Every online scam begins more or less the same—a random e-mail, a sketchy attachment. But every so often, a new type of hacker comes along. Someone who rewrites the rules, not just the code. He secretly burrows his way into your hard drive, then into your life. Is he following your every move?
“Do you want to see something scary?”
It was a Saturday night, not much happening in her Long Beach, California, neighborhood, so high school senior Melissa Young was home messing around on her computer. Her little sister, Suzy, was doing the same thing down the hall. The house was quiet, save the keyboard tapping in the girls’ rooms, when the odd little instant message popped up on Melissa’s screen—an IM from Suzy. Attached to the note was a file labeled simply SCARY.
Melissa wondered why her goof-off sister was IM’ing from the next room instead of just padding over—she wasn’t usually that lazy—so she walked over to see what was up. Suzy just shrugged. She had no idea what her sister was talking about. Yeah, the IM had come from her account, but she hadn’t sent it. Honest.
That night, Suzy’s 20-year-old friend Nila Westwood got the same note, the same attachment. Unlike Melissa, she opened it, expecting, say, a video of some guy stapling his lip to his chin on YouTube. She waited. Nothing. When she called her friend to see what she’d missed, things actually got freaky: Suzy’d never sent a thing. The girls pieced together the clues and agreed: Suzy’s AOL account had been hacked. For the next couple of weeks, the girls remained watchful for malware, insidious software capable of wreaking all sorts of havoc. But with no sign of trouble on their machines—no slow performance, no deleted files, no alerts from antivirus programs—they pretty much forgot about it.
A month passed. Suzy, Melissa, and Nila went about their lives online and off. They chatted with friends, posted pictures, and when they were tired, stretched out on their beds to rest. But at some point, each of them looked up and noticed the same strange thing: the tiny light beside their webcam glowing. At first they figured it was some kind of malfunction, but when it happened repeatedly—the light flicking on, then off—the girls felt a chill. One by one, they gazed fearfully into the lenses, wondering if someone was watching and if, perhaps now, they were looking into the eye of something scary after all. Nila, for one, wasn’t taking any chances. She peeled off a sticker and stuck it on the lens.
The more ubiquitous cameras become, the less we’re aware they’re even there. They stare out at us blankly from our phones and laptops, our Xboxes and iPads, a billion eyes and ears just waiting to be turned on. But what if they were switched on—by someone else—when you least expected it? How would you feel, how would you behave, if the devices that surround your life were suddenly turned against you?
It’s a question that James Kelly and his girlfriend, Amy Wright, never thought they’d have to entertain. But one instant message changed everything. Amy, a 20-year-old brunette at the University of California at Irvine, was on her laptop when she got an IM from a random guy nicknamed mistahxxxrightme, asking her for webcam sex. Out of the blue, like that. Amy told the guy off, but he IM’d again, saying he knew all about her, and to prove it he started describing her dorm room, the color of her walls, the pattern on her sheets, the pictures on her walls. “You have a pink vibrator,” he said. It was like Amy’d slipped into a stalker movie. Then he sent her an image file. Amy watched in horror as the picture materialized on the screen: a shot of her in that very room, naked on the bed, having webcam sex with James.
Mistah X wasn’t done. The hacker fired off a note to James’s ex-girlfriend Carla Gagnon: “nice video I hope you still remember this if you want to chat and find out before I put it online hit me up.” Attached was a video still of her in the nude. Then the hacker contacted James directly, boasting that he had control of his computer, and it became clear this wasn’t about sex: He was toying with them. As Mistah X taunted James, his IMs filling the screen, James called Amy: He had the creep online. What should he do? They talked about calling the cops, but no sooner had James said the words than the hacker reprimanded him. “I know you’re talking to each other right now!” he wrote. James’s throat constricted; how did the stalker know what he was saying? Did he bug his room?
They were powerless. Amy decided to call the cops herself. But the instant she phoned the dispatcher, a message chimed on her screen. It was from the hacker. “I know you just called the police,” he wrote. She panicked. How could he possibly know? She ran into her bathroom and slammed the door behind her. As she pleaded for the police to come quickly, she reached into the shower and cranked the water all the way up, hoping the hacker couldn’t hear her.
The campus police were in no position to handle a case like this. Whoever devised the malware—a sophisticated program capable of dodging antivirus software—clearly had a leg up on university cops. The task of hunting him down fell to agents Tanith Rogers and Jeff Kirkpatrick of the FBI’s cyber program in Los Angeles. Since its founding in 2002, the program’s cyber squads have worked out of a cluttered, bustling office on Wilshire Boulevard, a maze of cubicles that looks more like the office of a video-game company than of a federal agency. Bookshelves spill with tomes on hacking and programming. A black T-shirt on a hook bears a bloody chain saw and the words IN CASE OF ZOMBIES.
Kirkpatrick and Rogers had developed a reputation as the unit’s own Mulder and Scully, tech-savvy agents who play to each other’s strengths. Rogers, a thirtysomething who wears her blond hair pulled back in a bun, honed her skills as an interviewer during her nearly nine years as a police detective in Washington State. Kirkpatrick, a programming expert, spent over a decade working in information security in the private sector. While Rogers often takes the lead consoling victims and grilling suspects, Kirkpatrick can wade through thousands of lines of code to find the slightest abnormality. The agents had worked some of the biggest cases to come through the cyber program, taking down the stalker of ESPN sportscaster Erin Andrews and busting up Operation Phish Phry—one of the largest online fraud rings ever, which netted the crooks about $1.5 million.
But this case was unlike anything they’d encountered before. Clearly the hacker wasn’t out for money. And while sex was a factor, it wasn’t his only motivation. What did this guy really want?
At the FBI offices, the agents comforted Amy, who shook uncontrollably, unable to collect herself. She said she felt “terrorized.” After the incident, she didn’t leave her room for a week. And when she finally did go back to class, she couldn’t concentrate. Amy knew it was irrational, but she couldn’t help scanning the crowd, looking for her stalker. James wasn’t faring much better. He too had holed up alone, away from family and friends. He’d even stopped calling Amy, ending their relationship.
The hacker was fiendishly effective. He had gained remote access to his victims’ computers, allowing him to monitor their activity online and to search their hard drives. But that didn’t explain how he knew the details of their phone conversations or the physical descriptions of their rooms.
Rogers and Kirkpatrick started with the one thing they knew for certain: the hacker’s e-mail. They obtained search warrants for his Internet provider to check activity associated with his e-mail accounts and soon found dozens of victims. “We could see all of these different communications he had with several different women doing the same thing,” Rogers recalls. As the weeks ticked by, the agents gutted software and slogged through subpoenas. Then they finally got a break: A few of the domain names were registered to one Luis Mijangos.
It looked like a credible lead. Mijangos, assuming that wasn’t an alias, lived on a quiet street in Santa Ana, a suburb in Orange County not far from Disneyland. He had no California driver’s license, leading them to suspect he was an illegal immigrant. The one photo they turned up showed a 30-year-old dark-skinned Latino with a long narrow nose and bushy black eyebrows. The feds set up surveillance outside the blue ranch house on a quiet side street. They saw people coming and going, but no one matching Mijangos’s description. The silence led to guesswork: Maybe he didn’t really live there after all. Or maybe for some reason he seldom went outside.
Mijangos hadn’t always been disabled. As the child of a federal police officer in Mexico City, he’d grown up literally on the run. Whenever he heard a neighbor shout “¡Vienen!” he’d scramble onto his rooftop, watching in fear as strange men approached his front door. “I was terrified, because I knew that my father was in there,” he recalls. The men, federales, used to work with his father, but his dad tired of the corruption on the force and quit to open a seafood restaurant. Now he was just another target for extortion.