Over at Graham Cluley’s blog, news out of England that two suspects have been arrested by the British police:

Britain's Police Central e-crime Unit (PCeU) have announced today that they have arrested two men as part of an eight month investigation into what is said to be the world's largest English-speaking online cybercrime forum.

The underground website consisted of online forums where up to 8000 malicious hackers traded stolen bank account details, PIN details, phished passwords, offered to rent out botnets for the purposes of distributed denial-of-service (DDoS) attacks, and openly sold data stolen by the insidious Zbot (also known as Zeus) family of malware.

The two men, aged 17 and 18, were arrested by appointment at a central London police station and currently remain in custody.  The police clearly believe that they have arrested two men who are major players in the operation of cybercrime forums. What may surprise some is that the men arrested aren't hardened conventional criminals, but young men still in their teens. A clear message needs to go out to people of all ages that just because you are committing a crime via the internet, doesn't make it any less of a crime.

17 and 18 years old is quite young, younger than I would have thought the typical cyber criminal is but not by much.  If you ever get a chance to read Joseph Menn’s Fatal System Error, he tells the story of cyber criminals in Eastern Europe who launched DDoS attacks on several sites based in Costa Rica. The people behind those and similar attacks were in their early 20’s, not much older than these people in England.

I have a theory -  the younger you are when you are involved in cyber crime, the more easy it is to get caught.  I say for the following reasons:

  1. When you are at that age, you don’t have the experience to think about covering your tracks.  When you have been involved in security for a long time, along the way you acquire new experiences and through pattern recognition, your subconscious brings them up.  For example, veteran athletes learn to recognize certain patterns in other teams quicker and can adjust for them, and achieve greater success.  When you’re a hacker and are that young, you just don’t know how authorities will trace you.  You lack the foresight required to cover your tracks and therefore law enforcement can use standard techniques to track you down.

  2. When you are at that age, bravado and hubris can be your undoing.  This is related to my first point.  If you’re going to be involved in cybercrime it makes sense to keep your identity hidden.  This has been the key to the Conficker worm, for example.  We still don’t know who’s behind it.  We also don’t have clear insight behind the Russian Business Network.  As you get older, you tend to think things through and realize that anonymity can be a plus in some circumstances.

    But when you are younger, the testosterone kicks in and you want to brag and show off to your friends.  Emotions kick in and you get careless.  For example, in 1998, David Beckham got red-carded against Argentina in the World Cup and England ended up losing to them.  But in subsequent World Cups, a more disciplined Beckham behaved much more like an in-control leader rather than a young hot-head (heck, Beckham even scored the game winning goal against Argentina in 2002). 

    When you get careless, loose lips sink ships, to borrow an old World War II saying.  That’s not to say that all young people are like this, but the young are more likely to get hot headed and make a mistake (or series of mistakes) allowing authorities to trace them easier.  If you brag to someone that you’re behind it all in an effort to impress others, then the prestige of running cybercrime outstrips the prestige of making money.   More experienced criminals understand this and keep their emotions in check.  Younger ones don’t have that expertise yet.

That’s my theory.