A former teen hacker who stole nude photos from Paris Hilton’s cellphone and swiped a half million dollars from unsuspecting consumers tells NBC News – and his most famous victim -- that he’s sorry for what he did.
“Paris, I’m sorry I put your information online,” said Cameron Lacroix. “I should never have done it. I wouldn’t want it done to me.”
But Lacroix, now 26 and about to report to federal prison to begin a four-year sentence, warns that despite security upgrades at major retail chains that have been victimized, he could do it again.
“It was easy. Too easy,” said Lacroix, who doubts the fixes are enough and believes big companies are “absolutely” still vulnerable to hacking.
In a 10-year criminal career, Lacroix, a lifelong resident of New Bedford, Massachusetts, has done everything from hacking the Twitter account of Burger King to forging gift cards to stealing thousands of credit card numbers. He’s even hacked federal law enforcement databases. Authorities estimate that Lacroix, who was known by online handles like “cam0” and “Freak,” has done more than $1 million in damage to private firms.
But Lacroix, a computer obsessive since age 11, says he that when he began hacking he didn’t think he was committing crimes. “It was like a game,” he said. “Like a challenge, I guess.” Hacking was also a refuge from his unhappy home life. His mother died of a drug overdose when he was young, and he dropped out of high school.
Lacroix’s most notorious exploit was among his first. In 2005 at age 16, he became the first hacker to break in to a celebrity cellphone when he cracked the code to Hilton’s Sidekick.
“It all started because I wanted a T-Mobile phone,” he said. “Once I got in there, I realized, ‘Hey, I have access to everybody’s stuff!’” After Hilton did a commercial for the Sidekick, Lacroix guessed she probably owned one. “Sure enough, it was under her name. I went into it and was shocked at what I saw.”
Lacroix published Hilton’s phonebook and messages on the Internet and dumped a trove of nude photos on a website. He watched as the hits started coming.
Hacking gave him a high and a sense of recognition. “I wanted to be a celebrity,” he said. When the Hilton photos went viral online, “it was mind-blowing for me. … I felt famous.
Among those who noticed him, however, were federal officials. They arrested Lacroix and six associates. Lacroix pleaded guilty to hacking Hilton’s phone and making bomb threats to two high schools, and also admitted attacking the LexisNexis database. He served 11 months in a federal juvenile facility, and soon after he got out was sent back to serve more time for violating the terms of his supervised release.
Before he was 21, he was sent to prison again after pleading guilty to racking up thousands in phony gift card purchases. The gift cards were purchased with stolen credit card numbers, but cashiers wouldn’t challenge them – an easy end-run around corporate security.
“[The cards] had no name on [them],” he explains. “The cashier would say, ‘Jeez, you know, it’s $600, $700 worth of stuff.” Then they’d see the gift card and relax.
“You don’t [need] an ID. Nothing. All that matters is that someone else’s information is on that magnetic strip.”
Lacroix walked out of a federal halfway house in 2011 at age 22 having spent most of the previous five years in state and federal custody. He enrolled at a local community college. But he didn’t go straight.
Instead, Lacroix lived off the grid. “My license went to a P.O. box. I wouldn’t tell anybody where I lived. I always used wireless Internet so I couldn’t be tracked. I had no bills under my name.”
And he kept hacking. Armed with little more than a $300 Toshiba laptop from Best Buy, he went back to stealing money with his skills, and used some of the funds to underwrite his growing dependence on opiates.
He still sounds excited when he talks about hacking, and with the help of a social worker he’s trying to understand the allure it holds for him. Both he and the social worker think there’s a clear link to his drug use.
“[You get] the same pleasure. The same reward,” Lacroix said. “That challenge of getting in. It’s just like, ‘Wow.’“
Lacroix stole 14,000 credit card numbers from online retailers, adding to what he thinks is a lifetime total of $500,000 or more in thefts from consumers. Other feats of hacking, however, just seemed to feed his need for a rush.
He hacked into state and local police databases, looking for warrants and arrest records and learning the identities of confidential informants, and through those databases gained access to the FBI’s National Crime Information Center. He changed his grades and his friends’ grades at the community college.
Then, on Feb. 18, 2013, Lacroix took over Burger King’s Twitter account. He replaced the fast-food chain’s logo with McDonald’s golden arches and said that Burger King had been sold to its competitor because “the Whopper flopped.”
The feds knocked on his door this summer. He wasn’t as off the grid as he thought. His need for a rush was sending him back to prison. “It’s really difficult to think about,” he said. “All this wasted time, just for that. Just for a few laughs, just to feel good.”
On Oct. 27, he was sentenced to four years in federal prison and three years of probation for the credit cards thefts, the grade changes and $200,000 in damage to Twitter and another online company. He reports to prison next month.
When he gets out of jail in 2018, he’ll be 30. His plan is to put his skills to work for the other side. He’s already taught the FBI some of his tricks.
In a statement, the Office of the U.S. Attorney for Massachusetts confirmed that Lacroix had provided information on his techniques since his arrest. “It is fair to say he spent time with law enforcement to discuss how he did the hacking and the vulnerabilities he discovered in the systems that he hacked,” said the statement. “This was looked upon favorably for the sentencing.”
Lacroix hopes that, after his release, he can also provide his expertise to major companies, much as famed check forger Frank Abagnale, whose life story became the film “Catch Me If You Can,” did after his arrest and imprisonment.
Said Lacroix, “I’ve caused a lot of harm. I’ve got to fix this.”
For now, Lacroix warns consumers that their credit cards may still be vulnerable, despite increased security precautions. He believes the data might be accessible even if it’s encrypted.
“It’s got to be decrypted at some point,” he explained. “That’s when you go in.”
Lacroix also advises parents to learn from his example and watch for clues that their kids have become hackers, like he did before he’d even finished middle school. “If they’re on their computer and it’s affecting their grades,” he said. “If they lock themselves in their room and sit online all day.”
“These are signs. They need to be noticed, and they need to be acted upon. Immediately.”