Security
Headlines
HeadlinesLatestCVEs

Headline

A Vigilante Hacker Took Down North Korea’s Internet. Now He’s Taking Off His Mask

As “P4x,” Alejandro Caceres single-handedly disrupted the internet of an entire country. Then he tried to show the US military how it can—and should—adopt his methods.

Wired
#vulnerability#web#mac#google#git#intel#backdoor#acer#auth

A little over two years have passed since the online vigilante who would call himself P4x fired the first shot in his own one-man cyberwar. Working alone in his coastal Florida home in late January of 2022, wearing slippers and pajama pants and periodically munching on Takis corn snacks, he spun up a set of custom-built programs on his laptop and a collection of cloud-based servers that intermittently tore offline every publicly visible website in North Korea and would ultimately keep them down for more than a week.

P4x’s real identity, revealed here for the first time, is Alejandro Caceres, a 38-year-old Colombian-American cybersecurity entrepreneur with hacker tattoos on both arms, unruly dark brown hair, a very high tolerance for risk, and a very personal grudge. Like many other US hackers and security researchers, Caceres had been personally targeted by North Korean spies who aimed to steal his intrusion tools. He had detailed that targeting to the FBI but received no real government support. So he decided to take matters into his own hands and to send a message to the regime of Kim Jong Un: Messing with American hackers would have consequences. “It felt like the right thing to do here,” Caceres told WIRED at the time. “If they don’t see we have teeth, it’s just going to keep coming.”

As he sought an outlet to broadcast that message to the Kim regime, Caceres told his story to WIRED while he carried out his attack, providing screen-capture videos and other evidence that he was, in fact, single-handedly disrupting the internet of an entire country in real time. But it was only just before going public that he decided to invent the P4x pseudonym for himself. The handle, pronounced “pax,” was a cheeky allusion to his intention of forcing a kind of peace with North Korea through the threat of his own punitive measures. He hoped that by hiding behind that name, he might evade not just North Korean retaliation but also criminal hacking charges from his own government.

Instead of prosecuting him, however, Caceres was surprised to find, in the wake of his North Korean cyberattacks, the US government was more interested in recruiting him. Caceres would spend much of the next year on a strange journey into the secretive world of America’s state-sponsored hacking agencies. Adopted informally by a Pentagon contractor, he was invited to present his techniques to high-level US defense and intelligence officials. He carried out a long-term hacking project designed to impress his new audience, hitting real foreign targets. And he pitched Department of Defense officials on a mode of US government-sanctioned cyberattacks that, like his solo North Korean takedown, would be far leaner, faster, and arguably more effective than Washington’s slow and risk-averse model of cyberwar.

Caceres worried after his attack on North Korea that the US government might prosecute him. Instead, he was surprised to find that it was more interested in recruiting him.

Photograph: Devin Christopher

Caceres’ pitch never got the green light. Now, partly due to his frustration with that experience, he’s finally dropping his pseudonym to send a new message, this one aimed at his fellow Americans: that the US government needs to wield its hacking powers far more aggressively. “Both the NSA and the DOD have a ton of talented hackers, yet when it comes to actually performing disruptive cyber operations, for some reason we as a country are just frozen and scared,” Caceres says. “And that needs to change.”

He points to ransomware actors, mostly based in Russia, who extracted more than a billion dollars of extortion fees from victim companies in 2023 while crippling hospitals and government agencies. North Korea–affiliated hackers, meanwhile, stole another $1 billion in cryptocurrency last year, funneling profits into the coffers of the Kim regime. All of that hacking against the West, he argues, has been carried out with relative impunity. “We sit there while they hack us,” Caceres says.

So Caceres is now arguing that it’s time for the US to try the P4x approach: that a part of the solution to foreign cybersecurity threats is for the American government’s own hackers to show their teeth—and to use them far more often.

Caceres and the Pentagon contractor that partnered with him—whose founder agreed to talk to WIRED on the condition we not name him or his company—spent much of the past two years advocating within the US government for that far-more-brazen approach to state-sponsored cyberattacks. They describe it as a special forces model: single hackers or small teams carrying out nimble, targeted digital disruptions, in contrast to the US’s traditionally slower and more bureaucratic approach to cyberwarfare.

“You can have an impact here, and it can be asymmetrical, and it can occur on a much faster timescale,” summarizes the founder of the hacker startup that worked with Caceres to pitch the Pentagon.

He cites a military principle that each member of a special forces unit should have the effect of 16 conventional soldiers. “With what we and P4x were doing, we wanted to increase that ratio a hundredfold,” he says. “And P4x would teach other operators how to do it.”

P4x Americana

In his public life as a security researcher, Caceres is known as a talented and sometimes brash figure in the hacker community: The second-generation Colombian-American, who used the hacker handle _hyp3ri0n long before he adopted the P4x pseudonym, is the founder of the cybersecurity startup Hyperion Gray and a frequent speaker at events like the Defcon hacker conference, where he has shared methods for lone hackers to amplify their reach and effects through cloud services and high-performance computing clusters. He’s also the creator of a somewhat controversial vulnerability scanning tool called PunkSpider, which he announced at Defcon in 2021 that he intended to use to scan every website in the world and publicly reveal all of their hackable vulnerabilities.

From the beginning of his hacker career, Caceres has never been one to shy away from the most aggressive applications of the digital dark arts. His first job out of college, while he pursued a graduate degree in international science and technology policy, was working for a subsidiary of the notorious military contractor formerly known as Blackwater, doing open-source intelligence investigations for corporate security and executive protection—what he describes as a “Google sweatshop.” Within a few years, however, Caceres and his startup Hyperion Gray were getting grants from the Pentagon’s Defense Advanced Research Projects Agency, using his growing prowess in cloud and high-performance computing to scan the dark web as part of Darpa’s Memex program devoted to advancing search technologies for national security applications.

In that dark-web scouring, Caceres says, he regularly came upon child sexual abuse materials forums and even violent extremist content. He admits that he didn’t hesitate to hack some of those sites, pulling data off their backend servers and anonymously handing it to contacts at the Department of Homeland Security. “That probably wasn’t 100 percent legal,” he says, “but I didn’t necessarily give a fuck.”

Even his startup’s name, Hyperion Gray, reflected Caceres’ sense of the murky territory in which he traveled: It combined his _hyp3ri0n hacker handle, the name of a Titan from Greek mythology, with a shade in the middle of the spectrum between ideas of whitehat and blackhat hacking.

So when North Korean hackers chose Caceres as one of their targets in 2021, it was inevitable that he wouldn’t let that slight go unanswered. In January of that year, a fellow hacker whom Caceres didn’t know approached him online through a friend and asked if he’d take a look at what appeared to be an interesting software exploitation program, offering it to Caceres to download. A day or so later, Caceres read a blog post from Google’s Threat Analysis Group warning that North Korean hackers were going after US security researchers in what appeared to be an effort to steal their hacking tools and intel. Sure enough, when Caceres checked the file he’d downloaded and run on his own computer, he saw that it included a backdoor—only the fact that he’d quarantined the program on his machine had protected him from being fully compromised.

A portrait taken of Caceres before he decided to publicly reveal his identity as P4x.

Photograph: Devin Christopher

Caceres, appalled, reported the hacking attempt to the FBI. He says the bureau ultimately did little more than a fact-finding interview with him, with no real follow-up. So after nursing his grudge for a full year, he decided to take matters into his own hands. In late January of 2022, he began running custom hacking scripts designed to target a few key North Korean routers responsible for internet traffic into and out of the country, repeatedly checking whether they were online and, if they were, amplifying his waves of malicious data requests to cause them to crash. He described the project to WIRED at the time as about equivalent in workload to a “small-to-medium” size penetration test of the kind Hyperion Gray would carry out for clients.

North Korean watchers soon began to notice that the Hermit Kingdom’s entire web, from its government portal to its state-run airline booking site, had been knocked offline for days on end by an apparent cyberattack. News outlets published stories that pointed to the country’s recent missile tests, implying that the attack was perhaps the work of another country’s cyber forces—one news site suggested the US or possibly China—to signal to North Korea that it should stop threatening its neighbors. In reality, it was all the work of one aggrieved Florida man in his pajamas.

A Cyber Army of One

The US government may have had nothing to do with North Korea’s man-made internet outage, but it quietly took an interest in it. In the weeks after WIRED published its story about P4x’s solo hacking feat, Caceres began to receive messages from hacker friends with connections to the Pentagon and intelligence agencies—sent not to P4x but to Caceres’ own true-name accounts. Several agencies, he was told, were intrigued by his work and interested in talking to him.

For those in the know, identifying Caceres had been worryingly easy: He had given away hints in posts to his Twitter account about his North Korean targeting prior to his decision to hide it behind the P4x pseudonym. After P4x’s public statements on the cyberattack, one fellow hacker had even posted screenshots of Caceres’ now-deleted tweets, though without spelling out what exactly they revealed.

One friend had discussed Caceres’ work with a high-ranking military official and told Caceres there was someone the official now wanted Caceres to talk to: a longtime military intelligence contractor who had done contract work for the Joint Special Operations Command, which oversees groups like the Army’s Delta Force and the Navy’s Seal Team Six. WIRED agreed to call him Angus, though that isn’t his real name.

A few weeks after his North Korea attack, Caceres met Angus in the offices of Angus’ Pentagon-funded hacker startup. Angus began by warning Caceres that he was potentially in danger of reprisal from the North Korean state and that he should be wary of the possibility of a physical attack that might be made to look like a mugging, or of someone tampering with his prescription medications. “Before that, I was nervous,” Caceres says. “After that, I was shit-scared.” Angus suggested the hacker ought to arm himself. (Caceres, not one for half measures, later bought three guns and multiple bulletproof vests.)

Angus quizzed Caceres about his past hacking activities, his allegiance to other governments—he said he didn’t have any—and his politics. He specifically asked Caceres if he was a Marxist. Caceres confirmed he was not. With that brief vetting out of the way, they went out for drinks and talked late into that night about what a P4x-style US special forces hacker team might look like and what sort of work they might do together to demonstrate that model to the Department of Defense.

Soon after, Angus convened a meeting of military and intelligence staff at his startup’s office, where they listened to a presentation from Caceres. Standing before an audience of officials from Cyber Command, Special Operations Command, the NSA, and the Marines’ Cyberspace Command known as Marforcyber, he detailed his North Korean hacking project as a case study and laid out principles for how it could be replicated: Aim for “easy and impactful.” Minimize the number of “cooks in the kitchen.” Iterate rapidly. He laid out a timeline for operations that suggested assembling teams of two to four hackers, with support from researchers and analysts, and taking just a few days to plan an operation.

“For the US government, any execution on target is typically a six-month process. P4x did it in two weeks,” says Angus. “The whole point was that he can show them how to do it, and if they wanted to they could fund it and see it happen.”

The response to the presentation was positive, if somewhat cynical, according to Angus. “Most of them put their faces in their palms when they realized what he’d done and how he did it, and the only thing that stopped them from doing it was bureaucracy,” he says. Caceres remembers that one audience member responded with a joke: that Caceres forgot the step where he presents a 100-slide PowerPoint deck to someone who doesn’t understand what he’s talking about and then denies him authorization.

Too Hot for the DOD

After that initial presentation, Caceres gave a similar talk at MIT Lincoln Laboratory, a Pentagon-funded R&D lab, and then was invited to speak again near DC, this time to a larger audience of military and intelligence officials. That last speaking engagement was delayed due to paperwork and would ultimately never happen—in part because Caceres was by then busy with a more hands-on demonstration.

In fact, while Angus sought funding for their project, Caceres was targeting another foreign adversary to show the full extent of the cyber mayhem a small team could inflict. Over the next year, he and another hacker who goes by the handle tu3sday undertook a broad intrusion campaign whose details they both declined to describe.

Caceres and tu3sday did much of that hacking in the offices of Angus’ startup, visiting the site dozens of times over the next year. But Caceres says that the work was never officially carried out with the company’s approval or involvement, much less the Pentagon’s. “The message I got was that it was a ‘don’t get caught, we’ll disavow all knowledge’ sort of thing," Caceres says.

Meanwhile, Angus found that he was running into roadblocks in his attempts to get more official support for their experiment. “The initial response was, ‘We should be doing that,’” he says. But as he “talked it up a very long chain, all the way to very senior people to see if they were amenable to it, most of them were not.”

Angus says he’s still not sure why their project didn’t gain traction. He believes it was only partly a considered decision by the Pentagon not to engage in the more aggressive and freewheeling hacking operations that they’d proposed. He thinks the resistance can be explained at least as much by the Department of Defense’s sclerotic management and the difficulty of convincing it to try anything new that involves risk. “There were forces that were nebulous even to me, and people wanted different things, and there was a lot of risk-aversion,” says Angus. “Bureaucracy was 100 percent a factor. They were trying to dilute liability.”

After nearly a year of Angus’ efforts to find funding for the project and failing, Caceres says he gave up and ended his visits to the startup. “We had something really powerful to share here, and something they really need,” he says of the US military. “And nothing really came of it.”

WIRED reached out to the Department of Defense, Cyber Command, and the NSA, but none responded to our requests for comment.

A Tricky Trilemma

Even after hitting that brick wall, Caceres hasn’t given up on his pitch. He has come forward, now speaking to WIRED under his own name, in an attempt to rekindle the idea of American “special forces” hackers: He still imagines small teams who make the lives of ransomware gangs hell by repeatedly targeting and destroying their servers and personal computers, or breaking into the wallets of North Korea–linked hackers to steal back the hundreds of millions of dollars in cryptocurrency that they routinely take from US victims. He also suggests that US cyber forces could easily, like P4x, take down North Korea’s internet for extended periods in response to every major theft until Kim’s state-sponsored thieves are forced to stop. “Like, every time they steal a hundred million dollars we shut down their internet for a year,” says Caceres. “Let’s figure out what kind of disruption makes them think twice about doing this.”

Caceres even argues that this sort of deterrent response could be used in answer to Russian or North Korean misbehavior in the physical world, such as war crimes or human rights abuses. Most radically, he argues that US cyber targeting shouldn’t be confined to military, government, or even criminal targets: that civilian infrastructure should be fair game, too. He says the effects of those attacks should be thought of not as “cyberwar” but as simply another kind of trade embargo or sanctions. “Exactly as we’re withholding certain goods and businesses from Russia right now,” Caceres says, “we could be withholding the internet.”

On his right arm, Caceres has tattoos of his pre-P4x hacker handles. On his left, he has a cryptographic hash—a long string of numbers and letters—that encodes a word. He invites WIRED readers to try to crack it.

Photograph: Devin Christopher

Those with a less run-and-gun approach to cyber policy, of course, cite some valid reasons why the Pentagon might hesitate to adopt the P4x model of state-sponsored hacking. If US Cyber Command took up Caceres’ notion of attacking civilian targets, for instance, it could be accused of war crimes, just as some have said about Russia’s cyberattacks against Ukraine, argues Jacquelyn Schneider, a cyber conflict researcher at Stanford’s Hoover Institution. Not only would indiscriminate attacks on civilians be arguably immoral, she points out, they’d potentially invite other countries to do the same, or worse.

“That’s not nice, and it’s not a good norm,” says Schneider. She says that much of the US government’s slow approach to cyberattacks stems from its care to ensure it avoids unintentionally hitting civilians as well as breaking international law or triggering dangerous blowback.

Still, Schneider concedes that Caceres and Angus have a point: The US could be using its cyber forces more, and some of the explanations for why it doesn’t amount to bureaucracy. “There are good reasons, and then there are bad reasons,” says Schneider. "Like, we have complicated organizational politics, we don’t know how to do things differently, we’re bad at using this type of talent, we’ve been doing it this way for 50 years, and it worked well for dropping bombs.”

America’s offensive hacking has, by all appearances, gotten less aggressive and less nimble over the past half decade, Schneider points out. Starting in 2018, for instance, General Paul Nakasone, then the head of Cyber Command, advocated a “defend forward” strategy aimed at taking cyber conflict to the enemy’s network rather than waiting for it to occur on America’s turf. In those years, Cyber Command launched disruptive hacking operations designed to cripple Russia’s disinformation-spouting Internet Research Agency troll farm and take down the infrastructure of the Trickbot ransomware group, which some feared at the time might be used to interfere in the 2020 election. Since then, however, Cyber Command and other US military hackers appear to have gone relatively quiet, often leaving the response to foreign hackers to law enforcement agencies like the FBI, which face far more legal constraints.

Caceres isn’t entirely wrong to criticize that more conservative stance, says Jason Healey, who until February served as a senior cybersecurity strategist at the US Cybersecurity and Infrastructure Security Agency. He responds to Caceres’ cyberhawk arguments by citing the Subversive Trilemma, an idea laid out in a 2021 paper by the researcher Lennart Maschmeyer: Hacking operations have to choose among intensity, speed, and control. Even in earlier, more aggressive years, US Cyber Command has tended to turn up the dial for control, Healey says, prioritizing it over those other variables. But he notes there may in fact be certain targets—such as ransomware gangs or hackers working for Russia’s no-holds-barred GRU military intelligence agency—who might warrant resetting those dials. “For those targets,” says Healey, “you really can release the hounds.”

P4x Is Dead, Viva P4x

As for Caceres himself, he says he’s not opposed to American hacking agencies taking a conservative approach to limiting their damage or protecting civilians—as long as they take action. “There’s being conservative,” he says, “and then there’s doing fuck all.”

On the argument that more aggressive cyberattacks would lead to escalation and counterattacks from foreign hackers, Caceres points to the attacks those foreign hackers are already carrying out. The ransomware group AlphV’s catastrophic attack on Change Healthcare in February, for instance, crippled medical claim platforms for hundreds of providers and hospitals, effects about as disruptive for civilians as any cyberattack can be. “That escalation is already happening,” Caceres says. “We’re not doing anything, and they’re still escalating.”

Caceres says he hasn’t entirely given up on convincing someone in the US government to adopt his more gloves-off approach. Ditching the P4x handle and revealing his real name is, in some sense, his last-ditch attempt to get the US government’s attention and restart the conversation.

But he also says he won’t be waiting for the Pentagon’s approval before he continues that approach on his own. “If I keep going with this alone, or with just a few people that I trust, I can move a lot faster,” he says. “I can fuck shit up for the people who deserve it, and I don’t have to report to anyone.”

The P4x handle may be dead, in other words. But the P4x doctrine of cyberwarfare lives on.

Wired: Latest News

Drug Dealers Have Moved Onto Social Media