Arranging a meeting was not easy. It had to be squeezed into his tight schedule. Antonis, 21, works as a delivery boy from 7 a.m. until midnight, seven days a week, to earn money and so he doesn’t have to think about a pending court case that has been haunting him in recent years.
He will soon testify before the one-member juvenile court for an offense that he is accused of committing as a teenager, back when he was still known online as Shadow Angel.
During a school break on January 27, 2016, he found his father waiting for him outside the principal’s office. They headed home in near silence. There, he met a prosecutor and officers from the police cybercrime squad. They asked him to switch on his computer, log into his Facebook account and hand over a hard disk.
On the desktop, investigators found a file named “vulnerable sites.” The youngster answered their questions willingly. The file, he said, contained a list of vulnerable websites. He said he used Kali Linux (the go-to operating system for security professionals and ethical hackers). He was the last member of Greek Electronic Army to be identified by the authorities.
More such operations were conducted in Attica, Thessaloniki, Patra, Karditsa and Didymoteicho. The police said the suspects were believed to have carried out cyberattacks on hundreds of public sector agencies and private firms. Most of the perpetrators were teenagers, except for a 36-year-old – the only one to be caught in the act.
It all started with an anonymous complaint sent to the cybercrime unit on August 28, 2015.
“They operate in an organized manner and they hit several sites, commercial as well as government, with the aim of collecting users’ personal data… I have learned that in the coming days they plan to present [the data] to the people they were extracted from and blackmail them into paying large sums of money,” the person said. Attached were the Facebook profiles of five alleged hackers.
However, the accusations proved baseless. Police investigators found no evidence of blackmail or efforts to obtain money by intimidation. Furthermore, they found no sign of digital vandalism. Four years later, the case is finally expected to be heard court.
Antonis is accused of hacking several sites including the Shipping Ministry and the Greek School Network. “I caused no damage. I broke into [a system], I found the security vulnerability and went out,” he says, adding that he notified page administrators whenever he came across a security flaw.
“I would like to inform you that I performed a scan on your webpage and found a cross-site scripting vulnerability allowing a client-side code injection attack,” he told the administrators of an Athens museum webpage.
Speaking to Kathimerini in 2016, the museum’s IT director confirmed Antonis’ message. “He contacted us in good will and we did not have to call in the cybercrime unit. We are now building our new website, so we did not have to make any modifications,” the official said.
Legitimate security checks are conducted by experts who simulate real attacks with the administrators’ consent. In our first meeting in 2016, Antonis said he wanted to study IT. He has since changed his mind. He has been anxious about the trial.
“This whole issue has held me back. We learn from our mistakes,” he says.
He did not keep in touch with the members of Greek Electronic Army. Most of them deleted their Facebook profiles. Antonis did not sit the university entrance exams. He got a job and completed his military service.
In August, he was given a court date and ordered to attend counseling sessions. The counselor was willing to assist him if he wanted to take the university entrance exam.
“She did not make me feel uncomfortable or guilty; the way she approached me was perfect.” Antonis adds that he wishes he had met her sooner.