Summary
This episode explores the true cybercrime story of Michael Calce, also known as Mafia Boy, who was responsible for taking down major websites like Yahoo, E-Trade, eBay, and more during the dot com bubble. Michael's journey into hacking began when he received his first computer at the age of six and became fascinated with the idea of controlling and commanding it. He joined an elite Russian hacker group called TNT and used their resources to carry out his attacks. Despite covering his tracks, Michael was eventually caught due to his bragging in IRC chat rooms. He was sentenced to probation and has since become an ethical hacker, raising awareness about cybersecurity.
Chapters
- 00:00 Introduction: The Early Years of Michael Calce
- 06:39 Joining the TNT Hacker Group
- 18:29 The Takedown: Bringing Down Major Websites
- 23:26 The Arrest and Aftermath
- 28:10 The Changing Landscape of Hacking
- 29:05 Conclusion: From Cybercriminal to Ethical Hacker
Topics: how cyber criminals are like mafia, how cyber criminals publish manuals, how employees can create insider threats, behind scenes cyber criminals,, mafia boy, Michael calce, best ways to protect business from cyber crime, best ways to protect people from cyber crime, how to limit liability from cyber attacks, how to limit liability from data breach,
Dino Mauro (00:02.478)
Michael Calce was born in the West Island area of Montreal, Quebec in 1984. He's refused to speak about the incidents discovered until only recently in the past few years. This episode explores our research into Michael Calce and the incidents that took down the internet. His parents separated when he was five years old. Michael primarily lived with his mother during the week and attended school like most kids back in the 90s. For Michael, the separation was hard on him and he would
Spend alternate weekends with his father at his dad's condo in Quebec proper in his book How I cracked the internet and why it's still broken published by Penguin publishing in 2008 Michael Calce Said he felt isolated from his friends back home at his mom's house and was troubled by the separation from his parents His father was a successful businessman and Michael points out that he wanted his boy entertained when visiting so his dad basically had two rules
Don't bother my cigars and don't bother me when I'm eating. Remember that later in the story. So to keep his son entertained, his dad bought him his very own computer at the ripe old age of six. It instantly took a hold on Michael. Michael's quoted as saying, I can remember sitting and listening to it beep, gurgle and churn as it processed commands. I remember how the screen lit up in front of my face.
There was something intoxicating about the idea of dictating everything the computer did, down to the smallest of functions. The computer gave me, a six -year -old, a sense of control and command. Nothing else in my world operated that way. That's from his book. That gave him solace for the moment. And he would play the limited games that came with the computer, which were pretty lame in Michael's opinion. He wanted to play more fun and exciting games. And where were those?
Back then, those were online. And when he first went online, at the age of six or seven, he was amazed. He described it as a community. It was a place to both connect and communicate live with other people, and yet still keep a sense of safety in anonymity. Today, some 20 years later, things are essentially the same in that sense. Though in most ways, they've become much more dangerous. And in many ways, thanks to Michael Koshy.
Dino Mauro (02:31.022)
As the years progressed, Michael Kalsche was around 10 years old and accessing online the way we all used to. Through AOL, America Online, they would provide access to the internet and it would come in the mail, if you recall those. It would come in a CD -ROM or a floppy disk. And what did it offer? It offered a 30 -day free trial. After that, you had to pay. Literally, you to pay to be online. In fact, nearly...
50 % of all the CDs manufactured back in that day were made for AOL's internet use in the direct mail campaigns. It was very popular and almost everybody was doing it. Michael Koshy said that paywall though, after the 30 days expires, this requirement to pay, to get online and to have access to the video games, that paywall was his turning point into what initially as a child,
Dino Mauro (03:31.246)
most young boys he wanted two main things to play video games and to have free online access. Back then he couldn't. He faced two main obstacles. He was unsure whether his dad would pay for the video games he wanted. Clearly he couldn't do it for all the games that were out there. And he couldn't get online access beyond the AOL's 30 -day free trial. One thing he knew is step one he needed online access in order to even access the video games. So he found
online AOL chat and was asking around on ways to get video games and more online access before his 30 days ran out. He got into a tiff with a guy online and met the effect. In response, Michael said to the guy, so what are you going to do about it? And suddenly, without warning, boom, the guy had knocked Michael offline. He'd done something. He'd taken him not only out of that chat room, but completely offline. Michael
was taken aback. He was shocked. He was blown away by that. That assault, that power exercised online against Michael by forcing him and knocking him offline impressed him. He thought that was powerful. That power, along with Michael's two driving needs for the free online unlimited use of the internet and number two, the ability to download free video games, movies and music that he wanted, would result in Michael
becoming one of the most famous hackers and most wanted criminals of the day, engaging 16 different FBI groups, the president of the United States, the U S attorney general, Janet Reno, the RPMG Canada's FBI, and made him wanted for taking down CNN, eBay, Yahoo, and more at the height of the dot com bull market
what many believe led to the dot com bubble burst causing stocks to crash and an estimated one point seven billion dollars in damages from the acts of Michael Kalche. This is his true cybercrime story. The cybercrime story of mafia boy, the boy who broke the internet.
Dino Mauro (05:53.794)
Lucky to work for a great group of people you really believe in. Find yourself making an impact. Technology is a river that flows through every aspect of an organization and today is different. We put ourselves and our organizations literally at risk of complete destruction every single time we get online. One click, one distraction is all it takes. Hi, cybercrime junkies. This is your host, David Morrow, along with co -host Mark
Come join us as we explore our research into these blockbuster true crime stories. Along with interviews of leaders who built and protect great brands.
Dino Mauro (06:39.778)
So Michael Calce jumped back online and
Dino Mauro (06:45.518)
In less than 30 minutes, he apparently found it. It was called AOHell. Here's a little rabbit hole side note on AOHell. You can look it up online, and it was the real deal back then. It had the ability to punt someone else offline. AOHell was the first of what would become thousands of programs designed for hackers created for use with AOL. But again, 94, 17 -year -old hacker, Coachella Racusche from Pittsburgh, Pennsylvania.
known as, he had an online username of Decronic. He used Visual Basic to create a toolkit that provided a new DLL for the AOL client, a credit card number generator, an email bomber, an IM bomber, a punter, and a few basic set of instructions. It was billed as an all -in -one nice convenient way to break federal fraud law, violate interstate trade regulations, and rack up a couple of good old telecommunications infractions.
in one fell swoop. When the program was loaded, it would play a short clip from Dr. Dre's 1993 song, Nothing But a G -Thing. Most notably, the program included a function for stealing passwords of America Online users. And according to its creator, it contains the first recorded mention of the term phishing. AOHell provided a number of other utilities which ran on top of the America Online client
But most of these utilities simply manipulated the AOL interface. Some were powerful enough to let almost any curious party anonymously cause havoc on AOL. The first version of the program was released in 1994 by
and his buddy known as the squirrel. And now back to Michael Calce So Michael Calce had found the puncher tool. So now he could punch people offline who make him mad. Michael thought cool, but that didn't solve his problems. His first 30 days was still running out and he wanted video games, music, being able to download all those things. So in the mind of this crafty
Dino Mauro (08:58.382)
He started cooking and in that tool that had the punt trick, there was an admin function. And what he found, that tool afforded him the ability to appear as an admin of AOL. Think about that for a second. This time he's 11 years old. He was able to impersonate an admin of the largest
Dino Mauro (09:26.19)
So he went on AOL chats and contacted four different people right away. He appeared as an AOL administrator and said, due to a power outage, I would need to verify your AOL credentials. He has four people and four people in a row gave him his credentials. He learned the mastery of social engineering for the first time at the age of 11. It worked four out of four times. So the stage was set. With that, problem one was solved.
He now had unlimited use of the internet for life. And now he had to solve problem two. So he needed unlimited use of the internet and access to all the free video games. He figured out problem one. Now problem two, the problem facing him still was that to get access to all these downloads of the music, the games, all that good stuff where you can get all this stuff for free, albeit illegal.
You had to wait in line. There was a queue. And you had to wait in line and these chat rooms were run by criminals. Everybody had wanted that software. You could remember Napster back in the day and things like that. This was even pre that. And it would provide cheats and access to free video games, etc. So what do you think he did? Being the ripe old age of 11, he looked around to find a way to skip the line. Right?
So how do you skip the line when this whole process and this whole platform is being run by criminal hackers? Well, he reached out to the main hacker in charge of the whole platform. Michael Koushie noticed that in this IRC chat he was on, at the top it said they were currently recruiting to join their hacking group. And so he sent the message to somebody he thought was in charge.
And the response from that is, sorry, look, we're only looking for experienced hackers already. We're not interested in noobs, which means, you know, something that doesn't know what they're doing. Something that doesn't have experience. But he was determined and he said, look, give me two weeks, give me a trial period. I'm a fast learner. I promise I won't disappoint you. So the guy did. So the guy gave him a series of tests that he passed because Michael Calce was good. And keep in mind, he was
Dino Mauro (11:53.632)
So this group that he was impressing was the TNT hacker group. For those that understand hacker history, that's an elite Russian hacker group. They were for real. And as I mentioned, he wrote in his book and in the book reviews, there are even people who contest parts of Michael's book and claim that they were part of the TNT hacker group and that they contributed to some of his main
Take downs of those big sites. You can go look at all of that online all of the reviews there are literally Review after review where they're like, look I was part of the TNT hacker group and here's how don't they really did it back and forth pretty interesting I'm posting for those in our premium membership group and those that are able to see the video
of those reviews of the people that claim to be part of that TNT hacker group. So in these forums, Michael tells us this. In a podcast interview with Phoebe Judge and criminal years back, Michael describes this group of elite Russian hackers as friends. He says, while there's paranoia there, they were people that he was learning from, mentoring with, and it was a sense of community.
They would also not just talk in these chat rooms, they would also talk on the phone. Someone would steal a conference call card, right, or a credit card number, and they would have conference calls on Friday nights. It was like a Friday night thing he describes. Someone would post a phone number, post a pin, and a bunch of hackers would get on this conference call line. He tells the story about one time when there's 20, 30 hackers, they're
talking back and forth, almost like locker room chat, they're bragging, they're talking, they're swearing at each other. At one point, he remembers a story where one American hacker on one end and a Russian hacker on the other end were mouthing off to each other. And the American was threatening to divulge the Russian's personal information. Remember, everybody here is anonymous, right? And while there's friendship or kinship, they don't disclose
Dino Mauro (14:18.27)
because of what they do. And that disclosure is called doxing. They do it, you know, to demonstrate their own hacker prowess, their own skill in doing that. But they were going back and forth. And the Russian hacker, you know, and all the other hackers in this conference call were egging him on. He's like, let's go, let's see what you've got, let's see what you can do. And he kept going, he's like, I'm getting closer, I'm getting closer. yeah, you know.
10, 20 minutes into this conversation, with everybody going back and forth, he goes, yep, I'm just about to do it. And then suddenly, the Russian hacker got really silent and he said, you don't need to do that anymore. He said, what are you talking about? And then right there, the Russian starts going off listing his parents' name, his home address, his social security number, and the Americans started admitting defeat and started being like, please stop, stop, stop, stop disclosing this.
All the people on that call were all these international hackers. He said, no, no, no, no. You were talking a big game. Now let's see what's going to happen. And then suddenly he goes, OK. All of a sudden you hear him. Remember, this is a conference call, right? They're not online in the chat room. It's a conference call. And all of a sudden you hear the guy scream. Like, what did you just do? What did you just do? And the Russian said, bye bye. Kiss mommy good night for me. And
He screamed out, goes, you turned off the power to my house. He had the Russian hacker had not only doxed him and disclosed everything, he'd shut off the power to the guy's house. And with that, like was just blown away. And this guy is American guy who was talking trash in the beginning was sitting there in the dark on the phone line. He was just freaking out losing his mind that he was really impressed and in
with what they were capable of doing. So what was happening in this group is Michael Kalche would break into university networks, colleges, universities, well -known colleges and universities, Yale, UCLA, Harvard, Stanford, you name it, right? Over 30 of them, he would break into these schools, he would take command over their internet bandwidth, right? And their processing
Dino Mauro (16:45.166)
He described it as kind of a master -servant engagement, meaning he created a master network and he would leverage all of these 20, 30 university networks and all of their power and he would control it through one master network. And with that, he was able to do a lot of things. So as the months and couple years go by, a lot of
doing one -up -smanship. mean, this is the culture back at that time. wasn't hackers weren't about ransomware and money and capitalizing. They were about their skill sets. It was about claims to fame, street cred. It's about their ability to do these things. so Michael Kalche felt like he had to prove himself. So he had created this master servant network.
Again, keep in mind, you know, at this time he was ego driven, it was dangerous. He wanted to just proceed and show everybody what he was able to
Dino Mauro (18:01.294)
So by early 2000 this was Michael's time to show his capabilities to his hacker community. And so he had created this model with the master network and then the servant networks made up of all of these 20, 30 large university sites that he had broken into and had harnessed all of their bandwidth and processing power. And he aimed it directly at the most popular, most well -trafficked site at the time, Yahoo.
He proceeded to do this and when he launched that first one, he actually even put a timer on his computer so that it wouldn't happen while he was sitting there. It actually happened when he was at school. Because after all, he was only 15 at the time. And throughout the day, throughout the evening and the days after, it was all over the news. This was big. It had ramifications that were really widespread. And
Michael went loose with it and proceeded to take down the biggest sites online period. E -Trade, so many people during this time during the dot com bubble, everybody was day trading and trading and buying futures and options and puts and all this. were everybody at the time.
It was the most popular site. Everybody was going to E -Trade. Everybody was using buy .com. Everybody was using eBay at the time. So many people were watching CNN, Fox News, Amazon, right? Michael proceeded to take down the E -Trade site. He had already taken down Yahoo. He took down buy .com, eBay, Dell, CNN, and Amazon. All.
within a seven to eight day period, all while working from the bedroom of his father's condo at the age of 15.
Dino Mauro (20:07.96)
This made news around the globe. Investment banks, Wall Street had been taken to their knees and the President of the United States, Bill Clinton at the time, as well as the Attorney General, Janet Reno, all got the attention of this
Every day this week, major websites have been outmaneuvered and outmuscled by someone who wanted to take them down. Wall Street, the cyber attacks helped drive down the prices of the target companies. think it was an alarm. I don't think it was Pearl Harbor. So after Michael Kalche had taken down these major sites over the seven day period, the stocks began to crumble and the dot com bubble actually had burst.
The toll was estimated to be $1 .7 billion in lost revenue just from these sites being down each month for a matter of just a couple hours each. But because back at the time, these were the sites, right? There weren't as many websites. There weren't as much traffic as there is today. And these were the things that everybody was looking
So the FBI, the Royal Canadian Mounted Police, all began a massive investigation. In fact, there were 16 different FBI units investigating this. And what's interesting, here is this mafia boy, which is the online acronym that Michael Kelsey used, was never caught because of any digital footprints that he
He covered his tracks. He wasn't caught because they had been able to determine the root cause and reverse engineer it and track his IP or anything like that. He was caught because he was a kid who bragged. After it happened, the FBI and the RCMP began noticing and monitoring these IRC chat rooms.
Dino Mauro (22:27.34)
What they noticed is this person by the moniker of Mafia Boy was bragging about him. That lots of people were claiming, just like any terrorist attack, that there's a bunch of different groups that claim that they did it because they all have the same enemy. Well here, he was claiming it, and he was bragging and claiming to have brought down Dell's website. What was significant about that is that hadn't been publicized at the time.
There were a couple different hackers and if you go back to those book reviews of some of those other hackers that I mentioned earlier too, there was a hacker or two in those chat rooms that even assisted the FBI and the RCMP. They either doxed him, meaning they disclosed who he really was, as well as saving all of these
and information about Michael Kelchee that led to his arrest. Investigators of Montreal arrested Mafia Boy and conducted a search of his residence. For years after his arrest and his ultimate punishment, Michael Kelchee never went public with it. Until about 2008 -2009 he published his book. He's gone on a series
Interviews that you can find online. There's his book that I mentioned earlier And he tells a story in one of these that's really interesting Not only did they not catch him Using forensic or digital means right it was because of his own bragging But they never got his heart He had actually the core hardware the piece of evidence He had actually hammered into bits. He had doused it in liquid magnets and drove to a
bridge and threw it over the bridge. They never even caught it. He wrote this book. He feels bad about it. He's expressed remorse repeatedly and he is actually a ethical hacker now and presents on cybersecurity awareness all over the world. He can be found online everywhere. What was interesting is how he describes his arrest and how his father took it. Michael Calcha has
Dino Mauro (24:53.794)
told the story several times about how he had told his dad one Sunday afternoon when his dad and he were home alone at his dad's condo. again, if you remember his dad had two rules, don't play with his cigars and don't bother him when he's eating. So on that Sunday afternoon when he was sitting at the kitchen table, he had made a homemade panini and Michael was very nervous. So while his dad was eating,
went up to him and he said, I've got something to talk to you about. And he stopped eating, he said, okay. He was violating one of the rules. He said, you know those attacks that have been in the news that the president was talking about in Chattarino? Did he, yeah. He said, I'm the one that caused it. His dad leaned back, looked at Michael, focused back on his panini, and continued eating. Then he got up and he said, all right, we've gotta prepare.
gotta go see an attorney and that's actually what they did they had met with an attorney three four times Michael explains even before the night that he was arrested Michael explains that he was very appreciative of the way that his dad handled it his dad didn't lecture him didn't yell at him he just dealt with the situation
Dino Mauro (26:18.22)
jail or going to whatever
Dino Mauro (26:25.166)
his dad handled it and handled it professionally. The night of his arrest, he was actually over at a friend's house watching, ironically, the movie Goodfellas, and he got a call at 3 a .m. in the morning when he was sitting there with his buddies, and it was his dad. And he looked down, and all his dad said is, they are here. And he could tell by the tone of the voice and what was said what he meant. And he was nervous, and he said, so what do I do?
And said, they want you to walk down to the corner and wait. And I'll call the attorney.
Dino Mauro (27:04.302)
They brought him in, he initially denied it because he was a kid and then he admitted to it. And he ultimately pled guilty, was given about 18 months or so in a detention hall because he was 15 at the time. Had he been 18, he would not.
But because of his age, he was put on probation, given essentially the juvenile detention, restricted computer use
Dino Mauro (27:41.87)
At the time Michael Calce had termed his attack, he called it Revolta. And Revolta is Italian for rebellion. And today, as he helps organizations, because he claims as many do, how best to understand the risks than to consult with and engage with people that actually know how to do it. And today he points out the fact that 20 years ago,
There was maybe 20, 30 ,000 lines of code, but today there's millions. And a hacker is merely looking for a line of code that can make that mistake. And then a lot of products are rushed to market. All the care bots rushing to market with holes in their code. And that how the hacking community has changed a lot internationally and that a lot of it is drawn monetarily now as opposed to back then when it was more about what they can show that they could do, the skill sets, the bragging,
street cred. But it points out that everyone today thinks that they're not a target. And you even mentioned you don't need to even be a target. So the moment you get online you're granted an IP address and that alone is worth something. Whether it's for your internet bandwidth so we can launch a bigger attack or for your online banking.
Thank you for listening, has the true cybercrime story of the boy who
The next episode will begin right now.
