Our PracticeTeamPricingConsultingInvestorsGet Started
← All Field Notes
May 30, 2026 · by Ravsecurityethicsharm-reductionincident-response

I Talked to the Person Who Hacked Me. He Was Seventeen.

After someone broke into our server, I did the thing you're not supposed to do — I messaged him. What I found wasn't a criminal mastermind. It was a teenager running tools other people built. Here's what that taught me about who actually gets caught in this, and what we owe them.

There's a standard script for getting hacked. You find the intrusion, you clean it, you harden, you move on. You do not open a chat window and message the person who did it. That's the part everyone tells you not to do.

I did it anyway. I want to tell you why, and what I found, because it changed how I think about the whole problem.

The message

When the miner came back a second time, it stopped being an abstraction. Whoever this was had walked back into a house I'd just finished locking, and left the lights on so I'd know. So I sent a message. I told him what I had — the wallet, the toolkit, the logs, the whole forensic picture — and I asked him, more or less, what do you want?

He answered. And the first thing he did was correct me.

He admitted the break-in flatly — yes, that was him. But the mining? Not him, he said. Different attack. And when I looked at the timeline again, that actually held together: the original intrusion and the miner didn't have to be the same hands. Access gets resold. A door someone else opens is a door anyone can walk through. The person who picked my lock and the person who set up shop inside may genuinely have been two different people.

That distinction matters more than it sounds, and we'll come back to it.

Who I was actually talking to

The picture that came together over the next couple of hours was not the one the word "hacker" puts in your head.

He was a teenager. He'd just finished school. The thing he was genuinely proud of — the thing he'd actually built himself — was a scanner: a program that crawls the internet looking for websites with weaknesses. He wrote that. The kernel exploit he ran on my box? Downloaded from a public code repository, compiled, executed. The scanning tools? Off the shelf. The one original piece of engineering in the whole operation was the part that, on its own, isn't even illegal.

Sit with that for a second. A vulnerability scanner is a vulnerability scanner. In a teenager's hands it produces a list of victims. In a security company's hands it produces a list of clients who need help. The exact same program. The line between the two isn't the code — it's whether you walk through the door the code finds. He walked through. That's the crime. The scanner wasn't.

He was, by his own evidence, not an elite. He was a kid running mostly other people's weapons, sloppy enough to leave his own contact details sitting on my server. Capable enough to write a useful tool. Reckless enough to point all of it at strangers.

The thing I caught myself considering

Here's the part I didn't expect about myself: my first serious instinct, once I knew who he was, wasn't to destroy him. It was to hire him.

Because the skill is real, even if the judgment isn't. Someone who can write a scanner that finds vulnerabilities can write a scanner that finds clients. The capability that made him a problem is the same capability a legitimate security business runs on. The only thing that needed to change was which side of that very thin line he stood on.

I thought hard about it. A real contract. A real prohibition on the illegal parts, with the legitimate parts — actual authorized testing — allowed. And then I ran into the wall that ends that fantasy: he's seventeen. International. The machinery for turning a teenage intruder into a contractor across borders is not machinery I have, and pretending otherwise would have been its own kind of recklessness.

Why I didn't "hack back"

The other instinct — the revenge one — I also thought about, and also didn't act on. Not purely out of virtue. Out of a realization that stopped me cold.

Our server had been used to attack other people. Millions of targets scanned, real systems compromised downstream. If I'd gone on the offensive against the infrastructure attacking me, I might have been attacking another victim's hijacked machine, not the attacker's. You can't tell from the outside whose box it really is. That's not a small caveat — it's the entire reason the law draws the line where it does.

And even the gentler instinct — I'll just go fix the vulnerable systems I can see — runs into the same wall. You can see into a window from the street; that's allowed. You cannot climb in and repair the broken latch, even if you're doing it for free, even if you're right that it's broken. Consent isn't a formality. The most you can ethically do is knock and say: hey, I have information, here it is, and if you want help, we can help.

That sentence turned out to be a business model. But that's another note.

How it actually ended

No vigilante ending. The responsible one.

We preserved everything — the rule from the first minute of this whole incident was contain, but do not delete the evidence — and we handed the complete forensic package to the hosting providers involved, who are obligated to refer it to the appropriate authorities. That's where it belongs. Not in my hands, not in a revenge fantasy, and not buried because the person on the other end turned out to be a kid. Preserved, reported, done by the book.

What I actually took from it

Here's the part that stuck, and it isn't the sympathetic version. He knew exactly where the line was. The scanner — the one thing he actually built — didn't start as a weapon. He wrote it to find vulnerabilities, tell people about them, and get paid to fix them. That's a business. It's my business, more or less — the white-hat version of his own idea. It just didn't work for him. Not because the tool was bad, but because he couldn't get anyone to care.

And that's the ugly thing this whole episode rubbed my face in: almost nobody values their own security until it's already a breach. The people who reliably care about vulnerabilities are the people paid to care about them — and everyone else treats "you have a hole" as someone else's problem until it isn't. So a kid with a genuinely useful tool and a legitimate idea couldn't find a single buyer for the legal version of it. The same tool, pointed at the open internet, paid that same night. He didn't cross the line because no one showed him where it was. He crossed it because the legal side had no customers and the criminal side had instant ones. That's not an excuse for him. It's an indictment of the rest of us.

I caught him. I considered hiring him. I reported him. None of those are contradictions — they're the same instinct: the goal isn't to win, it's to reduce the harm. Close the hole, preserve what actually happened, hand it to the people whose job it is, and — where you can — show the person on the other end that the legitimate version of their talent might actually have a buyer.

He didn't leave the lights on to confess — he left them on to be seen. He wanted to be known, so I told him he was: I'd traced him to his own doorstep. And I told him the rest of it, too — the talent was real, I'd have hired him, I'd have paid him for what he found. Then I hit the wall that's the actual scandal of this story: I couldn't. You cannot legally reward someone for finding your hole if they found it by climbing through it. The most valuable thing he made — millions of weaknesses mapped, the exact one he walked through — became worthless to him the second he used it instead of selling it. He didn't need a lesson about right and wrong. He needed a market that doesn't exist for people like him. That's the thing worth being angry about.