Below, Joe Tidy shares five key insights from his new book, Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet.
Joe is the BBC’s first Cyber Correspondent and a leading voice on cybercrime. He has covered major global cyber-attacks and produced widely viewed international documentaries, including a high-profile investigation into Russia’s most wanted cybercriminal.
What’s the big idea?
Teenage hackers are quietly reshaping cybercrime. They’re not movie-style geniuses, but persistent, socially connected, and often addicted—causing real harm through data breaches and feeding a cycle that leads to ever more serious attacks.
1. Data breaches can really harm people.
Data breaches—from a company to your social media accounts—are something we have trouble gauging the magnitude of. Everyone wants to know, Should I be worried? You may be thinking that surely your phone number, email address, and real address are already out there, so maybe it’s not that big of a deal. But whether you should care about a data breach is a really difficult question to answer. In some cases, they can cause serious harm and damage.
The cruelest cyber-attack in history was on the Vastaamo Psychotherapy Center in Finland. Vastaamo was a big and important organization with dozens of pop-up mental health centers around the country. In 2018, hacker Julius Kivimäki found a way into the servers of the Vastaamo Psychotherapy Center chain and stole all the data he could find. He stole the usual kinds of information—names, addresses, phone numbers, Social Security numbers—but he also stole the patient notes. 33,000 people had their data stolen in this way.
I can’t think of a worse data set to be in the hands of a criminal extortionist than what I tell my therapist. Bear in mind, the people who were affected by this were already vulnerable. They were struggling with mental health issues. Some of them were in depression or anxiety when Kivimäki snuck in one night and stole all that data. With it, he tried to extort Ville Tapio, the CEO of Vastaamo, for 100,000 euros worth of Bitcoin.
“I can’t think of a worse data set to be in the hands of a criminal extortionist than what I tell my therapist.”
When the CEO refused to pay, Kivimäki did something extraordinary. He took the data and started publishing it on the darknet. People in Finland started worrying that their notes could be next, and he deliberately chose particularly salacious and dramatic therapy notes. He searched for things like sex fantasies, adultery, or anything that would really cause the individuals a lot of heartache and problems. Then, he did something rarely seen in cybercrime: he reached out to the victims. He sent them emails which read, “I’ve got your notes. Pay me, otherwise I’ll publish them online.” The impact on those affected was enormous.
Some of his victims are still suffering from PTSD. I spoke to one woman who described receiving that email as “psychological rape.” Her notes had information about her marriage, problems with work, and the heartbreak of raising two disabled children. You can imagine the shockwave that ran through Finland as people received those emails. Data breaches can be devastating for the people involved.
2. Hacking can be addictive.
Julius Kivimäki was 27 years old at the time of his Vastaamo hack, but he had been carrying out cyberattacks for about 10 years already, since he was a teenager. What we learn from Kivimäki’s story is that hacking is addictive.
For many hackers, they just couldn’t stop. They would be hacking, get arrested, and have all their devices taken away, but then they would just carry on hacking as soon as they could. We saw, in particular, that teenage hackers couldn’t be discouraged by police threats or activity. They would not stop. I’ve learned that if you’re both quite intelligent and quite technical, the challenge of breaking into an organization becomes addictive and intoxicating.
“They would be hacking, get arrested, and have all their devices taken away, but then they would just carry on hacking as soon as they could.”
If you add in the attention that you get from bragging about it on social media (which a lot of these individuals do), then you get the endorphins of the likes, retweets, and follows. For the growing, underdeveloped brain of a teenager, this makes it really hard for them to stop. Hacking is an addictive pursuit.
3. We are all in denial about kid hackers.
It continually stuns me that we keep being shocked about teenage hackers. As a society, we constantly underappreciate and underestimate them as a problem. You can see this back in the 2010s, when we saw a resurgence of teenage hacking groups and a shift toward a much darker side of hacking.
The hacking gangs of the 80s, 90s, and early 2000s were different. They were all about exposing Big Tech for having bad code and took joy in embarrassing them. There was a lot of ego in that, but there wasn’t much of a sinister culture. In the teenage cybercrime gangs that formed in the 2010s, that’s where we started seeing the Kivimäki-types appear.
Most cybersecurity experts were ignoring all this. They wanted to talk about the big bads of cyber—nation-state hacking groups like Fancy Bear of Russia, Lazarus Group of North Korea, and Volt Typhoon of China. No one ever wants to admit that they’ve been hacked by loaded kids. So, you get this denial situation where no one wants to talk about it.
“No one ever wants to admit that they’ve been hacked by loaded kids.”
But one researcher, Allison Nixon, noticed that there’s something going on with these teenagers. She came up with a term for us to talk about them: NPTs, or new persistent threats. This is a quite a clever joke. If you’re in the cyber world, you’ll know the term APT, which stands for advanced persistent threat. Allison was saying they’re not “advanced” because these kids haven’t got the sophisticated skills we see in other groups, but they are “persistent” and a “threat” that needs to be taken seriously.
4. Hacking is not like in the movies.
NPTs are not that sophisticated. They’re not advanced. And the way that people think about hackers, especially teenage hackers, is that they’re these masterminds of computer coding that put on a hoodie and sit alone in their dark bedrooms. That is not my experience, and that is not what my research told me. Cybercrime is a team sport. It involves people who are often very sociable coming together on platforms like Discord and Telegram. They all bring their own skills to the table—often really basic stuff like social engineering.
5. The cycle has continued.
These past few years, we have seen another explosion of teenage hacking groups. In the UK, in particular, this problem has been brought to the fore, and people are talking about it in a big way.
The UK has seen a wave of cyberattacks against retailers. There was Marks & Spencer, which is a famous and long-running department store chain. Then there was the Co-op. Then there was Harrods. These attacks occurred over a couple of weeks in the spring of 2025 and caused enormous disruption and damage. About 300 million pounds were lost from Marks & Spencer, for example. The public also got a real shock because suddenly, shelves in shops were empty after the companies couldn’t continue their logistics operations without functioning computers. Those company computers had either been completely filled with ransomware or taken offline by the company as a precaution.
“Unless we find a way to keep kids off this dark path of cybercrime, this won’t go away.”
There were lots of arrests of teenagers in this matter. This cycle keeps continuing. What’s happening now is that we’ve seen some of these NPT groups joining well-organized, long-established Russian-speaking cybercrime groups that are carrying out serious attacks. My prediction and worry is that we will see more attacks like the one on Marks & Spencer. Unless we find a way to keep kids off this dark path of cybercrime, this won’t go away.
Enjoy our full library of Book Bites—read by the authors!—in the Next Big Idea App:
