode Summary
Title: Between Two Nerds: The Kid to Criminal Pipeline
Release Date: December 2, 2024
Host: Risky.biz
Description: Regular cybersecurity news updates from the Risky Business team.

Introduction

In the December 2, 2024 episode of Risky Business News, hosts Tom Uren and Gruuk engage in a deep dive titled "Between Two Nerds: The Kid to Criminal Pipeline." This episode explores the troubling trend of young individuals transitioning from online gaming communities into serious cybercriminal activities. Drawing from real-life cases and personal insights, the hosts dissect the underlying factors that contribute to this pipeline and its broader implications for cybersecurity and society.

The Kid to Criminal Pipeline

The discussion centers around a specific case inspired by a YouTube video about a young individual named Noah (last name unspecified). Noah's trajectory from playing Minecraft to engaging in sophisticated cybercrimes highlights the rapid escalation possible within just a few years.

Noah’s Journey:
Tom introduces Noah's story, detailing his progression from a Minecraft enthusiast to involvement in sim swapping and cryptocurrency theft. By age 21, Noah was arrested, exemplifying a swift descent from harmless online activities to significant criminal behavior within a span of three to four years.

“He starts doing the hardcore aggressive Minecraft sim swapping type thing around 16 or 17 and by 21 or so he's arrested, which is speedrunning any percent Minecraft to jail.”
[01:56]

Comparison with Older Hacker Cultures

Gruuk contrasts Noah's experience with the hacker culture of 20-30 years ago, emphasizing the shift from curiosity-driven exploration to financially motivated crimes.

Hacker Ethos Then vs. Now:
Gruuk reminisces about the traditional hacker image—curious individuals breaking into systems to learn and explore, not necessarily for financial gain.

“People who are curious, people who find solutions in clever ways... there’s a whole lot of hackers who don’t know how anything works and do sim swapping and stuff like that.”
[02:39]
Evolution of Motivations:
The hosts note that while older hackers sought recognition and problem-solving satisfaction, modern cybercriminals like Noah are more driven by financial incentives, facilitated by advancements in technology such as cryptocurrency.

Motivations Behind Young Criminals: Social Status and Competition

A significant portion of the conversation delves into the psychological and sociological drivers that push young men towards cybercrime.

Innate Competitive Nature:
Gruuk posits that the competitive drive among young males for social status channels into cyber activities, whether for recognition or financial gain.

“These kids are not criminals in the sense of they're out to make a lot of money... it's more like the money came along with them just doing the thing they liked.”
[03:32]
Social Recognition Over Financial Gain:
The immediate pursuit often revolves around gaining kudos and status within their peer groups rather than the proceeds of their illicit activities.

“The sense I got from the video was that it was much more about kudos and status than it was about the proceeds of crime.”
[03:53]

Consequences and Rehabilitation

The episode highlights the impact of arrests on young cybercriminals, often serving as a turning point towards rehabilitation.

Life-Changing Arrests:
Arrests, though sometimes resulting in minor legal consequences, can be life-altering, pushing individuals towards more constructive paths. Gruuk shares insights from a UK case where the apprehension led to a sense of relief and a cessation of criminal activities.

“I remember a kid that got caught in the UK... he was like, I just, I feel a lot better now that it's sort of over with.”
[18:06]
Positive Influence of Law Enforcement:
In some instances, like the Mirai botnet case, law enforcement officers have played a role not just in arresting but also mentoring young offenders, steering them towards legitimate careers in cybersecurity.

“They got arrested by the FBI, a life-changing event... that particular agent had a positive influence.”
[16:10]

Role of Online Communities

Tom and Gruuk discuss how online platforms like Minecraft, Discord, and Telegram serve as breeding grounds for both positive interactions and malicious activities.

Community Influence:
Engaging in communities trending towards illegal activities can facilitate the escalation from minor infractions to significant cybercrimes through mechanisms like "purity spirals," where members continuously up their game to achieve higher status.

“If you have a community that's trending towards doing edgy, slightly illegal things, then it's very easy for that group to escalate.”
[19:15]
Balancing Good and Bad:
While online communities offer immense positive value, providing support, education, and collaboration opportunities, they also pose risks when influenced by negative peer pressure and the allure of quick financial gains.

“It's hard to say that online communities as a whole are a bad thing... there's a lot of good stuff and then there's some bad stuff as well.”
[20:24]

Technological Facilitation and Escalation

Advancements in technology have made it easier and more lucrative for young individuals to engage in cybercrimes, reinforcing the pipeline from minor misdemeanors to major offenses.

Ease of Access and Impact:
Modern technologies enable actions like sim swapping and cryptocurrency theft to be executed with minimal technical expertise, yet with significant financial repercussions.

“It’s a lot easier to do something really damaging... now you can steal all of Microsoft source code and gaming companies and extort them for money.”
[21:16]
Lack of Off-Ramps:
The current lack of accessible, legitimate pathways for technically inclined youths to channel their skills into productive endeavors exacerbates the issue, making crime a more attractive option for status and financial gain.

“There isn’t a way that they can do edgy things harmlessly and then the financial incentive is actually to commit more crime.”
[21:16]

Conclusion: A Natural Outgrowth with Modern Challenges

The hosts conclude that the "kid to criminal pipeline" is a natural progression influenced by inherent social dynamics among young males and the amplified opportunities presented by contemporary technology. However, the lack of effective off-ramps and the high stakes of modern cybercrimes necessitate urgent attention from both cybersecurity professionals and societal institutions.

Final Takeaways:
- Inevitability of Cybercrime Among Young Males:
  Gruuk asserts that as long as opportunities for dubious activities exist, young men will exploit them, driven by their competitive nature.
  
  “If there's a stupid thing to do, there's a man who's going to do it.”
  [06:04]
- Need for Secure Systems and Positive Reinforcement:
  Enhancing cybersecurity measures and creating more avenues for positive reinforcement in technical fields can help mitigate the pipeline.
  
  “If everything was secure then these kids wouldn't be able to steal.”
  [21:10]

Overall, the episode underscores the critical intersection between youth culture, online communities, and cybersecurity, advocating for a balanced approach that fosters positive engagement while mitigating risks of criminal escalation.

Notable Quotes

On Competitive Nature:

“If there's a stupid thing to do, there's a man who's going to do it.”
Gruuk, [06:04]
On Social Status and Crime:

“The sense I got from the video was that it was much more about kudos and status than it was about the proceeds of crime.”
Tom, [03:53]
On Rehabilitation:

“He was like going to nightclubs and spending $200,000 a night on bottle service.”
Gruuk, [13:45]
On Technology's Role:

“If everything was secure then these kids wouldn't be able to steal.”
Gruuk, [21:10]

This comprehensive discussion in the Risky Business News episode sheds light on the complex pathways leading young individuals from online gaming and social platforms into the realm of cybercrime, emphasizing the need for robust cybersecurity practices and supportive interventions.

Loading summary

Transcript88 lines

[00:04]
A
G'day everyone. This is Tom Uren. I'm here with the Gruk for another Between Two Nerds discussion. How are you, Gru?
[00:10]
B
I'm good, Tom. And yourself?
[00:12]
A
I'm well. This week's episode is brought to you by Push Security, which make an in browser identity and threat protection system. So it seems this week we've reached the old man shouting at cloud phase of Between Two Nerds where we talk about how the young kids these days are just so bad and terrible.
[00:36]
B
I mean, back in my day.
[00:37]
A
Yeah, yeah. So this is all inspired by a video that you found on YouTube which was about a kid called Noah. I can't remember his last name. Anyway, he's been arrested in the US and the video talks about his journey from being a kid who played Minecraft. And we spoke about the telegram to crime pipeline, but this actually starts further back and it's.
[01:07]
B
This is the Minecraft.
[01:10]
A
So discord, I think telegram is still involved, but Minecraft discord, telegram to crime. And the story is that he gone into a. I don't think fringe is the right word, but a Minecraft server where there were some people who were doing things like sim swapping that led him to like a music discord where other people were stealing unreleased music from artists. Apparently this is a thing and you buy and sell it and then cryptocurrency, sim swapping to steal cryptocurrency and then eventually arrested.
[01:50]
B
Right. And from beginning to end there was like a three year or four year journey.
[01:54]
A
Yeah, it's not a long time, is it?
[01:56]
B
Yeah, he starts doing the hardcore aggressive Minecraft sim swapping type thing around 16 or 17 and by 21 or so he's arrested, which is speedrunning any percent Minecraft to jail.
[02:12]
A
That's right, yeah. And we thought we'd contrast that with. With how hacker types were brought up, the environment they were in maybe 20, 30 years ago.
[02:26]
B
Yeah. So like the thing that I was thinking about immediately was the whole my crime is curiosity. I'm out there and I'm breaking into systems and then learning how they work and exploring and yeah, hacker in the.
[02:40]
A
Sense of someone who plays around and experiments.
[02:43]
B
Right. Like the very old sense that people are always insisting is what hacker really means. Like it's not, you know, it's not criminals, it's, you know, people. People who are curious, people who find solutions in clever ways. And I'm not discrediting that, but there's certainly a whole lot of hackers who don't know how anything works and do sim Swapping and stuff like that. The thing that I found sort of particularly interesting is, so there was this kid and he had huge amounts of money at a very young age. Like he was 20 years old or something, and he had millions from all this crypto stuff, and he didn't know what to do with it. And that strikes me as this kid, he was not a criminal in the sense of, like, he set out to make a lot of money.
[03:32]
A
Right.
[03:33]
B
And so how do I make a lot of money? What's a crime I can do? Let's do this crime and make the money. It's more like the money came along with him just doing the thing he liked. Right. So he was hanging out with friends. They were sort of doing these, like, competitions between each other to see who could, you know, scam the most. Or they're basically counting coup between each other.
[03:53]
A
Yeah. The sense I got from the video was that it was much more about kudos and status than it was about the proceeds of crime. And I guess that is a similarity to the old days. Like, people did hacker things because they got recognition and status from it, but there was no serious crime aspect that was financially lucrative.
[04:21]
B
You weren't hacking an ax box at a computer lab and also getting $200 million in crypto. That's right. So about 10 or 15 years ago, I gave this talk on cyberwar, and one of the key things that I was pointing out was that you're never going to get rid of hackers because the core demographic for people getting into hacking is going to be your young teenage male. And that's an age where men are competing with each other for relative social status. So within the group that you are part of, you will compete to see who's like, the best of that group. Right. So if you are in the military, then there's a. That's channeled and there's certain pathways that they have to exploit that, that drive among men to get you to do various things. If you're doing bikes or skateboards or whatever, you will try to learn tricks or whatever skills to show that you have high status in that group. If you're dicking around with computers, you will try to hack and show that you can do things that your friends can't do. You know, write exploits and so on. And it's. It's still that same drive that is making, you know, young men do this. My point was that this is like an innate human trait that is channeled through this technology into this sort of activity. Not everyone, but it certainly it exists as a pathway and as long as it's possible to do something, men are going to do it. Because young men are dumb.
[06:05]
A
As I think it's more. As long as it's possible to do something stupid.
[06:11]
B
As long as there's a dumb thing to do, men are going to do that dumb thing.
[06:14]
A
Yeah, yeah, yeah. And just to be clear, women can do many things, they're just less likely to do the dumb things.
[06:24]
B
Absolutely. Like, I think that the takeaway is, like. I think it needs to be like, Tom's Law, like, if there's a stupid thing to do, there's a man who's going to do it. So I think that that's the biological sociological driver behind this. It's that, you know, these kids are not criminals in the sense of they're out to make a lot of money and they've. They tried kidnapping and it didn't work for them. And, you know, they did a bit of bank robbery and it just. It wasn't really their jam. So they went into crypto scamming and sim swapping and, you know, draining Coinbase accounts because that just sort of. That felt more them, you know, that really spoke to their. Right. I mean, it's. It's that they're. They were basically hanging out with people who were doing sim swapping to, like, steal their opponent's Minecraft accounts or something along that line. It was sort of. It was criminal, but it was sort of innocuous. And then one of their group is like, I do sim swapping and I made, you know, $10,000 by stealing from an actual person as opposed to a child.
[07:34]
A
Yeah. I guess the slightly older story I've heard about is the. The bloke who wrote Mirai, I think there was three of them and, like, the actual circumstances are slightly different, but the dynamic is the same. And they were. I think, again, it was Minecraft, but it was DDoS attacks, stressors and Buddhas, and they were taking down other servers by launching DDoS attacks. And that's how they got involved in writing Mirai, the botnet, of course.
[08:06]
B
Right, yeah.
[08:07]
A
So the dynamic was the same. It was social status within a subgroup or a culture or whatever. The exact specifics were slightly different.
[08:17]
B
So I think we've identified two Minecraft to criminal pipeline that exists. You know, parents check your computers for Minecraft.
[08:28]
A
Yeah. I guess one of the things is that back in the day you'd have hacker types, they'd do legal stuff, but there were never. Most of the time, the vast majority of the Time there were never any consequences because the stuff that was illegal didn't actually amount to all that much. Like you couldn't steal hundreds of millions of dollars. And so those people eventually grew up.
[08:56]
B
Got cybersecurity jobs you could grow and.
[09:00]
A
Are now scis.
[09:03]
B
And are now getting arrested and put in jail for doing bad stuff with sizes. I think you're onto something because like I know several people who did stuff got caught, some of them got prosecuted and what would say like a slap on the wrist, which, you know, still, I think it's still quite a lot for like a kid mucking around on a computer.
[09:27]
A
Right? Yeah, those things are life changing regardless of how seriously you're punished.
[09:32]
B
Right. But it's not the same as like stealing $100 million.
[09:38]
A
Right.
[09:38]
B
Like the consequences just they're not comparable in any way. And I think that that's a problem these days in that the ability to do the stupid things that you can do now have much higher consequences because the money is so big.
[09:58]
A
Right.
[09:59]
B
People are always going to do dumb. Well, men, young men are always going to do dumb things. And as long as those dumb things aren't life changing, they'll grow out of it. And I think there's too many dumb things that are life changing now. And I like, I think that that's a problem.
[10:16]
A
Yes. This is a wolf man chatting at Cloud Portion.
[10:22]
B
Yeah, I feel it's a problem that it provides an easy opportunity for people to make irreversible mistakes and I wish that that didn't exist, that they weren't tempted to make those mistakes, those opportunities to make that sort of life altering decision didn't exist. Like I think it would be better that these kids could do their dumb stuff, grow out of it and then be productive as opposed to like.
[10:47]
A
Yeah, I mean that would be better. I mean you said life altering decision, but I don't think they even make a decision. Right. It's just.
[10:52]
B
Right, right.
[10:54]
A
You know, it's a sort of pathway that seems like a good idea at the time.
[10:58]
B
Yeah, I mean they absolutely do fall into it. You know, it it's, I mean you could see from that video it was just a straight escalation, one step after another where everything that he was doing was just that little bit more than before. So he'd go from sim swapping and stealing accounts on Minecraft to sim swapping and doing something slightly more aggressive and then a little bit more than that. And within a few years he's draining crypto accounts and at no point did he go all right, I'm going to steal millions of dollars.
[11:35]
A
Yeah.
[11:35]
B
It wasn't a thing that he decided to do at any point. It was just this natural progression of every step. Just a little bit more edgy than the last one, a little bit more hardcore. There seems to be quite a few of these hacker groups where there's these 20 year old, 19, 20, 21, who have done something that got them huge amounts of money and they don't really know what to do with it. If you're 19 and you go from living with your parents to having $100 million, you don't have any life experience to draw on. To be like, this is how I'm going to invest and I'm going to be careful to not get caught by spending too much and drawing attention. They have none of that experience. So there was a Twitter threat from Zack, XBT like a month ago. I think that was very interesting. So he's sort of tracking this group and they had a Discord server where they were playing, like they were videotaping themselves, like doing this hack. Like collectively they were like making a record of the hack where they stole like $250 million in crypto.
[12:54]
A
Yep, yep. Where status trumps opsec.
[13:02]
B
Absolutely. And so they stole all of this money and one of them is like, oh, lol. We're going to be hunted by the feds now. This is big. Oh, the FBI are after us. Ha ha, ha ha ha. And like a month later, they're all arrested, of course. But you know, at the time, it's all fun and games. Yeah. Like, he just, he followed this one kid who took all the money. He went to Vegas and like, he didn't know what to do. Like, he was trying to be cool. So he was like going to nightclubs and spending $200,000 a night on bottle service. And people just thought he was an asshole. I think that might be another thing is that the niche groups that these guys are part of are not like the cool kids, Right?
[13:45]
A
Yep.
[13:46]
B
And so when they suddenly have money and they're like, okay, now I can be cool, they don't know how to actually be part of those communities. And so they screw up again by like trying to buy their way in and just seeming off putting to everyone else. But, like, the funniest thing about this kid in Vegas was when he bought a pink Lamborghini and like a $20,000 handbag and he sent a pict to this girl saying, I got you a present. And her response was, I have a boyfriend.
[14:20]
A
I mean, that goes to show how uncool you've got to be. Right. Like, if you were moderately cool, I think most people would not shut you down like that. They'd at least.
[14:30]
B
They'd probably take the Lambo at first and be like, so anyway, at least.
[14:35]
A
Take it for a spin.
[14:40]
B
Basically. I think the conclusion is there is a real pipeline. There is this real. If you start sim swapping and doing aggressive online stuff now, you will escalate and like, it doesn't stop.
[14:54]
A
Right.
[14:55]
B
Or maybe I'm wrong. Maybe.
[14:56]
A
Well, I think there is a pipeline, but I don't think it applies. Obviously it can't apply to everyone on.
[15:01]
B
Those servers because if you snort a pot once, then you will be smoking the heroines on your Mirai server with the Minecraft. I'm pretty sure that's how it works. I mean, I think you're right. I mean there's obviously people who can like, they sim swap and they grief and they do booting and they can take it or leave it. And then at some point it's just, it's boring kid stuff and they do other things with their lives without ever progressing all the way down that path.
[15:31]
A
Right, yeah. So I was thinking about the Mariah kids again. And so one of the stories I think might have been Andy Greenberg wrote it up in wide was the story of how they got arrested. And in at least the way he writes it up, the FBI agent actually seems like a bang up, decent bloke and he managed to in the process basically turn their lives around and in a way became a mentor to at least some of the kids. And so I think some of them are now working in cybersecurity firms and stuff like that. And so getting arrested by the FBI, life changing event.
[16:11]
B
Best thing that ever happened to them.
[16:14]
A
Well, like that is funny, but maybe it is. And I think it certainly seemed like that particular agent had a positive influence throughout that whole, I guess, journey for them. But it seems like they were not so far gone like that. It seemed like they were redeemable, which is, I don't know, maybe that's true for even these kids.
[16:39]
B
Yeah, I don't think they're hardened criminals, but after being in jail and prison, then I guess we'll see. But yeah, I mean, I think that the Mirai kids went very much from booting and stressing to like doing Mirai as just an extension of that, as opposed to they didn't go into like crypto theft and they weren't stealing from other people.
[17:03]
A
Yeah, yeah. The personal injury Was not there.
[17:06]
B
I mean, I think that that absolutely plays a part. That's definitely.
[17:09]
A
It seems more nowadays, even though Miria was not that long ago, that you can fall into groups where people are physically violent or swatting and hiring hitmen or people to beat up other people.
[17:23]
B
Yeah, that whole violence as a service thing.
[17:26]
A
Yes, that's the word I was looking for.
[17:27]
B
Yeah. Which also came up in that video.
[17:30]
A
I mean, in this particular story, the kid involved Noah. He was worried about the FBI, and he was also worried about being physically attacked by other people. And so he. If I remember rightly, he was like, couch hopping or Airbnb hopping Airbnb because he had money.
[17:53]
B
Yep.
[17:56]
A
But that still wasn't enough to get him to stop. Stop. Yeah. It wasn't until the FBI turned up and arrested him that he stopped.
[18:06]
B
Yeah. So, I mean, I remember there is a. There's a kid that got caught in the uk and one of the things he said was that it was a huge relief. Like, basically he had been so stressed about when he was going to get caught, he couldn't stop doing what he was doing. Like, he was basically addicted to the rush of it or whatever. But when he finally got caught and he could confess, and I was just like, I'm done now. Like, I don't have to worry about it anymore. It's like, you're still going to jail and things like that. But all of those stressors that he'd had before, like, left. He was like, I can, you know, I just. I feel a lot better now that it's sort of over with. Which I thought was a little bit interesting.
[18:48]
A
So there's good evidence, or at least looking back at my own life, I wasn't really fully an adult until about 25. And in Australia, there's this proposed law. I don't know if it'll go anywhere to stop kids from using social media until they're 16, but in the context of this discussion, that's just way too young. Should ban it until they 25.
[19:15]
B
Yeah, absolutely. Social media is fine. It's Minecraft. Minecraft and Telegram. Those are the problems, you know. But, yeah, like, Minecraft makes sense as a thing. That would be problematic simply because it gets you involved in a community. And if you have a community that's trending towards doing edgy, slightly illegal things, then it's very easy for that group. I think we talked about it before, Purity spirals.
[19:46]
A
Right.
[19:46]
B
Where it's sort of like everyone's trying to be the ideal member that they envision, and the Ideal member is like the guy who's a little bit more criminal than they are right now. So they sort of self drive and not every community does this obviously. Like they can pursue any number of things. Like the purity test that they have could be anything. But if it's sim swapping and just doing crimes to people then it's going to escalate because that's just the purity thing that they're on.
[20:24]
A
Yeah, but I mean it's hard to say that online communities as a whole are a bad thing. Right. So it's just maybe, yeah, that's the, there's a whole lot of good stuff and then there's some bad stuff as well.
[20:36]
B
So yeah, it's one of those things.
[20:38]
A
Of like $250 million in crypto theft is just the price we pay for Minecraft.
[20:47]
B
So yeah, I mean I think that the good far outweighs the bad. I don't want it to seem like I'm saying that, you know, online communities are a problem. I'm saying that any group of dumb young men is a problem or is a potential problem, but not all of them are. And you know, I think online communities have been overall very, very positive.
[21:08]
A
I mean, how could it be different? Right?
[21:10]
B
Well if everything was secure then these kids wouldn't be able to steal. So that's our take home message.
[21:16]
A
Well, I sort of felt like the conclusion was that this is just a natural outgrowth of the way the world is. And I suppose the real problem is that there isn't a way to, that they can do edgy things harmlessly and then the financial incentive is actually to commit more crime. Rather than in the old, the good old days the financial incentive was to grow up and get a real job.
[21:47]
B
Right.
[21:49]
A
And so you've got this dynamic where it's both easier and more lucrative and it reinforces the social status. Whereas in the past only one or two of those things was true and eventually people would self correct. And so that seems to be the fundamental problem coupled with the fact that it's a lot easier to do something really damaging. So yes, I guess back in the day it wasn't possible to be a hacker and steal all of Microsoft source code and gaming companies and extort them for money. Like that just wasn't a thing you could have done. Just wasn't possible.
[22:34]
B
Yeah, it should be pointed out that these kids, like the snow kid that's doing the sim swapping stuff, they're not particularly technical, they're not really on the hacker pathway of finding bugs and exploiting things and then making money from that. Right. They were just doing crime things that involved computers. But I think for people who are technical and who are getting into doing edgy stuff, there is an off ramp, which is quite like. It's attractive because it, you know, it has status as well. Right. Like the leaderboards and all of these other, you know, there's like the YouTube communities that exist around it.
[23:15]
A
Right.
[23:16]
B
And all of this stuff. So I think that it's better now as well than it used to be. When we were that age, there weren't bug bounties, like legitimate pathways where you could hack someone and also get paid for it. Right. Where you could do those edgy things and achieve status and money. Yeah. So I think things have changed and some of those changes have been very positive. There are a lot more communities that you can join. Only a small percentage of them are going to go into crime. And there's a lot of opportunities to do, to pursue hacking type things in ways that are positively reinforced.
[23:58]
A
So what you're saying is the hackers are all right. It's just the rest of the kids that are terrible.
[24:08]
B
Thanks a lot, Tom. Thanks.