At dawn on 10 July, a clutch of Britain’s most wanted cybercriminals were arrested in their pyjamas at their parents’ houses. Dozens of National Crime Agency officers descended on a quiet Staffordshire cul-de-sac, armed with battering rams, and smashed their way into an ordinary family home. They were there to arrest a 20-year-old woman suspected of orchestrating cyberattacks that cost Marks & Spencer £300m and left Co-op shelves bare nationwide.
The woman’s neighbours told reporters she seemed unremarkable. But she is suspected of being part of an international cybercrime network and of participating in one of Britain’s most damaging hacks – all from her bedroom. Three other arrests followed: men – or, rather, boys – aged 17, 18 and 19 were detained in London and the West Midlands.
On 31 August, within months of the M&S hack, the same group, which calls itself “Scattered Spider”, claimed credit for an even more audacious assault, this time on Jaguar Land Rover (JLR), another household name and jewel in the British economic crown. Production was halted for weeks, prompting a £1.5bn government bailout and intervention by the National Cyber Security Centre. With losses estimated at up to £2bn for JLR and the government loan needed to prevent supply chain collapse, it may prove to be the most costly hack in British history.
Earlier this year, the Netflix show Adolescence dramatised how a teenage boy could be radicalised by online incel ideology. But the real crisis among British teenagers today is far less understood: “The grooming of kids by cybercriminals through gaming,” as Fergus Hay, founder of the ethical hacking initiative the Hacking Games, put it to me. Through the subterranean networks of video games and online forums, young men are being to put work, extorting national institutions for their own ends – and the aims of others.
The conditions are ripe for teenage cybercriminals, with an online generation emerging into a despondent landscape of shrinking opportunities and easy access to criminal tools. Traditional routes to prosperity cannot compete. Graduate salaries are squeezed, job openings down, the prospect of owning your own home retreating into a distant dream. More than half a million men aged 16-24 are out of education or employment; 85 per cent of them are gamers. Why not turn your passion into a profession – all without leaving your chair?
Investigators at the National Crime Agency (NCA) – “Britain’s FBI” as it has become known – have mapped out the progression of such hackers. Computer gaming leads to online gaming; then to gaming cheats, modifications, hacking forums; from there to minor cybercrime such as selling stolen accounts or defacing websites for financial gain; and then to the final checkpoint of serious cybercrime.
It’s a rabbit hole any smart teen can fall into. The computer security researcher Marcus Hutchins, known by his alias MalwareTech, stopped the 2017 “WannaCry” ransomware attack that hit the NHS. But his journey began very differently. As a curious 14-year-old, working from his bedroom in Ilfracombe, Devon, he wrote password-stealing malware later used in serious financial crimes. “I fell in with the wrong kind of community,” Hutchins told me from Los Angeles, where he now lives. At the time, there wasn’t a big legal cybersecurity community, so he found himself on hacking forums where everyone was engaged in malware creation and credit card fraud.
Eight years later, Hutchins progressed from malware creator to cyber hero. He was working as a cybersecurity researcher when he accidentally discovered the “kill switch” that stopped WannaCry, earning him a Wired magazine cover as “the Hacker Who Saved the Internet”. Days after he was celebrated at the hacker convention Def Con in Las Vegas, the FBI arrested him for his teenage creations.
The barrier to entry is so much lower for young hackers today than it was for Hutchins when he was a teenager, he told me. “Anyone can Google a how-to guide on creating ransomware.” Holly Foxcroft, from the software company OneAdvanced, argues that autistic teenagers are particularly susceptible recruitment targets for hackers. “Autistic minds are analytical and data-driven, spotting patterns others miss,” she told me. “The vulnerability lies in inquisitiveness; it’s like an itch you cannot scratch. Hacking is basically a puzzle with a reward: social acceptance.”
Daryl Flack, a partner at the cybersecurity firm Avella Security and a government adviser to the Department for Energy Security and Net Zero, agrees. Young people are drawn to hacking platforms where progression mirrors the video games they already play. “It’s like levelling up in a computer game,” Flack explained. “They’re constantly thinking: how can I unlock the next level? What’s the next challenge?” The same dopamine hit that keeps them gaming for hours translates easily into hacking – each successful breach is another achievement unlocked, another skill mastered.
Consider Julius Kivimäki, the cherubic Finn who began experimenting with computers aged three and discovered hacking through Minecraft cheats at the age of ten. By the time he turned 17, his Lizard Gang had launched a massive attack on Sony and Microsoft, leaving 150 million gamers unable to play over Christmas in 2014. In 2020, he hacked the mental health records of 33,000 Finns and attempted extortion. “It was all just for the excitement and felt like a video game,” he later admitted.
Daryl Flack has outlined the ways hackers are infiltrating this despondent, digital world, one that is disconnected from the physical one. There are two types of cybercriminals, he told me: organised gangs that operate like corporations, with HR departments and employee benefits, and more ragtag groups in which people work together but may not know anything about each other. Both actively scout for talent on gaming platforms and social media, much like real companies recruit graduates, but with more sophisticated targeting.
These cybercriminals operate in a manner distinct from traditional state-sponsored cybercrime, where professional intelligence operatives working for governments, systematically target infrastructure, state agencies or defence contractors. Instead, teenage hackers may be undertaking state-sponsored activities without realising it, via third parties. A teenager on Discord might be hired to breach a UK firm’s network, believing they’re working for a criminal gang, when in reality the job has been commissioned by a hostile government seeking access to industrial secrets.
Joe Tidy, BBC cybersecurity correspondent and the author of Ctrl+Alt+Chaos, a book on teen hackers published in June, described how recruitment typically takes place on Discord or Telegram, with “frenetic texts back and forth, people having a go at each other, laughing, messing about”. These are not sophisticated criminal organisations in the traditional sense, but digital playgrounds where the boundaries between gaming, showmanship and serious international crime blur.
There is a compulsive aspect to many of these crimes too. While on bail and confined to a Premier Inn in Bicester in 2023, with all internet access supposedly blocked, 18-year-old Arion Kurtaj – who is severely autistic and founded the Lapsus$ cyber-extortion collective – still managed to hack the video-game publisher Rockstar Games using an Amazon Firestick, a TV and a phone. He downloaded the company’s files on the unreleased game Grand Theft Auto 6, then leaked clips to the public. The attack cost Rockstar Games $5m.
Marcus Hutchins’s trajectory shows redemption is possible. Following his FBI arrest, he faced the threat of five years in prison and a $250,000 fine for his teenage malware creation. He received only time served when a judge recognised he’d already “turned the corner” by finding and killing malware rather than creating it. But many of those I spoke to said tackling teenage cybercrime will require a fundamental shift in how we think about gaming culture and youth behaviour online.
The NCA is already working to divert technically gifted teenagers before they drift into illegality through its “Cyber Choices” programme, which pairs at-risk young people with “capture the flag” competitions – ethical hacking challenges where participants compete to find vulnerabilities in simulated systems – and cybersecurity training courses. But the scheme is tiny compared to the scale of the problem.
Oli Buckley, a cybersecurity professor at Loughborough University, told me that the current approach from law enforcement should be reversed entirely. “Traditional methods wait until someone commits a crime before offering alternatives – backwards thinking that tries to undo habits already formed.” Instead, Buckley argues, we should embed cybersecurity pathways directly into gaming culture, creating competitions that feed the same psychological needs as criminal hacking but channel them towards protection. “We need to meet these kids where they already are, in the games they’re already playing, before they ever encounter a criminal recruiter.”
The challenge is that legitimate pathways into cybersecurity have traditionally required university degrees or professional certifications – barriers that exclude the self-taught, neurodivergent teenagers who often make the best hackers. “There’s no clear path from a schoolkid interested in cybersecurity to getting a real cybersecurity job,” said Hutchins, identifying the structural gap that pushes talented young people towards crime.
Fergus Hay of the Hacking Games discovered this crisis three years ago when a colleague invited him to meet with hackers. “I walked out fuelled with parental paranoia,” he recalled. But he believes these potential cyber-poachers can be turned into gamekeepers: “The same skills they use for cheating, modding and gaming excellence are exactly what we need to make society safer.”
The JLR attack exposed the extent to which Britain’s critical infrastructure has become vulnerable. The breach exploited JLR’s “smart factory” model, where virtually all operational systems are interconnected. When one part of the network was compromised, the entire system collapsed.
It’s not only giant global multinationals affected either. The children’s nursery chain Kido was hit earlier this year, with photographs and private information of thousands of children stolen in an attempt to extort the company. Before that, a laboratory which provided blood tests to the NHS was shut down following a major cyberattack. Just this month, the government released new information which revealed six out of ten secondary schools in the country have been hit by a cyberattack or breach in the past year.
The pipeline that produced all these attacks, meanwhile, remains intact. “We’re dealing with kids who found something they’re brilliant at, but nobody showed them how to use it for good,” Hutchins told me.
The question is no longer whether this generation will be weaponised, but whether we’ll weaponise them first.
[Further reading: The truth about the small-boats crisis]
Content from our partners
Related
This article appears in the 08 Oct 2025 issue of the New Statesman, The truth about small boats