On June 23, DataBreaches published the first of a series of interviews with Pepijn Van der Stap, aka “Umbreon.” Van der Stap, 21, was arrested in January and remains in detention, awaiting trial on charges that include hacking, data exfiltration, extortion, sale of stolen data, and money laundering.
At the end of the first article, DataBreaches invited people to submit questions for Pepijn. The first question, posed by one of his former colleagues, relates to the Hack_Right program and why Pepijn never really talked about it with them. For those not familiar with Hack_Right, it is a government diversion program intended to discourage cybercrime reoffending in young people who have already gotten into trouble and to encourage ethical hacking. The program’s partners include the Police and Public Prosecution Service (OM), Halt (the Netherlands’ juvenile crime agency), the Dutch Probation Service, and the Child Care and Protection Board. When the program opened in 2018, a number of companies volunteered to provide internships for Hack_Right participants.
Pepijn was reportedly one of the first young people to enter the Hack_Right project. But before we get to his experience with Hack_Right, the colleague’s question, and Pepijn’s thoughts on getting out of the scene when it feels impossible, we need to back up, because Hack_Right wasn’t Pepijn’s first encounter with the law stemming from illegal internet activities.
This interview was conducted in English by telephone over a one-week period. The transcript has been edited for length and clarity.
Dissent Doe (D): How old were you the first time law enforcement came knocking on your door?
Pepijn (P): I was about 12 when they made their unexpected visit. Memories of it only recently came back to me from EMDR therapy. I remember being in my living room and seeing the police looking in the window. I told my mother and we let them in. They met with her for a while, and I guess they were trying to explain to her what I had done. Then they met with me.
D: What had you done?
P: I believe it started over an argument on Skype. I got angry at someone and I used 40 websites that I had previously shelled to DoS him. But it turned out that his father ran a business from their home and my actions were affecting his father’s business. Our internet service provider had even sent a message to us a few weeks before the police showed up, saying there was unusual activity from our home network. Of course, my mother had no idea what that was about.
When the police came to talk to me, they told me that usually when they would go to a child’s house to talk to them, it would be for something like theft. They said this was the first time in their lives that they came to talk to a child about something on the internet.
D: You had shelled dozens of websites by age 12? How did you learn to do that and why did you even want to learn to do that at that age?
P: I pretty much taught myself when I was around 10. But at an even earlier age, I had gotten curious about things. Like when I noticed that when I logged in to a website, I could see my name in the corner of the screen. I wondered why other kids could see their names on their screens when we were on the same website. It got me interested in programming in PHP.
At around the same time, I got on Skype with the other kids I had been gaming with and I witnessed them shelling websites. That sparked more curiosity to explore it myself. I began researching and experimenting, which led me to discover my first n-day vulnerability which I decided to use. I could put some code on a website, but to be honest, I didn’t really understand what I was doing or what it could do. I was pretty much just a script kiddie at that time.
D: Did the police give you a stern lecture and a warning or threaten you with jail or what?
P: They let me off with a warning.
But that became a defining moment in my life. It stirred up a lot of emotions. I felt fear, shame, confusion, and remorse. A lot of other things happened as a result that sent my life on a downward course. I do not want to talk about those things.
D: That’s okay. So what happened that actually led to the Hack_Right program? How old were you and what had you done?
P: I think I was about 16.
I was going to a school for computer studies and I wanted to get a certificate. I was in the first year of the program and was really bored after a few weeks. So I did something to the school network. I’m not allowed to discuss details of what happened.
D: Did the school report you to the police? Are you allowed to say?
P: Yes. But the director of the school didn’t suspend me. They gave me an assignment to write out what I had done. I wrote them about 30-50 pages about their security and my recommendations. They were very grateful for that. I also had to give them something on my self-reflections.
So some good came out of it because the director saw that I was bored and was way ahead of the program. After the first few weeks in their program, they skipped me to the next year. He helped me get through the program much faster — like in two years instead of three or four.
I think it was about a year later — in 2019 or so — when the police finally got around to my case. I met with them, and they mentioned the Hack_Right project. They wouldn’t tell me how long I might be in jail if I didn’t choose to go into the program, so I went into it.
D: What was the Hack_Right program like at that time? From my reading online, it was supposed to give you some kind of assignment as part of it, right? How many hours each day or week did you work on this and for how many weeks or months were you in the Hack_Right program?
P: I was assigned an internship at a security firm. So I went to the firm’s office for two days. But because there was no NonDisclosure Agreement (NDA) forms for me to sign, they couldn’t tell me anything. So I couldn’t really do any work with them. I wound up just sitting in their office for two days doing Hack the Box on my laptop.
D: What happened after the two days?
P. That was pretty much it. I was required to do a presentation in Powerpoint with at least 5 slides about what I had done that resulted in me getting into trouble. I made the Powerpoint at home in 15 minutes. Then I went to talk to the people at HALT, made the presentation to them, and that was all. In total, I spent three days on Hack_Right.
D: That’s not what I expected to hear at all. Did anyone ever assess you for mental health issues that might be contributing to your illegal behaviors?
P: No.
D: Was there any counseling or training for you on how to avoid trouble?
P: No.
D: Did they offer any support or training to your family so that they could support you in staying away from temptation or trouble?
P: No.
D: Did they give you any handouts with resources or names and phone numbers you could call at Hack_Right if you felt you needed more help or support?
P: I tried to reach out to them a year later, but the person whose phone number I had been given was no longer there. So they didn’t even know whether I needed more help or what.
D: So how did they know when you were ready to graduate?
P: I did that PowerPoint presentation and that was it.
D: This is nothing like what I expected to hear. Did the Hack_Right program follow up with you at all — to reach out or touch base to see how you were doing?
P: No.
D: I was going to ask you whether while you were involved in Hack_Right, you were still engaging in illegal conduct, but it was only three days.
P: I don’t think I was for those days.
D: At what point did you start or resume hacking illegally? How long after you completed Hack_Right?
P: I think I completed Hack_Right around December 2019 or January 2020. That was around the time that I graduated from school. I had been trying to decide whether to get more education or get a job. But all schools were closed due to COVID, so I decided to get a job.
I was working from home for the job. Once it became boring to work from home, I started doing more illegal things again. I had been engaged in a few illegal activities even in 2016 and somewhat in 2017, but after this, I resumed activities and eventually became more active.
D: Boredom seems to be a recurring theme for you as a predictor. When you were talking with the police or HALT about Hack_Right before you went into the program, did they know what you had been doing even before the school network incident or they only knew about the school network incident?
P: Only about the school network.
D: Did they ever ask you whether you had ever done anything else illegal?
P: They asked me some questions such as whether I was active on 4Chan, but I don’t remember much more about it. I really don’t remember what I told them. It was a very stressful period in my life.
D: So when was it that you became a lot more active? The criminal charges allege you were active in August 2020 and after that.
P: I became somewhat more active in 2020, and then a lot more active at some point in 2021 when my skills improved. I had gotten involved in the scene and certain forums in 2014, but I was not really active in hacking until later.
D. On the day you finished HackRight, did you feel and believe that you would never engage in any illegal hacking again, or did you already know in your heart that you would go back to illegal hacking?
P: I didn’t know in my heart, but I knew for sure that I wasn’t going to cause any more trouble at school. Other than that, I wasn’t really thinking about hacking. I had a lot of other things on my mind like another internship that I had to do for school.
I can tell you that that evening, I reached out to the CEO of the company where I had done the two-day internship. I asked him for some information and support and he promised to send it to me, but he never did.
D: Some people from the firm you recently worked for and from DIVD say you never really talked to them about Hack_Right. Were you ashamed to discuss it or to have been in the program?
I don’t think that “ashamed” is the right word. But I didn’t want it to influence where I could get a job.
I felt really uncomfortable because some people from DIVD had come to me after I had done a conference presentation in 2022 and they told me that they knew what I had done to the school’s network years earlier. Once I knew that they knew, I felt self-rejection and shame.
Looking back on it now, I think it was their way of letting me know they were proud of what I had become, but at the time, it really struck me and I didn’t know how to talk to people about it, so I didn’t.
D: So they were trying to be supportive of you and encourage you, but you either didn’t recognize it at the time or just didn’t know how to respond? That’s sad.
D: I know you have some thoughts about how to improve the Hack_Right project to make it more effective. We agreed to hold off on that until you learn more about how the current project functions. But someone recently said to me that you can’t really blame Hack_Right for not following up with you because you were in the program at age 16 or 17 and your crimes were committed years later. Do you think that’s a fair point?
P: That’s definitely a fair point. I don’t necessarily think the program needs to follow up for years, and the length of follow-up can be individually tailored to the individual’s needs and situation. But it would be helpful if you could reach them and talk to them or get some advice or support if you are regressing into old bad patterns or behaviors. I was unable to reach them. Even now, it has been difficult to make contact.
D: Did you feel that the government somehow owed it to you to be available to you? Do you blame the government for not doing more to prevent you from hacking again?
P: I don’t feel the government owed it to me, no. I do feel like the system had failed me at times when I made an appeal to them for help years earlier. But I don’t blame everything on that or on the government. I made some choices during hard times and some of them I have to stand up for and own.
[Note: P. was referring to reaching out for help at age 14 on issues that he declined to discuss for this interview. He says he did not get the help he needed and things got worse. Those issues contributed to some choices he made, but he does not blame all that on the government or on Hack_Right, which did not even exist at the time.]
D: In many chats we had before you were arrested, you said that you wanted to get out, but it felt impossible. I’ve heard from some young hackers who read Part 1 of your interview where you said that. They tell me that they can really relate to that feeling of not being able to get out of the illegal hacking. Is there anything you want to say to them now — to the kids who feel quitting feels impossible?
P: Yes. I want them to read what I said before that my friends, my social network, my family, and my colleagues would have been there for me if I had reached out to them.
To those who feel trapped in the situation they want to escape, I want to say they should seek support from trustworthy individuals. Reach out to someone — to a doctor, or a teacher you trust, or even a lawyer, and tell them what you are doing and ask for help.
When you are engaging in illegal activities, you are trading your life — you give away your own life by doing illegal things. You think you can’t stop but you can. You can always stop. You can stop at this very moment in time. It is your choice to make. You will have to face the shame, but ask for help.
If you are a bit older, try to reach out to your family, especially if they were aware that you had been hacking in the past. Even though there is a big gap in knowledge between what you are doing and what they understand, if you let them know you need help, they might be willing to help you. Yes, you will have to face the shame, but ask for help.
One of the things that, in hindsight, I should have done was to get rid of my database collection and login credentials because they made it too easy for me to continue in the scene and to get a reputation that made it even harder to walk away. If you’re trying to stop, think about getting rid of databases and login credentials. It will feel terrible at first like giving away all of your Pokemon cards – even the shiny ones – but it can help you break away from the scene.
And if you are hacking because of personal or mental health issues, it may help to seek therapy to help you deal with any traumas and build up resilience. You will get stronger and it will be easier to resist illegal activities. Make the time to take care of yourself. I didn’t do that when I had the chance to seek therapy and I regret it now.
Safety Note from Dissent: Many young hackers who have contacted me are on prescription medications and also use recreational drugs. Their prescribing physicians usually have no idea that their patient is struggling with hacking and other issues. Some have told me that they are on antidepressants, but their physician has no idea that they are getting manicky while hacking. Some antidepressants can trip people into hypomania or mania. If you are on meds or recreational drugs and struggling emotionally or struggling to get out of the scene, try to talk to your doctor privately. But FIRST: if you are concerned about your parents finding out, ask the doctor if they can keep what you tell them confidential and not even tell your parents. The laws about confidentiality vary by country and area. Keeping what you tell them confidential for now will help you talk more honestly to them, and perhaps in time, if it is safe to do so, they can help you open up to your family about what’s going on.
Pepijn gave you good advice about reaching out to trusted people for support, and I hope you do that, but keep yourself safe by first asking about confidentiality, especially if you are in a domestic situation where you might be at risk of physical abuse.
If you have something specific you would like Van der Stap to address or talk about in future interview sections, you can send your questions to breaches@databreaches[.]net.