This article is adapted from The Hacker Diaries: Confessions of Teenage Hackers, published by McGraw-Hill.

Tracking Mafiaboy

When a teenage computer hacker paralyzed a number of the world's major online services, it was a Montreal RCMP officer who cracked the case

Dan Verton

National Post

Andre Forget, The Canadian Press

As the technology bubble neared its bursting point in 2000, a 14-year-old Montrealer calling himself Mafiaboy disabled much of the Internet economy, alarming the White House and the financial markets. He is a leading character in The Hacker Diaries, a book by Dan Verton, an investigative reporter with Computerworld in Washington. Was Mafiaboy a genius? Was he normal? And why that name?

[Disabled "much of the Internet economy"? Does that mean half a dozen e-commerce sites represent "much" of the economy? Hardly; rather this is a sensational opening to get attention for an article that is not compelling without such stretches.]

[Alarming the White House? Why does this sound like fiction? So the White House took interest in Yahoo being down because they couldn't do a search for "foreign politics", oh my! Why not say the FBI or security companies or someone else was interested/worried?]

[A leading character in "The Hacker Diaries"? So a packet monkey that had a couple days of ./packet action and a month of media attention is a leading character in a book about hackers? And people wonder why we laugh at the hacker vs cracker debate among other things?]


The main Unix server had been obliterated and was inaccessible. The maintenance programs that were reserved for use by the technicians were gone. More than 3,000 files had been deleted. Dozens of user accounts had vanished as well. The intruder had installed a sniffer program designed to capture insecure passwords and a mail relay system, effectively turning Outlawnet into a free e-mail relay station. Soon telephone calls began pouring in from anxious customers who were worried about the impact of the virtual blackout on their businesses. This was a serious incident that required an immediate phone call to the local police.

[The attacker deletes user accounts, then tries to sniff passwords, when users can't log in? This entire attack sounds like the work of someone barely able to understand compromising a machine and certainly not sophisticated enough to maintain control of it. Deleting 3,000 files on a server is somehow worthy of time in a book called 'The Hacker Diaries'?]

The case was quickly passed to the Portland field office of the FBI. The Bureau's response was instantaneous. Outlawnet was a small-town ISP, but as far as the FBI was concerned, this was a crime with far-reaching implications. Launching a denial-of-service attack was a felony that could land you in prison.

[This is not typical of the FBI. An ISP with 1000 customers is nothing. Unless they showed close to 10,000 dollars in damage, it wouldn't be a pressing matter unless this office was bored to tears. Is information missing from what happened here, I wonder?]


But even with account information, there was no way to tell for sure who was sitting in front of the computer at the time of the Outlawnet attack. And moving in too fast could blow any future case Gosselin might be able to make against the hacker, whom he presumed was a minor, based on his experience. But there were tens of thousands of teenage boys in the Montreal area who probably had the skill to conduct such an attack. And the evidence was thin. For the time being, Gosselin didn't have the proof that would enable him to get what he really needed, which was a wiretap.

[Tens of thousands of boys in Montreal, thin evidence and this investigator jumped to the conclusion it was a teen-age boy? That sounds like sloppy detective work and guessing.]


It was clear Yahoo! was dealing with a hacker who knew what he was doing and who took the time to learn about his target and plan the attack. There was no way that what Yahoo! administrators were witnessing was the work of a kid who wanted simply to find out whether the scripts he had downloaded from the Internet actually worked. This attack was the work of a pro, who probably had help. By the time it was over, the Yahoo! attack alone would involve enough data to fill 630 pickup trucks with paper.

["An attacker who knew what he was doing" doesn't really match any of the description before this. Subsequent articles and opinions disagree with this assessment.]


Within four days of the setup of the DNRs, investigators discovered another Totalnet account registered to Mafiaboy. This time, however, the account belonged to the company owned and operated by Mafiaboy's father. Despite the cancellation of the previous accounts two years earlier, it was now obvious Mafiaboy had multiple ways of connecting to the Internet and identifying himself to others. There were hacked accounts, legitimate accounts and accounts that ostensibly belonged to family members. Though the RCMP had narrowed down the search to a single residence, a major challenge still lay ahead. Who was sitting in front of the computers during the attacks? Again, Gosselin and the FBI were confronted with a dilemma: Move in too soon and the case would collapse. Mafiaboy would go free.

[The use of "registered to", "belonged to" and "owned" in the context of accounts is incredibly confusing and suggests Verton doesn't really understand basic security lingo.]


On Mafiaboy's active days, he often operated until 3 or 4 in the morning. Currie set up his system to conduct the daily download of raw data intercepts shortly after 4 a.m., when Mafiaboy was known to quit for the night. When the operation ended 43 days later, Currie had collected 7.6 gigabytes of raw data.

[Some 3 gigs less than the prosecution used in the case against Kevin Mitnick years earlier.]

Most of Mafiaboy's online activity involved Web surfing, online gaming and boisterous IRC chat sessions. During one session, agents watched him in real time as he attempted hacks and had to retype commands three, four, or five times before he got them right. In addition, he always seemed to be accessing accounts using log-ins and passwords that other hackers had given to him.

[Yet Verton and/or Yahoo! said he was "an attacker who knew what he was doing"?!]


Currie yanked a few of the data packets from the stream and made a live copy to analyze. If you know what to look for, you can learn a lot from the raw data packets. If it's HTML, or Web traffic, you can tell that. And although it's more difficult, you can also tell if it's e-mail.

[This is absurd. Admins had been sniffing e-mail traffic for decades before HTML / Web traffic was invented. It is not more difficult at all.]


Then Currie watched him tinker with some of the hacker tools he had used in the original attacks in February. But just when the teenager looked like he was getting back on track with his hacking activities and possibly starting to learn something, Currie noticed, on March 21, that he had launched a limited ICMP attack against himself. Kids. They never seem to learn.

[Again, how is this the sign of a sophisticated attacker that knew what he was doing?]
