author photo
By Bruce Sussman
Thu | Sep 17, 2020 | 8:50 PM PDT

He discovered the power of cyberattacks by accident.

You see, he was a just typical teenager who liked to game. He spent hours each day playing Call of Duty on his PlayStation.

"It was times where people were able to, like, freeze my PS3 or kick me offline. Then after that came, like, my PS3 getting frozen. Which was kind of a mega surprise. I didn't know someone had the power to do that."

And he wanted that power, too. Without it, he'd keep losing to digital cheaters in his online games.

"I felt like I had to do something to get myself back in the running, if that makes sense."

He had no idea that desire would soon lead him down a path to cybercrime. His attacks against prominent companies made him a hero, of sorts, and he amassed a huge social media following.

No, he did not really worry about getting caught. Until it happened. He turned around to find nearly a dozen police officers closing in on him. His head was spinning.

His life changed forever in that moment.

This is the story of a hacker who went to jail when he was just 14 years old. He talked to SecureWorld in hopes that teenagers will avoid his mistakes. And he makes a strong case for what cyber loving teens should be doing instead.

SecureWorld is sharing his story at part of Youth and Cybercrime Week, in partnership with the Cybercrime Support Network.

Stage 1: Revenge against 'Call of Duty' cheaters and trash talkers

How can this happen? How can a typical teenager down the street end up launching cyberattacks around the world?

In Cam's case, it started with his desire to win at Call of Duty. He was tired of other players glitching and freezing him long enough to kill him.

Sometimes it even locked up his PS3 so badly he'd have to completely reboot. 

This typically happens through what are called MODs. Some players figure out digital modifications to alter their games to do things that are against player terms and, in some cases, do things that are illegal.

It's important to note that Cam calls himself a digital tinkerer and he decided to do some research on these MODs. What could he do to level the playing field?

Before long, he figured out how to launch what you might consider mini denial of service (DoS) attacks against another player.

To get the attack started, he would socially engineer them. He would invite his targeted player to join his online party in the game. All the players online had an IP address, but he needed to find that targeted player's address so he would know where to attack.

When he talked to that player, the amount of data coming from that IP address would surge and he locked onto that IP address as his target. He'd then flood that address with so much data the player's game would freeze and glitch.

Sweet victory.

Cam, who is British, shared an example with SecureWorld:

"So basically, there's this dude who was in the same clan... like an online group of lads, we played together. My best mate invited me to the party and he [this other dude] was in there. I had never met this dude before in my life. He went to my school, but I never met him. And he was just trash talking me and trash talking me. Anyway, yeah, so I booted him offline using that method."

Cam says the moms got involved at that point, with one mom calling another over what happened. Cam told his mother he wouldn't do that again but says none of them actually understood what had happened.

And his mother also didn't know that Cam was now involved in both gaming and hacking forums. They were opening his eyes to the real power he could wield in cyberspace.

"I joined, initially, for the video game mods. So I grabbed some video game mods and then they had someone who would post something the next day saying, oh, grab yourself a free Netflix account. Yeah, why not? Like, literally nothing bad about it. And the next day someone will post something about get a modded Snapchat account. Yeah, I'll give that a go, and I just love tinkering with things already."

Stage 2: Social justice and cybercrime merge into a Sea World attack

About this time, the movie Blackfish was making a splash, and social media posts were lighting up the internet with videos of alleged animal abuse at Sea World and similar types of abuse at animal parks around the world.

Cam was angry, and he wanted to do something to get back at the perpetrators of this abuse.

He says he crossed digital paths with another hacker, linked to the Anonymous hacking group, which often cites various social justice causes for its attacks.

This person gave him free use of a stressor, a tool that when used illegally can slam websites with massive amounts of data and force them offline.

Cam knew who he wanted to attack: Sea World in San Diego. And that's exactly what he did, several times.

After the first successful attack, he wanted something longer lasting. And he created it, to target Sea World again and again.

"I basically went from a stressor to dedicated servers. So I had like a command line stress if it makes sense, with all these attack scripts, my own power.

But when you launch the attack, it doesn't have like a [display] where you can see what's going on and what's running. So I've been locked out or turned it off and just gone to bed."

That's right, he went to bed during the middle of one of his attacks on Sea World's website. A successful attack that kept the San Diego site offline.

"And I think it was one or two weeks later when I thought, like the  website's been down for a couple of weeks now. So I went to check and the attack was still running. So I quickly paused that. And that's probably my first time when I was like, Oh, this might be bad."

But Cam wasn't done with his attacks. He launched similar ones against animal parks in other parts of the world.

Why would you stop when you are viewed as an animal rights warrior? Why would you forget you're doing anything wrong?

"It easily happens because you see you can do it, and then you get these kudos and you get this following and appreciation for what you're doing. And you're like, at 14, the lines blur between what's really almost not and people are cheering you on so it must be fine. If that kind of makes sense."

At this point in his story, we find Cam, a British teen, with more than 27,000 followers on social media accounts. The animal rights activists love him for the digital justice he is serving up. 

Stage 3: one cyberattack too many and the arrest

We already know that cam doesn't like digital cheaters in video games. And he despises those who abuse animals. As it turns out, 14-year-old Cam was also annoyed by local police who kept telling he and his friends to stop loitering around town. Cam decided to teach them a lesson.

"So I just DDoS the police website. I mean, you know, because I felt like I was being sort of targeted by the police. Obviously, that wasn't the case. I didn't understand that."

As it turns out, the distributed denial of service (DDoS) attack flooded the local police department servers with data like it was supposed to. But the police followed that data back to Cam. 

He had no idea about this until a few days later, when he was walking to school in the morning.

"When it happened, it was a major shock. Like, I couldn't believe it was happening. So I was walking down the street to go into school. And like, I genuinely had no worries, headphones in, I was just chillin. And I heard some guy behind me saying my name. So I turn around.  He's like, 'you're under arrest. Stay where you are.' And then there's like two more guys in suits behind him. Then I looked over my shoulder and I kind of got this chill. There's like eight police officers across the grass with like their tasers.

It's very surreal, and I was in the car handing over my phone, handing over my keys, I put it into evidence bags and everything. 

I think one of the worst parts of it, that I'll never forget this part, we went to my house initially. And we got to the gate and my mum's hanging out the laundry on this line. So [I say to] my mum, 'can you open the gate, I've been arrested?' And she like laughed and said what he forgot. And I was like, 'No, I've actually been arrested.' They're like... they open this huge like scroll, 'we've got a warrant and we're coming in.' And like just sort of shoved past and walked up into the house.

And after that, it was it was like it switched from like this crazy, crazy time to the detective like, you know, 'do you play Call of Duty? And at the time, I didn't realize what was going on. But obviously, he was asking me those questions to see if I was the same guy doing the Call of Duty MODs, therefore backing up their evidence, you know, for the DDoS attacks and all the rest of it. So it was definitely very well planned."

The next stop for Cam was jail.

Stage 4: A call from a probation officer changes Cam's life

Fast forward to now. 

Cam has turned his life around. He works for England's data agency as a cybersecurity analyst. 

You read that correctly. The formal criminal hacker is now defending the Crown against hackers.

"So I see the attacks coming in and write rules to automatically respond to those threats. So to put mitigations in place, malware analysis, you name it, I do blue teaming. So where I was when I started, I was hacking, that's red teaming. I've completely turned the tables and ended up on the blue side."

This is just his latest job in cybersecurity; he's had others.

And it all happened because his parole officer invited him to attend a cybersecurity conference. He excelled at a capture the flag game and landed a job offer with a cybersecurity firm.

Now Cam has a warning for teenagers and young adults who might be tempted to get into criminal hacking. 

"Don't do it. The cyber response teams in both countries [US and UK] and the rest of Europe have all come a long way since all these sort of attacks, and the larger ones on the ISP and other providers, and they've come a very long way. So they work together now. They've got a lot more capability now, and they'll catch you."

They'll catch you, says Cam, faster than they caught him.

And he says the rewards of becoming a white hat hacker mean you should look in that direction, even if you are young:

"There's room for your skills in the industry, no matter how old you are. If you're over the age of 12, and you can do this hacking stuff, you can you can get paid a lot of money for using your skills on places like HackerOne.

You can jump onto HackerOne. You're not going to jump on there and make 10-grand on your first shot. You are probably better off just trying to get some low hanging fruit.

Do some training videos. Using YouTube like you would anyway, you could bag a few hundred dollars here and there. Like, that's great spending money when you're a kid.

And even I get jealous of some people on there like, the other day I had a guy who had done like four different hits of like $12,000 in one day. Could you imagine being like, 'Oh, I'm running out of money' and bang out for 48-grand in one day?"

And he says if you have a kid who spends all day locked in their room on their laptop, that could be a red flag. Or if you see a laptop hooked up to their PlayStation or Xbox, that could be a sign your kids are dabbling in MODs, which were Cam's first steps on the slippery slope to cybercrime.

Listen to the rest of our interview with Cam on our special Youth and Cybercrime podcast episode.

The podcast also includes a detailed interview with Kristin Judge, CEO of the Cybercrime Support Network. She shares ways that kids, teens, and college age young adults are targets of cybercrime.