May 25, 2014

How much damage does one hacker do? FBI provides some estimates.

John Young points to some information on a conviction settlement for a hacker caught participating in LulzSec, which term the FBI explains as:

“Lulz” is shorthand for a common abbreviation used in Internet communications – LOL – or “laughing out loud.” As explained on LulzSec’s website,, the group’s unofficial motto was “Laughing at your security since 2011.”

Aside from the human interest aspects of the story [0], the FBI calculates some damages (blue page 8, edited to drop non-damages estimates):

In the PSR, Probation correctly calculates that the defendant’s base offense level is 7 pursuant to U.S.S.G. §2B1.1(a)(1) and correctly applies a 22-level enhancement in light of a loss amount between $20 million and $50 million 4; a 6-level enhancement given that the offense involved more than 250 victims; ...

4 This loss figure includes damages caused not only by hacks in which Monsegur personally and directly participated, but also damages from hacks perpetrated by Monsegur’s co- conspirators in which he did not directly participate. Monsegur’s actions personally and directly caused between $1,000,000 and $2,500,000 in damages. ...

That last number range of $1m to 2.5m damages is interesting, and can be contrasted to his 10 direct victims (listed on blue pages 5-6) exploited over a 1 year period.

One could surmise that this isn't an optimal solution. E.g., hypothetically, if the 10 victims were to pay each a tenth of their losses, they'd raise a salary of 100-250k and put perp to productive work, and we'd all be in net profit [1].

Obviously this didn't efficiently solve in society due to information problems. LulzEconSec, anyone?

[0] this post was originally a post on Cryptography lists.
[1] Additional comments on the 'profit' side, blue page 13:

"Although difficult to quantify, it is likely that Monsegur’s actions prevented at least millions of dollars in loss to these victims."
and blue page 16:
"Through Monsegur’s cooperation, the FBI was able to thwart or mitigate at least 300 separate hacks. The amount of loss prevented by Monsegur’s actions is difficult to fully quantify, but even a conservative estimate would yield a loss prevention figure in the millions of dollars."

Posted by iang at May 25, 2014 07:19 AM | TrackBack


I would compare it to the economics of vandalism. Its likely less costly to cleanup vandalism and prosecute vandals that were cought, than to make everything vandalism-safe. I read an economics paper about it, but I dont recall its name.

Posted by: Best regards, Philipp at May 26, 2014 07:31 AM

Yes, if we assume that the things stolen were not then distributed (sold) into the crime network.

Back in the old days, Universities were hotbeds of this sort of activity. So there was more scope for young hackers to find their place. Not these days. Is that a good thing or a bad thing?

Posted by: Iang (How the Classical Scholars dropped security from the canon of Computer Science) at May 26, 2014 07:36 AM

Federal prosecutors are notorious for grossly exaggerating damages for sentencing purposes. It would be more accurate if one could learn the actual monetary loss, in terms of stolen cash.

Posted by: Ken at June 9, 2014 08:37 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.