It was a summer morning, officer Paul Hastings recalls, when he arrived at a suspected hacker’s house in the northern English city of Hull. There, police had tracked one of the people who’d signed up online for a hacking service called Lizard Stresser that was used to attack companies including Microsoft, Amazon.com, and Sony at the end of 2014. This particularly fearsome cybervigilante was asleep when Hastings knocked, so his dad answered the door.
The visit was one of about 50 U.K. police made this year to people they say used the Lizard Stresser site, many of them children. The Hull suspect, a teenager, couldn’t have done anything wrong, his dad told Hastings. He spent all his time upstairs, on his computer.
Hastings is part of the Prevent team at the cybercrime unit of the U.K. National Crime Agency (NCA). The eight-person team tries to scare offenders on the “periphery of cybercrime” about the consequences of online misdeeds before they commit a jailable offense, boss Richard Jones says. Often, that means talking to teenagers. On Nov. 25, U.K. police arrested an 18-year-old from Wales in connection with the hack of Internet provider TalkTalk, which told customers in October that about 20,000 bank account numbers had been compromised. It estimates associated costs of £35 million ($53 million). Police have arrested four other teens across the U.K. in connection with TalkTalk’s breach, though none of the five has been charged or identified.
Teen hackers have been pop culture figures since Matthew Broderick starred in WarGames, and the U.K. has a long history with juvenile black hats. In 1994, when U.S. Air Force researchers found an unauthorized user on their systems downloading data, they tracked the hacker to a North London suburb. Working with London police, they found their culprit: a 16-year-old boy in an attic bedroom, as journalist Gordon Corera recounts in Intercept: The Secret History of Computers and Spies.
In 2011 hacktivist group LulzSec accessed Sony servers, posted fake news stories on News Corp. websites, and intercepted FBI communications from a private contractor’s computer system. Two of the four members arrested in the U.K. and the U.S. that year were 18 or younger when the attacks took place. The NCA team began its cease-and-desist visits last year and says it’s made 150 house calls in 2015.
Teen hacker subcultures can be an opportunity for law enforcement, says Robert Schifreen, one of the first people in Britain to be prosecuted for cybercrime. Charged with forgery for hacking Prince Philip’s e-mails in 1985, Schifreen was acquitted in 1987—an appeals court said existing laws couldn’t cover what he did. He went on to found IT firm SecuritySmart and now works for Brighton University. “There are a lot of hugely knowledgeable, obsessive, skilled, curious young people out there who want to find out just how far they can push technology,” Schifreen says. “Spelling out to these kids just how far they can go, while remaining on the right side of the law, makes a lot of sense.”
The young hackers Jones sees come from a wide range of backgrounds, he says, but share an acuity for problem-solving. Praise from online hacking communities is a natural draw, says Grainne Kirwan, a psychology lecturer at the Institute of Art, Design and Technology in Dún Laoghaire, Ireland. The suspect in Hull, rousted from bed, didn’t make eye contact while Hastings outlined the allegations against him, the officer says. But he hasn’t come to the police’s attention since, and the Prevent team calls that a success.
The NCA is also targeting teens and their parents with an ad campaign that began running in U.K. movie theaters on Dec. 8. The dramatization shows two parents in their living room boasting about their computer genius son and his inexplicably large bank account. It cuts to two NCA officers in a police interview room, with the tag line “Cyber crime wrecks lives.” The hard sell won’t work on some kids, Jones acknowledges. “Those,” he says, “are the type of individuals we will try to arrest and prosecute.”
The bottom line: The U.K.’s National Crime Agency is trying to scare young hackers straight with door-knocks and ad campaigns.