Below, Joe Tidy shares five key insights from his new book, Ctrl + Alt + Chaos: How Teenage Hackers Hijack the Internet.
Tidy is the BBC’s first cyber correspondent and a leading voice on cybercrime. He has covered major global cyberattacks and produced widely viewed international documentaries, including a high-profile investigation into Russia’s most wanted cybercriminal.
What’s the big idea?
Teenage hackers are quietly reshaping cybercrime. They are not movie-style geniuses, but persistent, socially connected and often addicted, causing real harm through data breaches and fueling a cycle that leads to increasingly serious attacks.
Listen to the audio version of this Book Bite, read by Tidy himself, below or on the Next Big Idea app.
1. Data breaches can really hurt people.
Data leaks, from a company to its social media accounts, are something whose magnitude is difficult for us to measure. Everybody wants to know, Should I be worried? You might be thinking that your phone number, email address, and real address are probably already available, so maybe it’s not a big deal. But whether you should care about a data breach is a really difficult question to answer. In some cases, they can cause serious damage and harm.
The cruelest cyberattack in history took place at the Vastaamo Psychotherapy Center in Finland. Vastaamo was a large and important organization with dozens of temporary mental health centers across the country. In 2018, hacker Julius Kivimäki found a way to access the Vastaamo Psychotherapy Center chain servers and stole all the data he could find. He stole the usual kind of information (names, addresses, phone numbers, Social Security numbers), but he also stole patients’ notes; 33,000 people had their data stolen in this way.
I can’t think of a worse set of facts than what I tell my therapist in the hands of a criminal extortionist. Please note that the people affected by this were already vulnerable. They were struggling with mental health issues. Some of them were depressed or anxious when Kivimäki snuck in one night and stole all that data. With it, he tried to extort Ville Tapio, the CEO of Vastaamo, for 100,000 euros in Bitcoin.
When the CEO refused to pay, Kivimäki did something extraordinary. He took the data and started posting it on the dark web. People in Finland began to worry that his notes might be next, and he deliberately chose particularly lewd and dramatic therapeutic notes. I was looking for things like sexual fantasies, adultery or anything that could really cause individuals a lot of headaches and problems. Then, he did something rarely seen in cybercrime: he reached out to the victims. He sent them emails saying, “I have your notes. Pay me, otherwise I’ll post them online.” The impact on those affected was enormous.
Some of his victims still suffer from post-traumatic stress disorder. I spoke to one woman who described receiving that email as a “psychological rape.” Her notes contained information about her marriage, problems with work, and the anguish of raising two disabled children. You can imagine the shockwave that went through Finland when people received those emails. Data breaches can be devastating for the people involved.
2. Hacking can be addictive.
Kivimäki was 27 years old at the time of the Vastaamo attack, but he had been carrying out cyberattacks for about 10 years, since he was a teenager. What we learn from Kivimäki’s story is that piracy is addictive.
Many hackers simply couldn’t stop. They would be hacking, they would get arrested and have all their devices taken away, but then they would continue hacking as soon as they could. We saw, in particular, that teenage hackers could not be deterred by threats or police activity. They wouldn’t stop. I have learned that if you are smart enough and technical enough, the challenge of breaking into an organization becomes addictive and intoxicating.
If you add the attention you get from bragging about it on social media (which many of these people do), you get the endorphins from likes, retweets, and followers. For a teenager’s growing, underdeveloped brain, this makes it very difficult to stop. Hacking is an addictive activity.
3. We all deny the existence of child hackers.
I am continually amazed that we continue to be amazed by teenage hackers. As a society, we constantly underestimate and underestimate them as a problem. This can be seen in the 2010s, when there was a resurgence of teenage hacking groups and a shift towards a much darker side of hacking.
The hacker gangs of the 80s, 90s and early 2000s were different. It was about exposing big tech companies for having bad code and they enjoyed shaming them. There was a lot of ego in it, but there wasn’t a lot of sinister culture. In the teenage cybercriminal gangs that formed in the 2010s, that’s where we started to see Kivimäki types appear.
Most cybersecurity experts were unaware of all this. They wanted to talk about the great evils of cyber hacking groups like Russia’s Fancy Bear, North Korea’s Lazarus Group, and China’s Volt Typhoon. No one ever wants to admit that they have been hacked by loaded children. So you get this situation of denial where no one wants to talk about it.
But one researcher, Allison Nixon, noticed something is happening with these teens. He came up with a term for us to talk about: TNP, or new persistent threats. This is a pretty clever joke. If you are in the cyber world, you will know the term APT, which means advanced persistent threat. Nixon said they are not “advanced” because these children do not have the sophisticated skills we see in other groups, but they are “persistent” and a “threat” that must be taken seriously.
4. Hacking is not like in the movies.
NPTs are not that sophisticated. They are not advanced. And the way people think about hackers, especially teenage hackers, is that they’re these computer coding masterminds who put on a hoodie and sit alone in their dark rooms. That’s not my experience and that’s not what my research told me. Cybercrime is a team sport. These are people who are usually very sociable and who meet on platforms such as Discord and Telegram. Everyone brings their own skills, often really basic things like social engineering.
5. The cycle has continued.
In recent years we have seen another explosion of teenage hacking groups. In the UK in particular, this issue has come to the fore and people are talking about it in a big way.
The UK has suffered a wave of cyber attacks against retailers. There was Marks & Spencer, which is a famous and long-established department store chain. Then there was the Cooperative. Then there was Harrods. These attacks occurred over a couple of weeks in the spring of 2025 and caused enormous disruption and damage. Marks & Spencer, for example, lost around £300 million. The public was also very surprised because store shelves were suddenly empty, as companies could not continue their logistics operations without working computers. Those company computers had either been completely riddled with ransomware or had been taken offline by the company as a precaution.
There were many arrests of teenagers over this matter. This cycle continues. What is happening now is that we have seen some of these NPT groups joining well-organized and long-established Russian-speaking cybercrime groups that are carrying out serious attacks. My prediction and concern is that we will see more attacks like the one on Marks & Spencer. Unless we find a way to keep children away from the dark path of cybercrime, this will not go away.
Enjoy our complete library of Book Bites (read by authors!) in the Next Big Idea app.
This article originally appeared on Next big ideas club magazine and is reprinted with permission.