Below, Joe Tidy shares five key insights from his new book, Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet.
Tidy is the BBC’s first cyber correspondent and a leading voice on cybercrime. He has covered major global cyberattacks and produced widely watched international documentaries, including a high-profile investigation into Russia’s most wanted cybercriminal.
What’s the big idea?
Teen hackers are quietly reshaping cybercrime. They are not film geniuses, but persistent, socially connected and often addicted. They cause real damage through data breaches and fuel a cycle that leads to increasingly serious attacks.
Listen to the audio version of this Book Bite – read by Tidy herself – below or in the Next Big Idea app.
- Data breaches can really harm people.
Data breaches – from a company to your social media accounts – are something whose magnitude is difficult for us to estimate. Everyone wants to know: should I worry? You might think that your phone number, email address, and real address are certainly already known, so maybe it’s not that big of a deal. But whether you should worry about a data breach is a very difficult question to answer. In some cases they can cause serious damage.
The cruelest cyber attack in history took place at the Vastaamo Psychotherapy Center in Finland. Vastaamo was a large and important organization with dozens of pop-up mental health centers across the country. In 2018, hacker Julius Kivimäki found a way into the servers of the Vastaamo Psychotherapy Center chain and stole all the data he could find. He stole the usual types of information – names, addresses, phone numbers, social security numbers – but he also stole the patient notes; 33,000 people had their data stolen in this way.
I can’t think of a worse data set in the hands of a criminal extortionist than what I tell my therapist. Keep in mind that the people affected were already vulnerable. They suffered from psychological problems. Some of them were depressed or anxious when Kivimäki snuck in one night and stole all that data. He tried to extort Ville Tapio, the CEO of Vastaamo, for 100,000 euros worth of Bitcoin.
When the CEO refused to pay, Kivimäki did something extraordinary. He took the data and started publishing it on the darknet. People in Finland began to worry that their notes might be next, and he consciously chose particularly salacious and dramatic therapy notes. He looked for things like sex fantasies, adultery or anything else that would really cause the individuals a lot of heartache and trouble. Then he did something that rarely happens in cybercrime: he contacted the victims. He sent them emails saying, “I have your notes. Pay me or I’ll publish them online.” The impact on those affected was enormous.
Some of his victims still suffer from post-traumatic stress disorder. I spoke to a woman who described receiving that email as “psychological rape.” Her notes include information about her marriage, problems with her job and the heartbreak of raising two disabled children. You can imagine the shock wave that swept through Finland when people received these emails. Data breaches can have devastating consequences for the people involved.
- Hacking can be addictive.
Kivimäki was 27 years old at the time of his Vastaamo hack, but he had been carrying out cyber attacks since he was a teenager. What we learn from Kivimäki’s story is that hacking is addictive.
Many hackers just couldn’t stop. They would hack, get arrested and have all their devices taken away, but then they would just keep hacking as soon as they could. In particular, we saw that teenage hackers could not be discouraged by police threats or activities. They wouldn’t stop. I’ve learned that if you’re both quite intelligent and quite technical, the challenge of breaking into an organization becomes addictive and intoxicating.
When you add in the attention you get from bragging about it on social media (which a lot of these people do), you get the endorphins from the likes, retweets and followers. For the growing, underdeveloped brains of teens, this makes it very difficult to quit. Hacking is an addictive activity.
- We’re all in denial about what child hackers are.
It continually amazes me that we continue to be shocked by teenage hackers. As a society, we continually underestimate and underestimate them as a problem. You can see this in the 2010s when there was a resurgence of teen hacking groups and a shift towards a much darker side of hacking.
The hacking gangs of the ’80s, ’90s and early 2000s were different. They wanted to expose Big Tech for having bad code and enjoyed embarrassing them. There was a lot of ego, but there wasn’t really a sinister culture. Among the teenage cybercrime gangs that formed in the 2010s, we saw the Kivimäki types emerge.
Most cybersecurity experts ignored all of this. They wanted to talk about the major drawbacks of cyber hacking groups such as Fancy Bear from Russia, Lazarus Group from North Korea and Volt Typhoon from China. No one ever wants to admit they were hacked by loaded kids. So you get a denial situation where no one wants to talk about it.
But one researcher, Allison Nixon, noticed something was going on with these teens. She came up with a term we could use to talk about it: NPTs, or new persistent threats. This is a very clever joke. If you are in the cyber world, you are familiar with the term APT, which stands for advanced persistent threat. Nixon said they are not “advanced” because these kids don’t have the advanced skills we see in other groups, but they are “tenacious” and a “threat” that should be taken seriously.
- Hacking isn’t like the movies.
NPTs are not that advanced. They have not progressed. And the way people think about hackers, especially teenage hackers, is that they’re these computer coding masterminds who put on a hoodie and sit alone in their dark bedrooms. That’s not my experience, and that’s not what my research told me. Cybercrime is a team sport. These are people who are often very social and come together on platforms such as Discord and Telegram. They all bring their own skills – often very basic things like social engineering.
- The cycle has continued.
In recent years we have seen another explosion of teen hacking groups. Particularly in Great Britain, this problem has been highlighted and widely discussed.
Britain has seen a wave of cyber attacks against retailers. There was Marks & Spencer, a famous and long-standing department store chain. Then there was the Cooperative. Then there was Harrods. These attacks occurred over a few weeks in the spring of 2025 and caused massive disruption and damage. Marks & Spencer, for example, lost around £300 million. The public also got a real shock as store shelves suddenly became empty after companies could not continue their logistics operations without functioning computers. Those company computers were either completely filled with ransomware or taken offline by the company as a precaution.
There were many arrests of teenagers in this case. This cycle continues. What’s happening now is that we’ve seen some of these NPT groups join well-organized, long-standing Russian-speaking cybercrime groups that are carrying out serious attacks. My prediction and concern is that we will see more attacks like the one on Marks & Spencer. Unless we find a way to deter children from this dark path of cybercrime, it will not go away.
Enjoy our complete library of Book Bites – read by the authors! – in the Next Big Idea App.
This article originally appeared in Next Big Idea Club magazine and reprinted with permission.
#Teen #hackers #rise #theyre #dangerous