Children as young as seven are being referred to Britain’s national cybercrime intervention programme, the Money team can reveal, as companies reel from multimillion-pound hacks.

The average age of referrals to Cyber Choices, which receives people committing or intending to commit entry-level cybercrime, is just 15 this financial year, with the youngest only seven, the National Crime Agency told Money.

The NCA is seeing a year-on-year increase in referrals, mostly gamers aged 10 to 16, at the same time as insurance payouts to hacked UK businesses have rocketed 230%.

“I was right around that age,” says Ricky Handschumacher, a former cybercriminal whose introduction to hacking on a videogame aged 15 led him to a four-year federal prison sentence for stealing $7.6m in cryptocurrency.

“They are even more vulnerable right now than back then because it’s so mainstream.”

Handschumacher, now 32, is one of two notorious crypto hackers who warned that teenagers were increasingly following the same path in exclusive interviews with Money.

“It seems to be growing more and more, it’s not stopping,” says Handschumacher, from Florida.

“You have to really pay attention to what your kid’s doing. You may think ‘my kid would never do that’, but don’t be so sure.

“Some of these 15, 16-year-olds, they’re sitting on millions.”

At least 105 referrals of all ages have been made this financial year to the Cyber Choices programme, but that’s just the start, warns Jonathan Broadbent, a senior officer at the NCA’s National Cyber Crime Unit.

“I don’t think the referrals represent the full scale of the threat,” Broadbent warns. “Cybercrime against schools – that is really quite prevalent across the country.”

Students caused 57% of insider data breaches in schools between January 2022 and August 2024, according to the Information Commissioners Office.

Escalating attacks

Britain has been given a sense of its scale in a spate of recent multimillion-pound attacks.

Marks & Spencer lost £136m to a cyberattack in April that halted online orders for weeks, while the data of 6.5m customers was stolen from Co-op.

Hackers shut down Jaguar Land Rover factories for five weeks in August, causing £1.9bn in disruption to the UK economy, according to the Cyber Monitoring Centre.

An attack on Transport for London caused months of disruption, and nursery chain Kido was held to ransom in September.

Teenagers and young adults were among the suspects in all these cases.

The gaming pathway

Gaming, which is participated in by 97% of children aged eight to 17, is a major pathway into cybercrime, according to Broadbent.

It was a route followed by both Handschumacher and another reformed hacker, Joseph Harris, 28, who was jailed for stealing $14m in cryptocurrency in 2018.

His entry to hacking at the age of 12 was Club Penguin, a children’s game where players navigate a cartoon penguin through a wintery island full of sled races, dance contests and treasure hunts.

It’s an image that is incongruous with the sight of Secret Service Agents swarming a Missouri petrol station eight years later and pointing their guns at him.

It all started in 2010, Harris says, when he found a bug in Club Penguin allowing him to force the game to loop when he collected coins, affording him rare items from the in-game shop.

Tutorials on YouTube convinced him it was quicker to phone email providers and trick his way into accounts that already owned these outfits and accessories.

“It sounds silly because it’s a children’s game, but some of those items were worth thousands of dollars,” says Harris.

And by age 13 that’s what he was making, selling the accounts to Club Penguin enthusiasts willing to give him $2,000 for the privilege.

“The thrill and the accomplishment was more of a rush for me than the actual money,” Harris says.

“I had really bad ADHD so I couldn’t focus on school, so a lot of the time I didn’t have the best grades.”

Harris, who now runs cybersecurity firm Dynamo, adds: “Hacking was such an interesting topic that I feel my hyper-fixation let me focus on it heavily.”

Neurodiversity

A link between neurodiversity and hacking proficiency has been suggested by some research, says chartered psychologist professor John McAlaney.

Approximately 17% of people referred to the British cybercrime investigation groups Cyber Prevent and Pursue between 2017 and 2020 were diagnosed with autism or self-referred as having autistic-like traits, far higher than the 1-2% recorded in the general population.

While the ability to hyperfocus or detect patterns may be relevant, there’s “quite a lot of stereotyping going on”, says McAlaney, author of Forensic Perspectives On Cybercrime.

Hackers aren’t lone wolves with limited social skills sitting in a dark room looking at a glowing screen, he says.

In fact, it is the social identity and positive reinforcement provided by hacking communities that can appeal to a teenager’s desire to find a sense of belonging, he says, “especially for someone who hasn’t felt understood in the offline world.

“You do get what can be surprisingly quite nice support networks on what may look like a criminal hacking forum.”

Sense of community

Unlike his unease at school, Harris started to feel at home on hacking forums as he looked for new targets such as Youtube, PlayStation and Xbox accounts.

Users were willing to pay $500 to $1000 for desirable usernames in the same way that motorists splash out on rare numberplates.

Aged 15, Harris exploited software bugs to steal personal data and trick customer support staff into handing over account access before selling them on.

He’d receive $2,000 a month and, more importantly, the approval of his online friends.

“I didn’t have that much confidence and finally people were praising me for getting these usernames,” he says.

“I started thinking maybe I am okay.”

This is a common experience among children referred to Cyber Choices, says Broadbent: “Often these young individuals can be isolated, they might be in a bedroom and maybe not engage with their families too much and they get that sense of community from being on things like forums.”

But, like McAlaney, Broadbent stresses there is no typical profile for a teenage cybercriminal.

Anyone can be a hacker

Take Handschumacher, who was a rising student baseball star playing Halo 3, a game sold to 12 million people, when he first encountered hacking.

A competitor on the multiplayer sci-fi combat game targeted him with a DDoS, a cyberattack that overloads a victim’s internet connection.

It’s the kind of hack that Broadbent commonly sees carried out by children referred to Cyber Choices, alongside remote access trojans, which allow hackers to access laptop cameras.

“How are they doing that? How can I do that?” Handschumacher asked himself as his helpless Halo soldier froze, allowing the hacker to kill them.

He searched gaming forums, leading to hacking forums, and soon he was stealing Xbox, Instagram and Twitter accounts just like Harris.

“In my case, it was strictly for money,” he says.

“As a teenager, you like to flex. You like to be able to buy whatever you want to buy and do whatever you want to do.”

Their motivations may differ, but so similar were the pair’s path into hacking that they met when Handschumacher stole a PlayStation account from Harris that the latter had himself hacked.

“We started by butting heads,” says Harris, but by the time they’d started stealing straight from cryptocurrency wallets in their late teens and early twenties, they were collaborating – and they weren’t the only ones.

Disorganised crime

When Handschumacher stepped outside his front door in 2018 and found “about 50 cop cars” surrounding him, he was accused of being a member of an international hacking gang named The Community.

It’s a mafia-esque description often deployed by law enforcement, the media and criminals themselves, including in the attacks on M&S, Co-op and Harrods linked to “Scattered Spider” and the attack on JLR claimed by “Scattered Lapsus$ Hunters”.

Some hackers do operate like this, says Alexandra Fedosimova, digital footprint analyst at cybersecurity firm Kaspersky.

Experienced cybercriminals will recruit greener ones over Telegram or the dark web to carry out timely grunt work for cash, like accessing a company’s online infrastructure, before stepping in themselves to steal data, she says.

But Harris and Handschumacher describe a far more fluid, loose network of teenagers and young adults who weren’t taking their crimes very seriously.

Any one “job” could include friends, friends of friends, a recommendation from an acquaintance and so on, some of whom used their real names while others remained anonymous.

“You wouldn’t have a specific group,” says Handschumacher, adding he didn’t know some of his co-defendants.

Indeed, the group “Scattered Lapsus$ Hunters” is thought to be made up of hackers formerly part of three different groups, Shiny Hunters, Lapsus$ and Scattered Spider, who themselves are said to have emerged from The Community.

Another game

Broadbent says child hackers he sees are often bored, curious or tech-talented children who wanted a community, a challenge, competition and status among their peers, and, like most teenagers, were willing to push boundaries to get it.

“It was more of the challenge, the thrill, the rush you get from getting those big numbers,” says Harris, who says he stole just under $30m in crypto the year he was caught.

Besides a few videogames, he says he never spent much stolen cash, remaining in a rented house with five roommates for $400 a month.

“Your moral compass fades,” he says. “I was thinking ‘it’s on the internet’, so I didn’t think it was that bad.”

Handschumacher, who spent $250,000 on jet skis, off-road vehicles and VIP access to clubs for his friends, agrees.

“It’s not in their house, it was just an online currency, so what is the actual crime?” he says he thought at the time.

But some of victims targeted by Handschumacher and his co-defendants lost their entire retirement savings, according to the US Attorney’s Office.

“You don’t see these people face to face, so you don’t realise the damage you’re doing, especially when it comes to crypto,” Handschumacher says.

This is called the disinhibition effect, explains McAlaney: “Online interactions feel less real to us than offline interactions, which can make us be more impulsive and more extreme online.”

Knowing there is a victim on an intellectual level doesn’t impress on hackers the consequences for the victim in the same way as sitting opposite them might, he says.

“Our brains have evolved over thousands of years and have not really caught up with the fact that online technology exists.”

Crashing down

For several years, Harris made “millions” exploiting software bugs or using password database breaches to gain access to email accounts used by crypto owners.

Meanwhile, Handschumacher was perfecting sim-swapping hacks, which meant finding enough personal data to impersonate a victim and convince their mobile network provider to transfer their number to a new sim card and bypass crypto wallet authentication.

Success would mean severing the victim’s phone connection, firing the starting gun on a race to steal the victim’s cryptocurrency before they realised what had happened.

This type of hack, carried out separately, would lead law enforcement to both Harris and Handschumacher in 2018.

Plain-clothes secret service officers “swarmed” a petrol station that Harris, then aged 21, was using.

“They pointed a gun at me. I thought I was getting robbed at first,” he says.

Read more long reads:
The 40 jobs ‘most at risk’ from AI – and 40 it can’t touch
Why millions of Britons are off work long-term sick
Britain’s shrinking families: An economic ‘timebomb’

Harris was sentenced to 16 months for money-laundering, grand theft, identity theft and hacking, he says, serving eight months behind bars.

Handschumacher, then aged 25 with a fiance and two children, was confronted by dozens of officers as he left work one morning.

“That was it,” he says. “It all came crashing down after that.”

He served 27 months of a four-year sentence handed to him in February 2022 due to pandemic delays, primarily for conspiracy to commit wire fraud.

Hacking games

The growing number of cybercriminals comes amid a global shortage of cybersecurity professionals.

Some four million staff members are needed worldwide, with 67% of organisations facing a moderate-to-critical skills gap, according to the World Economic Forum.

“The issue is the industry is really conventional in how they look at talent,” says Fergus Hay, founder of the Hacking Games (THG), an organisation trying to redirect teenage hackers towards legitimate jobs in cyber.

The cyber industry looks for staff on LinkedIn, expects computer science degrees and other official certificates and demands a large amount of work experience for its entry-level jobs.

“What they’re missing,” Hay says, “is an entire generation who are developing their skills in non-conventional areas like gaming.

“Every hacker is a gamer, and that’s because it’s puzzle-solving and logic mindsets.”

Find tips and deals in the Money blog

THG is working on a CV-like recruitment programme, seen by the Money team, that determines an applicant’s hacking aptitude using non-traditional metrics such as gaming performance and modifications to match hackers with careers in cyber.

Telling teenagers these jobs exist is part of the challenge, so THG is running education and awareness campaigns on social media, connecting reformed hackers with students in Co-op schools, and plans to roll out hacking eSports tournaments next year.

Cyber Choices is undertaking similar outreach, with visits to schools and workshops educating children about computer misuse law and promoting legal cyber opportunities.

But cold, hard cash needs to be part of the answer too, Handschumacher and Harris say.

Bug hunting

“I don’t have any cybersecurity certificates. I’m all self-taught, everything, so it’s hard to work for a normal company,” says Handschumacher.

The only way for “unqualified” hackers to apply their skills ethically is by collecting so-called bug bounties.

These are payments offered by companies for finding bugs in their systems before an unethical hacker does, but the payouts are tiny compared to the value of some of the bugs.

Harris says he found and reported a critical vulnerability in a gambling website that could have allowed a cybercriminal to withdraw “infinite money”.

He was paid $2,500 for his efforts, he says, not enough to put off a would-be teenage cybercriminal.

“They need to up payments by double to triple, in my opinion, then I think there’d be more incentive to do them,” says Harris.

Handschumacher put it plainly: “You’re going to either make a million or a thousand. I guarantee you, 99% of 16-years-olds are going to take the million.”