These Small-Town Hackers Are Making a Living Showing Companies How Insecure Their Sites Really Are

The members of Pasuruan Black Hat have hacked banks, governments, and huge tech companies like Google.
October 15, 2018, 11:30am
An illustration of black hat hackers in Indonesia.
Illustration by Farraz Tanjung

The small coastal city of Pasuruan, in East Java, is about as far as you could get from Silicon Valley. It's one of those low-rise cities that are so common in places like Java; the kind of place that's technically a "city" but feels more like an overgrown town. The rural farmlands outside city limits are known for their dairy farms. The city itself is more about textiles and sneaker manufacturing than tech and coding.

Advertisement

But there, amid the squat red-roofed homes and the wild, tree-lined streets, a 19-year-old hacker who goes by the name Apapedulimu discovered a bug that could let malicious hackers steal confidential information from one of Silicon Valley's biggest tech companies—Google.

Apapedulimu, who is a member of the Pasuruan Black Hat hackers collective, told me that he first noticed the bug last March while poking around in some Google code. The bug could allow a third party to steal Google users' personal information through a hack called "clickjacking"—think a link that, when you click it, allows someone else to see your personal information. Apapedulimu reported the bug to Google and then waited. And waited. And waited.

Months later, after hearing no response, Apapedulimu dug deep again, this time accessing Google's subdomain, where he identified the bug once again. He submitted another report, this time with his personal Google account and prepared to wait again. Then, one day last month, he finally heard back. He received an email from Google congratulating him on discovering the bug. "As part of Google Vulnerability Reward Program, the panel decided to issue a reward of $7,500 USD," the email read.

“This is like a dream come true,” he told VICE.


Watch: This Is How Easy It Is To Get Hacked


Indonesia is a rising country on the global hacker scene. The country briefly rose to biggest single source of global cyber attacks in 2013 before falling again—a statistical hiccup that implies that suspicions at the time that the country's rise had more to do with a massive botnet of infected computers being harnessed by overseas hackers than the work of Indonesian hackers themselves were likely true.

The local hacker scene isn't as complex as those in China, Russia, and the United States, where the majority of cyber attacks originated in 2018, according to a report by the cybersecurity company Akamai Technologies.

Advertisement

But when it comes to the defacing of corporate or governmental websites, or the identification of security loopholes, hackers like Apapedulimu are experts in their field. In recent years, Indonesian hackers have attacked government websites in Australia, Malaysia, and Singapore, defacing sites in protest, interrupting internet service, and stealing confidential information in the process.

Apapedulimu and his friends, a small community of hackers in Pasuruan, told VICE that they've penetrated the websites of a major oil company, an e-commerce site, and at least one foreign government. We're only using their hacker handles here because a lot of what they do could be considered illegal. But, in reality, much of what the Pasuruan Black Hat community does is beneficial to the companies they hack. One of the hackers, who goes by the name Alien, told VICE that he usually contacts the companies or owners to inform them of the security issue with the hopes of receiving some kind of monetary reward.

When Alien discovered an issue with a Bandung-based startup's website, he first defaced its homepage. Once the company's IT department fixed the site, he defaced it again. This went back-and-forth for a while before he reached out to the company and told its developers about the security flaw. They then offered him a job as an IT consultant.

"Sometimes we hack to look for a gap in the security of an application or a program," he said. "Usually, when we notify the owner of that program, we get compensation."

Advertisement

Or they use their skills for other forms of personal gain. h3llo, another Pasuruan hacker, told me that he hacked into his university's grading system and added an entire point to his GPA. Even today no one but h3llo and a select few people he told know that his final scores aren't real.

"Only my friends knew about it," he said with a laugh.

h3llo, and his friend PhiA, used to poke around in their school's websites for fun, often changing their grades and, once, defacing the university's website in protest over the fact that they weren't allowed to attend a national hacking tournament in Jember, East Java. For a week, the school's website was down until university staff figured out who was behind the attack and forced them to stop.

“We did this because we were angry,” h3llo expained. "They didn’t expel us because we apologized and promised we wouldn’t do it again."

Defacing a website is fairly easy, h3llo told VICE. It doesn't cause too much damage and it gets the job done, especially if the main goal is raising awareness for a political cause. In 2005, h3llo claims that he hacked the site of an Indonesian oil company in protest of then President Susilo Bambang Yudhoyono's plans to cut the country's costly fuel subsidies. He put an image of a sad-looking man on its homepage and a banner reading, "This is what would happen if the fuel gets more expensive. The people will suffer."

The company reported the hack to the government's communication and technology ministry and soon h3llo and his crew were on a list of suspects. h3llo spent two days offline out of fear that he was about to get caught until, one day, his friend suggested he write an email to the company offering to show them how he hack their site if they dropped the charges. The company agreed and h3llo remained a free man.

He later hacked the network of a large private bank and accessed the financial information of millions of Indonesians. But he left that one alone. "I can still access the data now,” he bragged.

So far, the Pasuruan Black Hat community has been able to avoid prosecution by skirting the law. They keep their profiles high enough, and their skills sharp enough, to keep receiving offers of work from the companies they target in their attacks. When our reporter met them, the crew was busy reminiscing about prior hacks and exchanging stickers. Without their laptops, they men all looked like regular, harmless university students. But slowly, online, they're raising the reputation of Indonesia's least-likely hacker hotbed.