Historic Hacks of the 1990s, Part 1

Note: This is Part 1 of 2. To read Part 2, click here.

Cybersecurity breaches are a fact of life. Each day, more than 30,000 websites are hacked or infected with malware. More than 80 percent of U.S. businesses have experienced a hack and three-fourths of Americans have been the victim of some sort of cybercrime. If it hasn't happened to you yet, then it's only a matter of time before it does.

Cyber hacks aren't new — the first recorded breach occurred in June 1903. Famed inventor Guglielmo Marconi had booked a London lecture hall to publicly showcase his long-range wireless communication system. The event was a standing-room only crowd of scientists, dignitaries, and newspaper men.

Marconi claimed wireless messages could be sent over great distances and boasted that they were entirely private declaring he could tune his "instruments so that no other instrument that is not similarly tuned can tap my messages." Radio was still in its infancy, so it seemed like a sure thing.

Just before the demonstration started, however, a ticking noise began coming from the theatre's brass projection lantern. Someone had hacked Marconi's wireless and was transmitting a message.

The word "Rats" was repeated numerous times, then a message mocking the famous inventor, "There was a young fellow of Italy, who diddled the public quite prettily." Additional digs about Marconi and his device followed.

Marconi — who was actually not present in the lecture hall on that fateful day, having stationed himself 300 miles away to transmit the message that would be received in London — survived the public embarrassment. It was immediately made clear, however, that wireless messages were not secure.

The hacker was eventually revealed to be Nevil Maskelyne, a 39-year-old British magician. Maskelyne had taught himself Morse code to use in his act. He also dabbled with wireless technology and had conducted a number of successful experiments. Embittered at Marconi's broad patents, Maskelyne got his pound-of-flesh that June day.

While Maskelyne's hack did no long-term damage, modern-day hackers can do massive damage to their victims. According to a study by the Ponemon Institute, the 2018 global average cost of a cyber breach was $3.86 million. In addition to monetary cost, breaches can discredit a company to its customers resulting in long-term or even permanent damage to reputations.

Cyber hackers come in all varieties. Some are bored computer jocks looking for a challenge, others deranged individuals who enjoy being malicious. Some are driven by patriotic fervor, seeking to damage perceived national enemies, and then there are the flat-out crooks looking to make a quick buck off private data. Hackers have long been the bane of the IT industry and it doesn't appear that they will be going away.

While there have been various sorts of hacks since Maskelyne, the advent of the internet in the 1990s really brought cyber-attacks into the spotlight. Below are five historic hacks of the 1990s:

AIDS Trojan 1990

It's somewhat disconcerting to realize that a man who loves butterflies could also be an extortionist. Dr. Joseph Popp, an evolutionary biologist, was the mastermind behind the world's first ransomware virus. Although created in December of 1989, its damage took place in 1990.

Popp's virus didn't come as an authentic looking e-mail attachment, because e-mail hadn't yet been invented. The good doctor did it the old-fashioned way, mailing 20,000 floppy disks to medical professionals and institutions in foreign countries.

The floppies bore the label of a fictious company, "PC Cyborg Corporation," and looked official. Each disk included a working program that measured the risk of an individual contracting the AIDS virus based on their responses to an interactive survey.

The disks also contained malware, the so-called "AIDS Trojan," which would be triggered after a computer was rebooted 90 times. User files would be encrypted, and a screen pop up would tell users to turn on their printers. Once the printer was activated, a message would print out instructing the user to mail a $189 "licensing fee" to a Panamanian P.O. box in order to receive decryption software.

AIDS researchers panicked and furiously tried to protect their data. The break in solving the case came when Popp began acting strange at Amsterdam's Schiphol airport. He scribbled "DR. POPP HAS BEEN POISONED" on another passenger's suitcase, and the police were soon involved.

Upon searching Popp's bags, they discovered a seal labeled "PC Cyborg Corporation." He was arrested and extradited to the United Kingdom to stand trial.

While awaiting his day in court, Popp's erratic behavior continued to the point that the judge released him, declaring him "unfit to stand trial." Popp soon returned to the United States where he opened the Joseph L. Popp Jr. Butterfly Conservatory in upstate New York.

Aftermath — Fortunately for the course of AIDS research, Popp had used symmetric cryptography, an easily reversable form of encryption. Experts analyzed the code and developed decryption tools which were disseminated free of charge.

Lesson Learned — The takeaway here, besides seeing butterflies in a whole new light, was that software could be easily weaponized. That, and don't go sticking strange disks into your drive.

Citibank 1994

Vladmir Levin, an unassuming programmer in St. Petersburg, Russia used his office computer and Citibank's customer dial-up wire transfer service to snag a list of codes and passwords for accounts held by corporate customers. Levin used the information to wire money to accounts held by accomplices in Finland, the United States, Germany, Israel, and the Netherlands. All told, he siphoned off $10.7 million before anyone noticed.

Authorities nabbed several of his partners as they were in the process of withdrawing cash. Faced with jail, and proving there is no honor among thieves, his buddies immediately fingered him as the head of the operation.

Fortunately for Levin, Russia prohibited extradition to foreign countries. Unfortunately for Levin, he didn't stay in Russia. He was later pinched by Scotland Yard when his connecting flight landed at London's Stansted Airport.

For two years, Levin fought attempts to extradite him to the United States., but eventually the United Kingdom's House of Lords rejected his appeal and he was soon on his way across the pond.

Standing trial in New York, Levin copped a plea admitting to one count of conspiracy to defraud and to stealing $3.7 million. He was sentenced to three years in jail and ordered to pay restitution of $240,015 — an odd amount for someone who stole more than $10 million. The judge probably figured he was only ripping off a few faceless corporations.

Aftermath — Citibank realized, security wise, that they had been caught with their pants down and were soon spending millions to update their electronic security and implement encryption for accounts and passwords.

Lessons Learned — The financial industry realized the vulnerability of electronic transfers and would spend billions upping their cyber defenses. Prior to this, data breaches of financial institutions were hushed up. Levin's hack only made the news because of his fight to avoid extradition.