Pathways to Criminal Hacking: Connecting Lived Experiences with Theoretical Explanations

Abstract

Background: Over the course of the last decade, cybercrime has become a significant global concern. A comprehensive approach to crimes that occur in cyber contexts needs to address not only the technological aspects of cybercrime but also the human elements. Therefore, the aim of the current research is twofold: first, to gain an in-depth understanding of the pathways that lead to criminal hacking behavior through interviews with current or former criminal hackers, and second, to explore how the lived experiences of these individuals fit within theoretical explanations of hacking. Method: Semi-structured interviews were conducted with a sample of ten current and former criminal hackers. Participants for this study were recruited through social media and hacker forums. Interviews were conducted from November 2023 to March 2024. Data collected during the interviews were analyzed through a process of thematic analysis. Focusing on the lived experiences of these hackers, a “pathway of hacking” behavior, expanding upon those proposed in research emanating from Europe, was identified. Findings: Notably, the current study found that young males who are curious and creative in childhood, experience destabilizing events, and develop an early interest in technology are well placed to follow the pathway to criminal hacking behavior. Online gaming was identified as a possible gateway to criminal hacking activities. A sense of overcoming a challenge, being elite, and having “control over the machine” encourages youth to continue criminal hacking activities. In addition to the identification of a criminal hacking pathway, an integration of existing cyberpsychological, psychological, criminological, and sociological theories is presented to provide a theoretical explanation for the initiation, continuation, and desistence of criminal hacking behavior. This work represents the first effort to present an integration of theories (e.g., Social Learning, General Theory of Crime, Flow, and the cyberpsychological theoretical construct of the “Online Disinhibition Effect”) based on the stages of the criminal hacking pathway.

1. Introduction

Over the course of the last decade, the continuous growth of cybercrime has become arguably one of the most significant concerns for governments across the globe [1]. With technological advancements arguably surpassing society’s ability to effectively regulate cyberspace and appropriate use of technologies, global societies find themselves in a precarious state of near-constant vulnerability [2]. While enhanced cyber security is of the utmost importance in the protection of computer systems and networks, practitioners need to move beyond a technology-centric approach to combating cybercrime [3]. This view is supported by Lundie et al. [4], who argue that there is a significant psychological element to cybercrime. Comprehensive understandings of cybercriminality require multidisciplinary frameworks which integrate the research emanating from the fields of cyberpsychology and behavioral science with that from the computer sciences [5,6]. The volume of empirical research on cybercriminals is considerably low, with many of the existing studies based on convenience samples of college or university students (as identified in [7]). Therefore, there is a need to establish a more comprehensive understanding of cybercriminals through focused empirical study [8].

The lack of standardization in the conceptualization and defining of cybercrime as previously discussed by Phillips et al. [9] has complicated research efforts and the application of theoretical frameworks. Cybercrime is a broad term that has been liberally applied to a diverse range of criminal activities that are cyber-dependent (e.g., distributed denial of service [DDoS] and unauthorized access to computer system) or cyber-enabled (e.g., online child exploitation and online frauds and scams) [8,10,11,12,13,14,15,16]. Existing research has arguably encountered challenges in terms of precisely identifying activities included in the researchers’ definition of cybercrime and/or the fact that various cybercrime activities have been somewhat conflated. In order to understand the nuances of cybercriminality, it is necessary to acknowledge the heterogeneous nature of cybercrime and offender populations [17,18,19].

1.1. Research Exploring Cybercrime Pathways

There is a dearth of literature that focuses specifically on the pathway (initiation, continuation, and desistence) of hacking behavior [8,13,20]. Behavioral research often invokes the concept of a pathway to represent “how life experiences, often beginning during childhood, lead to criminality in adolescence or adulthood” [21]. Since 2016, there have, however, been a few seminal studies out of the United Kingdom, the Netherlands, and Australia that provide initial insight into the pathways to cybercrime and the foundation for additional research in this area [8,22,23,24,25,26,27,28]. The data informing these studies include interviews with experts in the field of behavioral and/or computer science [22], youth case histories [22], youth or student samples [8,23,25,26], and youth under caution for their behavior online [27,28]. Out of the literature reviewed, only the research undertaken by the National Crime Agency in the United Kingdom [27,28] was based on samples of individuals known to be involved in cyber-dependent offenses.

Each of these studies, as well as research studies exploring specific correlates of hacking behavior [14,20,29,30,31,32], identifies key elements on the pathway that can lead young people into cybercriminal activity. Early studies exploring the pathways to cybercrime identified key elements as the following: an early interest in and aptitude for technology [20,22,27,28,31], connection to a network of like-minded individuals [14,20,22], importance of building one’s reputation [22,28], the development of addictive-type behaviors [22], and the presence of autistic traits [27,28]. Interestingly, in their study of adolescents in the Netherlands, Kranenbarg et al. [25] found that youth who commit cyber-dependent offenses do not seek out peers based on shared delinquency. This finding opposed the importance of connecting to a network of like-minded peers within the pathway to cybercrime [14,20,22]. In a discussion paper authored by the National Crime Agency [33], the importance of online gaming and cybercrime victimization were highlighted as significant gateways into cybercriminal activity. Previous studies have also identified the significance of gaming [24,25,26,27,28,29,30,31], while the connection between victimization and perpetration of cybercrime was highlighted by [12].

Spending a considerable amount of time online, particularly if unsupervised, was identified as a contextual element of the pathway to cybercrime [24,26]. Additional contextual elements included disengagement or disinterest in academics [20,31,32] and exposure to domestic violence [26]. Extant research shows that young perpetrators of cybercrime tend to be intelligent children, whose level of intelligence is incongruent with their academic performance [20,22,27,31]. Xu et al. [20] noted that youth engaged in cybercriminality tended to prefer enhancing technical skill over participation in traditional education [20,22,26,27,32]. Maras et al. [26] identified a correlation between domestic abuse among parents and child involvement in cyber offending. In a recent addition to the literature, Aiken et al. [23] explored the intention to hack among youth. The study found that the intention to hack and perceived behavioral control are the most important predictors of hacking behavior [23].

While there are differences in the identification of important factors regarding pathways to cybercrime, researchers generally agree that becoming a hacker is a process which is consistent with historical research on developmental pathways into delinquency [34]. Steinmetz [35] (p. 2) refers to the pathway of cybercrime as a “process of becoming”. Research supports that this process can begin at an early age [36,37,38]. Therefore, a greater understanding of the process of becoming a hacker and the individuals who find themselves on the pathway to criminal hacking can help to inform more effective prevention, intervention, and deterrence strategies.

1.2. Theoretical Explanations of Hacking Behavior

There has been some debate as to whether cybercrime should be viewed through the same lenses as traditional crime—“old wine in new bottle” [39,40]—or a new crime type—“new wine, no bottles” [41]—requiring new theoretical explanations [42,43]. While this debate continues, researchers have attempted to establish the scientific value and relevance of a number of different traditional theories emanating from the field of criminology, psychology, and sociology, including, for example, the General Theory of Crime (GTC) [44], Routine Activity Theory (RAT) [45], Social Learning Theory (SLT) [46,47], Theory of Planned Behavior (TPB) [48,49], Reinforcement Sensitivity Theory (RST) [50], and flow theory [51,52]. These efforts were followed by the establishment of more contemporary theories in cyberpsychology, such as the Online Disinhibition Effect (ODE) [53]. The ODE is a key construct in cyberpsychology and behavioral science which argues that individuals may behave differently within a cyber context than they would in the physical world as a result of feeling disinhibited. The feeling of disinhibition is heightened by a perceived sense of anonymity when online [53,54].

Back et al. [55] provided an empirical test for the effect of low self-control and social bonding among a sample of 18,985 youth across eight countries. Their findings demonstrated that self-control and social bonding are significant factors in the perpetration of juvenile hacking. In fact, low self-control increased the likelihood of hacking in every country by a range of 37% to 86%, demonstrating the generalizability of this factor globally [55]. Research exploring the applicability of RAT has obtained mixed results. Leukfeldt and Yar [17] found that while aspects of the theory may apply to cybercrime victimization, the applicability of the theory varied by type of cybercrime and that not all elements of the theory can be applied.

Hollinger [56] found that peer involvement and a perceived certainty of getting caught were strongly related to participation in cybercrime. These findings were supported by a number of subsequent studies [14,57,58,59,60]. Nodeland and Morris [58] explored the mediating and moderating effects of self-control on the learning process and found increased levels of self-reported association with deviant peers (both online and offline) and holding definitions favorable to crime positively influenced involvement in cyber offending. Less commonly, the TPB has been explored as an explanatory framework for cybercrime [23,61]. Previous research has found support for the influence of moral obligation on attitudes and intentions and perceived self-efficacy on one’s intention to hack [23,62]. Palmieri et al. [63] found support for RST, identifying a positive association between reward interest and the decision to engage in cybercrime.

Beveren [64] is a proponent for the inclusion of flow theory in explanations of cybercrime. Woo [65] found that the experience of flow was related to both the frequency and type of hacking activities and that hackers who experienced high levels of flow were more likely to break into other’s computer systems or deface/alter websites. Jaishankar [43] argued that traditional theories of crime failed to fully explain cybercriminality and in response he introduced Space Transition Theory (STT). Assarut et al. [66] found support for STT, such that people were more likely to commit crimes in cyberspace than in the physical world. Like STT, the ODE recognizes the importance of the unique environment that is created in cyberspace and its influence on human behavior. Past research has found support for the ODE [12,67].

Efforts to provide a theoretical foundation for cybercrime have acknowledged the inability of any one theory to explain how some individuals become engaged, persist, and eventually desist in cybercrime activities [61]. Various researchers have suggested multi-theoretic explanations for cybercriminality [22,26,68,69]. Through their study on risk factors for juvenile cybercrime, Wissink et al. [32] found support for the integration of the General Theory of Crime, Social Learning Theory, and Kohlberg’s Theory of Moral Development.

Cyberpsychology informs a comprehensive response to cyber-dependent crime by integrating and addressing both the technical and human elements of cybercriminality. The aim of the current research is twofold: first, to gain an in-depth understanding of the pathways that may lead to criminal hacking behavior through interviews with current or former criminal hackers. The use of qualitative research methods will allow for a more in-depth understanding and detailed description of the study sample [70]. This research seeks to address the limitation of previous research in terms of examining hacking using college samples [14]. Second, is to explore how the lived experiences of a sample of current and former hackers fit within theoretical explanations of hacking. Previous studies have evaluated how specific existing theories map to cybercrime. This work represents the first effort to present an integration of theories based on the stages of the pathway to criminal hacking behavior. It is hoped that the knowledge gleaned from this study will provide a foundation for improved cybercrime prevention, investigation, and intervention.

2. Method

2.1. Sample

Ten participants self-identified as males between the ages of 18 and 55 years, with the majority of study participants being in their 20s (n = 6). The current study focuses on the lived experiences of individuals who self-identified as current or former criminal hackers, including both those whose criminal hacking behaviors were discovered by law enforcement and resulted in criminal justice consequences and those whose activities have remained undiscovered. In qualitative research, lived experience refers to knowledge based on one’s own subjective first-hand experiences, rather than on external constructs [71]. Participants came from diverse geographic locations including the Commonwealth of Independent States, Canada, United States, South America, Hungary, and the United Kingdom. Participants reported involvement in a variety of hacking activities including distributed denial of service (DDoS) attacks, unauthorized access to websites, harvesting credentials, ransomware attacks, and the buying and selling of stolen data. The most common activities reported by participants were harvesting credentials (50% of participants) and DDoS attacks (40% of participants).

2.2. Recruitment of Participants

A multi-faceted recruitment approach was employed for the purpose of this study. The lead researcher attended hacker conferences (i.e., Blackhat and DefCON) to become more familiar with the hacking community and make connections with current and former hackers. Efforts were also made to identify potential participants through cyber security and law enforcement personnel in North America. Perhaps the most effective component of the recruitment strategy, however, was establishing a presence in online hacker forums (i.e., Breached, Cracked, Dread, and Hacker Forums). In addition to posting recruitment messages, the first author created many posts over several months to spark discussion among forum members on issues related to the pathway and factors related to criminal hacking behaviors. While the discussion that ensued from these posts could not be included in the research due to a lack of informed consent, the discussion provided considerable insight into the community. This cyber ethnographic approach [72], a relatively new method of data collection, arguably helped the first author gain greater experience and credibility as a researcher in the field of cyberpsychology among forum members. Recruitment posts sought the participation of adult-aged individuals who self-identified as current or former criminal or black hat hackers. Examples of hacking activities (e.g., unauthorized access to a computer system, DDoS, phishing, spamming, etc.), were provided to clarify the definition of hacking being applied for this study. These strategies combined resulted in the conduct of semi-structured interviews with 10 individuals.

2.3. Semi-Structured Interviews

An interview guide was prepared by the first author based on an extensive review of the literature related to hacking. The guide was shared with a number of experts in the field to obtain feedback and refine and validate the interview prompts. Interviews were conducted from November 2023 to March 2024, either via an online meeting (i.e., Zoom) or a communication platform (e.g., Messenger, Discord, Telegram, Matrix) based on the preference of the participant. Providing participants with an option to conduct the interview via audio or text only proved essential to obtaining an adequate number of participants. The majority of participants opted to conduct the interview via text-based communication platforms. As anonymity was very important to most subjects, text offered greater identity protection. All participants were provided with a copy of the informed consent form, either as an attachment or copied into the messaging platform and were reminded that the interview was voluntary. To further protect anonymity, participants were not obligated to sign and return the consent form, but rather permitted to indicate in writing that they consented to the interview. All interviews were either recorded (audio) and transcribed or preserved (text conversation exported) to ensure the accuracy of data collection and allow for in-depth analysis. Each participant was assigned an identification number from one to ten preceded by the letter “H”.

2.4. Analytical Strategy

Thematic analysis was used to analyze the data collected during the semi-structured interviews. According to Vaismordi et al. [70] (p. 100), this qualitative method is appropriate to “contribute to description and interpretation of complex phenomena, developing and revising understanding, rather than purely verifying earlier conclusions of theories”. The process for thematic analysis originally developed by Braun and Clarke [73] was employed. Braun and Clarke [73] recommend a six-stage iterative process whereby analysis is accomplished through (1) familiarization, (2) coding, (3) generating themes, (4) reviewing themes, (5) defining and naming themes, and (6) writing up the analysis. The analytical approach was both deductive (interview prompts guided the analysis) and inductive (additional themes emerged through the data) [73,74]. Analysis was accomplished using both semantic and latent approaches, such that, in some cases, the words of the participants were explicit, requiring little interpretation. In other areas, a latent approach was necessary to interpret the subtext and assumptions underlying the data [73,74]. Vaismordi et al. [70] differentiate these processes as considering both manifest content (semantic) and latent content (themes) for the purposes of description and interpretation, respectively. The reliability of the thematic analysis was ensured by having sanitized interview data independently reviewed by an external researcher to ensure an appropriate identification of themes. Good agreement was found between the initial thematic analysis and the independent review. This study was approved by the Institutional Review Board affiliated with the institution of the first author.

3. Results

While each participant had their own unique life experiences, it was possible to identify themes across the ten interviews that established a pathway of hacking behaviors. These themes culminate to help explain when these individuals were first exposed to hacking, how they became involved in hacking activities, why they continued in these activities, and, in some cases, what lead to their desistence of criminal hacking behaviors. The assigned identification numbers will be used to identify participants and attribute quotations throughout the Results Section.

3.1. Personality and Early Childhood Experiences

3.1.1. Quiet, Creative, Anxious

Many of the participants described themselves as quiet (H2, H5, H10) or shy children who preferred independent activities over social interaction. Some of the participants described themselves in terms with slightly negative connotations, such as “quite dorky” (H1), “well, to be fair, I was weird” (H7), and “I was ah definitely awkward when I was a kid” (H5), while others simply identified as being a shy and reserved child. As stated by H10, “I was fairly quiet and reserved, I preferred to spend time alone either reading or using computers […]”.

During early childhood, the participants preferred Lego, action figures, puzzles, and card games. The majority of participants appeared to prefer toys that could be taken apart and put back together and/or allowed for the use of imagination and creativity. One participant was highly involved in music from a very young age, spending hours practicing a musical instrument (H5). A more introverted personality, along with a preference for toys that allowed for solitary play (or playing with siblings), is congruent with the reporting of many of the participants that they lacked social skills or suffered from social anxiety from a young age. H1 described being bullied in school because he was overweight and recognized himself as lacking social skills well into high school. H7 stated that he struggled socially in school and that he was perceived to be weird. Perhaps the most extreme example of the avoidance of social interaction came from H2, who saw “[…] socializing as a bit of an inconvenience […] in short, I just cannot relate to a lot of people”. Half of the participants indicated that they began experiencing anxiety in childhood. H10 reported that “throughout my childhood I had severe anxiety and frequently had panic attacks”.

3.1.2. Destabilizing Events

The majority of the participants grew up in a home with both parents and siblings. Three of the participants (H6, H8, and H9) had no father figure, growing up as an only child living with their mother or with their mother and siblings. One participant (H7) rotated between his mother, father, and grandmother. While several participants described themselves as having a “normal” or “regular” childhood (H2, H3, H4, and H6), the majority of participants went on to describe what has been labeled in this paper as destabilizing events. For the purpose of this research, destabilizing events are defined as situations or occurrences that have the potential to impact the physical, psychological/emotional, or social development of the child. The majority of participants were exposed to violence during childhood. Four participants were themselves victims of physical and/or sexual abuse perpetrated by a family member (parent, step-parent, or sibling). Others witnessed violence among the adults in their lives, with three participants witnessing physical violence between their parents.

Other destabilizing events experienced by participants included moving residences, troubled siblings, parent absenteeism, and health issues. H1 moved to a foreign country at the age of 12 years, having only a basic grasp of the new country’s primary language. His integration into his new school environment was difficult and he found himself the victim of bullying. For H7, a lack of stability came from being passed between the home of his mother, his father, and his grandmother and his parents not being overly involved in his life. This was coupled with the experience of neglect and emotional and physical abuse. H3, H4, and H5 all experienced issues with their siblings. In the case of H3, his sibling struggled with drug addiction. This led to H3 being exposed to his sibling’s erratic behavior and their family home being burglarized several times. H4’s sibling displayed problematic behavior which eventually led to the sibling’s imprisonment. In the case of H5, both he and his sibling were placed in foster care at a young age. The sibling engaged in violent behavior and abused H5. After many years of incurred violent and sexual abuse, the sibling was removed from the home. H8 grew up in a single-parent household after his abusive father was removed from the home. He recalls being very poor and his mother being away from the home often as she needed to work nights to be able to feed him and his siblings. H9 never met his father. His experience as a child involved frequent residential moves and living with a mother who he describes as “narcissistic” and an abusive step-father. H10 developed a serious health condition as a child. This condition left H10 bedridden for over a year. He indicated that this illness led to him experiencing abuse and neglect and eventually he was diagnosed with post-traumatic stress disorder in his early teenage years.

3.2. Familial Alienation

While four of the participants have maintained close ties with some of their family members (H2, H3, H4, and H6), half of the participants report that they do not have close social ties with their family of origin. For these participants, members within their family of origin represent past traumas or significant disagreements. For H1, friendships have become more important to him than family as evidenced in his words, “[…] at the end of the day family can screw you worse than your worst enemy”. When asked about his relationship with his family, H10 replied, “By choice, I have no contact with them”. Similarly, H5 has established boundaries when it comes to his family of origin, opting to limit his contact to periodic messaging.

3.3. Early Interest in Technology

All of the participants indicated that they had an interest in technology from a young age, with all but one participant showing interest in computers before the age of 12 years. The participant reporting a later initial interest was the oldest included in this study. His age of first interest was likely influenced by the availability of home computers. He recalled seeing an ad for a computer during his childhood and he was determined to obtain one. The majority of the participants started using a computer between the ages of 4 and 8 years. H1 recalls being interested in technology (computers, mobile phones, etc.) from a young age, stating “I was fascinated with cell phones and technology in general” and “I thought it was magical”. Similarly, H3 indicated “I have always loved electronics, computers, gaming consoles”. While he could not remember the exact age that he developed this interest, he indicated that he was “super young”. H9 said “I became friend [sic] with computer [sic] so early” and “my mom said I could write my name on a computer before paper”. H10 was introduced to computers by a family member at the age of 4 years. He stated, “at age 6, I remember being able to navigate Windows pretty comfortably”. Similarly, H5 started using computers young and was able to write basic programs by the age of 8 years.

The participants’ interest in technology was generally supported by, or at least not discouraged, by the adults in their lives. In many cases, the participants had a greater knowledge of computers than their parents, leading to a reversal of roles, whereby the child became the teacher to the parent. H2 indicated that after teaching himself to use a computer, he was showing his parents how to use it, whereas H1 reported that his parents did not really understand what he was doing when he was online. H10 was encouraged from a young age to explore computers by a member of his family. Many participants were provided with unsupervised access to computers, with several stating that they had a computer of their own by the age of 8. H2 explained that his parents saw how happy he was when he was on a computer and they perceived it to be a harmless activity. “They let me on it for two to three hours a night”.

3.4. Significant Time Spent Online

Computing was often a core activity in the lives of the participants. Spending a significant amount of time online is something that participants had in common. The majority of participants reported spending more than 8 h per day online. For more than half of the participants, the number of hours spent online per day was 12 or more. As young people, some of the participants reported being online almost constantly (H1, H2, H3, H7). A few of the participants spoke of binges or coding sprees that would last more than a single day. H2 said that it was normal for him to spend 18 to 20 h a day online and that there were times when “I went on binges for days at a time lol 48 h was not unusual”. H3 recalls times when he would not leave his computer for 30 h straight before taking a nap so he could get up and hack again. H5 reported engaging in coding sprees that could last for weeks (with sleep periods).

3.5. The Juxtaposition of Unlimited Freedom and Power and Control

The participants’ interest in computers was likely fostered by their perception of the computer as a means of accessing unlimited knowledge, freedom, connection to like-minded others, and a safe space. When asked what they liked most about computers, many of the participants expressed a liking for the ability to access unlimited knowledge online. The computer was seen as a source of “unlimited informational knowledge” (H1) where an individual could go to learn anything. H6 stated that he likes “the convenience of being able to access information from anywhere at any time”. This was echoed by H7 who liked “the endless stream of information about anything I could ever think of”. H10 stated that computers have made knowledge free and accessible to all. The computer and internet offered a safe space for having questions answered in the absence of judgment and a space to find others with similar interests. H1 indicated, “I had a lot of questions and some questions you don’t ask your parents and your parents don’t know and the internet, you can Google it. You can research it. You can find another person who had the same question as you years ago”.

Not only was the computer seen as providing free knowledge; it was also seen as a providing a sense of freedom. H5 and H8 both expressed the idea that computers equal unconstrained freedom. For H5 this was expressed as “the very fact that you can build whatever you imagine. So, you’re only limited to your imagination”. While H8 spoke of “the freedom you got with them. You could tinker around on computers”. Beyond freedom, some participants also enjoyed the sense of control that they obtained from computing. H4 spoke of being able to get the machine to do whatever he wanted. “Here’s a world where I could go in and create what I want and completely control everything that I see. I think it had something to do with having the power to control it and bend it to your will”. This sentiment was echoed by H5 and H8, who spoke of being able to perform functions on the computer that the developers had not intended and the sense of power and control that comes from these activities. This desire for control appears to be juxtaposed to the feeling of a lack of power and agency that these individuals experience in society. A sense of inequality may be an important consideration for why many young people engage in hacking behaviors.

3.6. Computer as a Safe Haven

For some of these shy, quiet kids who lacked social skills, the computer was a safe space where they could meet others who had similar interests and could escape the stressors of the physical world. For H9, despite being an early adopter of technology, he was not even sure if he truly liked computers. They were a means to connect virtually with others who he perceived were more like him. For H2, computers and being online was an escape from life in the physical world. “At a young age I think it was escapism or something. Because I wasn’t interested with other kids in school. So they’d all go out and play, or go to birthday parties and I would sort of do nothing until I found the computer”. For H5, online was a space where in contrast to the physical world, he felt accepted and like he belonged. The internet provided a space where people struggling in the physical world could flourish. “I felt like the magician that could go in and out and people respected me and were like holy shit” (H5). The computer and internet offered a haven for some participants who were trying to establish a sense of belonging and independence and autonomy from the adults in their lives. It offered a place where a young person could seek information on topics that they did not feel comfortable speaking about to others in person. The computer was a non-judgmental confidante.

3.7. Academic Struggles

Many of the participants did not have a positive experience in the educational system. While some of the participants reported high academic performance early in their academic careers, many found school to be a place of social isolation and boredom. Many of the participants reported achieving high academic performance at least some of the time and in some subjects in school. H4 reported being an honor roll student, H7 indicated that he obtained As and Bs in school even though he did not study, and H8 and H10 were good students who obtained high grades. Two of the participants reported being identified as gifted and either skipping grades or attending special programs. Whether academically gifted or not, many of the participants found school to be boring and did not feel a sense of engagement. Participants recalled either not being academically challenged (e.g., “I found school to be extremely easy” H1) or finding the curriculum unengaging and boring (e.g., “From a young age I also found school a bit pointless. I was forced to do a lot of classes that I didn’t really see a point in”, H2, “School was boring and topics were boring, had no interest to learn”, H3, and “it was boring at times. Particularly lessons I wasn’t interested in”, H8).

Even when participants were not academically challenged in school (i.e., found school to be easy), many (n = 7) demonstrated very poor academic performance (e.g., poor grades, dropping out or just barely graduating high school). Participants who started out doing well in school (n = 6) found that their academic performance began to suffer in high school. For several participants, grade 9 was a turning point in their education. For example, H5, who was previously identified as gifted, recalled “my grades started slipping ah mostly because I just didn’t give a shit. I stopped doing homework”. For some, they continued to excel in the classes that held their interest, but barely passed the rest (e.g., when asked about his grades, H2 stated “So when you look at my results, you see F, F, F, A*, F, F. There’s no in-between”). Others did the bare minimum just to pass (H3, H5, H7). For some participants, an intense and often all-encompassing interest in technology meant that by the time they were in high school, they were choosing to dedicate more time and effort to improving their technical skills and less to academic achievement. H2 disliked school and much preferred to spend time online, particularly playing video games. It was not uncommon for participants to report that during high school they simply stopped doing any homework (H1, H5) and started skipping school (H1, H2). “I am actually impressed that I didn’t fail anything because I never studied and I didn’t do homework” (H1).

Poor school performance often did not relate to intelligence. Some participants excelled in academic subjects that they found interesting. Performance was often a measure of the extent to which the participant found school unstimulating and/or pointless (i.e., learning subjects they did not perceive would be useful in their lives). The experience of bullying within the school system may also have impacted the academic performance of some of the participants. Four of the participants spoke of experiencing bullying in school. In describing his experiences, H1 stated “kids are devils. Honestly, kids are more cruel than inmates”. H2 indicated that he avoided school a lot and found the social interaction aspect of school challenging. H7 and H9 both described themselves as being the “weird” kid at school. H5 described a prolonged experience with bullying both in and out of school. His experiences included social isolation and physical attacks. He described his experiences as “I was always picked on” and “I would be kind of a loner for a long time” (H5). Only three participants (H2, H4 and H6) engaged in post-secondary education. Both H2 and H4 pursued post-secondary education in the information technology field, while H6 obtained a bachelor of science degree. The majority of participants ended their academic careers with a secondary school diploma. One participant did not complete high school (H10).

3.8. Participants in the World of Gaming

All of the participants were interested in video games at some point in their lives, although not all identified themselves as gamers. All participants began playing video games in childhood. For some participants, video games were an integral part of their childhood recreation/socialization. When asked about his childhood, H2 said, “I used to play online video games and that was mainly my life for a large quantity of time. I had few friends in real life, but we only connected because we all played video games”. H2 indicated that he would play video games for 12–14 h a day and his favorite game was World of Warcraft, describing the game as “a bigger part of my life than anything”. H3 remembers being 5 or 6 years of age and watching his sibling play video games. He described himself as being “addicted” to online gaming as a kid. H5 started playing video games on the family computer at the age of 8. H6 and H7 both loved online gaming as kids. H9 played games on his personal computer and H10 reported that he spent “a decent” amount of time playing video games as a child. Favored games included Minecraft, World of Warcraft, CS:GO, and first-person shooter games. The preferred platform for playing games was PC, although a number of participants also mentioned liking various versions of PlayStation.

From Cheating/Modifying Games to Hacking

The majority of participants indicated that they not only played online video games, but they also modified or created cheats for their favorite games. In fact, PC became a preferred platform for some participants because it was easier to pirate or modify games and create cheats in this environment. H6 indicated that he preferred playing games on PC because it was easier to pirate games. He stated, “I was into gaming as a child and was curious about changing game files to cheat at games”. Similarly, H3 moved from playing video games on PlayStation to online games on his PC, because he wanted to be able to modify the games. Online video games were not yet available when H4 was a child. While H4 would not describe himself as a gamer, he did enjoy video games and eventually developed the skills to break the protections on video game disks so that he could copy the games and sell them to others. Selling bootlegged copies of video games was a source of revenue for H4 and allowed him to build his game collection. For H2, as he honed his video game playing skills, modifying and creating cheats was a natural progression. He stated, “But to be honest, I tried to modify or cheat on every game I played” (H2).

For many participants, online gaming was a stepping stone on the pathway to hacking. Even though H1 did not identify with the label of gamer, he did play video games as a young child. He orientates his interest in programming as a response to the family computer being too inferior to play desired video games. A direct link between game playing and criminal hacking is made by H2, who said “eventually I got really good at it and the game is ultimately how I got into the whole cybercrime aspect of my life”.

3.9. The Influence of Online Forums and Friends

For many participants, their love of gaming, modifying video game code, and developing cheats was the gateway to further hacking behavior. As one participant put it, “I was always adjacent to it in Xbox hacking forums, it wasn’t much of a leap” (H7). The primary acquisition of technical knowledge for the majority of the participants was a process of trial and error and self-directed learning. As described by H8, “we wanted to know like, things didn’t come with instructions. You just had to figure it out”. While one participant reported being taught at a very young age by a family member and another reported learning the basics in high school, all participants spent time actively seeking the information they needed to improve their hacking skills. Seeking information online brought all of the participants to online groups and forums. When asked about participation in online hacking forums, H5 replied “Yes it was constant. I lived on that shit” and H10 stated “Yes. I am on most forums/in most hacker communities”. Forums and hacking channels on end-to-end encryption messaging platforms (e.g., Telegram and Discord) were identified as a good source of information and knowledge where one could learn about techniques for specific types of cyber-dependent offenses (e.g., DDoS attacks or leveraging specific exploits). According to H1, “If you wanted to learn something specific you could for the right price. You could always contact the person and make an offer and just hope you don’t get scammed”. H2 indicated that he participated in forums and groups excessively, finding these online spaces to be useful for learning about cybercrime and networking with other criminal hackers. He described the existence of a reciprocal arrangement on forums, whereby “the more you gave, the more you got back” (H2). In his experience, people are very willing to share information on forums, particularly if you are also providing useful material. While H4’s engagement in hacking activities occurred before the emergence of many of today’s online forums and hacking channels, he described using online bulletin boards (the predecessor to forums) for learning techniques and marketing his skills and products.

As with H4, other participants used forums as a place where they could advertise their hack-related goods and services. H1 advertised his account hacking services on forums, while H3 identified as being an original member of an infamous marketplace where he could buy and sell hacking tools and data. Similarly, H10 uses forums for his hacking business, using embedded marketplaces to buy and sell data and access to computer systems. Beyond the learning of skills and techniques and the advertising of goods and services, forums are also a place for networking. While many of the participants espouse a motto of never trusting anyone online, it is clear that online gaming and hacking forums and channels were a source of social connection for many of the participants. A good example comes from H2, who does not enjoy in-person social interaction but was able to connect with other kids through online gaming. Several participants indicated that at some point in their lives they had more online friends than offline friends. H8 explained that while he has more online friends, he feels a stronger social connection to his offline friends. For some participants, online friends became off-line friends overtime. Trust-building online occurred through the demonstration of skill, having a good reputation score on forums, and naturally overtime through continued interactions. H8 described the process of trust-building as “You should never fully trust people online. However, I feel once you’ve met them in person, which I guess is a level of trust in itself. But I guess its just time. Time and how much they divulge to you as well”. For three participants (H3, H8, and H10), the online friendships were significant enough that they traveled, sometimes to foreign countries, to meet online friends in person. In fact, the friendship between H8 and an individual who he met through online gaming resulted in the friend inviting H8 to live together as roommates.

3.10. Motivated by Curiosity, Challenge, Thrill, and Money

Many of the participants expressed the notion that hacking was not a planned or intended behavior for them. Various desires and intentions resulted in the participants finding themselves on the hacking pathway. For H1, whose early hacking behaviors could be described as misguided private investigating, hacking grew out of a desire to help others and determine who in his life he could trust. His technical skill developed from a desire to improve his computer system, which was not powerful enough to play certain video games. For H2, hacking grew from a desire to access restricted video games and in response to being victimized by a DDoS attack while gaming. The notion that being a hacker was not the initial goal is perhaps best expressed by H3, who revealed “I didn’t wake up one day to be a hacker. It slowly happened over time”.

Like H1, many of the participants were initially motivated to learn hacking skills to solve a problem (e.g., gain access to expensive or restricted games, gain an advantage over an online gaming opponent, or improve their computer system to enhance functionality). The intellectual challenge of hacking also attracted many of the participants. H10 stated, “I enjoy the challenge. The research and techniques are fascinating…” Some participants reported feeling a sense of accomplishment when they could overcome an obstacle. According to H5, “So if it was harder to do, I love that challenge”. For some participants, hacking was viewed through the lens of game playing. Both H1 and H8, compared hacking to solving a puzzle, “you got a very big sense of accomplishment when you finally cracked the puzzle that was getting in and chaining all these weaknesses together to get where you needed to be” (H8). According to H5, “there’s a gamification to it”.

A few participants appeared to have an interest in cyber security or at least an interest in using their technical/hacking skills for prosocial feats. In his early hacking days, H2 uncovered a number of vulnerabilities. When he attempted to share these vulnerabilities with the system owners, he was largely ignored. H3 indicated that his dream job would be to work in cyber security, but he could not afford the schooling to become an ethical hacker. Both H5 and H6 expressed an interest in ethical hacking, stating “I wanted to be the good guy” and “I’m more inclined to learning for the sake of offering legal business”, respectively.

A sense of righteousness and the thrill of doing something taboo were also identified as motivations for hacking among participants. When asked about what motivated him, H8 indicated that it was his teenage sense of righteousness. “I guess maybe some dumbfounded sense of righteousness and wrongness in terms of ah maybe they did unethical things…” (H8). An ideological motivation for hacking was also identified by H3, who stated, “I hate banks and insurance companies. They legally rip and rob everyone all day”, and H9, who said “I don’t like corruption”. H3 also found motivation in the thrill of doing the forbidden. In his words, “I just love learning the dark side of things…and because it was taboo, it gave you a little rush too”. For H6, the thrill of hacking was compared to the feeling one has at Christmas. “I’m excited to exploit things. Giving yourself permission that you never had feels like Christmas” (H6). For H8, hacking was a bit like having the power of the Wizard of Oz: “it felt like you were looking behind the curtain”.

While several participants identified a financial motivation for hacking, the financial motive appeared as a secondary or tertiary motive that evolved overtime. What started out as curiosity, challenge, and problem-solving morphed into financial motivation once the participant realized that they could make money for their efforts. This was definitely the case for H1, who initially offered his hacking services for free to family, friends, and associates and only started charging after one grateful customer insisted on paying him for his efforts. For H2, monetizing his hacking activities stemmed from his disillusionment with companies who ignored his warnings about their vulnerabilities. He stated, “financial motive came because I didn’t know what to do with the access that I had to websites and servers, etc., so thought I’d monetize the information”. For H2, it was also a means of making money that did not require in-person socializing. H4 was initially motivated by the thrill of hacking but eventually monetized his skills. Similarly, H7’s entry to the hacking pathway was instigated by curiosity and the sense of fun he obtained from modifying games. His continuation on the pathway, however, was motivated by money. The pathway of H10 similarly began with an enjoyment gleaned from the challenge of hacking. H10, however, discovered that hacking is lucrative work. He stated that “…it definitely helps that I’ve made more money than I have in my entire life” (H10). The motive of H9 evolved into one of financial gain when he was unable to obtain legitimate employment and recognized that others were making quick money by monetizing their hacking activities. The motivations for hacking identified by the participants are summarized in Figure 1 below.

3.11. Being Part of the Elite

For many participants, online gaming and hacking activities introduced them to an online community where they could engage with like-minded others and feel a sense of belonging. While entering the community was generally easy, building a reputation came from being a trustworthy vendor or buyer and the demonstration of skill, particularly the ability to achieve technical feats not attainable by others. Part of the attraction to hacking was explained by some participants as being part of an elite group. Membership to this elite group comes from having knowledge that few are privy to and subsequently gaining an edge over others. H1 explains it as “its not something that anyone would know. It’s always good when you know something that the general public wouldn’t know. It gives you, almost like an edge”. For H10, hacking was not only a way to make money but also a means of creating a legacy. In his words, “if you’re good at what you do, you’re paid well and leave a mark”. For some participants, being part of an elite group online was a direct contrast to their inability to find such belonging in the physical world, where they experienced social anxiety and bullying. For H8, being able to thwart security measures to gain access to systems and information gave him a unique identity. “It somewhat made you special in a way” (H8). H5 experienced significant bullying during his childhood. For him, hacking introduced him to a world where he could be dominant and became an expression of ego. He explained that “…the smarter the system administrator ah the more fun it was for me because it was harder. Like it was egos”. H5 described feeling like a king and a master and explained “…they had terms like elite, you were elite”.

3.12. Hacking as a Game—The Abstraction of Victimization

A number of participants viewed hacking as an extension of game playing. Through this lens, it became possible to minimize the harm done and deny the victims of the cybercrime being committed. Much like the opponent in a game, victims could be identified as objects as opposed to people. This abstraction of the victim is well articulated by H2, who elucidated, “At the time of my offending, I saw people that I was blackmailing as an object that I wanted money from”. Abstraction was also accomplished through methods such as untargeted bulk victimization. For example, H3 did not feel that he had ever really targeted anyone in his crimes because he engaged in bulk spamming.

Hacking as game playing also allowed for victims to be perceived as antagonists, deserving of their fate. From this perspective the hacking of victims could be justified as appropriate action taken against a competitor (as was the case with H1 and H2) or defeating an inferior adversary (H2, H3, H7, and H10). H2 explains that hacks were the result of “poor programming practices and lazy security”. For H3, victimization only occurred to those who were “dumb enough to fall for it”. Similarly, H10 explained the ease of hacking Internet of Things (IoT) devices because people inherently trust such devices, and therefore you can exploit their weaknesses. H7 presented a unique perspective of shared responsibility for cybercrimes, when he stated that “it should be the people not paying for security that get punished as well as the hackers”.

Many of the participants expressed that it was easier to commit cybercrime because of the lack of any direct interaction with the victim. The absence of a face-to-face interaction further supported the abstraction of victimization and allowed for the use of minimizing techniques. As stated by H2, “there is massive abstraction and its partially why I don’t think cybercrime should be dealt with the same way as regular offending” and “I wouldn’t even be able to steal something from a store, yet online I was capable of blackmail”. The distinction between criminal hacking and other traditional forms of offending was supported by the lack of involvement by most participants in traditional forms of offending. The exception was involvement in driving-related offenses (street racing and speeding) and drug offenses (most often possession for personal use). When asked about their involvement in traditional forms of offending (defined as crimes that do not involve a computer), seven participants indicated that they had used illegal substances (marijuana, cocaine, MDMA). Only one of these participants admitted to selling illicit drugs to others (H7). Two of the participants admitted to involvement in other forms of traditional crime. H7 had committed criminal arson, while H10 admitted to perpetrating property offenses, including graffiti and shoplifting. None of the participants reported any involvement in violent interpersonal crimes.

3.13. The Biology and Mental Health Connection

In discussing their attraction to criminal hacking activities, some participants referred to the sensory experience that comes from biological processes (e.g., adrenaline and/or dopamine rush) and/or engaged in rhetoric that surrounds the abuse of pharmaceuticals or use of illicit substances (i.e., feeling of getting high). For these participants, hacking was not merely a form of recreation or business but a sensory experience that resulted as a result of the activation of biological processes. For H2, hacking provided a unique and desired sensation, “I couldn’t get that feeling out of anything else in life…I found it challenging and enjoyed the high that came from it”. H4 made a direct comparison between drug use and hacking when he said, “next kind of high you get from actually breaking into a system and gaining control and running it…It was like a drug”. The most nuanced and biologically driven explanation of hacking attraction came from H5, who acknowledged that for him, hacking produced both an adrenaline rush and much needed release of dopamine. During various times in his interview, H5 alluded to these processes and sensations. In his words, “It was an adrenaline rush for me because it was kind of illegal too, you have to be to stealth, right” and “It was the build-up of dopamine and the release…So there is definitely a high from it”.

Participants were also asked about their experiences with certain mental health conditions. As previously noted, a number of participants indicated that they began suffering from anxiety during childhood. When asked whether they had ever experienced anxiety, all participants identified as having suffered from some form of anxiety disorder at some point in their lives. Anxiety among participants often manifested in the form of social anxiety. While not as pervasive as anxiety, the majority of participants also reported experiencing at least one depressive episode in their lives. Only two participants indicated that they had never experienced or suffered from depression.

Autism Spectrum Disorder (ASD) and Attention Deficit Hyperactivity Disorder (ADHD) were also discussed with the interview participants. Only three of the participants identified as having ASD. Half of the participants indicated that they were either suspected of having or had been diagnosed with ADHD. A lack of attention and hyperactivity may not seem to be congruent with the ability to engage in an activity that requires prolonged concentration. The ability of hyper-focus on activities of interest, however, is a characteristic of ADHD in some individuals [75]. Three participants indicated that they were suspected of having or diagnosed with a learning disability. Interestingly, despite later being considered to be gifted, H5 was believed to suffer from intellectual impairment as a very young child. H3 was told that he has a learning disability and identifies himself as being a slow learner. H9 was identified as having special needs within the educational system. Half of the participants reported having comorbid conditions. A single participant reported comorbidity of all four considered conditions (ASD, ADHD, depression, and anxiety).

4. Discussion

4.1. Pathway to Criminal Hacking

The lived experiences of the participants inform the conception of a pathway of hacking behavior, which builds upon the pathways that have previously been identified in the extant literature [27,28]. Hacking behavior generally appears to begin with an early interest in technology. This interest leads to online game playing, the development of cheats and game modification, a virtual connection to like-minded others and self-directed development of technical skills and abilities. Intrinsic and extrinsic rewards cause a continuation of hacking behavior, which only ceases due to criminal justice intervention or a choice to redirect one’s interest. Figure 2 visually represents the pathway derived from the findings of the current study.

As with previous research [8,14,23,25,26,30,76] the current study found criminal hacking to be an activity dominated by males. It is possible, however, that extant research samples do not accurately depict the participation of female hackers within the cybercrime ecosystem. The sample in Wissink et al. [32] included female hackers who they found were more likely to engage in hacking activities slightly later in life (during college or university) compared to their male counterparts. Efforts to recruit self-identified female participants for the present study were not successful. It was clear from discussions within the forums that females tend not to identify themselves by their gender and some purposely use unisex or masculine monikers to avoid gender identification. This may be due to the sexism that exists within the male-dominated hacking community [77].

Young males enter the pathway at an early age and are permitted to spend a significant amount of time online, unsupervised [24,31,76]. Destabilization events may play an important role in relation to entry into the criminal hacking pathway, as these events provide a context that may leave youth vulnerable and isolated. The participants in the current study experienced various events ranging from bullying victimization, difficulties in the educational system, residential instability, parental estrangement, exposure to domestic violence, and physical or sexual abuse. Maras et al. [26] also found that exposure to domestic violence and disengagement from academics increases the risk of hacking behavior. In their study of the intersection between online risk and offline vulnerability, El Asam and Katz [78] found that vulnerable youth have a higher risk of engaging in high risk activities online. Fox and Holt [68] also recognized the importance of adverse experiences, such as being bullied, experiencing violence, and parental abuse of drugs and alcohol in delineating hacker from non-hacker youth populations.

Hacking skills appear to be acquired initially through self-directed learning and exploration [20,31,76]. Curious youth motivated through a desire to master the machine (power and control), access and excel in the online gaming environment, and establish a reputation in online spaces as being elite will seek the information they require to hone their skills. Online game playing and cheating at and developing modifications to games send the young hacker further down the path, introducing them to online hacking forums [22,24,25,26,27,28,29,30,33].

Forums offer young hackers an opportunity to connect with others who share their interest in technology and allow them to further develop their hacking skills. Most hacking forums incorporate a reputation ranking based on the skills and actions of the forum member [79]. This system contributes to the overall gamification of hacking activities for the young hacker. Just as completing challenges and acquiring points or desired objects in a video game leads to victory, overcoming security obstacles and perpetrating impressive hacking feats wins the young hacker a reputation of being elite. Such a feeling of accomplishment, power, and belonging may be particularly important to young hackers who have difficulty attaining such feelings in the physical world [22,27]. Much like a game progresses from easier to more difficult levels, as hackers develop their skills, they progress from less technical and sophisticated hacking activities (e.g., guessing a password), to more serious and technically complex hacks (e.g., stringing multiple exploits together to defeat advanced cyber security systems) [28,76].

While Aiken et al. [23] found that intention to hack was one of the most important predictors for hacking behavior, the participants in the current study did not generally start out with any intention to become hackers. The data would indicate that intention to hack developed as the young person moved along the pathway and experienced the rewards and benefits of the behavior. Few of the participants identified monetary gain as a primary motivation for their hacking activities. The introduction of monetary gain, however, was key to continuation on the hacking pathway. The current study included both current and former criminal hackers. Among the former hackers, desistence from criminal hacking came about either from the discovery of and interaction with the criminal justice system or through a process of maturation, whereby the individual became concerned about their future and decided to use their technical skills in more prosocial ways.

4.2. Integration of Theories to Explain the Hacking Pathway

Extant research has demonstrated that singular psychological, criminological, and sociological theories fail to adequately explain criminal hacking behavior [18,32]. The lived experiences of the participants of the current study support the need for a multidisciplinary approach, integrating various theories to explain different elements of the criminal hacking pathway.

Entry to the pathway appears to be highly influenced by self-control, personality factors (e.g., being highly curious and creative), vulnerability due to destabilization events, and a lack of appropriate supervision. Elements of the General Theory of Crime (i.e., self-control and opportunity) and Routine Activities Theory (i.e., lack of protective guardianship) layered with developmental psychology are thus supported as frameworks for explaining pathway initiation.

Continuation on the pathway appears to be influenced by connecting with other like-minded individuals, the experience of positive intrinsic (e.g., adrenalin and dopamine rushes, feeling of accomplishment, power and control) and extrinsic rewards (e.g., recognition by peers, financial gain), impulsivity, a lack of negative consequences, and an ability to rationalize and neutralize one’s behavior. Thus, support is found for the integration of Social Learning Theory, Reinforcement Sensitivity Theory, and The General Theory of Crime, as well as Deterrence Theory and Sykes and Matza’s [80] techniques of neutralization to explain one’s continuation on the criminal hacking pathway.

Once an individual has progressed to the later stages of the pathway, where their status as a criminal hacker has been confirmed through their own actions and the recognition of others, it appears that persistence may be the result of a more rational choice of balancing the costs versus benefits. Internationalizing the identity of a criminal hacker may also play a role. As such, it appears that continued participation in criminal hacking may best be explained through the integration and layering of Social Learning, Rational Choice Theory, the Theory of Reasoned Action and Planned Behavior, and Becker’s [81] Labeling Theory.

Desistence from criminal hacking appears to be a result of being discovered and experiencing negative consequences (e.g., arrest and prosecution) or of a process of maturation that allows the individual to consider their future and choose to avoid negative consequences. Deterrence Theory, Rational Choice Theory, and the Theory of Planned Behavior layered with development psychology provide insight into why individuals leave the criminal hacking pathway. An integration of existing theories considered along the temporal continuum of the development of hacking behaviors provides a better explanation of initiation, continuation, and desistence of hacking behavior. Figure 3 provides a visual depiction of how various theories may be integrated along the pathway of criminal hacking behavior.

Although some studies have found overlap between cybercrime and traditional offending [8,24,26,28], the current study supports the findings of Kranenbarg et al. [25] which reported that the majority of cyber-dependent offenders had not committed a traditional offense. Contradictory findings may stem from the specific samples studied, the method of study (qualitative versus quantitative) or differences in the offenses included as cybercrimes. The general lack of traditional offending behavior among the current sample lends support to Space Transition Theory, as well as the Online Disinhibition Effect.

4.3. Implications, Study Limitations, and Future Research

4.3.1. Implications

The findings of the current study, supported by previous research, suggest that criminal hacking behavior develops over time represented by a pathway that can begin in early childhood. Criminal behavior is often not an intended or planned action early in the pathway. Rather, a context of destabilizing events, an early interest in technology, a lack of online supervision, and competitiveness in online gaming lead young people into an online environment where they can learn hacking skills and meet others engaged in hacking activities. According to Aiken et al. [22] (p. 3), “Understanding the behavioral and development aspects of cybercriminality is becoming increasingly important, and underlies the necessity of a shift in focus from sanctions to deterrence and prevention”. A failure to consider preventive and deterrence measures will result in the criminalization of youth who may not be fully cognizant of the implications or legality of their actions [22].

Given that most of the participants in the present sample were spending a considerable amount of time on computers between the ages of 8 and 12 years, there is a need for the introduction of cyber education in the early years of schooling. Cyber education programs must be more comprehensive to teach youth not only the dangers of victimization in online spaces and proper online etiquette but also clearly articulate the legal boundaries in cyberspace. It is also important to educate parents and teachers of online risks and how to appropriately supervise children in online spaces. Education is a key component to cybercrime prevention efforts. Given the connection between online gaming and criminal hacking, the use of online games as a platform for education and prevention should be considered.

Removing barriers to post-secondary education for low-socio-economic-status youth may also change the trajectory of youth on the pathway to criminal hacking. Creating opportunities for more young people to pursue an education in information technology, computer science, and cyber security regardless of socio-economic status could help direct those with advanced technical abilities to prosocial uses of their skills. Early identification of youth who are engaging in risky online behaviors described by Aiken et al. [22] as “juvenile cyber delinquency” may allow for redirection before a particular youth moves too far along the pathway to hacking behavior. The creation of diversion programs could help redirect youth who have moved into minor illegal hacking activities. A diversion program would allow first-time offenders to avoid further engagement with the criminal justice system. Rather, these youth could be diverted to a program where their technical skills would be valued and developed in a safe space with appropriate mentorship and exposure to possible future career opportunities. The United Kingdom and the Netherlands have had some success with these approaches with their Cyber Choices (NCA, https://www.nationalcrimeagency.gov.uk/cyber-choices accessed on 22 July 2024) and Hack Right (The Dutch National Police, https://www.politie.nl/en/information/what-is-cyber-offender-prevention.html, accessed on 22 July 2024) programs.

The findings of the current research support the contention of previous researchers that there is a need for more empirically informed, transdisciplinary frameworks to explain cyber-dependent criminality [6,23]. This study provides a preliminary response to the need for an interdisciplinary framework that integrates the unique concepts and constructs of cyberpsychology for understanding cybercriminality.

4.3.2. Study Limitations

The current study provides some important insights into the pathways of criminal hacking behavior based on a diverse, albeit small, sample of current and former criminal hackers. The hacking community is particularly difficult for researchers to access [82]. This study is not without its limitations. Qualitative research methods are ideal for providing a more in-depth understanding of the individuals studied. These methods, however, often are more suitable for smaller sample sizes. Given the data collection method of interviews, it is possible that participants did not honestly represent their life experiences and criminal activities. To reduce the potential for dishonesty and responder bias, participants could remain anonymous, with the interviewer only aware of the participants online moniker. This study may also be subject to respondent bias [83]. It is likely that the individuals who volunteered for this study do not accurately represent the entire heterogeneous criminal hacker population. Advancements within the realm of technology and cyberspace occur so rapidly that it will be necessary to continually assess the pathways and theoretical explanations of criminal hacking behavior. The pathways identified today may not be relevant among future samples. Subjectivity is an element of thematic analysis. While a systematic process was followed and the analysis examined by an independent reviewer, it is possible that another researcher could identify different themes.

4.3.3. Directions for Future Research

It is important that future research attempt to replicate the findings of the current study using a larger sample and applying different research methods (e.g., survey). Replications should also be conducted based on samples from various countries globally. Future studies could also seek to assess whether there are differences in the pathway based on the specific hacking activities undertaken (e.g., initial access, DDoS, defacing websites, ransomware, etc.). Additional research is also required to determine whether there is an overlap between traditional offending and criminal hackers and cyber-dependent offenders when the sample is not intermixed with cyber-enabled offenders.

5. Conclusions

The current study has added to the state of knowledge regarding how youth become criminal hackers. Exploring the lived experience of current and former hackers elucidated a pathway to criminal hacking behavior from initiation to desistence. Building upon the pathways identified in extant research, the current study identified the importance of destabilizing events in the life of young hackers. These events often create a context in which online spaces become a sort of sanctuary. While young hackers navigate to spaces online where they can meet like-minded others, it appears that hacking behavior is generally initiated through self-directed learning and as a solitary pursuit. The current study also counters the common perception that hacking is primarily a financial crime. Curiosity, challenge, and a sense of mastery and control over the machine appear to be more common primary motivations for initial hacking behaviors. Financial motive appears to be secondary or tertiary and better explains the continuation of hacking behavior than its initiation. Early on the pathway, many participants elicited a desire to utilize their technical ingenuity for prosocial purposes. This suggests that effective prevention efforts should target younger youth (i.e., age 8 to 12 years), provide interesting technical challenges, and remove obstacles to a career path in cyber security. The lack of traditional offending among the majority of participants provides support for the online disinhibition effect and suggests that offenders of cyber-dependent crimes differ from general offender populations. It may be pertinent to consider whether traditional interventions and punishments are appropriate for individuals who engage solely in cyber-dependent offenses. Diversion programs for first-time offenders may provide an effective means of moving technically skilled youth off the pathway to more serious cyber offenses and toward a career in cyber security. This study has provided support for pathway research emanating from the United Kingdom and the Netherlands, suggesting a common pathway among criminal hackers in Western countries. It is hoped that the findings of this study will help inform novel cybercrime prevention and deterrence efforts.