Ep 4. The Kids Who Hacked the CIA & FBI

Teenagers, secrets, and the breach that shook U.S. intelligence to its core.


They didn’t need weapons, money, or power—just a Wi-Fi connection, a fake name, and a bit of nerve. That’s how the walls of the CIA came down.

— The Exploit Files


Full Transcript

The full, unfiltered story as heard in this episode.

Consider for a moment the most heavily fortified digital strongholds on Earth. We’re talking, you know, the networks designed to protect national secrets, the very core of government intelligence.

Right. The kind of places you assume are locked down tight.

Exactly. Now, imagine these supposedly impenetrable fortresses breached not by uh sophisticated state-sponsored actors or shadowy crime syndicates, okay? But by teenagers operating from their bedrooms.

That sounds like uh like a plot from some cyber thriller, doesn’t it?

It really does. Yet today, we’re pulling back the curtain on two astonishing real-world cases where, well, youthful digital prowess fundamentally challenged the very notion of government cyber security.

Astonishing is the right word.

This deep dive will explore the startling methods, the uh complex motivations and the undeniable lasting impact of these surprising breaches.

So, our mission today is really to unpack the intricate details of these operations.

Precisely. Understand the tools and techniques used and try to delve into the minds of those who dared to pull back the digital veil on some of the world’s most powerful intelligence agencies.

It’s a story of infiltration, disruption, and well, the unexpected power wielded from a keyboard.

It forces us to confront a vital question really,

which is

what does it truly mean to be secure in an increasingly digital world when the most unexpected adversaries can uncover the deepest vulnerabilities?

A chilling question.

So, how did these supposedly impenetrable digital fortresses fall? Our first case file introduces us to a young man named Kane Gamble. Just 15 years old from Leicester, UK.

Okay.

What’s particularly striking about Kane Gamble is that his methods weren’t, you know, typical hacking, not complex coding or zero-day exploits.

Right? So, what was he doing?

He employed a sophisticated art of manipulation. It’s known as social engineering.

Ah, social engineering. That’s a crucial distinction, isn’t it? It’s not about breaking the code.

No. Oh,

it’s about exploiting um human trust, human vulnerabilities. Gamble meticulously collected information, right? Sometimes public stuff, sometimes gathered bit by bit.

Yeah. And then use it to trick people, actual human beings,

into giving away sensitive data or granting access they absolutely should not have.

It really exposes the human element as, well, often the weakest link in any security chain.

Definitely the person, not the program.

And Gamble became a master of this deceptive art. His reign of chaos, as it was later called, spanned about 8 months, June 2015 to February 2016.

Eight months. And his targets,

some of the highest ranking officials in the US intelligence community.

Wow. Okay. Look who

his initial and perhaps most audacious target was John Brennan,

the director of the CIA at the time.

That’s the one. Gamble started by posing as a Verizon employee, just gathering initial details about Brennan’s internet account.

Mhm. Just fishing for info.

Then armed with that little sliver of information. He called back this time impersonating Brennan himself.

Impersonating the CIA director to Verizon. That’s bold.

And incredibly, he almost failed. He couldn’t name Brennan’s first pet.

Huh, the classic security question.

But persistence was key. On later calls, he somehow managed to convince call handlers to change pins, change security questions.

No way.

Yeah. And eventually, he gained full access to Brennan’s Verizon internet account.

Okay. So, once he had that Verizon access

Yeah.

That sounds like the foot in the door.

It created a devastating domino effect. It let him access Brennan’s AOL email account.

AOL

his contacts, his iCloud storage, even remotely control his wife’s iPad.

That’s incredibly invasive. And the information he got

staggering. The reports say extremely sensitive accounts. Referring to military operations and intelligence operations in Afghanistan and Iran.

Oh my god. Actual military and intelligence operations.

That’s what the reports indicate.

Yeah. And then he brazenly posted some of this sensitive information on Twitter and WikiLeaks, openly taunting officials.

They’re taunting them. The audacity is just

chilling, like you said.

But he didn’t stop there. Gamble used similar social engineering tricks to hack the home broadband of Jeh Johnson.

Secretary of Homeland Security. Another huge target.

Exactly. He could listen to Johnson’s voicemails, send texts from his phone. But then it got weirder, more psychological.

He apparently bombarded Johnson and his wife with calls, directly asking her, “Am I scaring you?”

That’s terrifying. Pure psychological warfare.

And at one point, he managed to make a message appear on their family television screen,

on their TV. What did it say?

Just three words. I own you.

Chilling. That psychological aspect. It reveals this um profound understanding of human fear and vulnerability. It’s not just data theft.

No, it’s deeper. Around October 2015, Gamble turned 16. His focus shifted again. Mark Giuliano, the FBI deputy director.

Another one. Same method.

Pretty much impersonated him, gained access to his home accounts. But with that foothold, he accessed something else. The FBI’s Law Enforcement Enterprise Portal. LEO (Law Enforcement Online).

LEO. What is that exactly?

It’s described as uh a gateway providing law enforcement agencies, intelligence groups, and criminal justice agencies access to beneficial resources.

It was inside a core federal intelligence network as a 16-year-old.

Literally inside. And this included criminal intelligence, details of police officers, government employees.

Unbelievable. Did he realize how big this was?

Oh, he wasn’t shy about it. He boasted. Apparently, this has to be the biggest hack. I have access to all the details the feds use for background checks.

And the FBI must have locked it down immediately. Right.

He changed the password. Yes. But what’s truly alarming is that Gamble managed to regain access by again pretending to be Giuliano to a help desk.

He just called them up again after they knew they had been breached.

Seems so. It highlights this um systemic fail in human centric security protocols, doesn’t it? Sometimes the easiest way back in is just to ask convincingly

or demand maybe.

Yeah,

that’s incredible persistence.

It is. And the real world impact was immediate and severe.

Like what?

Gamble stole and posted online personal details of officer Darren Wilson,

the officer from the Ferguson shooting.

That’s the one. And the Giuliano family. They were forced to seek intelligence agency protection. An armed guard was placed at their home.

So this wasn’t just digital m anymore. It was tangible danger. Real people affected.

Absolutely. And his attacks kept escalating. John Holdren, Obama’s senior science and technology adviser, his house was swatted.

Swatting — That’s the dangerous hoax call that sends an armed police team. Right.

Exactly. He accessed private calls and emails of Avril Haines,

who later became director of national intelligence,

and FBI special agent Amy Hess. On Hess’s computer, he apparently downloaded films like Hackers and V for Vendetta

symbolic choices

and also pornographic titles and he even changed an equipment list to use derogatory terms. The sheer breadth of his intrusion was just vast.

It’s like he was exploring every corner he could reach.

And he didn’t spare James Clapper, the director of national intelligence at the time.

What happened there?

All of Clapper’s home phone calls were diverted.

Diverted where?

To the Free Palestine movement.

Wow. Okay. So, there’s a clear political threat emerging.

It certainly seems that way. This was a targeted, deeply personal campaign against some of the most powerful people in the US government

and it culminated you said in February 2016

yes he accessed the US Department of Justice’s network for several days

the DOJ itself

he obtained details of 20,000 FBI employees various case files including sensitive info on the Deepwater Horizon oil spill

the scale is just hard to grasp 20,000 FBI employees details

the potential damage from a breach like that is difficult to overstate.

So, what was driving this 15, 16-year-old from a quiet town in the UK to wreak this kind of havoc?

What compelled him? Well, Gamble founded a group called Crackas With Attitude or CWA in 2015.

Okay.

He told a journalist, “It all started by me getting more and more annoyed about how corrupt and cold-blooded the US government are, so I decided to do something about it.”

So, explicitly political motivation, anti-US government

seems so. He often used the hashtag #FreePalestine, claimed his actions were because the US government was killing innocent people.

Right. And this reign of chaos. How did it end?

Abruptly. February 2016. He was arrested at his home in Leicester

at the request of the US.

At the direct request of the FBI and US Secret Service. They were deeply concerned over the sheer volume and sensitivity of the material he’d accessed.

I can imagine. So what happened to him legally?

In April 2018 at the Old Bailey in London, he was 18 by then, Gamble pleaded guilty. 10 offenses under the Computer Misuse Act

and the sentence

two years in a youth detention facility. The judge, Charles Haddon-Cave, called it an extremely nasty campaign of politically motivated cyber terrorism. He emphasized the victims would have felt seriously violated

understandably and Gamble’s own perspective on all this.

Well, this is particularly chilling. His defense argued he was on the autism spectrum, had the mental development of maybe a 12- or 13-year-old. After his arrest, he reportedly told doctors it was kind of easy. Yeah. And that he had little consequences of his actions in his bedroom on the internet thousands of miles away.

Wow. That disconnect. A very casual perspective that just doesn’t square with the significant real world impact.

Not at all.

So while Kane Gamble’s story really throws a spotlight on social engineering, right, the human weaknesses.

Yeah.

Our next case shifts gears a bit.

Okay.

It involves a different kind of digital mastery and it began even earlier. This is about Mustafa Al-Bassam, a true child prodigy.

Mustafa Al-Bassam, tell me about him.

Born in Baghdad, 1995, immigrated to the UK with his family aged six. His fascination with computers started incredibly early, age eight.

8 years old.

Yeah. And by 9, he performed his first cyber hack.

At nine, what did he hack?

He was doing math homework, found an online calculator website with a security hole, and he discovered he could rewrite its entire computer code.

He rewrote the website’s code as a 9-year-old.

Exactly. A literal child prodigy manipulating digital systems, apparently driven just by curiosity at that stage.

That’s extraordinary. Did he get into trouble?

Not then. His skills progressed rapidly, though. At 13, he hacked his own school’s web server.

His school. What did he find?

Teacher salaries, student grades. The school maybe surprisingly didn’t really take it very well initially, but ultimately let him off.

Yeah.

They believed he just wanted to practice hacking.

That early leniency. Maybe it fostered this belief that boundaries were just, you know, challenges to overcome.

Could be. He then sought out online hacker communities only to realize pretty quickly that he was better at hacking than the majority of the people online, even the ones that were older than him.

So he finds his tribe, realizes he’s top of the pack. Where does that lead?

This is where he stumbles upon Anonymous.

Ah, Anonymous, the the activist collective,

right? He quickly got involved in Operation Payback in 2010. This was retaliation humiliation against companies like Mastercard who’d blocked donations to WikiLeaks

supporting that anonymous ideal of free access to information.

Exactly. And then came something Mustafa calls his first taste of the real world impact of cyber hacking.

What was that?

Operation Tunisia, December 2010. Anonymous joined the Tunisian revolution against President Ben Ali.

How did they get involved?

Cyber attacks on government websites, exposing censorship, even providing hacking software to the Tunisian people.

And the outcome,

Ben Ali fled the country.

Wow. So, a tangible real-world political result from digital action.

A powerful one. And this definitely highlights those blurred, often volatile lines, right, between activism and illicit cyber activity

for sure. So, where does Mustafa go from Anonymous?

At 16, he co-founds LulzSec or LulzSec with five others.

LulzSec. I remember them. They claimed to be different from Anonymous, didn’t they?

Yeah. They said they were ostensibly hacking just for entertainment, for the lulz. Right. But their actions felt more targeted than that sometimes.

Well, despite the stated motive of entertainment, LulzSec quickly became known for Operation Anti-Security or #AntiSec. This was basically a hacking spree targeting government organizations, exposing classified info

and each attack grew more extreme

progressively. Yes. Their first major target was HBGary, an FBI security contractor.

Okay. Why that?

HBGary CEO, guy named Aaron Barr, publicly threatened to expose LulzSec members.

Ah, so he painted a target on his own back

pretty much. And here’s where Mustafa’s skills came in again. He discovered Barr used the same password from multiple personal and company accounts.

Oh, the cardinal sin of cyber security.

Exactly. Barr basically played himself right into Mustafa’s hands. It didn’t take long for Mustafa to log into Barr’s company email

and leak over 70,000 confidential emails.

70,000? What happened to Barr?

Severe consequences. Lost his job, received death threats, had to move house. But this was, like you said, just the beginning for LulzSec.

Who was next?

They turned their attention to InfraGard, an FBI affiliate.

Why InfraGard?

They declared war on them after President Obama declared war on cyber criminals. LulzSec engaged in pranks first, like calling the FBI pretending to be Obama.

Okay, that’s kind of juvenile.

Yeah. But then they hacked and vandalized InfraGard’s website, famously writing, “Let it flow, you stupid, stupid FBI battleships.”

Right. And did they get data?

They got login details of InfraGard users including a white hat hacker named Karim Hijazi. LulzSec thought he held a gold mine of classified FBI information.

So they tried to leverage that.

They tried to blackmail him. Threatened to leak his data unless he paid up, but he just he refused. He went public, exposed their threats.

Good for him. Did that slow LulzSec down?

Doesn’t seem like it.

This public defiance seemed to only fuel their ambition.

Leading them where?

To their biggest target yet, the CIA.

The CIA. What do they do?

LulzSec launched a distributed denial of service attack, a DDoS attack on the CIA website.

Okay. DDoS. Can you break that down simply for us?

Yeah. Basically, it’s like flooding a website server with so many requests, just tons of bogus traffic that it literally crumbles under the traffic. It gets overwhelmed and just shuts down.

So, like a digital traffic jam grinding everything to a halt.

Exactly. And that’s what happened to the CIA site. The attack took the website and apparently all of the CIA’s internal databases offline for 4 hours.

4 hours. The CIA’s main website and internal databases.

That’s the claim. It caused massive embarrassment for the US government. LulzSec even tweeted about it. Something like, “Good night, Twitter. The CIA anti-lizards will probably rise while we rest our shining power field arrays.” Very theatrical.

A huge blow to the CIA’s public image. Surely

absolutely. However, unbeknownst to Mustafa and the other LulzSec members, the CIA hack was already compromised from the inside.

What do you mean?

A co-founder of LulzSec, Hector Monsegur, known online as Sabu, had actually been arrested by the FBI after the InfraGard hacks.

Sabu was arrested before the CIA hack.

Yes. And to avoid serious jail time, Sabu became an FBI informant.

Wow. So he was working with LulzSec,

including on the CIA hack

while secretly feeding info back to the FBI.

Exactly. Collecting data, chat logs, the works. It turns the whole thing into this fascinating almost theatrical interplay of activism, betrayal, and law enforcement.

So, Sabu eventually gave them up.

It seems that way. Mustafa’s time eventually ran out. UK police raided his childhood bedroom, charged him with 880 crimes.

That was the initial number. During a long interrogation, he famously refused to give any information, just said no comment to every single question.

Then, released after 24 hours,

but the legal battle was far from over.

What were the eventual charges?

In May 2013, he pleaded guilty to computer misuse, eventually charged with just two counts of cyber hacking.

And the sentence, compared to Gamble’s two years detention,

Mustafa got a 20-month suspended sentence for 2 years plus 300 hours of community work.

Suspended, so no jail time unless he reoffended.

Correct. He was also given a serious crime prevention order. Had to inform police about computer purchases. Couldn’t delete browser history.

But knowing Mustafa’s ingenuity,

he found a loophole. As he involved it. He just used private browsing.

Huh. A bit ironic, isn’t it? So, what happened to him after that? Is he still involved in hacking?

No, he’s no longer associated with LulzSec.

But his story takes this really unexpected turn.

Okay.

From teenage cyber villain to cyber security expert.

Yeah. Mustafa went on to earn a PhD. His research was in scaling cryptocurrencies and blockchain technology.

A PhD.

And in 2021, he founded Celestia Labs, a Web3 security company. He was even named on Forbes’s 30 under 30 list of tech entrepreneurs.

So he went legit in a big way,

hugely. Ironically, he now advises companies and governments on cyber security, the very entities he once targeted.

And his net worth

estimated between 5 and 10 million.

5 to 10 million. Quite a journey from digital rebellion to mainstream tech success.

It really is.

So as we connect the threads of these two just astonishing cases, a clear pattern emerges, doesn’t it?

Yeah. You have Kane Gamble and Mustafa Al-Bassam. Both young, incredibly digitally skilled individuals

driven by different motivations, maybe political anti-establishment for Gamble, maybe more entertainment or notoriety initially for Mustafa Al-Bassam

perhaps, but both were able to penetrate high-level government systems.

And we see that stark contrast in their methods too,

right? Gamble relied almost entirely on social engineering. Yeah.

Exploiting the human element, the deception.

While Al-Bassam, though he used some social engineering too, ultimately employed more technical methods. That powerful DDoS attack on the CIA

and that difference really highlights something crucial about cyber security, doesn’t it? It isn’t just about code. It’s profoundly about people and their vulnerabilities, both human weaknesses and systemic flaws.

Absolutely. And the stakes in both cases were just astronomically high.

Mhm. Exposure of incredibly sensitive intelligence ops, theft and public posting of personal data,

and those real world consequences. Armed SWAT team officials needing physical protection. These weren’t harmless pranks. They had profound dangerous impacts.

Which brings us to that critical question of well, justice and redemption and the seemingly very different paths taken.

Yeah. One teenager, Kane Gamble, gets two years detention, a criminal record, condemned by a judge for cyber terrorism.

And the other, Mustafa Al-Bassam, co-founder of a group that took down the CIA’s website, goes on to become a millionaire cyber security consultant, advising the very governments he once targeted.

So, what defines a hacker in these contexts? Is it just the act itself, the intent behind it, or the eventual outcome, how they choose to use their skills later on?

It’s a really tricky question. No easy answers.

And that leads us to the broader kind of lingering question of digital freedom versus cyber crime.

Yeah.

Where do we as a society draw that line, especially when individuals believe they’re acting for a cause, even if those actions disrupt national security?

It’s a constant tension in the digital age.

These deep dives into the lives of Kane Gamble and Mustafa Al-Bassam leave us with a profound maybe unsettling thought

which is

in an era where digital power can be wielded by anyone with a keyboard and enough ingenuity. Are these figures criminals who simply got caught or are they perhaps a modern-day form of digital resistance exposing vulnerabilities challenging the status quo?

It’s a provocative way to frame it. Criminal or digital resistance fighter.

What does their story tell us about the true nature of power in the digital age? And how do we as individuals, as a society, navigate these ever-shifting boundaries of digital ethics, security and freedom?





https://youtu.be/MA0IS5gV2no


Sources

These are the most relevant and trustworthy sources used in the creation of this episode:

  1. Two years for teen ‘cyber terrorist’ who targeted US officials – BBC
    Report on Kane Gamble’s sentencing after accessing US intelligence accounts.

  2. Leicester teen tries to hack CIA and FBI chiefs’ computers – BBC
    Early coverage of Gamble’s hacking activities and investigation.

  3. The CIA director was hacked by a 13-year-old – The Guardian
    Opinion piece on surveillance and the irony of the CIA director being hacked.

  4. Teen Who Hacked CIA Director’s Email Tells How He Did It – WIRED
    Direct interview with the hacker detailing his tactics and motivations.

  5. Teen says he hacked CIA director’s AOL account – New York Post
    Article outlining how the teen claimed responsibility and why.

  6. U.S. investigating report email account linked to CIA director hacked – CNN
    Coverage of U.S. government response to the reported breach.

  7. CIA director hack by teen spotlights US cyber-frailty – Al Jazeera
    Analysis on what the breach reveals about national cyber defense.

  8. How Two Kids Hacked CIA and Leaked Everything – Vocal
    Narrative summary of the events and leaks triggered by the attack.

  9. How This 16-Year-Old Hacked the CIA – YouTube
    Short documentary-style video on the techniques and timeline.

  10. UK teen who hacked CIA chief gets two-year prison term – Phys.org
    Legal aftermath of Gamble’s conviction and sentencing.

  11. British 15-year-old gained access to intelligence operations – The Telegraph
    Report on how Gamble posed as the CIA chief to gain access to intelligence.

  12. Hacked by teenager, the CIA director still wants public data – Dawn
    Commentary on the privacy debate following the email breach.

  13. British teenager who ‘cyber-terrorised’ US intelligence officials – Independent
    Detailed court report on Gamble’s motivations and impact.

  14. Was the Head of the CIA Hacked By a High School Student? – YouTube
    Visual recap of the breach and the media response.

  15. Pro-Palestinian High School Students Hacked CIA Boss – HackRead
    Context around the political motivations behind the attack.

  16. Teenagers who hacked CIA chief hit White House official – The Hill
    Broader scope of the breach and additional compromised individuals.

  17. Teen Hackers: A ‘5-Year-Old’ Could Have Hacked Into CIA Director’s Emails – VICE
    Harsh critique of the lax security practices that made the attack possible.

  18. British teenager hacked top ranking US officials – Help Net Security
    Focus on how social engineering techniques were used with precision.

  19. Kane Gamble – Wikipedia
    General background on the hacker, trial, and affiliations.

  20. UK teen Kane Gamble gets two years for hacking CIA ex-chief – DW
    Further coverage of the sentencing and public reactions.

  21. Teen Hacker Sentenced for CIA Breach – Security Affairs
    Cybersecurity analysis of the case and how it was handled by authorities.
