The Hacker is Watching

Written by David Kushner, GQ

Tuesday January 17th, 2012

Every online scam begins more or less the same—a random e-mail, a sketchy attachment. But every so often, a new type of hacker comes along. Someone who rewrites the rules, not just the code. He secretly burrows his way into your hard drive, then into your

“Do you want to see something scary?”

It was a Saturday night, not much happening in her Long Beach, California, neighborhood, so high school senior Melissa Young was home messing around on her computer. Her little sister, Suzy, was doing the same thing down the hall. The house was quiet, save the keyboard tapping in the girls’ rooms, when the odd little instant message popped up on Melissa’s screen—an IM from Suzy. Attached to the note was a file labeled simply SCARY.

Melissa wondered why her goof-off sister was IM’ing from the next room instead of just padding over—she wasn’t usually that lazy—so she walked over to see what was up. Suzy just shrugged. She had no idea what her sister was talking about. Yeah, the IM had come from her account, but she hadn’t sent it. Honest.

That night, Suzy’s 20-year-old friend Nila Westwood got the same note, the same attachment. Unlike Melissa, she opened it, expecting, say, a video of some guy stapling his lip to his chin on YouTube. She waited. Nothing. When she called her friend to see what she’d missed, things actually got freaky: Suzy’d never sent a thing. The girls pieced together the clues and agreed: Suzy’s AOL account had been hacked. For the next couple of weeks, the girls remained watchful for malware, insidious software capable of wreaking all sorts of havoc. But with no sign of trouble on their machines—no slow performance, no deleted files, no alerts from antivirus programs—they pretty much forgot about it.

A month passed. Suzy, Melissa, and Nila went about their lives online and off. They chatted with friends, posted pictures, and when they were tired, stretched out on their beds to rest. But at some point, each of them looked up and noticed the same strange thing: the tiny light beside their webcam glowing. At first they figured it was some kind of malfunction, but when it happened repeatedly—the light flicking on, then off—the girls felt a chill. One by one, they gazed fearfully into the lenses, wondering if someone was watching and if, perhaps now, they were looking into the eye of something scary after all. Nila, for one, wasn’t taking any chances. She peeled off a sticker and stuck it on the lens.

···

The more ubiquitous cameras become, the less we’re aware they’re even there. They stare out at us blankly from our phones and laptops, our Xboxes and iPads, a billion eyes and ears just waiting to be turned on. But what if they were switched on—by someone else—when you least expected it? How would you feel, how would you behave, if the devices that surround your life were suddenly turned against you?

It’s a question that James Kelly and his girlfriend, Amy Wright, never thought they’d have to entertain. But one instant message changed everything. Amy, a 20-year-old brunette at the University of California at Irvine, was on her laptop when she got an IM from a random guy nicknamed mistahxxxrightme, asking her for webcam sex. Out of the blue, like that. Amy told the guy off, but he IM’d again, saying he knew all about her, and to prove it he started describing her dorm room, the color of her walls, the pattern on her sheets, the pictures on her walls. “You have a pink vibrator,” he said. It was like Amy’d slipped into a stalker movie. Then he sent her an image file. Amy watched in horror as the picture materialized on the screen: a shot of her in that very room, naked on the bed, having webcam sex with James.

Mistah X wasn’t done. The hacker fired off a note to James’s ex-girlfriend Carla Gagnon: “nice video I hope you still remember this if you want to chat and find out before I put it online hit me up.” Attached was a video still of her in the nude. Then the hacker contacted James directly, boasting that he had control of his computer, and it became clear this wasn’t about sex: He was toying with them. As Mistah X taunted James, his IMs filling the screen, James called Amy: He had the creep online. What should he do? They talked about calling the cops, but no sooner had James said the words than the hacker reprimanded him. “I know you’re talking to each other right now!” he wrote. James’s throat constricted; how did the stalker know what he was saying? Did he bug his room?

They were powerless. Amy decided to call the cops herself. But the instant she phoned the dispatcher, a message chimed on her screen. It was from the hacker. “I know you just called the police,” he wrote. She panicked. How could he possibly know? She ran into her bathroom and slammed the door behind her. As she pleaded for the police to come quickly, she reached into the shower and cranked the water all the way up, hoping the hacker couldn’t hear her.

···
The campus police were in no position to handle a case like this. Whoever devised the malware—a sophisticated program capable of dodging antivirus software—clearly had a leg up on university cops. The task of hunting him down fell to agents Tanith Rogers and Jeff Kirkpatrick of the FBI’s cyber program in Los Angeles. Since its founding in 2002, the program’s cyber squads have worked out of a cluttered, bustling office on Wilshire Boulevard, a maze of cubicles that looks more like the office of a video-game company than of a federal agency. Bookshelves spill with tomes on hacking and programming. A black T-shirt on a hook bears a bloody chain saw and the words IN CASE OF ZOMBIES.

Kirkpatrick and Rogers had developed a reputation as the unit’s own Mulder and Scully, tech-savvy agents who play to each other’s strengths. Rogers, a thirtysomething who wears her blond hair pulled back in a bun, honed her skills as an interviewer during her nearly nine years as a police detective in Washington State. Kirkpatrick, a programming expert, spent over a decade working in information security in the private sector. While Rogers often takes the lead consoling victims and grilling suspects, Kirkpatrick can wade through thousands of lines of code to find the slightest abnormality. The agents had worked some of the biggest cases to come through the cyber program, taking down the stalker of ESPN sportscaster Erin Andrews and busting up Operation Phish Phry—one of the largest online fraud rings ever, which netted the crooks about $1.5 million.

But this case was unlike anything they’d encountered before. Clearly the hacker wasn’t out for money. And while sex was a factor, it wasn’t his only motivation. What did this guy really want?

At the FBI offices, the agents comforted Amy, who shook uncontrollably, unable to collect herself. She said she felt “terrorized.” After the incident, she didn’t leave her room for a week. And when she finally did go back to class, she couldn’t concentrate. Amy knew it was irrational, but she couldn’t help scanning the crowd, looking for her stalker. James wasn’t faring much better. He too had holed up alone, away from family and friends. He’d even stopped calling Amy, ending their relationship.

The hacker was fiendishly effective. He had gained remote access to his victims’ computers, allowing him to monitor their activity online and to search their hard drives. But that didn’t explain how he knew the details of their phone conversations or the physical descriptions of their rooms.

Rogers and Kirkpatrick started with the one thing they knew for certain: the hacker’s e-mail. They obtained search warrants for his Internet provider to check activity associated with his e-mail accounts and soon found dozens of victims. “We could see all of these different communications he had with several different women doing the same thing,” Rogers recalls. As the weeks ticked by, the agents gutted software and slogged through subpoenas. Then they finally got a break: A few of the domain names were registered to one Luis Mijangos.

It looked like a credible lead. Mijangos, assuming that wasn’t an alias, lived on a quiet street in Santa Ana, a suburb in Orange County not far from Disneyland. He had no California driver’s license, leading them to suspect he was an illegal immigrant. The one photo they turned up showed a 30-year-old dark-skinned Latino with a long narrow nose and bushy black eyebrows. The feds set up surveillance outside the blue ranch house on a quiet side street. They saw people coming and going, but no one matching Mijangos’s description. The silence led to guesswork: Maybe he didn’t really live there after all. Or maybe for some reason he seldom went outside.

···

Mistah X, a.k.a. Luis Mijangos, didn’t get out much, but his program let him see as far as New Zealand

 

 

 

Luis Mijangos was an unlikely candidate for the world’s creepiest hacker. He lived at home with his mother, half brother, two sisters—one a schoolgirl, the other a housekeeper—and a perky gray poodle named Petra. It was a lively place, busy with family who gathered to watch soccer and to barbecue on the marigold-lined patio. Mijangos had a small bedroom in front, decorated in the red, white, and green of Mexican soccer souvenirs, along with a picture of Jesus. That’s where he spent most of his time, in front of his laptop—sitting in his wheelchair.

Mijangos hadn’t always been disabled. As the child of a federal police officer in Mexico City, he’d grown up literally on the run. Whenever he heard a neighbor shout “¡Vienen!” he’d scramble onto his rooftop, watching in fear as strange men approached his front door. “I was terrified, because I knew that my father was in there,” he recalls. The men, federales, used to work with his father, but his dad tired of the corruption on the force and quit to open a seafood restaurant. Now he was just another target for extortion.

“I remember seeing black cars, like Grand Marquis, approaching the house, like six cars, full of federal agents,” Mijangos recalls, “just getting into the house and grabbing my father—you know, all the commotion.” One day the men loaded his father into a car and disappeared. Luis doesn’t know how long he was gone (a day? a week?), but when he returned, battered and bruised, he said he’d been taken to the mountains and tortured. The beating left scars and, more insidiously, somewhere deep inside, a blood clot, which led to his death when Luis was 7.

The boy kept running. An agile athlete, he became a starting forward on his soccer team, good enough that people were talking about the pros. But when his mother found out he was skipping school to practice, she sent him away to live with her sister in Santa Ana. She wanted her 16-year-old son off the streets that had claimed her husband. Luis’s new neighborhood had its own problems, though—gangs, mainly—and while Mijangos swears he never joined, he couldn’t escape their violence. As he was riding through the neighborhood in the backseat of his friend’s car one day, two rival gangs burst into the streets shooting, and he got caught in the cross fire. Mijangos found himself in the hospital; a bullet had severed his spinal cord. “I remember the doctor came to my bed and he said, ‘You are going to be paralyzed for the rest of your life,’ ” Mijangos recalls. ” ‘You’re still young, you have a lot of things to do.’ And he just walk away. Just like that.”

Mijangos was rudderless. He dropped out of school and hid out in his aunt’s house. He had special needs now. Medical equipment. Constant care. He couldn’t even shit without suppositories. In his darker moments, the self-pity would morph into something else—a smoldering anger at the healthy world. What was he supposed to do with his life now? Mijangos thought long and hard. He had been physically gifted before, but he was more than a jock. Math and problem solving had always come naturally to him. Pulling himself together, he enrolled in classes at a local community college to learn computer programming. Then, ever industrious, he got a head start online, teaching himself to code.

Mijangos wasn’t looking for trouble, not at first at least, but information on coding is just a few clicks from sites on criminal hacking. One group specialized in stolen credit card numbers; a few show-offs had even posted the numbers freely. Mijangos punched the illicit digits into a shopping site just to see what would happen. It hardly seemed real: The victims were faceless, nameless. But that was before the very real boxes of electronics and computer equipment started showing up at his door. Suddenly, the son of a cop who’d never done anything more illegal than come to America was getting a crash course in criminality.

Mijangos had one thing to help make him an expert hacker: time, and plenty of it. He spent all day in his wheelchair, digging deeper online. Hackers coalesced as teams, just like his old soccer club, and Mijangos printed up a T-shirt with the name of his squad, cc power (as in credit card). Working with one guy in particular, code name Manhattan, the scam went like this: Using a stolen Social Security number and other personal information, Mijangos would open a bogus merchant account at a bank. He’d then contact Manhattan, who’d charge money to the account using stolen credit card numbers. All the pair needed to do was withdraw cash at will from an ATM and split the profits evenly.

He wasn’t getting rich, but Mijangos says he earned enough to buy a $5,000 titanium wheelchair that he tricked out with $400 wheels. He felt reborn. “When it comes to hacking, yes, I’m not going to deny it—it’s like you feel like you accomplish something,” he says. “Like you feel proud of doing something that not many people can do.” In the early days of cybercrime, hackers had to code their software from scratch, but as he searched the Web, Mijangos found dozens of programs, with names like SpyNet and Poison Ivy, available cheaply, if not free. They allowed him to access someone’s desktop but limited the number of computers he could control simultaneously. Bragging to his peers, Mijangos says he found a way to modify an existing program that supported roughly thirty connections so that it could handle up to 600 computers at once.

With his increased reach, Mijangos knew, came an elevated risk of getting caught. He couldn’t simply take control of someone else’s machine and start moving files around without taking precautions. Then it hit him. What if he could see when the computer’s owner was away? Hackers had been accessing cameras here and there for a while. But Mijangos started thinking big: He decided to weaponize them on an unprecedented scale. After puzzling through the code, he went online and sent out thousands of e-mails, direct-marketing style, to find his test subject, and sure enough, someone bit—a Latina woman about 20 years old. As soon as she opened the file, Mijangos was in—he had access to her every file, every photo, and could even keep a log of every keystroke, which meant every password. But that wasn’t all. Mijangos hit a few buttons, then watched in awe as his screen filled with an image taken by her webcam. There she was, in her bedroom, singing and dancing as she vacuumed the floor, completely unaware that he was watching. In an instant, Mijangos knew this was far bigger than a credit card scam. “Wow,” he said to himself, “I can see everything.”

···
Kiki Soufflé was an attractive blonde prostitute in her thirties. She liked classic rock from the ’80s, skiing, and camping with her kids. She had a thing for BMWs, specifically the 7 Series. Based on the photos he discovered in her in-box, Mijangos thought she looked great naked.

He’d found Kiki on a social network for prostitutes called Humaniplex. Infecting her was a breeze. Kiki required all her new clients to send a bio, so Mijangos simply e-mailed her a Word document embedded with malware. With full access to her PC, he studied her life—her likes, dislikes, friends, enemies—and made an appointment. When they met at a seedy hotel near John Wayne Airport, Mijangos thought the buxom European blonde looked even better in person. He gave her $300, and she took off her clothes. “I was like, well, I’ve already seen this,” he says. It was Mijangos’s first night with a prostitute—he claims he is fully capable of having sex—and afterward he tried to impress her. Rifling through his mental hard drive, he thought of the one bit of data that would have the most impact.

“You know, I’m driving a BMW 750i,” he said casually.

“Oh, really?” she replied.

At home, he logged on to her machine to see if his intel had paid off. “Oh, I met this nice guy,” Kiki wrote to a friend. “He’s driving a very nice car, I think he’s rich.” For a moment, Mijangos felt all-powerful. He booked his second appointment for the next week. Yet his confidence, so easily earned, was fleeting. Who was he kidding? He wasn’t rich; the only wheels he owned were connected to his chair.

On the night of his next session, he flaked—a no-no in the world of prostitution. Kiki posted his name on Humaniplex to warn her friends about the no-show. Mijangos responded in kind. Furious, he anonymously e-mailed her a nude photo he had stolen from her computer, along with a threat. “You have three kids and an psycho ex [sic] but hat I don’t care,” he wrote, “if you don’t want this pics and the rest I have from you to be published this is what I want. A porn vido of you ‘you can blur your face;’ if don’t get the video ina day I will publish thse images and let your family know about your dark side as a hooker so you better do that video send it tome via email and you will never hear from me ever.” When the video didn’t come, he fired off another message. “am not playing you have six hours,” he wrote, “and don’t be stupid changing your emails or myspce passwords won’t change a thing.”

Kiki didn’t cave, and Mijangos lacked the nerve to follow through. No matter how menacing his online character became, he seemed incapable of carrying out his harshest threats. Besides, thanks to social-networking sites, he always had plenty of fresh targets. “Facebook,” Mijangos says, “is like gold when it comes to hackers.” Once inside someone’s machine, he would simply log on to her page and peruse her friends list for attractive targets. “Once you have one victim infected, it’s like a chain,” he says. “You pretend to be that person and you send their friends stuff. You know that they’re going to believe you, they’re going to trust you.”

An infection that had started with one victim spread to hundreds. For a guy stuck in a chair, it was like playing a real-life game of The Sims. He spent his days alone, watching up to four webcams, each one trained on a different victim. Sex became just a part of the thrill. He saw them crying, studying, or sitting on the can (apparently a lot of people take laptops into the bathroom). Eavesdropping on the everyday moments of their lives, in a way, felt most intimate of all. “Those people that I was able to watch on a daily basis,” he says, “I felt that they become like my friends.” Mijangos watched for hours as women slept or read; he was living his own twisted version of Rear Window, the lonely guy in a wheelchair staring out his glowing portal.

With his newfound obsession, Mijangos tired of his old credit scam and took on another day job: Peeping Tom for hire. He began hanging out on a Spanish-language hacker website called Indetectables, a hub for criminal voyeurs and spies. He says it didn’t take long for word to get out that he was the go-to guy for anyone looking to spy on a girlfriend or wife. For $150, he’d infect the target’s computer, then send his clients links so they could snoop themselves. Mijangos knew a few of his clients were “just perverts” spying on some unsuspecting stranger, but their money was just as good.

It was all going smoothly until he was hired to find Gina Sanchez. It started off as the usual gig; her boyfriend suspected she’d been unfaithful. Mijangos hacked into her machine and began clicking through her files. Click. Sanchez was 33. Click. A single mom. Click. An attractive Latina. Click. A West Coast DJ well-known to clubgoers.Click. A photo of Sanchez sucking off a guy—who wasn’t her boyfriend. “Well,” Mijangos said to himself, “I got what I needed.”

But as he sifted through her e-mails, Mijangos found something else: threatening messages from the guy who’d hired him. Mijangos froze. Messing with someone from a hundred miles away was one thing. But inciting physical violence was a step too far. In all his snooping, Mijangos says he never stole money from his female targets. Clearly this guy would do much worse. Mijangos looked down at his wrist, where he’d inscribed a tattoo with the Chinese symbols for BLACK HAT HACKER, an insider term for a criminal programmer. This is not the real me, he thought.

Knowing it could ruin him, Mijangos sent Sanchez an e-mail with the subject line “who hacked your account READ it!!!” He claimed he wanted to protect her, to warn her about her boyfriend. But when she didn’t respond, he tried to force her hand. “im going to post those all over, facebook, myspace.” He wrote in another message, “here’s the pic.” He attached a naked photo he had stolen from her computer. “im in control of your computers right now.”

With no other option, Sanchez agreed to chat with him over Yahoo! Messenger. Online, Mijangos recounted his story, claiming he’d been hired by her ex. Sanchez was stunned; this guy knew everything. She copied the transcript of their IM chat to her friend Eric, looking for advice, but when she did, Mijangos IM’d angrily back, his temper raging. “i’ll get my cash and whatever happends i don’t care anymore bye,” he wrote Sanchez. “and one more thing, tell your friends to back off, you dont wanna mess with a team of hackers.” Shortly after, Eric noticed his webcam light mysteriously flicking on and off; then a nude photo of Sanchez appeared on Eric’s MySpace page. Sanchez had had enough. She phoned the cops from a safe spot. When Rogers and Kirkpatrick interviewed her, she was clearly shaken. Her life, she said, had been taken away; simple things like surfing Facebook, paying her bills, swapping photos, even falling asleep with her laptop on were unthinkable now. Huddled over and crying, she vowed never to keep anything personal on her computer again.

···
When Mijangos heard the commotion early on the morning of March 10, 2010, he thought one thing: surprise party. It was his thirty-first birthday, and his friends were probably gathering to celebrate. But the surprise went bad fast. A team of armed FBI agents, including Rogers and Kirkpatrick, stormed through the front door, sending his dog into a panic and his mother into tears. The date was just a coincidence. After casing the place for weeks, the feds had finally attained a warrant to search his home. They took everything they could find: four laptops, scattered thumb drives and memory sticks, and a BlackBerry. The archive of voyeurism was staggering: over 15,000 webcam-video captures, 900 audio recordings, 13,000 screen captures. In total, he had infiltrated more than 230 victims, including juveniles. At least one was as far away as New Zealand. Kirkpatrick was floored by Mijangos’s reach. “I hadn’t seen anything to that degree,” he says. Rogers knew that this marked a new wrinkle in the changing landscape of cybercrime. It was, as she put it, “the first sextortion case we’ve had.”

The victims of this massive peep show had to wait eighteen months to face their tormentor, until on September 1, Mijangos was wheeled into a courtroom for sentencing. Sanchez, now 35, recounted the harassment. “He haunts me every time I use the computer,” she told the court. “You don’t have to be in jail to feel trapped.” Another woman described her attempts to outrun the fear: “I moved away from the LA/OC area, but even here the thoughts never left me.” As the judge weighed in, Mijangos, dressed in a V-neck sweater and a tie, fidgeted anxiously: “Society has to understand that if you engage in this type of behavior, it’s no joke. You are going to jail and going to jail for a long time.” The sentence handed down, six years, was precedent-setting.

For the agents of the cyber squad, the case’s legacy is clear: Despite billions spent on technology that lets us broadcast our daily lives, all it takes is one guy, a self-taught hacker with no college degree, to turn that power against us. What’s less certain is the question investigators set out to answer: What did Mijangos want? Opinions vary. Some think his hacking was all an elaborate scheme to help him get off (despite what Mijangos says, however, his family isn’t sure he is capable of an erection). Others, like Rogers, think Mijangos was motivated by something more deeply rooted, his desire to overcome his own feeling of powerlessness. “I think it’s all about his ability to control his victims and have a sense of power over them,” she told me.

In October, shortly after he was sentenced, I visited Mijangos. The single-story home had been repainted from blue to beige, a symbolic fresh coat, and inside, his extended family milled about, spending what time they could with Luis before he was sent away to prison. Dressed in red-checkered pajamas and with his poodle in his lap, Mijangos hardly looked the picture of evil. And at first, he talked like a guy who had simply gotten in over his head. “At the beginning, mostly it was because I was frustrated, depressed, and…stupid,” he told me. But as we continued talking, another side of Mijangos emerged, the man who was born after that drive-by years ago. Every young person he spied on, he said, was another person who seemed to be living the life he had been denied. “These people were having fun,” he said. “They were making plans for prom, to go to parties. I never had that. So I decided to send those e-mails, thinking, Oh, you have all these wonderful things. Why don’t you have a bad day just like me?”

After two years online, Mijangos had lost himself in a dizzying hall of mirrors, conflating victims and memories, until even he couldn’t keep track anymore. In our conversations, he mixed up names and dates and the sequence of events. By the end, he knew only one thing for certain: He wanted out. “I was just thinking, Well, if it’s going to happen, well, it can happen now,” he said.

It’s a good thing the FBI discovered the scam when they did, too. Mijangos told me that he’d figured out how to turn off a camera’s LED, cloaking himself completely. What’s more disturbing, he said he’d devised a program that could infect and control BlackBerrys and iPhones via text message. “I can see your pictures, your text messages, everything,” he said.

The FBI says it found no evidence of this more advanced cell-phone-hacking plan. Then again, the bureau hadn’t seen this kind of webcam hijacking until it heard about Mijangos. Now agents are taking their own precautions. “I’m telling my friends and family to put a sticker over their webcams, just in case,” Rogers says. “It doesn’t hurt.”

Sitting at home, Mijangos brushes off quick fixes to hacking. Webcam tools like his are readily available online. Anyone with time and determination can put them to criminal use, infiltrating people’s lives—converting webcams to eyes, microphones to ears. “Nothing is secure,” Mijangos says simply. “If we’re going to hack you, we’re going to hack you.”