Lapsus$. 16 years
The Lapsus$ hacking collective rose to prominence by breaching major organizations, including NVIDIA, Microsoft, Vodafone, and Samsung. In investigations, cybersecurity researchers identified a 16-year-old individual living near Oxford, Britain, believed to be the group’s leader and ideological driving force.
Online disclosures from rival hackers reportedly exposed his home address and family details. The person, referred to by the aliases White and breachbase, was described as exceptionally skilled, to the point where experts suspected some attacks were run by automated systems. Additional details about the young figure at the center of these global intrusions were anticipated to emerge over time.
christopher 5 years
In 2014, a kindergartener from San Diego, Christopher von Hassel, uncovered a significant vulnerability within Microsoft’s system. This claim to fame marked him as one of the youngest individuals to expose a security flaw by bypassing Xbox Live security and accessing his father’s account without knowing the password.
During an unsuccessful login attempt, the child triggered a sequence that allowed entry into games he was not supposed to play. The father, Robert Davis, an engineer in the security field, noticed unusual activity as his son demonstrated the vulnerability to him.
Microsoft had recently launched a rewards program offering compensation for reporting weaknesses. Upon learning of von Hassel’s discovery, the company acknowledged him with four free games, a $50 reward, and a free annual Xbox Live subscription. His name was added to the roster of security researchers who contribute to strengthening Microsoft products.
Betty Davis. 7 years
Betsy Davis, a seven-year-old from Britain, did not start in hacking circles until 2015 when she participated in an experiment by a television program and a VPN provider. The exercise required locating steps to hacking open Wi‑Fi networks and exploiting them.
During the demonstration, she showed how easily a fake open network could be created and how data from connected devices could be captured without prior knowledge. The process, witnessed in a YouTube tutorial, took just over ten minutes to complete.
Ruben Paul. 9 years
In 2015, at nine years old, Reuben Paul pursued ethical hacking with a goal of making the digital world safer. He captured attention by illustrating how data such as contacts, messages, and call logs could be extracted from an Android device within a short window of time.
He later founded Prudent Games, a studio focused on educational software. Within hacker communities, he was known by the handle RAPst4r. Reuben has dedicated himself to teaching cybersecurity around the world as an ambassador for safer computing.
syphi. 10 years
The tale of a girl known as CyFi began in 2011 when she grew bored with a FarmVille-like mobile game and decided to push boundaries. At that time she was ten years old.
The true identity behind CyFi remains uncertain. In the same year, she addressed Defcon Kids, describing how she grew tired of time-consuming gameplay and looked for ways to bypass anti-cheat measures. The method described involved manually adjusting a smartphone’s clock to advance in the game.
ACK!3STX. 15 years
In 2012, Austrian authorities arrested a fifteen-year-old suspected of probing 259 companies over a three-month span. The suspect admitted seeking vulnerabilities and bugs in websites and databases with the intent to exploit them later.
He joined a hacker forum that rewarded successful attacks with points. Within three months, he ranked among the top 50 of nearly two thousand members. Details about his fate after the arrest remained unclear.
mafia boy 15 years
In 2000, a Montreal teenager named Michael Kals, nicknamed Mafiaboy, launched a string of high-profile intrusions against major sites such as Yahoo!, Fifa.com, Amazon, Dell, eBay, and CNN. The incidents caused substantial financial losses for many companies.
Interest from law enforcement began when Kals boasted online about the attacks. He gained attention after claiming responsibility for taking down a major Dell site, a claim later noted by authorities. He initially denied wrongdoing but later confessed to most charges and received an eight-month sentence from the Montreal Juvenile Court in 2001. The case later opened doors to opportunities in the cybersecurity field.
Graham Ivan Clark. 17 years
Graham Ivan Clark, a Russian-American based in Tampa, was part of the group behind a historic Twitter breach. At the time, he was seventeen years old. The operation compromised around 130 high-profile accounts, including those of elected leaders, business leaders, and celebrities, and aimed to solicit cryptocurrency through a so-called “bitcoin distribution” scheme.
The operation gathered roughly $117,000 in cryptocurrency before legal action concluded. By the time a verdict was delivered, Clark had turned eighteen and received a prison sentence extending over several years. The case underscored how youth and ambition could intersect with bold cyber intrusions and the legal consequences that followed.