Kevin Mitnick was, while he lived and even now in death, unequivocally the world’s most famous hacker. In a field where stealth is a necessity, fame can be a blessing or a curse. Kevin Mitnick turned it into something else entirely: a signature.
Mitnick, who died at 59 on July 16 of pancreatic cancer, played with fame the way he’d once played his hacking targets.
As his wife Kimberley Mitnick said on Twitter, “Not many people had the privilege of knowing Kev personally and what he stood for.” But everyone knew he was a legend.
But then, it’s hard not to be legendary when you’re the kind of hacker who can prank the FBI agents hunting you.
“He knew the FBI was on to him,” explains Frank Trezza, a phone phreak, podcaster, activist, and hacker who knew him. “He had actually set up an early warning system that pinged the phones of the FBI agents because he was the phone phreak and he knew how to do that somehow, even though that was not something really anybody knew how to do back then. [He set up] this early alert that essentially when one of the phones from the agency who was on his case, came and pinged a tower that was near him, he got an alert. So he knew.
So he went to the store and he bought a box of donuts, and he put a sign on it that said ‘FBI donuts’ and put it in the refrigerator, and then left the house for the day. They raid the place. And then once he was sure they were long gone, he came back. And you know, obviously the place was trashed.
The donuts were gone.”
Because of course they were.
“There are a lot of these stories that really sensationalize some of the things that he did, but the real things that he did, were really impressive on their own merit,” says Trezza. “You don’t really need sensationalized versions of what he did, when his real world actual achievements were very, very valid in and of themselves.”
Here he is shortly before his death from pancreatic cancer, discussing with Cybercrime Magazine the time that Teen Kevin hacked McDonalds drive-thru speakers to prank customers and cops. Good times, Kevin. Good times.
Four decades later, Mitnick’s obituary sums up his impact on those around him, near and far. “It is impossible to list all of Kevin’s close friends. He was blessed to have so many. You know who you are. Your impact on Kevin was profound. Kevin was also very grateful for the legions of fans who in the mid-to-late 1990’s fueled the global “FREE KEVIN” movement. Kevin was an original; much of his life reads like a fiction story. The word that most of us who knew him would use – magnificent.”
Yes, Kevin Mitnick was the first hacker to have a “Free Hackername” movement. There were tee shirts. Meetups. And real world impact, demystifying the scary world of hackers in hoodies and showing the justice system and the public that these are real people. Real interesting people.
Free Kevin’s great hurrah was, in authentic social engineering style, a very mediagenic hoax during his pretrial custodial period. In December of 1997, Yahoo.com was hacked and defaced with a message demanding Mitnick’s freedom. It claimed that all Yahoo! visitors were infected with a massively powerful worm that would be unleashed on Christmas Day unless Mitnick was freed.
And on Christmas Day, nothing whatsoever happened.
Yeah, it was a bluff. But a good one!
Trezza says, “if you go by like the 2600 crowd, a lot of them really loved Kevin, they tried really hard to get him out of jail when he was in jail. [Later] they kind of changed their tune, because they didn’t like anyone corporate and he started working for companies like KnowBe4, where he would, you know, push kind of commercial products that some people saw it as, like selling out. I am of the mindset that you need to adapt, overcome when you’re facing adversity.”
And adapt he did.
Loved as a mentor and booster of cybersecurity careers for reformed hackers, his life story and arc inspired two generations of hackers, from the greybeards with “FREE KEVIN” merch in the back of their tee shirt drawers, to starry-eyed teens who hope that they, too, can one day become “The world’s most famous hacker.”
There’s no question, that’s exactly who he was: the world’s most famous hacker. Much to the irritation of #2, Adrian Lamo. Rumoured to have faked his own death, Lamo’s failure to re-emerge after the death of his rival has more or less put that rumour to rest.
This is probably a good time to remind you that the true “best hacker” is the one no-one can name. Fame and success as a hacker are oppositional forces. Mitnick’s great genius was to not only align them, but to monetize them and use them as career accellerants.
He billed himself as “the #1 Authority on Hacking, Social Engineering and Security Awareness Training” which was itself an act of social engineering. A very successful one at that. By speaking the words of power often enough, in front of the right audiences, he made it so.
“Kevin is the catalyst of the information security industry, a best-selling author, renowned security speaker and the head of an elite information security firm with a 100% success rate.” Note that the success rate is according to the company he owned. But the first part of the claim is correct: it is significantly due to Mitnick’s efforts that cybersecurity and infosec as a whole were accepted as genuine professions, rather than acts engaged in by randos in hoodies, in the back corner of a coffee shop, for the lulz or for crime. It was Kevin Mitnick who socialed society into accepting infosec as a high-value, respectable, and often quite lucrative profession.
Kevin was born August 6, 1963. He died July 16, 2023 at the age of 59, his pregnant wife by his side. He was one of the original phone phreaks, and his Southern California location was ideal for connecting with like-minded phreaks in person. His hacking motivation was “trophy hunting,” simply the thrill of outsmarting big corporations and their expensive consultants and staffers. Kevin liked money, but he wasn’t in it for that. Stealing passwords, sure. Cloning software? You bet. Selling them? Nope. Not even the FBI claimed that, then or now.
His first widely known hack occurred in 1979, when he broke into DEC’s system and cloned their software. It took law enforcement years to bring him to trial for it. He was ultimately convicted in 1988, serving 12 months in custody, with three years of supervised release afterwards. It didn’t work out that way.
Of course not. It was Kevin Mitnick. Nothing was ever linear with Mitnick; he’d have been ashamed if it were.
While on supervised release, with complete freedom in sight merely weeks away, he hacked into Pacific Bell, a juicy target at the time. It was no great mystery who’d done the hack, and with the FBI on his tail Mitnick became a fugitive and, in doing so, a legend.
As he told Silicon Republic: “The government was chasing me for hacking a bunch of cellphone companies because I was fascinated with how the cellphone worked,” Mitnick said.
“I wanted to understand how it worked; made a stupid and regrettable decision to hack into these cellular manufacturers like Nokia, Motorola, and get the source code to the firmware on the chip inside, so I could study and understand how it worked.”
He remained on the run for more than two years, hacking dozens of companies as he went, and leaving a trail of cloned phones and infiltrated emails wherever he went. And donuts.
Trezza tells an entertaining story which was typical of Mitnick in the pre-legit phase of his life.
He came up with some really brilliant ways of getting people to give away information. They certainly shouldn’t. Yeah. One of my favorite Kevin stories is when he had dinner with a friend of his and he decided to go to a central call station for a telephone company, I believe was in Marbella. They didn’t have authorization and really shouldn’t have been there. And it was nighttime. Kevin knew how to get in. He got into the office, but they got caught by security guard. Kevin’s there with his friend and his friends freaking out and Kevin’s like, ‘Let me handle it.’ The guard is like, ‘Who do you work for?’ And Kevin mentions the name of like some really big upper-up in that company. And he says, ‘I’m just from visiting from out of town. I’m here with my friend and I decided to give him a tour of one of our central offices.’ And the security guard is not buying this. ‘I’m going to call your boss right now!" and it’s like two in the morning. He calls this really senior person in the company, who groggily wakes up to hear security guard being like, ‘There’s some guy who says he works for you! I don’t think this is legit. What do we do?’ And the security guard then hands the phone over to Kevin so that Kevin can talk to his supposed boss. When Kevin has this guy on the phone, he presses the phone to his ear really, really tight, so the security guard can’t hear what’s going on.
This guy is ranting and raving. ‘Who are you why you’re in my data center? What are you doing?’ And Kevin, Kevin is just cool and calm and collected and starts replying as if the guy’s asking very different questions. ‘Oh, no, sir. That project on your desk early next week? It’s going to be fine. No, no. Yeah, I’m I’m visiting. Yes. Friend of mine. I was going around. Yes, I know. I should have gotten a letter of authorization. No, it’s fine. Right, next time I’ll do better. All right, we’re good.’ And he just hangs up the phone.
Kevin, and his friend leave, they get their car drive down the road. They’re like two blocks away and they park the car, turn the headlights off. And then 10 minutes later, security guard comes running out of the building shining the flashlight looking for. Because obviously the guy had called back. And it’s just that kind of like thinking on your feet that really made Kevin very different from a lot of the other hackers."
But all good things must come to an end. On February 15, 1995 the FBI raided his apartment in Raleigh, North Carolina and he was charged with 14 accounts of wire fraud.
Trezza explains that Mitnick, normally extremely precise with his fake ID’s and not foolish enough to keep physically incriminating evidence lying around, goofed up.
He had been really meticulous in his fake IDs because he’d come up with this whole scheme where he would take the social security number of a child who was born in one state, but die in another knowing that they wouldn’t update the records in the original state. He had all these really bullet proof identities that had social security numbers and established credit. And these really unique fake IDs would actually verify, so the FBI, like, knew it was him but couldn’t really prove it. So they’re like toss in this place and there’s nothing there to link Kevin Mitnick to Ahmed or whatever name he was using at the time.
And then they find one of his ski jackets in the closet and they go through the pockets and then one of the pockets there’s a lift ticket for like a ski range and in the pocket is a lift ticket and it had his name on it, and that’s what they used to nail him.
At the time of Mitnick’s arrest, “Wire fraud” was a catch-all charge because specific cybersecurity legislation was mostly stuck in the pipeline, much to the frustration of law enforcement. It took till 1999 for Mitnick to reach a plea deal for four charges. He received a sentence of 46 months in prison for the new offences, plus 22 months for violating the terms of his 1989 supervised release.
And the hacktivist movement known as “Free Kevin” was born.
The judge counted his pretrial incarceration towards the sentence, and he was released in early 2000 on supervised release for another three years. Part of his pretrial incarceration was served in solitary confinement because LE claimed that he could start a nuclear war by whistling into a phone, confusing the movie War Games with phone phreaking; whether by accident or design, who can say? Solitary confinement, particularly when someone has not been convicted of a crime, is considered torture by many humanitarian organizations.
After his release Mitnick went mainstream in a big way. A big, “Jordan Belfort, Let Me Tell You About The Rogue I Used to Be and More Importantly Why You Need To Hire Information Security Experts” way. It cost him points with the Free Kevin crowd, but a guy has to make a living. Being Kevin Mitnick, he made a living for himself and changed the financial and social landscape for other hackers just as a side-effect.
Between speaking engagements at north of $50k-per, corporate consulting, zero-day exploit marketing (legally back then! Although it didn’t last thanks in part to pressure from LE), media appearances, and an approach to public relations which made his old social engineering efforts look lazy by comparison, Kevin Mitnick did more to mainstream the idea of information security as a legitimate career than possibly anyone else in history.
He’d show up to hacker conferences, give talks rehashing the glory days and looking ahead to when cybersecurity talent would be not only respected, but rewarded. Slowly, surely, the universe bent to his will, as it always had. Today, entry-level cybersecurity jobs are remunerating at over $90,000 USD per year.
The “Son of Sam” laws prevented Mitnick from profiting from any book or movie deals for seven years after his release, but in 2012 he and William L. Simon released Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, with a forward by Apple co-founder Steve Wozniak.
The book is engaging, readable, non-technical, and possibly somewhat more revealing than Mitnick intended regarding his self-perception verses his actual character. For instance, the line “Kevin Mitnick was the most elusive computer break-in artist in history,” is perhaps more aspirational than accurate. The MOST elusive ones are still out there, eluding capture. But nonetheless it’s a rip-snorting read and highly worth it. If you only read one Kevin Mitnick book, make it this one. His other books (several with the same co-author) can be more technical and geared towards an audience already familiar with hacking vocabulary. If you want to legally social engineer people, if you want to disappear, or if you want to protect yourself against people who want to do those things, they’re definitely worth reading.
Trezza says, “You have Ghost in the Wires, which is like Kevin story. Then you have Art of Deception: GREAT book! The Art of Intrusion, also a great book. Then you have The Art of Invisibility, which was geared toward corporate CEO’s and not to an audience that already knew what they were doing.” Yes, reader, that is shade.
Between corporate consulting, authoring books, and public speaking, Mitnick made a comfortable living for the last couple of decades. In 2022 he settled down and married, knowing even then that his clock was ticking. He had already been diagnosed with pancreatic cancer, with a dismal projected outcome. Mortality would come calling sooner rather than later. His child is yet unborn, but already welcomed and loved.
Kevin Mitnick’s legacy is secure, as if that could ever be in doubt.
We’ll give his wife the last word on that legacy. From Kimberley Mitnick’s Twitter account:
My love. Till we see each other again, I know you are here with me. I hear your voice. Our son will know you and I am convinced he will be a mini you. I am grateful we have so many friends all over the world who will teach our son how to hack and more importantly who the real Kevin Mitnick was. Our little one …our legacy.