In some ways Juvi is just an average eighteen-year-old. He speaks in short, brusque sentences. He works as an artist at a tattoo parlor. He was born in the U.K., but he now shares a loft with his girlfriend in Spain. He spends a lot of time on the Internet, and he sometimes says mean things to people online.
In other ways heâs a little bit different: Juvi claims heâs hacked into hundreds of accounts on Xbox Live, YouTube, AIM, PayPal, and various other services over the past few years. And he could probably get into your Netflix account right now.
Juvi, who prefers to use that Internet handle rather than his real name, uses whatâs called social engineeringâthat is, phishing for information from customer support representativesâto reset e-mail addresses, change passwords and get into other peoplesâ personal accounts. Heâs done this for quite some time now, and he says heâs made thousands of dollars doing it.
Juvi used to be able to get into just about any Xbox Live accountâand he can still get into someâbut he says Microsoft has clamped down on security for their gaming console in recent years. Other companies arenât quite as vigilant.
During a conversation on Skype earlier this week, Juvi let me listen in as he convinced a Netflix customer support representative to give him the password to someone elseâs account. It was frighteningly simple; all Juvi needed was the e-mail address of his targetâeasy to find on AIM, YouTube, or any other social networkâand a full name, which anyone can get by entering an e-mail into Spokeo, an online phone book.
Walking me through the process, Juvi pulled up an e-mail address for an account he had previously stolen. He already knew the password, but he wanted to show me how easy it was to get it reset on Netflix. So without giving me any other info, he had me enter the e-mail address on Spokeo. A few seconds later, I had the full name of the guy who owned the original account. That was all we needed. Juvi loaded up a conference call and dialed up customer support.
âThank you for calling Netflix,â said the representative. âWhat can I do for you today?â
âUm, I forgot the password for my Netflix account,â Juvi said. âIs there anything you can help meâto reset it?â
âYes I can,â said the representative, asking for the e-mail address. Juvi gave it to him.
âAnd who am I speaking with?â asked the representative. Juvi gave him the account ownerâs name.
âGive me one second here to plug in the information⊠I see you started an account in April of 2010âhave you had an account since then?â
âNo, I havenâtâI did create the account a long time ago,â Juvi said.
âOkay, so that was two years ago, correct?â
âCorrect.â
âOkay, I was just making sure that you- that I didnât pull up the wrong account and that you may have another one that has more recent activity on it,â the representative said.
âYeah, okay,â Juvi said.
âGive me one second here and Iâll reset the password for you,â the rep said. âAlright, sir, if you would just go to Netflix.com for me and click on âNetflix sign-inâ in the upper righthand corner?â
âOkay,â Juvi said.
âOnce youâre there, youâre set to log into your account,â the rep said. âPut in the email address you gave me, and then your password will be 1-2-3-4-5 and let me know if that works for you.â
âYeah, that worked.â
âOkay then, so youâre good to go,â the rep said.
And that was that. I tried to log onto this Netflix accountâsomeone elseâs Netflix accountâwith the new â12345â password. It worked. I started to feel supremely guilty, like I was entering someoneâs house without their permission and looking through their things. I quickly closed the browser.
âThis account doesnât have a credit card added,â Juvi told me, âbut if it did, you could see the last four digits.â
Scary stuff.
The Xbox Hacker
Three or four years ago, Juvi stumbled upon a website that had been defaced by some group of hackers. âHacked by [some name],â it read. Juvi was immediately interested. He googled the name and found a forum for people who like to do illicit things on the web. Posting a new thread to introduce himself, he asked where beginners should start off. A few people suggested keyloggers, devices that can track a targetâs key strokes and keep a printed record of their passwords and credit card information.
âI just thought it was pretty cool,â Juvi said. âI just thought that it seems pretty easy to get access to somebodyâs account, and when I started Xbox Live I would get host-booted offline, so I wanted to be the one to host-boot them back, like get revenge or whatever.â
(âHost-booting,â a phrase first made popular by Halo 3 users, is slang for kicking someone off Xbox Live.)
STAY SECURE â Thereâs no surefire way to stave off hackers, but here are tips for dodging some common hacking methods:
Use different e-mail addresses for your social accounts and important services. Keep your Twitter e-mail different from your PayPal e-mail.
Two-step verification is your best friend
Donât pick easy security questions. Make sure the answers to your security questions arenât Googlable.
Share as little information as possible on your accounts.
If someone calls you up and says theyâre from Microsoft, donât believe them.
Keyloggers werenât enough, though; in order to get into peoplesâ Xbox Live accounts, Juvi had to try different techniques. Heâd guess peoplesâ security questions, many of which were mindbogglingly easy to answer. And heâd mine for details, either googling or calling different customer support representatives and phishing for different bits of account info from each one.
âIf you can find the name of somebody, you can find their e-mail,â Juvi said. âFrom their e-mail you can see if itâs connected to an Amazon account, PayPal maybe, even Netflixâanything that stores credit card information. And then all you need is the last four digits.â
Sometimes Juvi would set his sights on gamers. Heâd call up Xbox customer support pretending to be a Microsoft employee, then say something like âHi, Iâm John Doe from Tier 3 and my Customer Care Framework has crashed. Could you help me pull out some information on this gamertag?â
With a name, e-mail address, date of birth and the last four digits of their credit card, Juvi found it pretty easy to get into an Xbox account. That was all the information he needed in order to convince customer support to reset the e-mail attached to someoneâs gamertag. Microsoft has tightened security since then, though.
â[Now] you need the last console that it was signed in on, the console ID, the serial ID,â Juvi said, âand it takes one to three days for them to find out whether youâve got access to the account or not. You used to be able to just do it in one phone call, like straight up.â
These days, Juvi says he doesnât get into that many Xbox accounts. People are using other sorts of phishing techniques to get peoplesâ information, though: âYou can get information on that person and call that phone pretending to be an Xbox employee, say that you need their information for something, say someoneâs been trying to access their account and you need to confirm that theyâre the owner.
âBasically all you need for that is the e-mail and the secret question. You could reset the e-mail, sign into the Xbox accountâif you were able to get the console ID and the serial number, youâd be able to sign into their account easily. Thatâs pretty hard to do.â
In fact, Juvi added, âyou pretty much canât, unless you have access to their console or unless they tell you. Possibly some really, really dumb peopleâyou could get it out of them.â
Victims Who Deserve It
In July, Juvi hacked the YouTube account for SteelSeries, a gaming accessory manufacturer that distributes headsets, keyboards, and mice. He deleted all of their videos and posted a couple of his own.
âIt was actually really easy,â Juvi said. He got the e-mail address associated with the YouTube account, then went to to take a look. âI was gonna call up and get his e-mail reset, but the secret question was like something really stupid, like âwhen was Steelseries founded?â So I just googled it and it was right there.â
(I reached out to SteelSeries to hear their side of the story, but as of press time, I havenât heard back.)
Juvi deleted all of SteelSeriesâs videos, some of which are still missing today. âI had it for three weeks before they could get it back,â Juvi said, pride in his voice. âThey couldnât do anything.â
https://www.youtube.com/watch?v=ZtghC4AvHhI
âWhy target SteelSeries?â I asked.
âI donât like their headsets.â
âYou donât like their headsets?â
âI had one, I think it was a year ago, and it broke and they wouldnât give me a refund,â Juvi said. âThat simple.â
I asked if they had any way of knowing that he did it for revenge. âNopeâI was e-mailing them but they never responded.â
Juvi also took over YouTube accounts for a dubstep artist named Caspa, a Kim Kardashian video page, and a wrestler named Raven. (The victims were all able to recover their accounts later.) He defaced a website called Forum Revolution because the guy who owned it scammed one of his friends for $100.
Juvi says he still âjacksâ accounts on AOL Instant Messenger, particularly the ones with valuable, original handles. He says heâs made thousands of dollars selling them on the Internet. And he says he only takes the inactive onesâin fact, Juvi says, he took an AIM account recently and its original owner messaged him, so he gave it right back.
So why did he break into those celebrity YouTube accounts?
âI dunno,â Juvi said. âJust seemed fun.â
The Arrest
Juvi says in late August, he was arrested and put in jail for three days. Although Iâve been able to verify the majority of his other claims, I could not completely confirm the veracity of the following story. Juvi sent over parts of a court document, but he did not want to share specifics about his name and location, so we could not verify this with a police department.
About two months ago, Juvi was asleep at his momâs house in Spain when he heard someone pounding at the door. He woke up, got dressed, and went downstairs. Policemen were standing there with an arrest warrant, ready to put him in cuffs and drag him to prison. Juvi was charged with âunauthorized access and DDOS,â he says.
âI was kept in prison for three days,â Juvi told me. âI was in court and then I was on bail and I went back to court and I got let off because they couldnât tie me to the alias of Juvi⊠I was using a VPN that they could get logs from, and so they logged it back to my IP address, but obviously a lot of people are connected to that VPN so thatâs not really solid proof. â
A VPN, or a virtual private network, allows people to mask their info so their real IP addressesâidentification numbers assigned to every personâs Internet connectionâcanât be found. If not for that VPN, if the cops did figure out that Juvi was Juvi, the hacker thinks heâd be in jail for a while.
âI was kinda scared âcause I didnât know the outcome, I didnât know what evidence they had,â Juvi said. âIf they actually had my IP addressâmy solid IP address, not the VPNâthat was pretty muchâŠ
âI always use a VPN and then I go on a Tor browser. They couldnât really track it connecting to websites or logging into the accounts.â
I asked why he had to stay in jail for three days. Shouldnât he have been able to get out on bail? âI think I couldâve⊠but I dunno. My momâmaybe she was punishing me.
âShe was shocked,â Juvi said. âBut I wasâIâm 18. So I guess she just lets me get on with what I do.â
Juvi says his parents have gotten used to his activities. They canât do much now that heâs out on his own. And he says heâs going to keep hacking, keep breaking into peopleâs accounts. Heâs still snagging accounts and websites from enemies and people who piss off his friends. Heâs still defacing websites. Sometimes itâs just for money. Other times itâs just for âthe lulz,â as he put it in an e-mail to me.
âI donât hack peoples accounts as requests any longer,â he said, âmostly because Iâm not online as much as I was.
âBut if someone was to fuck with my friends online then they would get what they deserve.â
