Tweener virtual worlds: Training grounds for tomorrow's cyberschnooks

Perp: "Helgi B"

Status: Scared straight (or so we hope)

Dossier: If you need proof that youth and innocence don't necessarily go together, you need look no further than the woeful tale of a 13-year-old sociopathic script kiddie who, for reasons of privacy, we'll refer to only by his "handle," Helgi B.

Helgi B has already learned the fine art of theft of online account information through social engineering. While even moderately sophisticated adults can easily see through his clumsily crafted scams, impressionable kids have already fallen victim. His target: Habbo Hotel game account information.

If you're not a Western European middle-schooler who plays online games, then you probably don't know that Habbo Hotel is an incredibly popular online environment, a kind of blocky, pixelated, isometric Second Life designed for Euro tweens. It's not so much a game as a hangout spot, one where you can have your own "room" and decorate it with furniture (or, in Habbo lingo, "furni") you buy using the in-game currency, "coins," which you obtain using real money through Habbo Hotel's online shopping page.

Helgi B's scam is to connive other Habbo players into giving him their account information, or paying him for dodgy "hacking" programs or for what he claims are discounted coins in bulk, at impossibly low prices. Of course, anyone with your account details can log in to your account and transfer your coins or furni to an accomplice, just as if someone with your bank account information logged in and transferred your entire balance to an untraceable account in Hackistan.

When security researcher Chris "Paperghost" Boyd began digging into Helgi B's online shenanigans, he had no idea where it would lead: YouTube videos demonstrating so-called game-hacking tools; downloadable phishing kits; archives full of stolen passwords and commercial software license keys; remote access Trojans he claims to have created; and worst of all, forum posts where he brags about his 1337 h4x0r skilz.

"When did we become so jaded that we didn't just tolerate anonymous punks hacking us but gave a green light to 13-year-olds screwing us over and doing it in full view?" Boyd writes on his blog at Vitalsecurity.org. "Sigh. These kids are openly and wantonly peddling their leet hacking tools across all manner of websites -- worse, they don't even bother to do it anonymously anymore."

So Boyd took it to the next level: He began, as he describes it, "14+ solid hours of non-stop beatdowns" on all of Helgi B's Web sites that peddle illegal goods. One after another, Boyd contacted the various Web hosting providers and ISPs where Helgi had set up shop, providing them with documentary evidence, including screenshots, detailing the broad scope of illegal activities the forum was engaging in.

The only glitch: One of the service providers hosting Helgi B's stolen-passwords/license-keys forum seems reluctant to take down the site. It goes down for an hour or two and then comes back online. Four days later, the Web host finally pulls the plug permanently -- but only after Boyd threatens to report the hosting company to law enforcement.

Lessons learned: Just because you may not have reached puberty doesn't mean you can't be arrested and prosecuted for cybercrimes. It just means your parents might go to jail also/instead, or have to pay a huge fine, and then who's going to drive you to band practice or soccer games? Remember: Going to jail is like being grounded ... in a jail cell. And for you Web hosts out there: Getting another $5 or $10 from some message board operator isn't worth having your head-end ISP pull the plug on you for violating their terms of service, so turn off those illegal sites when someone reports them. Fast.

Andrew Brandt loves doing play-by-play of a good cybercriminal beatdown when he's not terminating malware with extreme prejudice at his day job.