The volume of hacking cases and the amorphous definition of the word
"hack" itself makes it difficult to enumerate the biggest or most
destructive hacks of all time. But the cases listed here have this in common:
each marks a significant step in the evolution of hacking. These hacks show
how the law has had to bend or change to catch up with technology, and/or how
hackers have achieved new breakthroughs in what they can do.
In 1988, a 23-year-old graduate student at Cornell University, Robert Morris,
released the internet's first worm. Morris, the son of a National Security
Agency (NSA) computer security expert, wrote 99 lines of code and released them
into the internet as an experiment. Quickly, Morris discovered that the program
was replicating and infecting machines at a much faster rate than he had
anticipated. Invisible tasks were overloading machines around the country and
preventing users from using the machines effectively, if at all. Computers were
crashing or becoming unresponsive to commands. To curtail the spread of the
infection, many system administrators were forced to cut off their machines
from the internet entirely.
In 1990, a federal judge sentenced Morris to 400 hours of community service and
a $10,000 fine. While Morris maintained that he did not intend to cause harm
to the networks, he conceded that he did intend to gain access to the affected
computer systems. Under the Computer Fraud & Abuse Act of 1986, Morris was
found guilty of unauthorized access to a "federal interest computer," which the
law defines as a computer that is used exclusively by the federal government or
by financial institutions.
An international group, dubbed the "Phonemasters" by the FBI, hacked into the
networks of a number of companies including MCI WorldCom, Sprint, AT&T, and
Equifax credit reporters. The FBI estimates that the gang accounted for
approximately $1.85 million in business losses.
"They had a menu of activities they could perform," says Richard Power,
author of Tangled Web, a book chronicling tales of digital crime. "They
had Madonna's home phone number, they could hack into the FBI's national crime
The Phonemasters reportedly forwarded an FBI phone line to a sex-chat line,
racking up $200,000 in bills. They snooped in confidential databases to see
whose phones the FBI and federal Drug Enforcement Agency were tapping. They
hacked into the computer systems of several companies and downloaded calling
card numbers and personal information about customers and created telephone
numbers for their own use.
The FBI was first tipped off to the Phonemasters' actions in 1994. A
federal court granted the FBI permission to use the first ever "data tap" to
monitor the hackers' activities. Through the tap, the FBI was able to capture
the Phonemasters keystrokes as they exchanged stolen credit card numbers. After
an extensive investigation that involved Texas, Pennsylvania, Ohio, Colorado,
California, Oregon, New York, Florida, Canada, Switzerland, and Italy, the case
was finally laid to rest.
In September 1999, the members of the group were convicted of theft, possession
of unauthorized access devices and unauthorized access to a federal computer.
Corey Lindsly in Philadelphia, regarded as the mastermind, was sentenced to
over 41 months in prison, one of the longest sentences for a hacker in U.S.
history. Calvin Cantrell of Dallas was sentenced to 24 months. John Bosanac got
The Phonemasters case is the first time that Title III of the Omnibus Crime
Control and Safe Streets Act of 1968--originally passed to allow law
enforcement to intercept wire and oral communications--was interpreted to
allow a datatap over a computer network.
The Citibank case marks the hacker community's first foray into big-money
banking. In 1994, Russian hacker Vladimir Levin engineered a heist from
Citibank, tricking the company's computers into distributing an estimated $10
million to him and his accomplices in several countries. When Levin pled guilty
in January 1998, he admitted using passwords and codes stolen from Citibank
customers to make transfers to his accounts. While Citibank spokespeople have
indicated that Levin gained access to the company's cash management system
through valid accounts that weren't protected by encryption, there has been
speculation that someone inside Citibank served as Levin's accomplice. Citibank
denies such claims and evidence to the contrary has never surfaced.
According to published reports, Citibank's security system flagged two
transfers in August 1994, one for $26,800 and another for $304,000. Bank
officials then contacted the FBI, who tracked Levin as he trespassed on
Citibank's system and made more illegal transfers. After determining where the
transactions originated, telecommunications employees in Russia helped U.S.
officials track the illegal fund transfers to St. Petersburg and finally to
Levin. He was apprehended in London at Heathrow Airport in March 1995.
When Levin was extradited to the U.S. in 1997, he was described in the
newspapers as the mastermind behind the internet's first-ever bank raid. Some
security experts dispute that claim, however. Levin, they say, used
telecommunications systems, not the internet, to break into Citibank. He was
able to intercept Citibank customers' phone calls and, as the customers
authenticated their accounts by punching in their account numbers and PINs,
obtain the information he needed to commit the fraudulent transactions.
Citibank was able to recover all but $400,000 of the $10 million that was
siphoned from its accounts. In January 1998, Levin pled guilty in federal court
to charges of conspiracy to commit bank, wire, and computer fraud. Finally, in
February 1998 a U.S. judge sentenced Levin to three years in prison, and
ordered him to pay Citibank $240,000.
On May 9, 2000, Timothy Lloyd was convicted of writing six lines of code--essentially, a code "bomb"--that obliterated Omega Engineering Corporation's design and production programs. Since Omega makes components for clients such as NASA and the U.S. Navy, those systems were the company's rainmakers. Lloyd knew
Omega's systems well. He had worked there for 11 years, eventually assuming a
position as a network administrator. According to published reports, Lloyd was fired in 1996 because he was unable to get along with his co-workers.
Three weeks after Lloyd was fired, a worker at Omega's manufacturing plant
in Bridgeport, New Jersey, logged on to a computer terminal. It was July 31,
1996, the date that the bomb was set to detonate. By logging in, the worker
unleashed the aberrant code that instructed the system to delete the software
running Omega's manufacturing operations. The Secret Service said that Lloyd
had committed the largest ever act of worker-related computer sabotage, causing
Omega nearly $10 million in lost sales.
A jury convicted Lloyd of computer sabotage in May 2000. However, the
conviction was short-lived. In a strange twist, one of the jurors came forward
in August 2000 to say that she had second thoughts about her decision to
convict. According to Grady O'Malley of the U.S. Attorney's Office, the juror
had seen a news story about the "Love Letter" worm and its attendant havoc and
couldn't decide whether the story had had an effect on her decision to convict
Lloyd. The U.S. District Court judge who tried the case overturned the
conviction. The U.S. Attorney's Office in Newark filed an appeal. A decision is
expected by late March 2001.
One researcher traced the rise of "hacktivism"--the use of technology and
hacking skills to achieve social or political ends--to the Zapatista rebels
in southern Mexico. The group has been credited with revolutionizing modern
political interaction through its use of the internet.
On New Year's Eve in 1993, the day before the North American Free Trade
Agreement went into effect, the Zapatista National Liberation Army declared the
southernmost state in Mexico an autonomous region for the indigenous Mayan
Indian population. This secession sparked a rebellion that is still being waged
in the region today. According to the Journal of International Affairs,
the insurgency in Mexico and its use of modern technology has led to what one
researcher dubbed "The Zapatista Effect," which suggests that the very nature
of political interaction is being rewritten, thanks in part to the internet.
Though the rebels are under constant surveillance by the authorities, they use
hastily laid phone lines, laptops, modems, and other gear to disseminate
information about their uprising to the public. First, the communications are
transmitted to support agencies and other sympathisers in the region. And then
the communications go worldwide to a network of peasants, church groups, and
One such group of activists labeled themselves the Electronic Disturbance
Theater (EDT). In what was supposed to be a show of solidarity with the
Zapatista rebels, the EDT launched a web attack on the Frankfurt Stock
Exchange, the Pentagon, and the web site for Mexican President Ernest Zedillo
in September 1998. According to the communiqué distributed in newsgroups
and on EDT's web site, participants in the online "sit-in" were instructed to
use FloodNet, a tool the group developed enabling users to overload web
servers. The Pentagon, which had been alerted to EDT's plans, fought back. All
of the requests from EDT activists were redirected to a Java applet programmed
to issue a counteroffensive. The activists' browsers were flooded with graphics
and messages, and their computers crashed. The web site for Mexican President
Ernesto Zedillo, however, reportedly buckled and crashed under the pressure of the 18,000 protestors who launched FloodNet.
From the time the Morris worm struck the internet until the onset of the
Melissa virus, the internet was relatively free from swift-moving, highly
destructive "malware." The Melissa virus, however, was rapacious; damages have
been estimated at nearly $400 million. It marked a turning point, too: Melissa
was the first incident of its kind to affect the newly commercial internet.
According to news reports, the earliest evidence of Melissa was in a posting
to the alt.sex newsgroup from an America Online (AOL) email account. One of
AOL's servers had served as a conduit for the virus, which was contained in a
file named "list.zip." The victims, who had expected list.zip to contain
a list of sexually oriented web sites along with user ID and password
combinations, downloaded the file and ran the program it contained. In doing
so, they served as propagators of the virus.
The Melissa virus spread like a cancerous chain letter, exploiting a hole in
Microsoft Outlook, a popular email software. Once the virus penetrated a
computer, it gained access to the Outlook email system and started
self-replicating, sending email to as many as 50 correspondents in the user's
email address book. Since the virus acted so quickly, many email systems were
overwhelmed by the traffic. Experts said that email infected by Melissa
incapacitated computer networks at about 300 corporations.
Luckily, AOL "tagged" the newsgroup postings on its servers, including the
messages on alt.sex. The tag provided investigators with information on the
message itself and the equipment used to post the message. These tags helped
pinpoint the New Jersey internet service provider (ISP) used to post the
original message to alt.sex. The ISP was able to provide investigators with
information to determine the actual telephone that made the call, which led
them to the suspect's house.
David L. Smith, 30 years old at the time, said he named the virus after an
exotic dancer he met in Florida. While his lawyer likened Smith to a "graffiti
artist" rather than a cyberterrorist, Smith was ultimately charged under both
state and federal laws. In December 1999, Smith pleaded guilty to federal and
state charges that he authored and circulated a destructive and costly virus
and agreed to causing nearly $80 million in damages. He was later sentenced to
five years in prison.
Though the Melissa virus reportedly caused nearly $400 million in damages,
federal sentencing guidelines allow for a maximum of $80 million in damages.
In his book Tangled Web, author Richard Power writes, "The
Melissa case had reached the outer limits of what was even conceived of in the
federal sentencing guidelines."
In February 2000, some of the internet's most reliable sites were rendered
nearly unreachable by distributed denial-of-service (DDoS) attacks. Yahoo took
the first hit on February 7, 2000. In the next few days, Buy.com, eBay, CNN,
Amazon.com, ZDNet.com, E*Trade, and Excite were taken down by DDoS attacks.
Though damage estimates vary widely, the FBI estimates that the companies
suffered $1.7 billion in lost business and other damages.
In a denial-of-service attack, the target system is rendered inoperable. Some
attacks aim to crash the system while other denial-of-service attacks make the
targeted system so busy that it can't handle its normal workload. The attacks
on Yahoo and the other companies were distributed denial-of-service
attacks, where one attacker can control tens or even hundreds of servers. After
installing the denial-of-service script on several computers, a coordinated
attack can be orchestrated from a remote location.
The attacks may have been avoidable. On November 18, 1999, Carnegie Mellon's
Computer Emergency Response Team (CERT) issued an
alert that two distributed denial-of-service tools had already been installed
on unwitting hosts. Six weeks later the FBI's National Infrastructure
Protection Center (NIPC) issued a similar warning and offered free software
that system administrators could use to scan for evidence of DDoS tools.
On April 18, 2000, a juvenile in Canada, known online as "mafiaboy," was
arrested and charged in connection with the DDoS attacks. Prosecutors alleged
he broke into several computers, mostly at U.S. universities, and used them to
launch the attack against the web sites. According to police, mafiaboy boasted
in internet chat rooms about the attacks and was tracked through traces he left
of his computer activity. On January 18, 2001, the 16-year-old computer hacker
pled guilty to 56 charges, including mischief and illegal use of a computer
service. He will be sentenced in April 2001, and could spend up to two years in
a juvenile detention center.
For more accounts of notorious hacks, see the Discovery Channel's "Hackers Hall
of Fame" and
Wired.com's recent "The Greatest Hacks of All Time."
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation