José Robbe was leaving her place of work in Rotterdam when she saw a man and a woman walking towards her. It was a Tuesday afternoon, 20 March 2012. “Are you Mrs Robbe?” She nodded. The woman, who was wearing jeans and a black windcheater, explained that she was with the police. “I’d like to talk to you for a minute. It’s about your son, Edwin. We’re arresting him.” José stared, frozen. The woman asked if she would accompany them. Warily, José agreed.
At the police car, the officer told her they intended to surprise her son at the family home in Barendrecht, just south of Rotterdam, and arrest him on the spot. She asked if José wanted to be there for her son’s arrest. “No,” she replied grimly. It felt as if she had just betrayed her son. To stand by and watch would make it even worse. The police asked José for her house keys and dropped her off at a plaza by the local supermarket a few blocks from her house. She felt terrible as the officers drove away to arrest her eldest child, just a troubled 17-year-old. A little while later, three officers emerged from the house, escorting Edwin between them. He offered no resistance.
Edwin was taken to a detention centre in Houten, near Utrecht. Once he was gone, José finally re-entered her house. She sat on the living-room sofa, watching as officers rummaged through cabinets, filed up and down the stairs and bagged up flash drives, CD-Roms and telephones.
Several years later, I visited José and her husband, Ruud, in their terrace house in Rotterdam, where they told me about Edwin, and I explained to them how I had contacted him.
I had tracked Edwin down through a source, obtained his telephone number and eventually made contact with him after repeated attempts. At first, he didn’t respond to the WhatsApp messages I sent. When he finally did reply, it was from a different number. What I wanted to know was why he had attacked the Netherlands’ biggest telecom company and plunged it into chaos. I wanted to know how he’d learned to do what he did – and what had happened to him after his arrest.
Our chats were erratic. One day he’d be effusive and engaging, then he’d become remote. Sometimes, days would pass before he answered a message. It would turn out he was in Asia. We also talked on Skype, once. I wanted to meet. He did, too, he said.
But we never would. Edwin died a few months before my visit to his parents. As we talked, grief over the loss of their son reared up suddenly several times. Ruud had been the last person to see Edwin alive, and it still weighed heavily on him.
Edwin was less than a year old when he was taken from his biological mother. She was on her own and unable to care for an infant. For months, she didn’t even touch him. José and Ruud fostered Edwin. José worked in healthcare, and Ruud was a chemical engineer at a company that processed ores for pigment. They wanted to give baby Edwin a loving home.
But he was a troubled child. “I always thought his anxiety started when he was still very little. He just couldn’t bond with other people,” José recalled. He often complained of stomach aches. There were countless visits to the doctor and to hospital. Each time there would be medical tests. “Honestly, I think it was psychological,” said José. “Edwin had a lot of anxiety, but the doctors focused on physical causes.”
Edwin wasn’t like other kids. His parents saw it, and so did his teachers. One time, at a parents’ evening, a mentor asked: “What’s actually wrong with him? He has almost no friends.” Whenever he was around other people, Edwin became tense, clammed-up and withdrawn.
He almost never did any sport or played outside. Instead, he preferred to sit at the computer in his room upstairs. His parents let him, relieved that at least he had this one hobby. They knew hardly anything about computers. They used one to send the odd email or look for holidays, but that was about it.
After graduating from a vocational high school, in 2010 Edwin enrolled in an IT course at Albeda College in Rotterdam. He said he wanted to do something with computers. His parents let him buy a PC that he put together himself. It had a big memory card and a lot of processing power. He set it up in his bedroom. Looking back, José thinks “that may have been our biggest mistake”.
Edwin was obsessed with his new toy and only came downstairs for meals. Occasionally, his parents caught glimpses of what he was doing. Mostly, he played games, especially the kind in which people are violently killed – such as by building amusement parks and then throwing people off the rides. There were also lots of shoot ’em ups. “He took classes in ethics at school,” said Ruud, “so we thought it would be all right in the end.”
In the autumn of 2010, the Robbes received a letter from their internet provider, KPN, informing them that their internet access had been blocked. KPN said it had observed “malicious activity” on the family’s IP address. When asked about it, Edwin brushed it off as nonsense. To José, he answered in jargon, saying somebody had cracked his “WPA2 key” and exploited their internet connection. Baffled, José let it go.
KPN, however, did not let it go. The company’s abuse team carried out its own investigation. This revealed that Edwin had used a rented server to mount an attack on a website offering movie and TV downloads. When confronted with the evidence, Edwin’s justification was that he didn’t like the site’s administrators.
Edwin had bombarded the website with so many data packets that it crashed – something known as a DDoS attack. This kind of attack is a crime. “Edwin is very active on the internet, as are some of his friends. In some instances they’re described as a hacking ring,” someone at KPN wrote to Ruud in an email. “We wonder if he understands what kind of consequences his actions can have. We urge you to talk to him about this.”
Ruud spoke to Edwin, and wrote back: “I’ve had a long discussion with him. He is a sensitive kid and is gradually coming to see that what he did is a serious offence.” Ruud and Edwin had agreed the computer would be off limits for three months, and that he’d get it cleaned by a professional. “I don’t know anything about computers,” Ruud concluded his email. “Do you have any suggestions on who could help me clean up his computer?” KPN never replied.
Edwin’s parents could tell that something was brewing. He was on edge and hardly ever left his room. As soon as the computer ban was lifted, he was back on his PC for as long as 12 hours a day. School wasn’t going well. His course was heavy on classroom and group work, which didn’t suit him at all. He preferred to do things on his own. He was dismissive of his teachers. “I know more about computers than all of them put together,” he told his parents one evening. Also, the stomach aches had returned, and he was taking an anti-anxiety drug, oxazepam, to help him relax and sleep.
With his parents’ consent, in the summer of 2011 Edwin transferred to a computing course at Zadkine College in Rotterdam, where students were given more freedom and could work independently on projects.
It didn’t help. José and Ruud didn’t know precisely how Edwin was spending his time. Occasionally, he mentioned someone he knew in England or Australia, so they assumed he’d made friends online. “At least he’s finally socialising,” they said. Still, he seemed joyless. They told each other he needed space, that surely there were some things that gave him pleasure, and that he had a knack for computers. But on days he never left his screen, it was hard not to despair. More than once they wondered: “Should we pull the plug?”
If computers were merely tools for his parents, for Edwin they were a gateway to adventure, to understanding and, most of all, to recognition. They let him do whatever he wanted. If he felt like gaming, he’d boot up Windows. But more often he chose Linux, his go-to operating system. From there he opened different virtual devices so that he could adopt multiple personas.
On forums he met like-minded kids his age from all over the world who spent entire days at their computers and made the kinds of social connections online that they couldn’t in the real world. Quiet and reclusive kids, mostly. Cloaked in made-up identities, they chatted about computers, girls and going out, and devised tricks to infiltrate private computer networks.
Online, Edwin was either xS or YUI – the latter a nod to the Japanese singer Yui, of whom he was a big fan. As YUI, he was different. Bolder, more self-assured. Online, quiet Edwin with the shy smile came alive. On chat channels he met an Australian, “Dwaan”, and an American, “Sabu”, in 2011. The three talked about hacking, and his new friends showed Edwin places they had managed to break in.
Sabu, as it happens, was a big shot in the digital world. He was the leader of LulzSec, a collective whose six members attacked a range of organisations and hacked the websites of big companies in 2011 to expose their shoddy security. Though teasing in some cases, in others their antics had serious consequences, such as when the group stole data belonging to more than 70,000 US contestants on the popular TV show The X Factor, in retaliation for an alleged insult to the rapper Common. Also targeted by LulzSec were the Sony PlayStation Network and the website of the CIA.
Several investigation agencies were hunting for Sabu but, like Edwin, he took care to cover his tracks. All the kids went by aliases on chat channels, some of which also required passwords to get in. Plus, they never logged on directly from their home connections, but, rather, through a secure virtual private network (VPN). Edwin connected to a VPN server first, then went online anonymously. It took some discipline. Forgetting to use VPN just once would instantly make his home IP address visible for anyone to see.
After a while, Edwin found his way into chat channels where the serious hackers converged. Winning their trust was a first and crucial step, because police were also lurking, trying to infiltrate using fake identities. At 16, Edwin was orbiting LulzSec as well as a looser collective called Anonymous. Though not a member himself, he hung out on their chat channels. These were exciting times in the hacking world. Members of Anonymous had been targeting a succession of organisations and declaring their solidarity with WikiLeaks, which was publishing hundreds of thousands of US diplomatic communications. When Julian Assange’s whistleblower website was blocked by the payment services PayPal, Mastercard and Visa, cutting off lots of donations to WikiLeaks, Anonymous struck back with a DDoS attack that took out the payment services’ websites and inflicted an estimated $5.5m in losses. One member would ultimately end up doing 18 months in prison in the UK.
Edwin’s contacts abroad gave him a confidence boost. He spent hours chatting with people from all over the world about ways to hack websites. Edwin often mocked “normal” life and western society. He denounced materialism and superficial concerns. But most of all they talked about hacking. Dwaan bragged about some of the places he’d been. To them, it was all a prank: getting in and out just to prove they could bypass a site’s security. They never stole. All they wanted was to look.
In December 2011, when he was 17, Edwin had an online exchange with “Phed”, who showed him an “exploit”. An exploit is a piece of code that takes advantage of vulnerabilities in a network’s security to gain entry somewhere, like a key that opens old locks. Computer networks, especially at large organisations, rely on lots of different software. All software has one or two holes – some known, others still undiscovered. Whenever software makers discover such a vulnerability, they quickly take steps to create a patch and provide an update. Hackers, meanwhile, are snooping around for those very same weaknesses and working just as quickly to make a key – an exploit – to get inside.
Edwin was trawling the internet and scanning networks to see who might be using software with a known hole. In this case, it was HP Data Protector. He searched sites manually using Google, entering “Data Protector” as the search term alongside a specific web or IP address. In early December 2011, Edwin struck gold. He found a university in Norway, NTNU, that was using the software and hadn’t yet installed the update containing the patch. Edwin grabbed his exploit, executed it, and he was inside. Looking around the university’s network, he discovered he had six computer servers at his command. On a roll, Edwin next gained control of a “supercomputer” at the University of Tromsø. He nosed around for a while and then installed a “backdoor”. Now he could access the university’s computer server remotely whenever he wanted to.
Edwin pulled off his stunt without a hitch and earned himself hacker cred with his new friends. Dwaan responded to Edwin’s feat with enthused fist pumps and exclamations of “Loooooooolll” and “OMG!”. This only whetted Edwin’s appetite. He went in search of new targets in other countries. His next victim was the University of Twente in the Netherlands, then a website in Iceland, and after that a university in Japan. He was unstoppable. As long as he took care to connect to a VPN server in Russia first, he left no tracks to follow.
It was while running another scan that Edwin noticed some outdated software at KPN. Holland’s biggest telecoms company was using HP Data Protector and hadn’t installed the update yet. Here was an open window. Did he dare sneak in? Why not take a quick peek inside his own internet provider? After all, KPN was a big fish and would earn him massive credit. Edwin took the gamble. He entered a random KPN IP address, ran his exploit and then, using a detour through the Japanese university, slipped inside KPN’s network.
He found himself in a far corner of the network, which is to say he was in, but still needed to open some doors. For instance, he couldn’t send commands directly from his own computer to KPN. Nor did he have full rights across the whole network. He couldn’t just walk around, because a firewall was blocking his way. But all this was child’s play. By moving a programme from his own PC on to the KPN computer, Edwin could bypass the wall. Now he was free to do as he pleased.
Stupid KPN, he thought to himself. The whole place was riddled with holes. Scanning the rest of the network from the KPN machine he’d accessed, Edwin saw the obsolete software being used in hundreds of places. Almost every computer server in the telecom provider’s vast network had a window open. The kid from Barendrecht strolled around unimpeded, and what he saw astonished him. He could control 514 computer servers. He could even access the core router, the backbone of KPN’s entire network. He could see the data of 2.1 million KPN customers. He could block hundreds of thousands of people from connecting to the national emergency telephone line. He could redirect internet traffic so that people who wanted to visit, say, a news site, would wind up somewhere completely different. Edwin could do whatever he wanted and KPN wouldn’t know a thing.
Excitedly, he told Dwaan of his conquest. At first, Dwaan refused to believe him. To prove he’d gained command of KPN, Edwin logged on to the chat channel from the KPN network. “WTF!” Dwaan responded. Edwin was thrilled with his newfound status. He dropped out of his computing course. At home, the tension eased. Relieved, his mother emailed a friend to say that “Edwin has been feeling better. He’s been exempted from attending classes this year and now he’s doing a high school English course from home.”
Meanwhile, up in his room, Edwin was expanding his latest coup. “I’m hacking my ISP,” he announced to “Combasca”, a Korean student. Combasca didn’t believe him and demanded evidence. Again, Edwin entered the chat channel from the KPN network. He urged Combasca: “U should become a hacker too.”
As Edwin gained plaudits online, a group of men and one woman sat in a high-rise off the A12 motorway outside The Hague, staring at each other in dismay. Dozens of people had set up shop in a vacant office one floor up from the studios of the radio station Fresh FM. They had installed desks, laptops and network cables. To someone who didn’t know what was going on, it would have been a curious sight: people rushing up to the top floor early each morning and not re-emerging until past midnight. Delivery services dropping off dinner in the evenings. Between 80 and 100 workers had been holed up like this for days, many of them engineers and technicians from KPN and researchers from Fox-IT, a Dutch security company that monitors systems and networks for client companies around the world.
It had all started with a message from someone calling themselves Combasca in South Korea. Combasca said he’d been chatting with a guy calling himself YUI, who claimed to have hacked KPN. And he had evidence. After letting YUI boast about what he’d done, Combasca had turned around and contacted KPN. By now, two weeks on, there was genuine panic. Clearly, somebody was inside KPN’s network. It could be a loner, or it could be a foreign state. Nobody knew. Nor could KPN or Fox-IT get a handle on the extent of the damage. They had to tread lightly, examining computers while keeping systems running so as not to disrupt service to millions of customers.
On scanning internet traffic, it became apparent that hundreds of points in the KPN network were connecting to locations outside. Window and doors were flapping open all over the place. On 20 January 2012, KPN raised its alert level to orange. Its business operations were in grave danger.
A week later, on 27 January, there was an even bigger discovery. The hacker had also broken into the core router, effectively taking control of the whole network, and could do whatever they wanted: snoop on internet traffic, turn off TVs, take out the national emergency hotline. The alert level was raised to red. With the country’s most important telecoms provider under threat, KPN notified the National Cyber Security Centre (NCSC) and the national police’s high tech crime unit. The next morning, one of KPN’s board members filed a police report for computer invasion.
The situation triggered widespread alarm. The fragility of a network on which millions of people relied had been laid bare. Following the hacker’s trail, the police team, Fox-IT and KPN finally identified the computer server through which he’d entered the network. But after that, the puzzle became trickier, because the hacker was shielding himself using VPN connections. The police team flew to South Korea to talk to Combasca, and later to Japan, where a university network had been breached by the same individual.
Investigators could see the hacker was using a Russian VPN server whose IP address showed up more than once in KPN’s network. Frustratingly, though, this information didn’t really help the team, because VPN servers mask a user’s identity. There was one last thing they could try: to follow traffic from the VPN server to an individual computer in KPN’s network.
That computer turned out to host a website, on which a KPN customer shared downloaded movies. On that site’s server, the investigators also found hacking files. The email address of the site’s administrator was firstname.lastname@example.org. When they looked it up, the investigators uncovered another lead: the same email address had been used earlier in correspondence with KPN about a blocked IP address. In 2010, an IP address belonging to email@example.com had been blocked temporarily on account of “malicious activities”. That IP address was linked to a house in Barendrecht, just south of Rotterdam.
Finally, the hacker made a mistake. He skipped the VPN and entered a hacked KPN computer server directly from his home connection. With that, he exposed his home address.
Police had a wiretap on the hacker’s home, to gather some last bits of evidence. One day their entire internet feed vanished, leaving the police staring at a blank screen. Their tap in Barendrecht was active, but no data was coming in. The problem, police discovered, was that KPN had accidentally blocked the suspect’s internet connection.
A little more than two months after receiving Combasca’s message, the police finally had enough evidence to pull Edwin from his computer. Two agents were sent to intercept his mother and get her house keys. Then they sneaked up to the upstairs room where Edwin sat, unsuspecting, taking the internet by storm as “xS”. Suddenly, uniformed men burst into the room. “Police! Get your hands off the computer!”
José Robbe put a plate of biscuits in front of me and poured coffee. Ruud sat beside me. As we talked, he pulled a handkerchief from the pocket of his jeans a couple of times, pushing aside his glasses to dry his eyes.
After his arrest, Edwin was detained for 42 days, found guilty of hacking and given a suspended prison sentence of 240 days plus community service. He didn’t want to do community service, however, so did the time instead. Afterwards, Edwin was even more withdrawn. He self-medicated with sedatives and experimented with a variety of drugs. His dad would come home to find the house strewn with leaves and plants that Edwin was using to cook up some psychedelic brew.
Edwin was delusional by this point, and took exception to everything. To his parents, the situation seemed hopeless. Even professionals at the rehabilitation clinic where he was admitted, De Bouman in Rotterdam, sent him packing after a week, saying his behaviour made him impossible. Edwin asked Ruud if he could move back home, but his dad didn’t feel up to the task of taking in his now 22-year-old son.
As Edwin stood on his doorstep, Ruud turned him away with a heavy heart.
“Come on,” Edwin pleaded. But Ruud was at the end of his tether. “We can’t,” he said. “I’m sorry.”
Edwin left with a backpack. His parents had no idea where he’d go.
After several weeks with no news, Ruud tried to get in touch through WhatsApp and email. Edwin only responded to one email, saying: “Sure, everything’s fine. I’m in Pyongyang, North Korea.” Attached to the message was a photograph. It showed Edwin dressed all in black, with eye-catching chains on his jacket. Standing next to him was a Korean soldier. He had posed in front of a picture of the North Korean leader Kim Jong-un (probably, in fact, a tourist attraction in South Korea). Edwin closed his email with: “They monitor things like WhatsApp and phones. But at least they have computers.”
It was one of his very last messages. Ruud bowed his head. “Should I have let him come back home?” he wondered. “Should I have given him one more chance? I’d reached my limit. I just couldn’t do it.”
I’d wanted to hear the story from Edwin himself. The one time we Skyped, he’d been in a hotel room in South Korea. Eight minutes into our call, he signed off with a smile and a peace sign. After that we chatted sporadically over WhatsApp. His final messages were laced with despair. “I don’t like it here,” he wrote, and “They’ve got guns”, and “I want to get out of here ASAP.” He stopped responding to my questions about KPN. A few days later I was contacted by a source. “Did you hear about Edwin?” He’d been found dead in a hotel bathtub, not far from Seoul’s international airport. The door of his room had been barricaded from the inside with furniture and pillows.
At their home, José and Ruud pulled out pictures of Edwin and told me about his complicated youth. They asked about my last conversation with him, about which Ruud observed: “That was just before he died.”
Edwin’s arrest and incarceration were a tipping point, they told me – after that, it was all downhill. And questions linger: if it’s that easy to break in somewhere, isn’t there a much bigger societal problem we ought to address?
It certainly didn’t help that his parents had only a hazy grasp of what Edwin actually did. The technical jargon authorities used in the case against Edwin meant nothing to them. According to the public prosecutor, it constituted “one of the most serious hacks in the Netherlands’ history”. Edwin’s work was “ingenious” and the “impact on KPN and thus on society at large, immense”. By KPN’s own reckoning, it cost them €3m.
After the hack, KPN took measures to ramp up security in its systems. Although Edwin immediately pleaded guilty to all charges in court and cooperated with the judicial inquiry, the public prosecutor was scathing in his condemnation. Edwin’s actions, he charged, had been “malicious and deliberate” and caused “imminent danger to life”.
“We really had no idea what he was up to,” Ruud said. It brought home to him just how vastly different the risks of the digital world are from those of the real world. “It never even occurred to us that he could cause something like this.”
“I’m more anxious about computers now,” Ruud admitted. When he fills in his tax returns and can’t get the site to work, he gets stressed out. “Sometimes I’m afraid someone might be using my identity. I’m forced to depend on technologies I can’t understand, and that worries me.”
This is an edited extract from There’s a War On But No One Can See It, published by Bloomsbury and available at guardianbookshop.co.uk
Huib Modderkolk will be in conversation with Luke Harding for a Guardian Live online event on 17 November. Book tickets here