A cyber prodigy defended companies against intrusion while continuing to amass data through a series of his own hacks.
By Ryan Gallagher Photo Illustrations by Vartika Sharma
October 31, 2024, 1:01 AM UTC, Updated on October 31, 2024, 2:25 PM UTC
Pepijn Van der Stap stayed up through the night of Jan. 22, 2023, repairing one of his computers in silence save for the whirring of its fan. About an hour before sunrise, he logged in to his account on a cybercrime website. When he did so, a dozen police officers burst into his apartment—a beachfront spot in the Dutch coastal town of Zandvoort—their faces hidden behind black balaclavas. Within minutes, they’d surrounded Van der Stap, blindfolded him and commandeered his keyboard.
It was a surprising show of force to capture the slim, 5-foot-8 man with dark blond hair and a baby face. Just 20 years old at the time of his arrest, he was well-known among cybersecurity experts in the Netherlands. But not as a criminal—as one of their own. Van der Stap’s work identifying security vulnerabilities in commonly used software had helped protect government agencies and thousands of companies internationally from potential data breaches. He’d presented his work at cybersecurity conferences, and his colleagues lauded him for his brilliance.
As those colleagues were about to learn, Van der Stap had also been the subject of a two-year police investigation. For months officers had been listening in on him in his apartment and monitoring his online activity through devices they’d surreptitiously installed on his computer. Van der Stap hadn’t broken bad so much as he’d reverted to form, failing in his attempt to leave the hacking underworld behind. His cybersecurity career had been inspired in part by a desire to manage his compulsions, which had begun in his teens and turned him into one of Europe’s most prolific hoarders of stolen data.
According to prosecutors, Van der Stap had obtained databases containing stolen information from thousands of companies, meticulously organizing and categorizing them on encrypted hard drives and servers he controlled. Either through his own hacking or by swapping data with other hackers, he’d accumulated personal information on hundreds of millions of people, likely including records on almost every Dutch citizen. His prosecutors say crimes on such a scale “have never occurred before in a Dutch criminal case.”
Police say Van der Stap extorted the organizations responsible for protecting the data, sometimes by threatening to delete their databases or damage their network infrastructure. Officers seized more than €600,000 ($670,000) in cash and cryptocurrency; Van der Stap eventually confessed and was sentenced to four years in prison.
Evidence emerged during the legal process suggesting that financial gain was not Van der Stap’s primary motivation. He paid for the apartment in Zandvoort with his salary from lawful cybersecurity work and had accumulated none of the trophies associated with young hackers—no fast cars, designer clothing or expensive jewelry. Most of what he’d extorted was still sitting in his cryptocurrency wallets. When a Bloomberg Businessweek reporter asked him what he liked to spend money on, he listed two things: hard drives and servers.
The real prize, for him, was the data itself. Van der Stap had grown obsessed with collecting it and meticulously organizing it into thousands of folders. He was also driven by a competitive urge to have a more comprehensive repository of stolen data than any other hacker, going to extraordinary lengths to maintain his superiority. Sometimes he would exploit security vulnerabilities during a hack, then fix them when he was finished harvesting what he wanted. He didn’t do this as a sop to his victims; he just wanted to be the only hacker who had the data.
Over several months of interviews on the phone and in person during his incarceration, Van der Stap explained how he’d been drawn to computers at a young age and gravitated toward hacking. He said he wanted to tell his story as a way to atone for his crimes, and in the hope that it would help other young hackers get their own lives in order.
During the exchanges with Businessweek, Van der Stap still seemed to be coming to terms with the severity of what he’d done. He freely admitted guilt, yet at times he couldn’t resist lapsing into boasts about the technical skills he’d displayed during his crime spree. As he considered his criminal career in a prison cell 12 miles northwest of Amsterdam, Van der Stap said he felt a deep sense of relief. “I wanted them to arrest me earlier,” he said. “I am glad I am where I am.”
Van der Stap’s mother, Sammy Brands, says her son didn’t play outside much as a kid. He had unusual interests, such as the techniques for displaying content on websites. When Van der Stap was about 10, he got his hands on a book from the series PHP for Dummies and dived into learning the programming language, which is widely used to build websites.
He spent much of his youth moving from place to place in Almere and Lelystad, provincial cities within an hour’s drive of Amsterdam. His mother worked in a housewares store and helped manage restaurants; Van der Stap and one of his older brothers went to a Waldorf school, which prioritized creativity and imagination in part by keeping technology out of the classroom. “He was crazy, because all he wanted was to go on the computer—that was his life,” Brands recalls.
Van der Stap’s parents had separated when he was about 4 years old. His mother says his relationships with her subsequent partners were hard on her son, who was also dealing with other issues. He was diagnosed at one point with Asperger’s syndrome, a developmental disorder typified by difficulty relating to others socially and a tendency to obsess over specific routines and interests. Brands says she rejected the diagnosis.
Van der Stap was reluctant to discuss his childhood in detail. But documents related to his prosecution show he once tried to take his own life, and he and his mother both confirm that. He also spent some time living away from his family in a facility for children with troubled home lives.
The computer was a reliable escape. When he was 13, Van der Stap was playing the world-building game Minecraft when someone boasted in the chat that he could hack an internet service provider and obtain personal details on any of the company’s subscribers. Van der Stap challenged the hacker to find his family’s information and send it to him. The hacker did, impressing Van der Stap and sparking a friendship that led to him joining an online group where he met others dabbling in cybercrime.
Before long he started visiting 8chan, a notorious collection of anonymous message boards that rose to prominence for fostering the Gamergate trolling movement and the QAnon conspiracy theory. (The site’s name has since been changed to 8kun.) Van der Stap mostly skipped the political stuff. He was primarily drawn to a board called Baphomet, where users posted lists of databases they’d obtained, such as stolen troves of consumer data from hacked companies, and ones they still wanted.
Van der Stap on his computer in 2006. Source: Sammy Brands
Van der Stap became obsessed with having the best and most complete collection of databases, which in turn fueled his desire to carry out cyberattacks. “The hacking was very easy for me, and it wasn’t a compulsion,” he says. “My habit was collecting. Collecting data, organizing data, downloading data, creating folders.”
In 2018, at age 16, Van der Stap signed up for vocational college to study computer programming. During his first week, he got bored and orchestrated a distributed denial-of-service (DDoS) attack on the college’s computer network—bombarding it with traffic to force it offline. After he got caught, he was sent to participate in a government program, Hack_Right, aimed at steering young cybercriminals away from illegal activity. Van der Stap completed the initiative and graduated from college in 2020. He began doing freelance work in software development and engineering for several Dutch companies from his bedroom at his mother’s house.
According to Brands, Van der Stap would work deep into the evening most days. She recalls that he had three laptops and two desktop computers, often all turned on at the same time. “He had a lot of screens,” she says. “He worked like crazy and was always typing very fast.” Brands didn’t think anything was amiss.
By his own account, Van der Stap began a hacking and extortion spree around this time. Among his targets were two universities, a Dutch publishing company, a pizza chain, several technology and commerce firms and a cryptocurrency exchange. He also helped another hacker who spread ransomware that rendered files on infected computers inaccessible. Police later found evidence that Van der Stap tried to extort money from at least two victims of the ransomware, including a health-care organization. (Although Van der Stap readily admits many of his crimes, he remains reluctant to take accountability for the ransomware attacks, saying his partner was the driving force in those cases. “Apparently I had undergone negotiations with two of those victims,” he acknowledges. “So that does make it somewhat extortion.”)
In October 2021, the cybersecurity firm NCC Group, based in Manchester, England, produced a report on a hacker they dubbed SnapMC, who they said was carrying out “rapid attacks, generally completed in under 30 minutes.” Van der Stap says it was him, sounding almost proud that he elicited the report. “I was so fast that almost no security company could respond,” he says.
Rickey Gevers, a Dutch cybersecurity expert who closely tracked a group of hackers Van der Stap associated with, concurs that his skills were remarkable. In a group that often engaged in juvenile trolling, “he was more of the quiet one,” Gevers says, yet “would always cross all the boundaries.”
In February 2021, Van der Stap obtained stolen data from the Rotterdam-based ticketing company Ticketcounter BV and tried to sell 3 million of its customer records on a cybercrime forum. A few days later, he created a fake persona on WhatsApp and, using a Portuguese phone number and a profile image of Russian opposition figure Alexey Navalny, sent a message to Sjoerd Bakker, Ticketcounter’s chief executive officer. “If we can handle this in a confidential manner, no harm will be done,” he wrote. He told Bakker he’d make the data public unless he received seven Bitcoin, worth about $400,000 at the time.
Van der Stap had become a prolific hacker by his late teens. Source: Sammy Brands
Bakker immediately notified police. Even though he was scared about the potential damage to his company, he had no intention of paying the extortion demand, which seemed to anger Van der Stap. “He said, ‘I know who your husband is. I know where you live.’ It got very scary,” Bakker says. “I just stopped all contact at that point.”
Working on his computer day and night, Van der Stap began to burn out on cybercrime. He no longer got a thrill from the challenge. In two minutes on his computer, he says, he could type in commands that would cause devastation: “I could do it with my eyes closed. It was not exciting anymore; it was just unhealthy.”
He was also increasingly anxious, because he knew he was attracting the attention not just of cybersecurity researchers but also of hacker gangs who wanted him to do their bidding. The notorious Russian-speaking ransomware gang LockBit repeatedly tried to recruit him, he says. He never liked LockBit, viewing its members as greedy and its leaders as unstable and dangerous. “They had an idea that I had a lot of data, which was correct,” he says. “I never went with them, as I thought it was a bit filthy.”
There were requests, too, from people seeking information about everything from sensitive telecommunications infrastructure to missile systems, he says. He would usually back off from such requests, which he worried could be coming from people working for governments. It all became “weird and scary,” he says. He was still a teenager. One morning he looked at himself in the mirror and suddenly felt overwhelmed with fear.
Toward the end of 2021, Van der Stap, then 19, decided to go legit. He began contacting companies, offering help with their cybersecurity vulnerabilities. In one case, he says, he identified security shortcomings in servers used by an organization in the Netherlands that helps people with addiction issues. In another instance, he says, he tipped off a Dutch water company and electricity providers about vulnerabilities in their infrastructure. The water company’s management sent him a box of gifts in return alongside a handwritten thank you note. “I tried to compensate for bad things I had done with something good,” he says.
He also got a job working with Hadrian Security, a cybersecurity startup in London and Amsterdam. Olivier Beg, one of the company’s co-founders, who’d mentored Van der Stap in the Hack_Right program, helped him land the role. Part of his job was to carry out simulated cyberattacks on Hadrian’s customers.
Beg declined to be interviewed for this story. But Rogier Fischer, co-founder and CEO of Hadrian, says Van der Stap raised no red flags. “All hackers are a bit quirky. The same goes for developers,” says Fischer. “But he was extremely capable.”
“I tried to compensate
for bad things I had done
with something good”
“I tried to compensate
for bad things I had done
with something good”
“I tried to compensate
for bad things I had done
with something good”
In January 2022, Van der Stap began volunteering for the Dutch Institute for Vulnerability Disclosure, a nonprofit that scans the internet for vulnerabilities so they can be fixed. “The moment he got going at DIVD he turned out to be one of our most brilliant researchers,” recalls Chris van ’t Hof, DIVD’s managing director. “Each case he would immediately be the most productive of the team.” Van der Stap helped resolve vulnerabilities that affected tens of thousands of companies, Van ’t Hof says. His contributions got him listed on a European Union cybersecurity agency’s “hall of fame,” crediting him for his efforts to “selflessly help our community.”
But the lure of cybercrime proved difficult to resist. In February 2022 an old associate contacted Van der Stap seeking help with a hack. The person had identified vulnerable servers linked to the British company Virgin Media O2, which has more than 49 million phone, television and internet subscribers in the UK. If they were able to break into the server, it would be one of the largest ever compromises of a telecommunications company.
Van der Stap at first ignored the advances from his former associate, whom he viewed as a freeloader seeking someone else to do the real work. But after three months of pressure and what he describes as 20 messages begging for his assistance “almost in a crying tone,” he finally agreed. Exploiting a security hole in the server’s outdated software, Van der Stap broke in. “It took me three minutes,” he says.
He grabbed more than 20 million customer records, as well as company backup files and production logs. Much of the data was unencrypted, according to Van der Stap. It was an astonishing haul.
Van der Stap made a copy of the data and stored it on a server in Russia, where it would be out of the reach of Western law enforcement agencies. According to Dutch prosecutors, he then made the data inaccessible on the company’s own server and sent a message to its security team. “Hello, you are probably wondering why you received this email,” the note began. “I was able to grab a lot of data you keep … due to a vulnerability in your infrastructure.”
Van der Stap went on to explain the specifics of what he’d obtained, demanded a payment of $750,000 in Bitcoin and gave the company 72 hours to respond. “If you don’t get in contact, we will cause severe harm to your infrastructure, and you will have your source code leaked,” he threatened.
The message sent Virgin Media O2’s security teams into a panic. In an internal email viewed by Businessweek, a company manager instructed anyone not involved in the security response who’d received Van der Stap’s message to delete it. “Due to the potential impact to our customers and reputational damage if this turns out to be correct, we need to tread carefully and not disseminate or share what has been received with anyone,” the manager warned.
Within two days, the company had verified that Van der Stap’s claims were real. It paid him 24.7 Bitcoin, with a market value of $764,450.
The breach hasn’t been publicly reported until now. The company, owned by international giants Telefónica and Liberty Global, didn’t disclose it at the time because, a spokesperson said in an email to Businessweek, it had no material impact to its business. “No personal financial information was accessible, and we took rapid action which included immediately alerting the ICO (the UK Information Commissioner’s Office) and other authorities who we cooperated with throughout,” the spokesperson wrote, adding that the ICO, which is the UK’s data protection regulator, investigated the incident and Virgin Media O2’s response and took no action.
“For security reasons we are not detailing the specific steps we took, but these actions were swift, rigorous and all focused on protecting our customers which is always our top priority,” the spokesperson wrote. The company didn’t answer questions about the Bitcoin payment.
It was Van der Stap’s biggest payout ever. He shared about one-fifth of the money with the associate who’d pressured him to do the hack. The rest he stored in a cryptocurrency wallet. Then he went back to his day jobs at Hadrian and the DIVD.
After the attack, Van der Stap again withdrew from the cybercrime scene. But eight months later, on that night in January, he made the critical mistake of turning on the computer he used for criminal activity and logging in to some of his accounts.
Dutch police had been preparing for this moment for almost two years. They’d noticed that a rash of attacks going as far back as March 2021 had been carried out using the same collection of IP addresses, email addresses, phone numbers and cryptocurrency wallets. In some instances the notes sent to victims had almost identical wording.
They began searching for clues that would connect the online accounts and phone numbers to a real-world identity. The hacker seemed to have done a good job of covering his tracks, hiding behind a web of false identities. But in early 2022 police obtained copies of user databases seized from RaidForums, an online message board for cybercriminals. One user who’d been trying to sell data from a hack had initially registered with an email address containing the handle “pepijnstap”—Van der Stap’s actual name.
He quickly became a leading suspect in a handful of hacking cases. Police obtained approval to bug his apartment, breaking in while he was away and installing a microphone in his home office. They also installed a keylogger inside his keyboards, allowing them to monitor everything he typed.
For months the police watched, waiting for Van der Stap to log in to the computer he used for cybercrime. Because its internal hard drives were encrypted, the only way to obtain the evidence they needed to prove his responsibility for the hacks would be to catch him while he was using it. When he finally did, everything happened very quickly. It took Van der Stap a few moments to realize he was being arrested—at first he thought he was being robbed.
The computer contained a complex system of individually encrypted hard drives with 33 terabytes of stolen data, carefully organized into more than 4,000 folders. The sheer scale of it overwhelmed police and prosecutors. “The amount of personal data found on the suspect’s computer is so large that it has not even been determined how many people are involved in total,” prosecutors concluded. All the same, police managed to retrieve evidence such as copies of threatening messages Van der Stap had sent hacked companies, login details for an email account he’d used to send the threats, and messages about stolen data he’d posted to the cybercrime forum he was logged in to when he was arrested.
Around the time of the raid on Van der Stap’s apartment, a team of officers turned up at his mother’s home in Almere. When she saw them at the door, she feared the worst. She knew her son had struggled with anxiety and depression—her first thought was that they were there to tell her he was dead.
Police didn’t immediately explain their presence, saying simply that they had a warrant to carry out a search. Only after speaking to Van der Stap’s lawyer and colleagues at Hadrian did Brands realize that her son had been detained and charged with serious cybercrimes. “It was a complete shock to me,” she says. “Because Pepijn is a very sweet, caring son, it was unbelievable for me. We have a phrase in Dutch—the ground beneath my feet was gone.”
The charges against Van der Stap were laid out at a court building in the south of Amsterdam in October 2023. Hearings took place over two days, with the public gallery full of people Van der Stap had worked with in his cybersecurity roles.
Among them was Hadrian’s Fischer, who was shocked by what he heard. “It felt like a betrayal,” he says. “Because on a day-to-day basis we were fighting hackers like him.” What particularly stung were the details about Van der Stap’s involvement in threatening people and extorting companies. “I thought, ‘This is unforgivable and unacceptable behavior.’ And that hurt.”
The DIVD held staff meetings to discuss the issue, and people broke down in tears. Van ’t Hof feared the case might bring down the organization. As a nonprofit, it relies on outside funding, and shortly after the news emerged in the aftermath of Van der Stap’s arrest, one of the organization’s sponsors severed its relationship with DIVD and canceled scheduled payments totaling €200,000. “We went through hell, almost went bankrupt, lost trust,” Van ’t Hof says.
The DIVD had an external contractor carry out an investigation to see if Van der Stap had abused his position at the organization; it found nothing. The DIVD has since recovered financially.
Van ’t Hof says he isn’t angry at Van der Stap. He professes sorrow and pity for him instead: “What a huge waste of such a brilliant mind.”
In November 2023, a judge found Van der Stap guilty on multiple counts of computer trespassing, extortion, stealing nonpublic data, distributing ransomware and laundering at least €1.5 million. He was given a lenient sentence after the judge factored in Van der Stap’s age, personal circumstances and confession. He’s expected to be released after three years, to be followed by three years of probation.
Van der Stap now lives in a small jail cell in an industrial area on the outskirts of Amsterdam. He spends his time trying to make amends. When he was behind his computer screen, he was distant from the harm he caused, he says, but now he’s been forced to confront it.
As an hourlong conversation with Businessweek wound down about a month after his sentencing, Van der Stap broached the subject of his moral culpability directly. He went silent for a moment, then asked, “What is your opinion on everything I have done?” He’d been hacking for so long—since he was so young—that he was having difficulty figuring out when it had gone wrong for him and how bad he’d been. “Most of it is ridiculously—I don’t know how to say this—most of it is way over the boundaries,” he said of his actions. “But what I keep wondering is, ‘Am I really to blame for what I did in 2016 or 2018?’”
“But what I keep wondering is,
‘Am I really to blame for
what I did in 2016 or 2018?’”
“But what I keep wondering is,
‘Am I really to blame for
what I did in 2016 or 2018?’”
“But what I keep wondering is,
‘Am I really to blame for
what I did in 2016 or 2018?’”
I told him I thought he seemed less like a hardened criminal hacker such as the ones in LockBit and more like the ones in LulzSec, a group I’d reported on years ago. Those hackers were also mostly teenagers. Some had political motivations, but they mainly acted out of some combination of boredom and curiosity, or the glory of taking down a big target. “I was not working out of any ideology,” he replied, saying the same is true of many young hackers who find themselves struggling to escape from the situation they’ve created for themselves. “I don’t know if you have heard this,” he said, but “everybody repeated the same sentence: ‘I have already sold my soul. I can never stop.’ And so many hackers want to get out.”
Van der Stap has access to a phone, and he’s been calling family, colleagues and some of his victims to apologize for what he did. Late last year he contacted Bakker, the Ticketcounter CEO he’d threatened and tried to extort. Bakker had originally been furious at Van der Stap and wanted to see him severely punished, but he agreed to meet with him. He came away from their conversation feeling more sympathetic. “I am happy it is over, but I am not happy with the outcome,” Bakker says. “There are only losers here.”
Inside the jail, in a visitation room, Van der Stap wore a white T-shirt and jeans. He stood out from his fellow prisoners with his boyish face and shy demeanor. He says he’s been receiving therapy and is glad that he’s been forcibly severed from the exhaustions of his two-sided life. He spends a lot of time calling his mother, who has forgiven him. He doesn’t plan on returning to cybersecurity when his sentence is over. Instead he’s been studying biochemistry and medicine. The prison gives him supervised access to a computer, but he doesn’t like to use it much anymore.
(Updates paragraph 27 with additional information about Van der Stap’s interactions with Dutch utilities. A previous version corrected the number of customer records he attempted to sell in February 2021. )
PHOTO ILLUSTRATIONS: Vartika Sharma FOR BLOOMBERG BUSINESSWEEK; PHOTOS: GETTY(5), ISTOCK(1)
