Businesses still imagine hackers as hoodie-clad programmers hiding away in server rooms, writing endless lines of code to breach their targets. But the entire cybercriminal field has transformed almost unrecognizably. Hacking has gone from a counterculture hobby to an industry involving business and politics.
Adrianus Warmenhoven, cybersecurity advisor and spokesperson for Nord Security, has some experience with white hat hacking himself. We spoke to him about how hacking has changed in the past few decades, what drives cybercriminals, what the impact of the recent AI developments has been, and why the real threat lurking in the shadows is not humans but bots.
Let’s start by talking about who and what hacks target. Small businesses, for instance, often have the idea that they’re too small to interest cybercriminals. What would you say to them?
At the end of the day, hacking is a business. No hacker wakes up thinking, “I’m going to make someone’s life really interesting today.” What they really want is money. If they can get 5 cents from a million people, that’s still 5 million cents.
The techniques hackers use might differ according to the target’s size, but the interest remains the same—everyone is a potential victim. With large companies, hackers usually target administrator accounts, but for individuals, they use things like phishing.
Is the price for business and personal account information on the dark web the same?
It’s not so much about the price as what you can do with the information. Business accounts are usually more valuable, but they’re also short-lived and volatile—the security team can remediate the problem and reset the accounts once they notice a breach.
You can get about 10,000 verified email addresses for $5; they’re really cheap. Likewise, passwords are extremely cheap—you can get a couple of thousand for one or two dollars. It really depends on what you can do with the information.
Would you say most hackers are in it for the money?
Yes. In fact, a lot of hackers nowadays working for criminal organizations don’t even know that’s what they’re doing. They basically just work as developers.
We used to see hacktivists, but their identity has shifted over time. They used to protest oil companies and the like. Nowadays, we see more hacktivists align themselves with nation-states to get their sponsorship. It’s still about the financial gain, but politics are starting to creep in.
In Europe, you also see the drive to get recognition from your peers—from other hackers. A friend of mine, for example, doesn’t care about money anymore—he has enough—but he’s busy with Microsoft, so he can say, “I hacked the Xbox network,” and that would give him credentials.
Is the line between white hat hacking and black hat hacking blurry?
The whole white-hat-black-hat thing is difficult and gets worse with things like coordinated vulnerability disclosures. Companies state, “If you find a bug and tell us, we pledge a reward.” Nord does this as well. Many hackers make money bug hunting for companies like Microsoft and Apple—a single bug discovery can be worth a couple hundred thousand dollars.
Bug hunters aren’t in it for the money; they’re in it for the thrill. They’re very technically skilled and get bored really quickly. You want to keep an eye on those hackers so they don’t switch over to the dark side.
In the Netherlands, hackers, businesses, secret services, military, law enforcement—everybody knows everybody, and it’s just part of the culture. If a hacker called law enforcement, they wouldn’t say, “Well, you’re a hacker; we won’t listen to you.” Everyone helps each other in the home security field. I hope the rest of the world can catch on to this.
The European law has been very favorable here. You’re protected by the law if you can prove you’ve hacked something with good intentions. In the Netherlands, it offers even more protections: if I inform the manufacturer or the hacked person immediately, there can be no legal repercussions. The Dutch government actually gifts you a t-shirt that says, “I hacked the Dutch government, and all I got was this lousy t-shirt.” It’s really highly sought after because it’s like a badge of honor you can brag about. In the US, the government hands out medals. These trinkets of recognition are really valuable to hackers.
Does this motivate hackers to switch sides?
Yes, and nowadays, we see a lot of hackers working at security companies. But this has been part of the hacking culture since the 1990s when you’d hack someone, and they’d hack you back. It’s all about who’s the smartest kid on the block.
Let’s talk about hacking-as-a-service. Can businesses hire hackers to sabotage their competitors?
They can, and they do. There are even auctions for vulnerabilities, with businesses and nation-states bidding alike. If you go on the dark web, you can find plenty of “I can hack” listings, but also more niche ones, like “I can delist your competitor from Google” or “I can give your opponent 10,000 negative ratings.” If you have enough money, you can buy just about anything.
Is there an ultimate way to protect yourself from hackers, or can you just do the best you can with the tools at your disposal?
There is—go offline. I’m joking, of course, but digital identity is something I try to explain to people all the time. People think that the physical person is the important part, but it really isn’t. Your digital identity is worth more than you are. If you were to drop dead right now—and I really hope you don’t—your digital identity would still make transactions, it would still receive messages, it would hold value in the world. Once the physical body is disposed of, it’s terrible, but that’s it. But your digital identity is part of you, and you need to take care of it. It hangs on even if you go offline or pass away; it continues to do stuff. All your profiles, banking accounts, notifications—whatever you have, it’s still part of you, like your avatar in the digital world, and it continues to function.
Does AI help hackers guess and steal passwords?
Guess? No. Steal? Yes. Let me explain.
An AI can’t guess passwords due to how they’re stored. Passwords are just complex combinations, and their difficulty depends on their length. Brute-forcing them with AI is a mathematical impossibility, especially since AI can’t make better guesses than the optimized mathematical formulas that already exist.
That said, there’s nuance to it. If you always use the same type of password, an AI can predict the pattern of your password use. Hackers don’t start with AAAAA, they start with the most likely passwords for the user. Basically, a hacker can buy all your passwords from a breach. I add some extra information, like your social media accounts, and let the AI predict what the first million password tries would be. So, an AI can help you make these guesses, but it can’t guess the password better than the algorithms in use so far.
As for stealing passwords, AI can be very helpful. People develop all sorts of malicious code using AI without knowing a single programming language; all they need to do is copy and paste it. You can also use AI for impersonation by analyzing how you communicate on social media and who you talk to.
Let’s say you talk to a trusted person on social media. If I trained AI using this person’s responses, I could write like them. Then, I could try spearphishing you by sending an email that would sound exactly like that person to lower your suspicion.
Does that mean AI can be used to predict a password pattern?
Yes. For instance, if you use a musician’s album name as your password, the AI can predict that once a new album is released, you’ll use it as a password. That’s why you should use a password generator—it creates random line noise with nothing to predict, taking AI out of the equation completely.
True or false: the old-school image of a hacker in a hoodie is now dead. The victims are at the mercy of bots.
The funny thing is, I personally never wore a hoodie; I find it really uncomfortable to work with. Joking aside, this idea of a hacker in a hoodie really originated from movies, but that’s beside the point.
You’re right to say that the singular hackers are pretty much gone now. Sure, you can find them here and there, but they’re not a structural threat. They’ll hack a school or a neighbor they don’t like. At this point, it’s basically like getting punched in the face by somebody on the street.
Regarding bots, criminals—especially criminal organizations—have discovered that many steps can be automated. As you automate, you can scale up: the 5 cents I mentioned at the beginning can now be taken not from a million people but a billion. You need a lot of bots to achieve this, and that, once again, puts a target on everyone. You probably won’t be targeted by a single hacker unless you’re their specialty. Even hacking a hospital is a whole formal process now. Say someone hacks a hospital. The hospital sends in a ransomware negotiator, while the hackers have their own negotiator who doesn’t know who the real hackers are. It’s creating new cybersecurity jobs as well. It’s all a business, and bots are just another tool—like a forklift for heavy loads.
Is supply chain hacking the go-to thing these days?
It depends. In the Netherlands, the secret services ran an encryption service that all the criminals were buying from, and the Dutch police just sat back and laughed as all the purchase information came to their servers in plaintext.
Supply chain hacking will certainly be the go-to thing for nation-states in the near future. It can carry an aftershock of consequences. Let’s say you hacked a crucial piece of hardware—like ASML, a Dutch company that manufactures parts needed to create chips—to ransomware not just the manufacturer but its customers as well. Intel, Apple, Nvidia—all the companies reliant on ASML would be in disarray because they couldn’t produce new chips anymore. You can bet they’d all be chipping in to find you, and the secret services would join the hunt as well. You’d become the focal point of just about all law enforcement around the globe.
Supply chain poisoning—putting malware somewhere in the chain—will become more prevalent thanks to all the cheap stuff we buy online. There are maybe eight factories on the planet that manufacture all the dropshipping stuff we buy—all they do is slap a different label on it, but it all comes from the same source. A hacker can pay those suppliers and say, “For each of those USB sticks you ship with my firmware on it, I’ll pay you a dollar.” Then people buy those USB sticks, plug them into their devices, and every machine gets hacked; it’s as easy as that.
I imagine hackers will do more targeted things. For now, cybercriminals haven’t monetized it yet or figured out how to do it efficiently without making much noise, but it will become important. The physical and digital business worlds are inescapably intertwined now. Take the port of Rotterdam, for example. They spend inordinate amounts of money on cybersecurity because drug dealers in the Netherlands cause disruptions all the time. Just this year, some people were arrested trying to extract a container with supplies.
So, supply chain attacks are not the go-to yet, but I’m pretty sure they will be in the next few years, especially due to the influence of nation-state hackers.
What’s more profitable for hackers: stealing and selling data or asking for ransom?
Ransomware does both. It used to be just ransom or just stealing, but the malware covers everything now. Hackers send all stolen files to remote storage while encrypting them. Then, they can resell the data if the victim doesn’t pay the ransom—that way, you’re not stuck having wasted all this effort for no money.
The bigger malware groups actually stick to a sort of “honor among thieves” principle. If you pay the ransom, they will actually decrypt your disk and delete the backup files on their end because—and I know this sounds counterintuitive to trust the criminals—trust is the one thing that makes people pay more easily.
Another reason to steal is to avoid putting decryptors in their malware. For instance, companies in Europe can route free decryptors using nomoreransom.org, a Europol tool. Once they find flaws in the encryption code, they can figure out how to decrypt it for free. The police then share those decryptors. If your malware doesn’t contain decryptors, it can’t be analyzed. Even if you mess up the encryption, you can still have a backup in your own storage. If someone ends up paying, you just send them the backup.
Many still don’t pay their ransom because of this old policy where everyone claimed that if you didn’t pay, the criminals would stop. But criminals don’t just turn around and go, “Foiled again, let’s just do something else.” Even if they do something else, they make sure to get their money any which way.
You’ve mentioned some people don’t know they’re working with cybercriminals. How do hackers find these unwitting accomplices?
There’s a whole field of study into the psychology of cybercriminals that looks into how they get people. For instance, call center employees who handle support for ransomware often don’t know they’re working for criminals. They’re just hired as cheap labor to sit behind a chat screen and follow a script like it was any other legitimate product. They don’t know who they’re working for, and they don’t really care—today, they’re doing support for a hacker, tomorrow they’ll handle calls for IBM or wherever the paycheck takes them.