A Hacker's Redemption (Part 2)

specifically what it was. These little girls, I cannot allow them to go. Once forced to care, he said, okay, well you have made these crimes. We have to charge you with these crmes. Ah, So have you heard that I was a daughter? I was dead. You know I was done. So here was Hector, crammed in a small room with two FBI Asians in the very early hours of June. He thought his life was over, but then

the Asian suggested a deal. They wanted him to keep doing what he was doing as if nothing had changed, but this time with the FBI quietly watching his every move that would grant the government an unprecedented real time peek into the hacker group, an anonymous offshoot lull SEC. The Asians were after not just Hector, but his fellow hackers too. That was that anger. That was that you know, screw the government inside of me and I felt like

I was betraying myself between the coals. But he didn't have long to make the decision because the girls weren't there. I'd be like, listen, you go school yourselves. I'm gonnad a lawyer, my attorney. I'm gonna try this out. Hacking is a tweet amnabum anyway, um, but it's hard to do them when you have kids around. You know, Do I let them pay for my mistakes? Well? Just do I deal with it myself. In the morning, the FBI

took Hector to court for his initial appearance. It was a rare closed proceeding to keep Hector's arrest a secret. He was released on bail in the afternoon. He picked up his young cousins at school. They all cried, including him. You know, kids and much more than you think. Uh. The big one not to mention the name. She basically she was basically you know, I was skinny. You left us and he didn't come back home. Oh, I broke

my heart. It's like I got you. I'm not leaving you behind your crazy So over the course of less than twenty four hours in June two eleven, Hector was arrested, agreed to cooperate with the government, and got out on bail. He was allowed to go back to a sixth floor apartment, and he was able to keep the girls right away. The FBI Asians put him to work. When they arrested him. They'd seize Hector's laptop, which was so battered it was

missing a couple of keys. The Asians gave him a new computer that was installed with software so they could monitor everything he did on it. They also set up a surveillance camera in his home so he wouldn't run. So what did you do for the FBI? Just sat there and be said, bo got online. I cursed him out all day because I was angry at the FBI for what they were doing too. I mean, I felt

like it was extortion. The agents would tell him, you gotta play your position, all right, um the lord you can played his out as similar as it is, this case is over. You have your kids back, We're gonna be out of your lives. You're not gonna bother you no more So. Hector was off to a reluctant start, but prosecutors would later praise him for those nine months he spent secretly cooperating with the FBI. They would go

on to call his work extraordinary. Some days, Hector would sit in a computer room with Asians, explaining the way he researched ways to break into his targets. Other days he'd walk prosecutors through the play by play of his previous hacks, and then in the afternoon he'd go pick up his cousins at school. In the evening, he'd often log on to chat and coordinate with the other hackers, who,

of course didn't know that he was cooperating with the FBI. Today, Hector is quick to say that he himself never directly named anyone and that he never testified against his co conspirators in court, but the government said that his efforts contributed directly in the identification, prosecution, and conviction of eight separate hackers, including a guy called Jeremy Hammond, who at

one point was the FBI's most wanted cyber criminal. Hector also passed on information about attacks that other hackers were planning. The FBI estimated that it was able to disrupt or prevent at least three hundred hacks as a result, including those against the U. S. Armed Forces, NASA, a television network, and an electronics conglomerate. All of that required grueling work that sometimes kept him up all night, and it took

a toll. Hector's aunt was released from prison midway into Hector's work with FBI, and she remembers just how overwhelmed he was. The kid will break out with these massive headaches, to the point where he would cry and lay in my lap and I would like to have the massage, just simple massages. Ford put cold rags on his head and give him Tolennel and saw him. You're always gonna be all right. You're gonna get through this. But there

were lighter moments too. All the hard work forged an unexpected bond between Hector and Chris Tarbell, the FBI agent who arrested him. He will see me a lot. He would come to see me. He will drive to see me, check me out, make sure it was all right. Chris declined to sit for a taped interview because he didn't want to discuss the details of the FBI's investigation, but he was willing to talk about his own views of Hector.

Chris told me that before the rest, he knew Hector only by the demeanor he exhibited in his online persona Sabu, the cold hearted, calculated rogue who made it clear to everyone online that they should not mess with him. Over time, Chris came to see Hector in a different light, as someone who cares deeply about his family, especially his two young cousins, as someone who had to make tough moral

decisions to do right by them. Here's Hector again, and we would eat like fat bastards like it would just eat. We love to eat. He would bring me like a chipo and he would eat something else and we just sit down and talk and laugh and jog um. He's a very real guy. Of course, Hector knew they wouldn't be eating meals together like this for long. He was bracing himself for what would come next. There's a major

takedown in the war against computer crime. Authorities in the United States and Europe just rounded some alleged hackers, and federal prosecutors said six key members have been arrested. Set an offshoot of the hacktivist group Anonymous have been arrested in the US, Britain, and Ireland charged with hacking and other crimes. On March six, two twelve, with great fanfare,

US prosecutors announced charges against six hackers, including Hector. As part of that Hector's identity as Sabu was released to the public for the first time. Prosecutors outlined the twelve charges that Hector pleaded suilty too, which carried a maximum penalty of more than a hundred twenty years in prison. The government also revealed the details of Hector's secret cooperation with FBI. It was a huge victory for the bureau, which at the time still didn't have a lot of

experience solving cyber crimes. Fox News had the story first. Its article described Hector as a lazy, underachiever, complacent in his lifestyle, and a welfare recipient, which by the way, Hector says he wasn't, and The New York Times called him a party boy of the projects. The story cited unidentified neighbors who complained about the noise at night and

the smell of marijuana wafting from his apartment. And then there were the chat forms online they lit up with all kinds of diet tribes about his betrayal of Anonymous in his own police fearing neighborhood, Hector and his family faced threats for cooperating with law enforcement. March five, Everyone loves that when it was the best guy in the universe. More six, I was mad at the cardinal. There was a traitor. I was sending me to bowl Gravano. I

was I was the worst person to have exists. Reporters swarmed his apartment, and Hector and his family faced so much harassment that the FBI decided to relocate him. The girls were returned to their mother, Hector's aunt, who was newly released from prison. A little over two months after his arrest was publicized, Hector's bail was revoked for posting unauthorized material online. He had been keeping a blog in which he posted short stories which included references to the FBI.

He was sent to the Metropolitan Correctional Center in Manhattan. That's the federal jail that once held the gangster John Gotti. Last year, it took in the Mexican drug lord El Chapo. Some publications, including The l A Times, have called it the Guantana mode of New York. It was weird fo all of us because you know, not only he had he had me right, you had these big time dudes that were their murderers, just kidnappers and terrorists. And there

it was the craziest place. But Hector says he gained a lot from that time he spent in jail. Give me time to think and spend the time in my bunky really helped me because again, talking to somebody with a different perspective helps a lot of trust me. I've come to realize that the most important thing in my life right now, at least at that moment, was the kids. In December, after seven months in custody, Hector was rereleased on bail. His aunt, his father, his cousin, and his

friend came to pick him up. Hector scarfed down a hot dog, down to soda, and smoked a cigarette. But as he re acclimated to life outside of jail, he was stuck in a new kind of purgatory. I came out had nothing nothing nothing nothing, no money, no help, no job. Uh couldn't get on the incident, couldn't talk to my friends. UM, my family screwed up. They're they're they're just not working. Hector went on to stay with an uncle and all the while he wasn't allowed to

touch a computer. His sentencing hearing got delayed seven times. It was the sickest, craziest year of my life. Two thowl the embarrassment, regret, the shame. He went through a big depression phase where I asked him to do therapy, to get counseling, to try to get home, but he shows not. I was his therapist, at his counselor his side. On fourteen, Hector, thirty years old, finally stood before a U. S.

District judge for sentencing. It was almost three years since the day he was arrested, and more than a year and a half since his arrest became public. I read the transcript of the hearing and it's really everything you wouldn't expect from a criminal court proceeding. It was cordial, non confrontational, overflowing with praise for Hector from all sides.

The room was packed with journalists. Hector's lawyer started off by requesting a sentence of time already served for those seven months he spent in jail when its bail had been revoked, which is a dramatically reduced sentence for the twelve charges he pleaded guilty too. It's even less than the mandatory minimum. And then the government called Hector's cooperation quote extraordinary and recommended the same reduced sentence for Hector

of time served. The judge immediately accepted the motion. In her parting words, she told Hector he'd done as much as any human being could do to make up for his past wrongs. She told him that she looks forward to him deploying his skills for good. I sat in the court room and I began to cry. When the judge saluted him, I salute you. Hector walked out of the courtroom that day a freeman, but he would soon face one rejection after another as he tried to rebuild

his life. Welcome back. A little over a year since hector sentencing. In the summer of two thousand fifteen, text sites were a buzz about a young security researcher named Benjamin Caudill. He ran a small cyber security firm at Seattle. Benjamin had created a device that would help people get online while masking their physical locations, but then he had to abruptly cancel the project as soon as it got publicity. With very little explanation. Curious onlookers had all kinds of

theories about the projects sudden death. Well, apparently somebody didn't want Pound whistleblower, Pound and Anonymity to happen, and no one knows why. It's probably the SEC got mad at me. I kind of wondered about that if maybe it wasn't some sort of gimmick. So I just speaking, I don't know, nobody knows. That's when Benjamin got a direct message on Twitter from Hector, like doing this Adam only from a hole in the wall, But I've been through this nonsense. Um,

keep your head up, ignore the BS considering good. There's free publicity for the company. Just keep your head up, bro, and if you need me to send me up. Ironically, back when Hector was attacking all these corporations on behalf of Anonymous, Benjamin was on the other side, helping protect companies from hackers like Hector. Benjamin used to work for the aircraft manufacturer Boeing and remembers discussing with this team how they would respond if Anonymous were ever to come

after the company. And now here was one of its hackers saying, Hi, here's Benjamin. It was very I'll say it was very skeptical, very uma suspicious even, But Benjamin was also curious and responded. After some back and forth, they hopped on a call. They ended up talking for hours discussing all kinds of nerdy cybersecurity things. I wouldn't have believed it myself had I not experienced it, But he's actually a very very gentle, very nice kind person, and on all of these things kind of took me

by surprise. At the time, Hector was struggling to find a job. He made some money through bug bounty programs. These are rewards that companies offered to people who find security flaws in their systems, but it wasn't enough to pay the bills, and it wasn't enough to build a career. The rejections piled up and he was devastated. One day, Hector mentioned this to Benjamin. Benjamin said, Okay, let me

reach out to the guys I know. Benjamin would say, Hey, Joe, I got this guy that has a lot of exploit dev experience, has have been doing this for fifty has all this technical and security experience in in offensive operations, and it's looking for a role and consistently people would be, you know, jumping over the table excited for this, and then Benjamin would say, great, his name is Hector. Monster.

It was incredible how how fast they were to do not only retract their statement you know, we're not interested and just shut down the conversation, but had almost like blackballed me, almost by extension. This went on for two to three months. Benjamin City reached out to contexts, but not a single one even agreed to have an initial

conversation with Hector. You would admitted yourself, this is a skill set, a person, a capability you desperately need, and you are not even willing to have a discussion about it. You're not even willing to get more information. I think we've all heard stories about how hard it is for convicted felons to get a job, but I was still surprised to hear of the swift and unanimous rejection that

Hector got. Yeah, this is a very skilled person in a in a really hot industry that desperately needs more talent. Although I do understand why companies wouldn't want to take the risk of hiring somebody with Hector's reputation, it made me wonder if the ban was more specific to Hector, who had gained a ton of notoriety as a high profile anonymous hacker, or if the reluctance to hire convicted hackers was more widespread. I called up Tom Holt, who's

a professor at Michigan State University. His research focuses on computer crimes. Well, the risk would be that you're a known criminal quantity, So are you going to do it again? This is a really important question, and there's actually no data to predict that risk right now. According to the U S Sentencing Commission, federal offenders of drug trafficking have a particularly high rate of recidivism. It's forty two sent Those who commit fraud fo larcnity is three point nine.

But the research on cyber criminals is so early that, according to Tom, there aren't even definitive numbers on how many of them exist. I asked Tom to name the people he knew who have made the transition from criminal to legit. Oh, man, uh, it can't be that many. Um, I guess you have met Nick. You have um Adrian as a I was forget as a Lama or Lamo. So there's a couple. But yeah, not not that many. Watching Hector get rejection after rejection, Benjamin had a thought,

maybe this could be an option. Maybe we we are the ones to hire Hector. When Benjamin says we, he's referring to us from Rhino Security Labs, which deploys its legitimate research jersey to test the security of its clients networks. The idea is to have Rhino's good guys try to break in and identify the flaws before the bad guys do. The company's business was growing and there was room to expand the team. At an industry dinner party one night,

Benjamin floated the idea of hiring Hector. Nobody thought it was a good idea, but Benjamin got his chance to try it anyway. In the fall of two thousand fifteen, a repeat client had come to Rhino with a particularly difficult job. So, with the permission of that client, Benjamin asked Hector to join the project as a contractor. Very first engagement was was just was just incredible. When I first got that paycheck, you know, man, that made me complete.

I was happy. I thank them so much, said dude, you are a gentleman of a scholar, you know. Thank you for giving your word today Hector is the director of assessment services at Benjamin firm Rhino Security Labs. He manages a team of five people. Our goal is to infiltrate the clients by any means necessary and getting as

far as we can, as deep as we can. If that sounds pretty similar to what he did as a criminal hacker, that's because the work actually is really similar, except for the fact that this time companies aren't asking him to do it, and instead of wreaking havoc with what they find, Hector and his team right up a tidy report that they submit to the client. In this twist that completely surprised me, Hector today is friends with

Chris Tarbell, that FBI agent who arrested him. Chris today works for a consulting firm as a cyber security expert, which makes him and Hector industry appears. Hector says he looks up to Chris as a mentor, as someone he goes to for advice. Chris says he sees their relationship more like a work relationship that's deepen over time. Chris was kind of like a supervisor while Hector was cooperating

with FBI. Chris has met Hector's cousins, his aunt and his father, and also mentioned that they have plans for Hector to soon meet Chris's own family. Meanwhile, Hector is still the only one with a criminal record at Rhino. Benjamin said there have been three or so candidates who were inspired by Hector's transition and approached Rhino about potentially working there, but Benjamin said he since they weren't completely

committed to letting go of their former life. I ended up spending more than eight hours with Hector over the course of two separate days, and this was the point that he seemed to really want to make that he's changed over and over again. He told me that he sees his hacks differently now. So people that their information was leaked uh to my various hacks, I feel bad for them because why is their identities being used? Now? That mean there's my mistake for leaking their info? Why

did I do it? Why was I not thinking a lot of these things that you want to go back in top of fix? And it's too late, and I feel horrible about it. I wish that there was more I could do. You know, he even regrets the hacks he did to cheer on the protesters of the Arab Spring. At the time, it seemed like everything that we were doing was completely right and completely justified, and we were on the right path. You were righteous. Yeah, we got

a cause. But then you fast forward in time and you see what happened to Gaddafi is still in a state of chaos and insecurity. The Arab Spring promised so much, but the regent seems to be unraveling. From Olibya to six years on human rights organizations, Egyptians have lost basic liberties. Unhappy with the brief rule of the Muscle brothers. Did we help those people? I can't be proud of it because I think I may have made a situation worse. If you were to do your life over again, what

would you do differently? That's such a difficult question. I have no idea they'll be back in the projects. If I don't mess the computers, what would it be in the streets. And honestly, I would avoid Anonymous if I could. Anonymous was a sham and it was a big joke

and I didn't see it. Two was too late. It's it's a really cheesy cult that it's very easy to fall into a cult like that because they give your attention, and they retweet you, and theyre facebook you, and they restatus you, and they wouldmonish you and show you all the love and social media respect that you want until they don't like you no more, and then you have ten thousand death threats in your inbox, and then they're sending you pieces to your house so they're trained to

kill your family. Do you ever feel the temptation to go back to hacking. I can't afford it. I can't afford it because if I lose everything I built, then what's what's the point? Do you miss it? No? I'm actually very bored of it. I'm bored of hacking. I look at I look at security research as a job, and I try to make it as monotone as possible. I want to maximize results of my clients and uh be able to finish up my my shift and enjoy something else like Netflix. Stranger Things Too was great, by

the way, uh, Castle Gating was nothing. Show actor is thirty four now, and it's been two decades since he first got online. There's something familiar about the way his relationships with computers has changed. He's exhausted for being on a computer, like he's not in love with it anymore. You don't have that same love like when I first gave him when his first computer. Being a cyber security researcher, he worries a lot about his cousin's going online. It's

not that he doesn't trust them. They're twelve and fourteen, and he says they're really smart, but he doesn't trust the rest of the world out there. I hate to sound like an old fart, that old man or whatever, but if I had the chance, I would probably block the intem of the house, you know, kind of over it as long as together, very bad. They would hate me for sure. Still, when he needs to work when they're together, he tries to show them what he's doing.

He says cybersecurity is still a great career. The younger one, who's right around the age that Hector was when he first fell in love with computers, recently told him that she wants to learn how to code, so he's working on finding her a coding program. And that's it for this week's Decrypted. Thanks for listening. We are so excited to be back with a new season of episodes. We'll be publishing one each week, mostly on Tuesday's, including one next week. In the meantime, let us know what he

thought of today's two part story. He can send us an email or a voice memo to decrypted at Bloomberg dot net, or you can find me on Twitter. I'm at aki Eto seven and I'm at brad Stone. If you haven't already, you can subscribe to our show on Apple Podcasts or wherever you like to listen, and while you're there, please take a moment to rate and reviewer show. This episode was produced by Pierre Getkari, Liz Smith, Magnus Hendrickson,

and Christie Westguard. My article on Bloomberg dot com that accompanied these two episodes were edited by Robin and Jello. The photos of Pector were shot by Ale Malca and the illustration was created by Kevin Han. Prince spin Leady is the head of Bloomberg Podcasts. We'll see you next week.