Latest news with #hacker
Yahoo
2 days ago
Attacker Swipes $4.5 Million From Credix Using Unbacked Stablecoins
A hacker swiped $4.5 million worth of crypto from decentralized finance protocol CrediX on Monday, according to blockchain security firm CertiK. The funds, which still appear to be under the attacker's control, were then bridged from Sonic, a layer-1 network that debuted last year, to Ethereum, CertiK said in a post on X. CrediX acknowledged on X that a security breach had occurred, and that its website had been taken offline. It then promised that 'all funds will be recovered in full' within two days. As of 11 a.m. Eastern Time, CrediX's website was still offline. And within CrediX's official Telegram channel, some users clamored for advice on how to withdraw funds. The attacker was able to gain access to an administrative account that allowed it to mint unbacked stablecoins on CrediX, according to Peckshield. Using these funds, the attacker was able to withdraw other assets that users had posted to CrediX as collateral, it said on X. The attacker was given special privileges on CrediX six days ago, according to blockchain security firm SlowMist, which confirmed on X that the protocol had been drained. CrediX bills itself as an aggregator and optimizer allowing users to engage with multiple DeFi protocols in one location, such as Compound and Aave. On X, CrediX said last month that users can earn an annual interest rate of over 10,000% by lending assets on the platform. In 2022, the former Securities and Exchange Commission Chair Gary Gensler warned there may be 'a lot of risk' behind yields that sound 'too good to be true.' His comments followed the collapses of Voyager Digital and Celsius Network at the tail end of the pandemic-era crypto boom. Sonic's mainnet debuted in December, not long after the network was rebranded from Fantom. Around $437 million worth of assets are currently used in DeFi protocols, according to crypto data provider DeFiLlama. 
CrediX has detailed plans for an airdrop centered on its upcoming CREDIT token; however, it hasn't been released yet. On Monday, Sonic's native S token rose 1.6% to $0.30, but the token's price has decreased 39% over the past month.
Yahoo
4 days ago
Arkham Says $3.5B LuBian Bitcoin Theft Went Undetected for Nearly Five Years
A crypto wallet tied to a little-known Chinese mining pool may have been the victim of the largest bitcoin theft ever recorded, according to new findings from Arkham Intelligence. In an Aug. 2 thread on X, the onchain analytics firm said it had uncovered evidence that 127,426 BTC — worth $3.5 billion at the time — was stolen from LuBian Mining Pool in late December 2020. Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach, and Arkham said it is the first to report the incident. LuBian was one of the largest bitcoin mining pools globally in 2020, reportedly controlling nearly 6% of Bitcoin's total hash rate as of May that year. The hack, if confirmed, would eclipse the scale of other high-profile exploits like Mt. Gox and Bitfinex by nominal value at the time of loss. Arkham's analysis indicates that on Dec. 28, 2020, more than 90% of LuBian's BTC holdings were drained. Two days later, another theft involving about $6 million worth of BTC and USDT occurred, linked to a LuBian address operating on the Bitcoin Omni layer. The company appears to have moved its remaining 11,886 BTC — then worth hundreds of millions — into recovery wallets by Dec. 31, 2020. A notable detail in Arkham's report is the presence of OP_RETURN messages — special transactions that allow data to be embedded in the Bitcoin blockchain — sent from LuBian to the hacker. According to Arkham, the mining pool spent 1.4 BTC across over 1,500 transactions attempting to contact the thief, urging them to return the stolen funds. This effort suggests the messages were genuine and originated from the rightful wallet owner. Arkham believes the vulnerability may have stemmed from LuBian's use of a flawed private key generation algorithm that left it susceptible to brute-force attacks. The stolen BTC has apparently remained largely dormant, with the last major movement being a wallet consolidation in July 2024. 
Due to the price appreciation of bitcoin since 2020, the current value of the stolen assets is estimated to be $14.5 billion. That makes the wallet associated with the LuBian hacker the 13th largest BTC holder tracked by Arkham — surpassing the holdings linked to the Mt. Gox breach. As of today, both the hacker and LuBian are believed to still control their respective BTC balances. Arkham has published wallet trackers for both parties, but no additional details about the identities involved have been disclosed.


Fast Company
6 days ago
How your org can avoid being a victim of the next 'SharePoint'
Few cybersecurity threats generate as much alarm as remote code execution, or RCE. This type of flaw allows an attacker to run malicious code on someone else's device—no physical access required. It's a chilling scenario: a hacker, potentially halfway across the world, gains the ability to infiltrate systems, steal data, or disrupt operations. What makes RCE vulnerabilities so dangerous isn't just the immediate impact—it's the unknown consequences that can follow. In just a matter of days, a recently disclosed RCE vulnerability in Microsoft SharePoint, the enterprise platform many companies rely on to store and share internal documents, sent shockwaves of concern throughout organizations, leaving many searching for answers as to what they need to know and how they can protect themselves and their customers. Why did this thing get so big so fast? The SharePoint vulnerability received a severity score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), which is a standardized framework used to assess and prioritize security flaws. A score that high signals a critical risk, meaning affected organizations should apply the available patch immediately. The extreme severity, paired with SharePoint's widespread use in enterprise environments, helped the threat (and the headlines) spread rapidly. When an attack of this scale occurs, it's natural to look for something or someone to blame. Outdated or neglected systems are often among the first to be blamed in cybersecurity, but in this case, legacy infrastructure wasn't the issue. SharePoint is actively maintained, and a patch was already available. The challenge was that security teams typically don't know what's vulnerable until a flaw is publicly disclosed—and from there, it becomes a race to assess risk and apply the fix before attackers can take advantage. 
Protecting company secrets

The SharePoint RCE vulnerability is a reminder that protecting sensitive information starts with controlling who has access to it. One of the simplest ways to keep intruders out is by using multi-factor authentication—the process of confirming your identity with more than just a password. Yes, it can be a hassle to enter a code from your phone, but that small extra step makes it much harder for attackers to break in. SharePoint comes with built-in tools that let organizations control who can see and edit files. But those tools only work if they're used wisely. For example, not every employee needs access to every document. Keeping sensitive files limited to just the people who need them helps reduce the risk if someone does manage to sneak into the system. It's also important to watch for unusual behavior—small signs that something might be wrong. If someone's account suddenly tries to access files they don't normally use, logs in from an unfamiliar location or gets blocked repeatedly when trying to open restricted content, those are red flags. Many organizations use tools like Security Information and Event Management (SIEM) platforms and user and entity behavior analytics (UEBA) to catch these early warning signs. SIEM tools help security teams monitor activity across the network, while UEBA uses patterns and data to flag behavior that's out of the ordinary. Together, they can help stop an attack before it causes serious damage. Now what? Incidents like the SharePoint vulnerability highlight just how quickly a virtual flaw can turn into a real-world problem—exposing sensitive data, disrupting operations and shaking trust. These events offer organizations a moment to revisit the fundamentals: making sure employees know how to recognize phishing attempts, limiting who has access to critical documents and using safeguards like multi-factor authentication to keep intruders out. But the real key is consistency. 
Cybersecurity has to be built into the culture of the organization. That means clear policies, ongoing awareness, and fast action when something feels off. The companies that fare best in the face of threats like RCEs aren't always the biggest or most high-tech—they're the ones that stay alert, respond quickly and prioritize cybersecurity as an essential part of the business.
Yahoo
27-07-2025
The AOL hacking tool that invented phishing and inspired a generation
If you were a teenager on America Online in the mid-'90s, there's a good chance you got it. Unlike a lot of the files flying around the early warez scene, this one wasn't a piece of pirated software like Photoshop 3.0 or a beta of Windows 95. It was a small Windows add-on program for AOL, and it wasn't made by a software company, but by a hacker calling themselves 'Da Chronic.' When you launched it, the title screen depicted the giant disembodied head of AOL CEO Steve Case floating in a sea of flames, set to a funky excerpt of Dr. Dre's 'Nuthin' but a 'G' Thang.' The title, rendered in 3D, spelled out just how far outside of the known, pixelated world you had come: 'AOHell.' In 1995, AOL was how most people in America were getting online, most of them for the very first time. Dialing in over landlines on 14.4 or 28.8 kbps connections, what you heard when you logged on was 'Welcome!' and 'You've got mail!'—as if the internet was your new home away from home. And yet, while it began offering access to the nascent World Wide Web that year, AOL itself wasn't really the internet; it was more like a walled, manicured garden, with a set of cheery web-page-like brand-filled spaces known as 'keywords' and a growing warren of official and unofficial chatrooms. Its blinkered vision of the internet made it, as some have noted, the Facebook of its time. This story is part of 1995 Week, where we'll revisit some of the most interesting, unexpected, and confounding developments in tech 30 years ago. AOHell, initially released in November 1994, was the first of what would become thousands of programs designed by young hackers to turn the system upside down. 
Built with a pirated copy of Microsoft Visual Basic and distributed throughout the teen chatrooms, the program combined a pile of tricks and pranks into a slick little control panel that sat above AOL's windows and gave even newbies an arsenal of teenage superpowers. There was a punter to kick people out of chatrooms, scrollers to flood chats with ASCII art, a chat impersonator, an email and instant message bomber, a mass mailer for sharing warez (and later mp3s), and even an 'Artificial Intelligence Bot.' Crucially, AOHell could also help users gain 'free' access to AOL. The program came with a program for generating fake credit card numbers (which could fool AOL's sign up process), and, by January 1995, a feature for stealing other users' passwords or credit cards. With messages masquerading as alerts from AOL customer service reps, the tool could convince unsuspecting users to hand over their secrets. Da Chronic and his collaborators, The Rizzer and The Squirrel, called this technique 'fishing,' or, using the hacker spelling, 'phishing.' According to Da Chronic, this was a form of protest. As he explained in his Read Me file (and told reporters who managed to reach him), AOL regularly cracked down on hacker chatrooms, but seemed to do little about the many 'pedophiles and child abusers' who were using its platform to trade GIFs and prey on its young users. Outraged by the hypocrisy, he wanted to send a message to the internet's first corporate overlords. 'I think having 20,000+ idiots using AOHell to knock people offline, steal passwords and credit card information, and to basically annoy the hell out of everyone is a good start,' he wrote. Of course, Da Chronic—actually a 17-year-old high school dropout from North Carolina named Koceilah Rekouche—had other reasons, too. Rekouche wanted to hack AOL because he loved being online with his friends, who were a refuge from a difficult life at home, and he couldn't afford the hourly fee. 
Plus, it was a thrill to cause havoc and break AOL's weak systems and use them exactly how they weren't meant to be, and he didn't want to keep that to himself. Other hackers 'hated the fact that I was distributing this thing, putting it into the team chat room, and bringing in all these noobs and lamers and destroying the community,' Rekouche told me recently by phone. 'And in my eyes, that's the exact opposite of what's happening… They're script kiddies—but so what? We were in their shoes a couple years ago, and one of these little fuckers is going to end up creating something cool anyway.' Still, he wasn't really thinking about where this was all going. He couldn't anticipate the fame that would come with being AOL's most famous hacker—and later, the fear and paranoia. (This was the year that Hollywood released The Net and Hackers and the FBI arrested Kevin Mitnick.) At the time, as phished accounts circulated among young hackers like currency, AOL blamed Da Chronic's program for millions of dollars in losses and fraud. It would be another fifteen years before Rekouche would discover that his program had also pioneered the technique of automated phishing, and coined the term for one of the cornerstones of modern cybercrime. 'It's messed up,' he says. 'Psychologically, how do you explain that?' Rekouche also couldn't have imagined what else his program would mean: a free, freewheeling creative outlet for thousands of lonely, disaffected kids like him, and an inspiration for a generation of programmers and technologists. By the time he left AOL in late 1995, his program had spawned a whole cottage industry of teenage script kiddies and hackers, and fueled a subculture where legions of young programmers and artists got their start breaking and making things, using pirated software that otherwise would have been out of reach. 
'AOHell made me want to learn to program,' Steve Stonebraker, a cybersecurity expert and host of the podcast AOL Underground, told Klint Finley in 2022. 'It was the starting point for this whole generation.' (He interviewed Rekouche on his podcast that year.) In 2014, Case himself acknowledged on Reddit that 'the hacking of AOL was a real challenge for us,' but that 'some of the hackers have gone on to do more productive things.' When he first met Mark Zuckerberg, he said, the Facebook founder confessed to Case that 'he learned how to program by hacking [AOL].' Rekouche's relationship with his creation, and a lot of the digital world, remains complicated. It's not hard to feel nostalgia for the early AOL scene, with its pseudonymity and sense of possibility, where 'we were just exploring the internet for the first time, and causing chaos and being delinquent and finding friends.' He's spent many years reckoning with his program's creation (including writing a paper about early phishing) and wrestling with his own offline demons. But these days, he tries not to dwell too much on the legacy of AOHell, or what's become of the internet, and the algorithmic hellscapes where criminals and conglomerates are still finding new ways to manipulate users. 'If I did,' he says with a laugh, 'I might have to go rogue and start destroying again.' This interview has been lightly edited and condensed for clarity. When did you first get online? I got on AOL in early '94 when they were still on version 1.1 of Windows. It was me and my sister—she rented the computer and we shared it. AOL had a public rooms list, and then a customs rooms list where people can make their own rooms. That's how I found the Tips and Tricks room. What was it like to be in there? I don't think I'd ever been in a chatroom before, maybe once on a bulletin board. I was kind of like a loner social outcast anyway, so it was my groove. I liked it because it was social, yet you still had some distance from everyone. 
But I just fell in love with it, finding kids on there that were like me, that were kind of smart and nerdy and just into the things that I'm into. And it was a blast. I was just learning about computers. I didn't know anything about them. We had an old slow computer, and so I had to learn all kinds of tricks just to get my thing to work. What was one of the coolest tricks you learned? It was called IM stealing, and basically what you would do, on a Windows keyboard, you'd hold the alt key, and you'd type in 0 1 2 8, and then release the alt key. And that would create this special character, an eight bit Unicode character, that AOL's backend system wasn't built to properly filter. So you know buffer overflows? A lot of exploits on the web have to do with parsing problems, where you can insert code into a field, and if the parser doesn't parse it right, then the code is actually executed. That's exactly what was happening back then, in '94, except through AOL's proprietary system. They never expected somebody to type in an eight bit unicode character like that. And what would happen was the most wild thing: apparently every IM that was sent on AOL at that particular second would get rerouted to your computer. And so as soon as you sent that character, a dozen IMs would pop up on your screen, with all these people talking to you, in the middle of their conversations. The person they were talking to, their name would turn into your name. The first time I did it, this guy's like, You son of a—I'm reporting you hackers! You did this again—this is the last time! [laughs] It's like, get off my lawn! Looking back, I think that's what hooked me, that thrill. I was very, I wouldn't say antisocial but anti-authoritarian. I quit high school at 15. The way I looked at school—at least the North Carolina Public School system—is that it was a prison. And my family life wasn't great. 
And so, without going into a lot of personal stuff, I always had this whole anti-authoritarian attitude. So getting onto AOL and doing this stuff and seeing these tricks and finding these other mischievous kids like me, it was just a great fit. I don't know if you remember, but to get on AOL, you only had those 10 hour [floppy trial] disks. Me and my sister figured out that you can get 'em through magazines at the bookstore. And after you spent your 10 free hours, of course you had to start paying $2.95 an hour. And to me back then, that was way too expensive. But it was like crack. I mean, I loved it so much, it became an obsession: Okay, how do I get more of these 10 hour disks? This was before AOL started sending disks and then CDs to almost every home in America. So: at some point, your free hours run out. How did the more serious hacking start? As far as illicit activity in general, it started with creating an account with a false name and a fake bank account number to get free hours—you could create an account by just putting in your routing number and your checking account number, because I hadn't yet discovered how to generate credit cards. How did you get from there to AOHell? We stopped hanging out in Tips and Tricks and started creating our own public rooms, with various names of hackers. And TOS Advisor [the screenname for AOL administrators] would just come around and shut us down. So my friend Rizzer says, Hey, why don't we just all agree to go into private room hack? And so we did, and all our friends—it was about 15, 20 people tops that would rotate in and out of this room—we would have macro programs that would perform tricks for us. Mostly it was scrolling ASCII art. One day Rizzer shows me this thing that he made. It was basically a Windows form with a button on it. You enter in someone's screen name and what you want the person to say, and you just hit a button. It performed text manipulation for you. 
And text manip was a way to talk using someone else's name in the chat room. I'm like, 'Dude, this is awesome. How did you make this?' And he told me it was something called Visual Basic. And so I download it, and all I can think of is: okay, all the tricks that we do—Text manip, ghost [a trick that cleared a chat room of all conversations], all that stuff—we need to have functions for all of it. And I want to get this out there. I want to make a cool-ass program everybody can use, and distribute it. I released AOHell version 1 beta 1 by myself, but I learned from Rizzer's beta code. And then I'm like, Hey, why don't we just work on AOHell together? And then we just had feature after feature. What kind of response did you get from the l33t hacker scene on AOL? There was pushback. There were people who would tell me, these are our secrets! There were people that just hated the fact that I was distributing this thing, putting it into the team chat room, and bringing in all these n00bs and lamers and destroying the community. And in my eyes, that's the exact opposite of what's happening. Like, we're creating a cool place and yeah, these little 14-year-olds are coming in—they're script kiddies, but so what? We were in their shoes a couple years ago and one of these little fuckers is going to end up creating something cool anyway. And then there was my original core group of friends from AOL who didn't give a shit about AOHell at all, because they just basically moved on to [Internet Relay Chat] and other things. And ironically, those are the people that I ended up putting in the greets of AOHell [laughs]. So, after they all basically migrated to IRC, I would have my social life there, and then on AOL my whole idea there was just to build this tool. Where you were already a legend. Once you start getting, like, fame—everybody knew who I was—then you start getting hundreds and hundreds and hundreds of people. I couldn't be myself. I couldn't even identify myself. 
If I go into a chat room with my name, first of all, nobody would believe me. Second of all, if they did, it would just be a bunch of chaos. [laughs] The media was starting to write about it, too. I subscribed to PC World and I remember getting the magazine in the mail and them having a short article on AOHell. And when I saw that physically in print for the first time, that's really when it hit me. But it was all surreal. It was wild, dude. Were you concerned that AOL was going to come after you at some point? I became more paranoid about that later, as things really got big, and I realized just what the hell I had done. But at first, not so much. I just didn't give a shit. Like: what do I have to lose? I didn't have any prospects of doing much anyway. Well, you were learning so much at the time. What was that like? The very first coding stuff I picked up from Rizzer, and then I would download books and try to read the help files. It was mostly a trial and error process. I was not one of these types that sat down and learned how to program and then learned all the proper formalities, and then go and try to tackle a problem. I came at it from the reverse end where, Okay, this is a problem, or I want to do this particular really cool thing. How do I do that in this code? Let's experiment. And then I had to learn error handling and certain things like that. But it's like spaghetti: I understand kind of what this does; let's throw some shit together and see what happens. But it worked. There were people making high level programs that were on the scene at the same time as me, and they would look at my code and snicker. But the thing with me was, I didn't give a shit. Because it only mattered what the end user sees. Does this feature work? Is it cool as fuck to look at? Yes. Does it take two seconds longer to function because I'm a shitty programmer? Yes. But does that matter in the long run? 
Does the 14-year-old on the other side of the screen give a shit, because he's able to flood all his friends offline and act like a God? Yes, it took two seconds longer because I'm not an efficient programmer, but I came up with this cool idea, and made it work, and this kid's a God in front of his friend's eyes—or whatever kids get off on. That's the way I looked at it, at least. What was your favorite part of AOHell? I didn't really use it that much. I was just into developing it. The thing I used was the Phisher. Obviously, that was a tool that I needed for myself first and foremost. The other stuff, to be honest with you, the whole spamming of chat rooms, doing the ghost tricks and all that stuff, that was over for me. I cared about creating a tool to do it and getting people on it, and getting people to like it and finding out new cool things to do. The ability to modify your online experience, to have freedom and control in a place like this, that was revelatory. And yet on the internet now, that feels so . . . distant. I can't imagine somebody doing that on Facebook today. They'll kick you off if you create a Google extension that helps you in the slightest bit on Facebook, or an extension that keeps your privacy or does a little cool thing here and there. That's totally not allowed. How did you guys get into phishing? My friend Dave [Lusby aka Soul Crusher], he was using a 286 computer and the DOS version of AOL because he couldn't even afford the Windows version. He's like, Dude, this is how you can get online for free. You just send these new members this IM telling them you need your, their, you need their password for X, X, X, Y, and Z. And then I'm like, what? [Laughs] And, oh, that totally makes sense. Because they have no experience online. When you were using the Phisher, or Fisher as you sometimes called it, how many passwords could you get in one night from the new member chatrooms? 
I want to say I'd open up the text file and see about 50 of 'em in there. That's a busy night. [laughs]. I mean, it's not like today, where everybody knows what phishing is, unless you're really naive. Yeah, though some phishing has grown really sophisticated. And now of course you got the AI stuff, and that is putting a wrench in the mix too. True. You also had an 'Artificial Intelligence Bot' in AOHell, right? I mean, it's not a large language model. It's a kind of classic AI that Marvin Minsky talked about in the sixties at MIT, where you tried to get certain computer automation happening. That was my favorite part of AOHell actually. That was the most complicated, and the one I put the most time into. And it was probably the least used and buggiest feature of the whole thing! How did it work? It was a system that would read the chat room and read your IMs, then perform functions based on events. An event could be, Bob41 IMs you. When that event happens, you can send him an IM back, you can send an email, you can send something to the chat room, you have three or four different options. So it was programmable in a way, where you get dozens and dozens of different combinations of things that could happen. That was inspired by the scripts on IRC. IRC was very much automated like that, so that if somebody comes into the chat room, they could be auto greeted, you could send the person a file automatically with a script, stuff like that. But there was absolutely nothing like that for AOL, of course. I'm sure it was buggy because it was pretty complicated. There was a mass mailer too. That worked on the same kind of technology. Basically, you could advertise what files you had to people in the chat room, and then somebody could say, I want such and such. And then AOHell would go into your email and send those files to each person in the queue. That was really freaking complicated, and it was buggy as shit, but it did work for the most part. 
I built the proof of concept, but it was something that other people perfected, because the whole warez community relied on that kind of thing. How do you feel about this era of AI and large language models? It's like any tool. There's good and bad aspects to it. First of all, AI is a major fraud in the sense that they're projecting this thing to be 'sentient' in a few years. Anybody who has any kind of real minute understanding of philosophy or linguistics or artificial intelligence is going to tell you that this stuff is hype. But I think it's going to be funny, because AI is always going to be super stupid in some ways that are going to be super obvious, and in other ways, it's going to slip through the cracks and be able to fool people. But I have used it a little bit, including for coding. There's a lot of stuff that's coming out where I think, I should look at this like I looked at Visual Basic. Back in '93 and '94, that was really a game changer. If you didn't write a Windows program in VB, before that it was Visual C++. And there's no way I would've ever been able to build anything with Visual C++, with my level of understanding of computers back then. So when I see these AI coding tools I think, this might be like today's Visual Basic. They take out a lot of the grunt work. And as you said, large language models are making phishing , too. I was looking into a little bit of that, how you can basically use an LLM with an add-on a search function add-on to be able to crawl the web and pick up, I guess we call it open-source intelligence, and then use that data to craft dynamic phishing emails. Oh wow. But of course. It's weird, because you have to understand psychology and you have to understand how computers work fairly well to build something that does that. It's hard to really profile the kind of person that's going to build something like this, because who was I? 
I was just some dropout high school kid, you know, on a computer that I couldn't even afford. I didn't have any qualifications or anything like that. So you don't know who your adversary is going to be, who's going to understand psychology in some nuanced way, who's going to understand how to put some technological pieces together, using AI, and build some really wild shit. This social engineering ability: what is that? I think people have certain knacks for it. I was basically raised by two women: my mom, who was a social worker who knew a lot about psychology, and my sister, who was seven years older than me, and very smart. Growing up, there was a lot of acrimony and stuff in my family, and me being so young. My cousins were a decade older than me, my sister's seven years older than me, and we're all attacking each other, and I'm trying to survive. Plus, my mom would have these psychology books on her bookshelf. And I remember being like 10 years old, picking them out and reading them. I didn't understand everything obviously, but I understood, I think a fair amount of it. Also I remember being about 8 years old, and my mom telling me things like, you know that boy at school, who's picking on you? They're doing that because they feel bad about themselves. They have a self-image problem. And so I was always kind of reading into things in the background. How did that impact how you perceived people? As a matter of fact, I'd say a lot of my life has been spent in self-discovery and figuring out who I am, what happened, why I became the way I was, who I really am, how I stand in, in contrast to what, what I was, what I experienced. Let's face it, what I did with AOHell, there's obviously some psychological shit going on with somebody who writes something like that, and releases it to everybody. Like, I didn't have all my moral ducks in line, so to speak. How did you end up leaving AOL? I released the last beta of version three in September of '95. 
And I was already getting burned out by it. And my life was changing in other ways. You gotta remember, I started in November of '94, and I stopped the following September. So for 11 full months, this was my life. And I knew it was getting too big. When I started, it was the only program, and then I built on it, and then AOL just started growing and growing so fast. And suddenly within a few months, there's like a hundred different programs and all these people in the community. AOL was also starting to crack down on the community, too.
The month you left, the hacker Happy Hardcore—who would soon be for authoring his own Mac program, AOL4FREE—released an internal AOL email indicating that the company was working with federal law enforcement to find you.
I didn't even see that until years later. In '98 or '99 I ended up going to California and meeting this kid who was into the AOL scene. He was the first one to tell me about Happy Hardcore and that he got busted. And he had a scan of the $50,000 check that his dad had to write for him. And I'm like, whoa, I had no idea about any of that. I was just tripping balls. I was just grateful that I wasn't busted like that, because we didn't have any $50,000 to pay. [laughs] But for awhile after I left AOL, it was scary. In some ways, it became just too much. I'm like, this is beyond reality. And I can't talk about it in real life. And none of the people I know in real life know about it, for the most part. So it's like a separate world that I had to keep compartmentalized in a certain area of my brain. And it was like a hot stove. Going there brings up some shit.
It also sounds like you found a way to understand and accept that part of your life.
I'd already gotten over a lot of it. And then around 2009 I discover: holy shit, this is where phishing comes from? What do I do now? I proverbially shit my pants. It's like psychologically, how do you explain that? There's so many different dimensions to it.
I do a lot of self study, and I understood the gravity of it, and how big this was. And yet, you know, I'm just little old me. I was also concerned with how I was going to come out with it, and how people I had relationships with were going to react to it. And most importantly, how the intelligence services of the United States were going to react to it—Homeland Security, NSA, whatever. I had all this weighing on my mind, and it was not small.
How did you get through that?
I did the best I could. I was enrolled in college, and I decided to write a paper about it. I figured, I'm going to write a very technical academic paper that's as unbiased, as technical, as truthful as I can be about it, and just put it out there and whatever happens, happens. I gotta get this off my chest. I kind of expected it would get more attention. But I was also kind of relieved that it didn't, because I was kind of afraid of that. I do believe it caught the attention of Homeland Security, but I think they realized pretty quickly that I was not a threat. [laughs]
How do you think about your relationship to 'phishing' now?
I see it as a very complicated thing. I feel good about where I've come to. I dealt with guilt for a lot of years. And that was only after I was able to overcome an aspect of myself that didn't want to think it was that bad. There was an aspect of myself that was proud of it, that was proud of AOHell in general. And I didn't know how to differentiate being proud of one aspect and acknowledging how horrible and awful this other thing was. And so there was a period of years where I learned to deal with that, and have a nuanced understanding of it and of myself, of who I am today and who I was then. I know I'm a decent person. I'm a good person. I created a tool. I did it as a kid, as part of a fun thing, with a bunch of other fun things. I knew it was wrong morally, but I had no idea it was going to spiral into this atrocity, or whatever word you want to use.
That was just all happenstance and outta my control. So I don't blame myself. It's not like I created phishing, this abomination to the world, and that's my contribution, and I burn in hell. I don't think of it that way. Because I also think about how kids learned to program from it. All the way to Mark Zuckerberg getting on there and becoming a hacker. I'm more into tripping out over the fact that you could have an impact on the world just being some dude. I'm just some dude. That's trippy to me.
Don't you think that if you hadn't included a system for phishing in AOHell, someone else would have built something like it?
When I think back, that is kind of how I thought of it. It was kind of a way for me to escape the guilt and just be like, well, it would've happened anyway. But I'm not convinced that it would have. There's no evidence that it would have, that's been studied. We don't really know how it transitioned over [to the internet] very well. It's not something I want on my gravestone, but I'm cool with it. But I had to do a lot of personal growth and soul searching, and a lot of trial and error. There was a culmination of just getting that phishing stuff out of the way, that paranoia out of the way, not worrying about whether the NSA is looking over my shoulder and having that monkey off my back, coming clean, getting clean with my diet, all that stuff. And then, just understanding my family of origin, why I am the way I am. And over the last 10 years, just studying this stuff, thinking about it—I have notepads, just hundreds and hundreds of pages of notes about psychology, about things that happened in my life—I just worked through it. And I'm just at this point now where life is pretty decent.
It's almost like you hacked yourself.
Yeah, man. I look forward to what's coming next.
This post originally appeared at to get the Fast Company newsletter:


Forbes
22-07-2025
- Forbes
FBI Warning—Do Not Install These Apps
It starts with a message — it ends with you losing your life savings. 'It starts with an unsolicited message,' the FBI warns, 'and it ends with you losing your savings.' Attacks are now surging across the U.S., targeting citizens with malicious texts, emails and popups. And per the latest warnings, with dangerous apps as well. 'The threat is growing fast,' the bureau says, as citizens across the U.S. are contacted by their banks with messages urging them to 'call tech support for assistance.' When you respond, you're told your money is at immediate risk from a hacker who has broken into one of your devices, and that you will be guided through a process to keep it safe. But the 'hacker' is a phantom. The real threat comes from the person you're speaking with on the phone — or rather the people. You will speak with more than one. Because you've been 'hacked,' tech support will help you install an app to allow them to verify the security on your device. Once that app is installed, they will ask you to check your bank accounts for fraudulent transactions. But as you do so, the attackers can see what you have and where it is. The scammers will then continue to 'help' you move all that money to a safe account, out of reach of the phantom hacker they have invented. That safe harbor is their own account or crypto wallet. Your money is then gone. You should not engage with the text or email or popup in the first place. But even if you do, you must never install any apps or software when asked to do so like this. As the bureau warns, 'if someone you don't know contacts you and asks you to download software, no matter who they say they work for, don't do it.' It is that simple. In recent days we have seen new warnings for citizens to beware these phantom hacker attacks and to beware fake calls from government agencies — including the FBI — that can spoof field office phone numbers to make scams harder to detect. 
As ever, the good news is that staying safe is all down to 100% adherence to golden rules. In this instance — never install apps when asked to do so in unsolicited calls, texts or emails. But the same is true with calls from supposed law enforcement on missed jury duty or unpaid fines. And with links in texts about unpaid tolls or motoring fines. And with tech support numbers that pop up on your screen, asking you to call. These attacks are good and believable. Scammers are polished on calls. They have heard every objection and question before — and they're ready to handle yours. You really do need to adopt a zero tolerance approach to all such unsolicited calls and messages. If you don't engage, you don't get scammed. Just keep that in mind.