osé Robbe was leaving her place of work in Rotterdam when she saw a man and a woman walking towards her. It was a Tuesday afternoon, twenty March 2012. “Are you Mrs Robbe?” She nodded. The woman, who was wearing jeans and a blackness windcheater, explained that she was with the constabulary. “I’d like to talk to you for a minute. Information technology’s about your son, Edwin. We’re arresting him.” José stared, frozen. The adult female asked if she would back-trail them. Warily, José agreed.
At the police automobile, the officer told her they intended to surprise her son at the family home in Barendrecht, only due south of Rotterdam, and arrest him on the spot. She asked if José wanted to be at that place for her son’s abort. “No,” she replied grimly. It felt every bit if she had merely betrayed her son. To stand past and watch would make it even worse. The police asked José for her firm keys and dropped her off at a plaza by the local supermarket a few blocks from her house. She felt terrible equally the officers drove away to arrest her eldest child, just a troubled 17-year-old. A little while subsequently, three officers emerged from the business firm, escorting Edwin between them. He offered no resistance.
Edwin was taken to a detention eye in Houten, near Utrecht. Once he was gone, José finally re-entered her house. She sabbatum on the living-room sofa, watching equally officers rummaged through cabinets, filed up and downwards the stairs and bagged up flash drives, CD-Roms and telephones.
Several years later, I visited José and her husband, Ruud, in their terrace house in Rotterdam, where they told me about Edwin, and I explained to them how I had contacted him.
I had tracked Edwin down through a source, obtained his telephone number and eventually made contact with him after repeated attempts. At first, he didn’t respond to the WhatsApp messages I sent. When he finally did reply, it was from a dissimilar number. What I wanted to know was why he had attacked the netherlands’ biggest telecom visitor and plunged it into chaos. I wanted to know how he’d learned to do what he did – and what had happened to him later his arrest.
Our chats were erratic. One day he’d exist effusive and engaging, then he’d become remote. Sometimes, days would pass before he answered a message. It would turn out he was in Asia. We too talked on Skype, once. I wanted to meet. He did, too, he said.
But we never would. Edwin died a few months earlier my visit to his parents. As we talked, grief over the loss of their son reared upwardly suddenly several times. Ruud had been the last person to run across Edwin alive, and it all the same weighed heavily on him.
Edwin was less than a twelvemonth former when he was taken from his biological mother. She was on her own and unable to intendance for an baby. For months, she didn’t even touch him. José and Ruud fostered Edwin. José worked in healthcare, and Ruud was a chemical engineer at a visitor that processed ores for pigment. They wanted to requite baby Edwin a loving home.
But he was a troubled child. “I ever thought his anxiety started when he was still very petty. He only couldn’t bond with other people,” José recalled. He often complained of tum aches. There were countless visits to the doctor and to infirmary. Each time there would be medical tests. “Honestly, I think it was psychological,” said José. “Edwin had a lot of anxiety, just the doctors focused on concrete causes.”
Edwin wasn’t similar other kids. His parents saw it, and then did his teachers. Once, at a parents’ evening, a mentor asked: “What’s really incorrect with him? He has about no friends.” Whenever he was around other people, Edwin became tense, clammed-up and withdrawn.
He almost never did whatsoever sport or played outside. Instead, he preferred to sit at the computer in his room upstairs. His parents allow him, relieved that at to the lowest degree he had this ane hobby. They knew hardly anything almost computers. They used i to send the odd email or look for holidays, just that was most it.
After graduating from a vocational high school, in 2010 Edwin enrolled in an IT course at Albeda College in Rotterdam. He said he wanted to do something with computers. His parents allow him buy a PC that he put together himself. It had a big retentiveness carte du jour and a lot of processing power. He set it upward in his sleeping room. Looking back, José thinks “that may have been our biggest mistake”.
Edwin was obsessed with his new toy and merely came downstairs for meals. Occasionally, his parents caught glimpses of what he was doing. Mostly, he played games, particularly the kind in which people are violently killed – such as by building entertainment parks and then throwing people off the rides. At that place were likewise lots of shoot ’em ups. “He took classes in ethics at schoolhouse,” said Ruud, “so we idea it would exist all right in the terminate.”
n the fall of 2010, the Robbes received a letter from their internet provider, KPN, informing them that their net admission had been blocked. KPN said it had observed “malicious action” on the family’s IP address. When asked about it, Edwin brushed it off as nonsense. To José, he answered in jargon, saying somebody had croaky his “WPA2 key” and exploited their cyberspace connection. Baffled, José permit it go.
KPN, withal, did non let it go. The visitor’s abuse team carried out its ain investigation. This revealed that Edwin had used a rented server to mountain an set on on a website offering movie and TV downloads. When confronted with the prove, Edwin’s justification was that he didn’t like the site’s administrators.
Edwin had bombarded the website with and then many data packets that it crashed – something known equally a DDoS attack. This kind of attack is a crime. “Edwin is very active on the internet, as are some of his friends. In some instances they’re described equally a hacking ring,” someone at KPN wrote to Ruud in an email. “We wonder if he understands what kind of consequences his deportment can take. We urge you to talk to him near this.”
Ruud spoke to Edwin, and wrote dorsum: “I’ve had a long discussion with him. He is a sensitive kid and is gradually coming to see that what he did is a serious offence.” Ruud and Edwin had agreed the computer would be off limits for three months, and that he’d get it cleaned by a professional. “I don’t know anything about computers,” Ruud concluded his e-mail. “Do y’all accept any suggestions on who could help me clean upwards his computer?” KPN never replied.
Edwin’s parents could tell that something was brewing. He was on edge and hardly always left his room. Equally soon as the calculator ban was lifted, he was back on his PC for as long as 12 hours a day. School wasn’t going well. His course was heavy on classroom and group piece of work, which didn’t suit him at all. He preferred to practise things on his own. He was dismissive of his teachers. “I know more near computers than all of them put together,” he told his parents one evening. Besides, the stomach aches had returned, and he was taking an anti-anxiety drug, oxazepam, to assist him relax and slumber.
With his parents’ consent, in the summer of 2011 Edwin transferred to a computing form at Zadkine College in Rotterdam, where students were given more freedom and could work independently on projects.
It didn’t help. José and Ruud didn’t know precisely how Edwin was spending his time. Occasionally, he mentioned someone he knew in England or Commonwealth of australia, and so they assumed he’d made friends online. “At least he’s finally socialising,” they said. However, he seemed joyless. They told each other he needed space, that surely at that place were some things that gave him pleasure, and that he had a knack for computers. But on days he never left his screen, it was hard not to despair. More than once they wondered: “Should we pull the plug?”
f computers were merely tools for his parents, for Edwin they were a gateway to run a risk, to agreement and, most of all, to recognition. They permit him do any he wanted. If he felt like gaming, he’d boot up Windows. Only more often he chose Linux, his get-to operating system. From in that location he opened different virtual devices so that he could prefer multiple personas.
On forums he met agreeing kids his age from all over the world who spent entire days at their computers and made the kinds of social connections online that they couldn’t in the real world. Tranquility and reclusive kids, mostly. Cloaked in fabricated-up identities, they chatted about computers, girls and going out, and devised tricks to infiltrate individual computer networks.
Online, Edwin was either xS or YUI – the latter a nod to the Japanese singer Yui, of whom he was a big fan. As YUI, he was unlike. Bolder, more cocky-assured. Online, quiet Edwin with the shy smiling came live. On chat channels he met an Australian, “Dwaan”, and an American, “Sabu”, in 2011. The three talked most hacking, and his new friends showed Edwin places they had managed to break in.
Sabu, as it happens, was a big shot in the digital world. He was the leader of LulzSec, a collective whose six members attacked a range of organisations and hacked the websites of big companies in 2011 to expose their shoddy security. Though teasing in some cases, in others their antics had serious consequences, such as when the grouping stole information belonging to more than 70,000 United states contestants on the pop TV show The X Factor, in retaliation for an alleged insult to the rapper Mutual. Likewise targeted by LulzSec were the Sony PlayStation Network and the website of the CIA.
Several investigation agencies were hunting for Sabu but, similar Edwin, he took intendance to cover his tracks. All the kids went by aliases on chat channels, some of which also required passwords to go far. Plus, they never logged on straight from their domicile connections, but, rather, through a secure virtual private network (VPN). Edwin connected to a VPN server kickoff, then went online anonymously. It took some discipline. Forgetting to use VPN just once would instantly make his home IP address visible for anyone to run across.
After a while, Edwin found his way into chat channels where the serious hackers converged. Winning their trust was a first and crucial pace, because law were also lurking, trying to infiltrate using fake identities. At 16, Edwin was orbiting LulzSec as well as a looser commonage chosen Anonymous. Though not a member himself, he hung out on their chat channels. These were exciting times in the hacking globe. Members of Bearding had been targeting a succession of organisations and declaring their solidarity with WikiLeaks, which was publishing hundreds of thousands of Usa diplomatic communications. When Julian Assange’s whistleblower website was blocked by the payment services PayPal, Mastercard and Visa, cutting off lots of donations to WikiLeaks, Anonymous struck dorsum with a DDoS attack that took out the payment services’ websites and inflicted an estimated $v.5m in losses. Ane member would ultimately end up doing 18 months in prison house in the UK.
Edwin’s contacts abroad gave him a conviction heave. He spent hours chatting with people from all over the world about ways to hack websites. Edwin often mocked “normal” life and western guild. He denounced materialism and superficial concerns. Simply most of all they talked about hacking. Dwaan bragged about some of the places he’d been. To them, it was all a prank: getting in and out just to prove they could bypass a site’s security. They never stole. All they wanted was to look.
In December 2011, when he was 17, Edwin had an online commutation with “Phed”, who showed him an “exploit”. An exploit is a piece of code that takes reward of vulnerabilities in a network’s security to gain entry somewhere, like a key that opens former locks. Reckoner networks, especially at large organisations, rely on lots of different software. All software has one or two holes – some known, others however undiscovered. Whenever software makers notice such a vulnerability, they quickly accept steps to create a patch and provide an update. Hackers, meanwhile, are snooping around for those very aforementioned weaknesses and working just every bit rapidly to make a primal – an exploit – to become inside.
Edwin was trawling the cyberspace and scanning networks to see who might be using software with a known pigsty. In this example, it was HP Information Protector. He searched sites manually using Google, entering “Data Protector” as the search term aslope a specific web or IP address. In early December 2011, Edwin struck golden. He found a university in Norway, NTNU, that was using the software and hadn’t notwithstanding installed the update containing the patch. Edwin grabbed his exploit, executed it, and he was inside. Looking around the university’s network, he discovered he had six computer servers at his command. On a scroll, Edwin next gained command of a “supercomputer” at the University of Tromsø. He nosed around for a while and and then installed a “backstairs”. Now he could admission the academy’south computer server remotely whenever he wanted to.
Edwin pulled off his stunt without a hitch and earned himself hacker cred with his new friends. Dwaan responded to Edwin’southward feat with enthused fist pumps and exclamations of “Loooooooolll” and “OMG!”. This but whetted Edwin’s ambition. He went in search of new targets in other countries. His next victim was the University of Twente in the Netherlands, and then a website in Iceland, and subsequently that a university in Japan. He was unstoppable. As long as he took care to connect to a VPN server in Russian federation commencement, he left no tracks to follow.
t was while running another scan that Edwin noticed some outdated software at KPN. The netherlands’south biggest telecoms company was using HP Data Protector and hadn’t installed the update nevertheless. Hither was an open window. Did he dare sneak in? Why not take a quick peek within his own net provider? After all, KPN was a big fish and would earn him massive credit. Edwin took the gamble. He entered a random KPN IP address, ran his exploit and then, using a detour through the Japanese university, slipped within KPN’s network.
He found himself in a far corner of the network, which is to say he was in, simply still needed to open some doors. For instance, he couldn’t send commands directly from his own computer to KPN. Nor did he have total rights across the whole network. He couldn’t just walk effectually, because a firewall was blocking his mode. But all this was kid’due south play. Past moving a programme from his own PC on to the KPN computer, Edwin could bypass the wall. Now he was free to exercise as he pleased.
Stupid KPN, he idea to himself. The whole place was riddled with holes. Scanning the rest of the network from the KPN machine he’d accessed, Edwin saw the obsolete software beingness used in hundreds of places. Nigh every computer server in the telecom provider’s vast network had a window open up. The child from Barendrecht strolled effectually unimpeded, and what he saw astonished him. He could command 514 computer servers. He could even access the cadre router, the backbone of KPN’s entire network. He could see the data of 2.1 million KPN customers. He could block hundreds of thousands of people from connecting to the national emergency telephone line. He could redirect internet traffic so that people who wanted to visit, say, a news site, would air current upwardly somewhere completely unlike. Edwin could practise whatever he wanted and KPN wouldn’t know a thing.
Excitedly, he told Dwaan of his conquest. At get-go, Dwaan refused to believe him. To bear witness he’d gained command of KPN, Edwin logged on to the chat channel from the KPN network. “WTF!” Dwaan responded. Edwin was thrilled with his newfound condition. He dropped out of his computing course. At dwelling house, the tension eased. Relieved, his mother emailed a friend to say that “Edwin has been feeling better. He’due south been exempted from attention classes this year and at present he’southward doing a high school English class from home.”
Meanwhile, upwardly in his room, Edwin was expanding his latest coup. “I’m hacking my ISP,” he announced to “Combasca”, a Korean educatee. Combasca didn’t believe him and demanded testify. Again, Edwin entered the chat channel from the KPN network. He urged Combasca: “U should become a hacker too.”
due south Edwin gained plaudits online, a grouping of men and one woman sat in a loftier-rise off the A12 motorway outside The Hague, staring at each other in dismay. Dozens of people had set shop in a vacant office one flooring up from the studios of the radio station Fresh FM. They had installed desks, laptops and network cables. To someone who didn’t know what was going on, it would have been a curious sight: people rushing upward to the summit floor early each morning and not re-emerging until past midnight. Delivery services dropping off dinner in the evenings. Betwixt fourscore and 100 workers had been holed up like this for days, many of them engineers and technicians from KPN and researchers from Fob-Information technology, a Dutch security company that monitors systems and networks for client companies around the world.
It had all started with a message from someone calling themselves Combasca in South Korea. Combasca said he’d been chatting with a guy calling himself YUI, who claimed to have hacked KPN. And he had prove. After letting YUI boast well-nigh what he’d washed, Combasca had turned around and contacted KPN. By at present, two weeks on, there was genuine panic. Clearly, somebody was inside KPN’s network. It could be a loner, or it could be a foreign land. Nobody knew. Nor could KPN or Play tricks-IT get a handle on the extent of the damage. They had to tread lightly, examining computers while keeping systems running then as not to disrupt service to millions of customers.
On scanning cyberspace traffic, information technology became apparent that hundreds of points in the KPN network were connecting to locations outside. Window and doors were flapping open all over the place. On 20 January 2012, KPN raised its alert level to orangish. Its business operations were in grave danger.
A week later on, on 27 Jan, at that place was an even bigger discovery. The hacker had also broken into the core router, effectively taking control of the whole network, and could practice whatsoever they wanted: snoop on net traffic, turn off TVs, take out the national emergency hotline. The alert level was raised to cerise. With the state’s most of import telecoms provider under threat, KPN notified the National Cyber Security Heart (NCSC) and the national police’south loftier tech crime unit. The next forenoon, one of KPN’s board members filed a police report for computer invasion.
The state of affairs triggered widespread alarm. The fragility of a network on which millions of people relied had been laid bare. Following the hacker’s trail, the police team, Fox-IT and KPN finally identified the figurer server through which he’d entered the network. But after that, the puzzle became trickier, because the hacker was shielding himself using VPN connections. The police team flew to Republic of korea to talk to Combasca, and later to Nihon, where a university network had been breached by the same private.
Investigators could encounter the hacker was using a Russian VPN server whose IP address showed upwardly more than once in KPN’s network. Frustratingly, though, this data didn’t really assist the team, because VPN servers mask a user’south identity. In that location was one last thing they could endeavor: to follow traffic from the VPN server to an individual computer in KPN’s network.
That estimator turned out to host a website, on which a KPN customer shared downloaded movies. On that site’s server, the investigators also found hacking files. The e-mail address of the site’s administrator was firstname.lastname@example.org. When they looked it upwards, the investigators uncovered another lead: the same email address had been used earlier in correspondence with KPN nigh a blocked IP accost. In 2010, an IP accost belonging to email@example.com had been blocked temporarily on account of “malicious activities”. That IP address was linked to a house in Barendrecht, just south of Rotterdam.
Finally, the hacker made a mistake. He skipped the VPN and entered a hacked KPN calculator server directly from his home connection. With that, he exposed his habitation address.
Police had a wiretap on the hacker’due south dwelling, to get together some last bits of evidence. One twenty-four hours their entire internet feed vanished, leaving the police staring at a blank screen. Their tap in Barendrecht was active, but no data was coming in. The problem, police discovered, was that KPN had accidentally blocked the suspect’s internet connection.
A little more than 2 months afterward receiving Combasca’south message, the police finally had enough evidence to pull Edwin from his reckoner. 2 agents were sent to intercept his mother and get her house keys. Then they sneaked up to the upstairs room where Edwin sat, unsuspecting, taking the net by tempest as “xS”. Suddenly, uniformed men burst into the room. “Police! Get your hands off the figurer!”
osé Robbe put a plate of biscuits in front of me and poured coffee. Ruud sat abreast me. Equally we talked, he pulled a handkerchief from the pocket of his jeans a couple of times, pushing aside his spectacles to dry out his eyes.
Subsequently his abort, Edwin was detained for 42 days, institute guilty of hacking and given a suspended prison house sentence of 240 days plus community service. He didn’t desire to practice community service, still, so did the fourth dimension instead. Subsequently, Edwin was even more withdrawn. He self-medicated with sedatives and experimented with a variety of drugs. His dad would come habitation to find the house strewn with leaves and plants that Edwin was using to cook upward some psychedelic mash.
Edwin was delusional by this point, and took exception to everything. To his parents, the situation seemed hopeless. Even professionals at the rehabilitation clinic where he was admitted, De Bouman in Rotterdam, sent him packing later on a week, maxim his behaviour made him impossible. Edwin asked Ruud if he could movement back home, just his dad didn’t feel up to the chore of taking in his now 22-year-old son.
As Edwin stood on his doorstep, Ruud turned him away with a heavy heart.
“Come on,” Edwin pleaded. Simply Ruud was at the stop of his tether. “Nosotros tin’t,” he said. “I’m sorry.”
Edwin left with a backpack. His parents had no idea where he’d go.
Later several weeks with no news, Ruud tried to go far touch through WhatsApp and e-mail. Edwin only responded to one electronic mail, saying: “Certain, everything’due south fine. I’m in Pyongyang, Democratic people’s republic of korea.” Fastened to the message was a photograph. It showed Edwin dressed all in black, with middle-catching bondage on his jacket. Standing next to him was a Korean soldier. He had posed in front of a picture of the N Korean leader Kim Jong-united nations (probably, in fact, a tourist allure in Republic of korea). Edwin closed his email with: “They monitor things similar WhatsApp and phones. Just at least they take computers.”
It was one of his very last messages. Ruud bowed his caput. “Should I take let him come up back dwelling?” he wondered. “Should I have given him ane more than take chances? I’d reached my limit. I just couldn’t do it.”
I’d wanted to hear the story from Edwin himself. The one fourth dimension we Skyped, he’d been in a hotel room in South Korea. 8 minutes into our telephone call, he signed off with a smile and a peace sign. Later that we chatted sporadically over WhatsApp. His final messages were laced with despair. “I don’t like it hither,” he wrote, and “They’ve got guns”, and “I want to become out of here ASAP.” He stopped responding to my questions about KPN. A few days later I was contacted by a source. “Did you hear almost Edwin?” He’d been found dead in a hotel bathtub, not far from Seoul’s international airport. The door of his room had been barricaded from the within with furniture and pillows.
At their home, José and Ruud pulled out pictures of Edwin and told me almost his complicated youth. They asked about my final chat with him, about which Ruud observed: “That was just before he died.”
Edwin’s arrest and incarceration were a tipping betoken, they told me – after that, it was all downhill. And questions linger: if it’s that easy to break in somewhere, isn’t at that place a much bigger societal problem nosotros ought to address?
It certainly didn’t assist that his parents had merely a hazy grasp of what Edwin actually did. The technical jargon authorities used in the case against Edwin meant nothing to them. According to the public prosecutor, it constituted “i of the nearly serious hacks in the netherlands’ history”. Edwin’southward piece of work was “ingenious” and the “impact on KPN and thus on society at big, immense”. By KPN’due south own reckoning, it cost them €3m.
After the hack, KPN took measures to ramp up security in its systems. Although Edwin immediately pleaded guilty to all charges in court and cooperated with the judicial enquiry, the public prosecutor was scathing in his condemnation. Edwin’s actions, he charged, had been “malicious and deliberate” and caused “imminent danger to life”.
“We really had no idea what he was up to,” Ruud said. Information technology brought home to him just how vastly different the risks of the digital earth are from those of the existent world. “Information technology never fifty-fifty occurred to the states that he could cause something similar this.”
“I’m more broken-hearted near computers at present,” Ruud admitted. When he fills in his tax returns and can’t get the site to work, he gets stressed out. “Sometimes I’one thousand agape someone might be using my identity. I’thousand forced to depend on technologies I can’t sympathise, and that worries me.”
This is an edited extract from In that location’due south a War On Only No One Can Encounter Information technology, published by Bloomsbury and available at guardianbookshop.co.united kingdom
Huib Modderkolk volition be in conversation with Luke Harding for a Guardian Live online event on 17 Nov.