The war against cybercrime goes private

Organised cybergangs cost Britain £27bn a year, and tougher laws are proposed. But one 22-year-old has taken matters into his own hands
  • @peachey_paul

He takes on international criminals, refuses to be paid, and laughs in the face of danger. He has received death threats, cracked scams and helped police make arrests. Not a bad evening's work for a man who spends his day on the car assembly line.

Xylitol – the name of an artificial sweetener – is the nom de guerre of one of a new breed of civilian amateurs taking on organised cybergangs armed only with their computer expertise, a fast internet connection and a sense of purpose.

The 22-year-old is based close to the Swiss border in the north-eastern French city of Belfort – other personal details are kept deliberately vague – and his success in tackling lucrative criminal scams has shown how blurred the lines have become between state agencies, unregulated private companies and individuals tackling the criminals who cost Britain £27bn every year, according to a report commissioned by the Government.

In last week's Queen's Speech, the Government proposed tougher laws that could lead to life sentences for cyber criminals whose activities lead to loss of life or serious damage to national security. It was a sign of the growing seriousness with which officials are approaching the issue.

Xylitol's work was recommended by a fellow French cyber vigilante who was himself identified by a senior British cyber-security official as one of the leading lights in tackling the predominantly Eastern European world of cybercrime.

A former hacker, Xylitol changed sides in 2008 after his own computer became infected by someone trying to steal his passwords. Since then, he has battled Russian makers of ransomware, an insidious program that locks up a computer until the user pays for a code to get back in.

It has earned him enemies, including an Algerian, Hamza Bendelladj, who was extradited to the US last year over claims that he used a computer virus to steal cash from more than 250 American banks. In a post on a forum that criticised Xylitol's work, someone using Bendelladj's Bx1 alias said: "He lives in Lyon France, I already saw him and walked beside him."

Interviewed by email, Xylitol says he has only ever been threatened online and never physically attacked. "I receive death threats sometimes, but that's part of the game. I never really pay attention to that," he wrote, adding that he sometimes steered clear of identifying the instigator of a scam.

"I'm not a guy who hides in a garage," he wrote. "I've always done that for fun and entertainment. I don't see myself as someone who strikes back, or someone on a crusade after a specific group. I've a sort of ethic: don't do unto others what you don't want others to do unto you.

"The things I hate are guys without morals who try to steal money, profit from personal information and ruin people's lives in general."

Xylitol, who is currently unemployed after his assembly-line contract expired and is training for private security, unravels the code used by the scammers and online fraudsters. He says he often reports the information he obtains to "competent people" within the security sector and leaves the rest to them. He says he once received $200 from someone grateful for his work, but he sent it back. "I don't spit on money, but I don't see myself making money with a computer for the moment," he said.

Working as an independent, he says that he has "more liberty than someone who works for a company or a group. Warning people by releasing information about threats is a way to know your enemies and their techniques".

But the role of people such as Xylitol raises questions about who has the right to destroy computer infrastructure based in another nation. Troels Oerting, the head of the European Cybercrime Centre, told The Independent last month that "hacking back" should usually be the role of the state.

"You will normally see coercive power as a prerogative of the state. I can beat you, arrest you, even shoot you; I can search your house because we have rules and I have this permission. We should have the same standards with cybercrime," he said.

"We will see private sector companies able to offer services to companies asking will you please make this go away. They will make it go away. They don't adhere to the same rules that we do. I think this should be done by the police in an open and transparent way that can be scrutinised... and someone can be held liable if it goes wrong."