
The Hacking Groups That Shaped the Security Industry

Before security became an industry, it was a scene. In the half-lit margins of the early internet, a handful of names kept appearing wherever things broke in interesting ways, and these were the ones who defined what was to come.


Remembering the Pioneers of Security Research

Respect

Fabled security researcher Felix “FX” Lindner passed away last week. To many in the industry and on our team, he was a hero and an inspiration.

If you were around the security scene in the late 1990s and early 2000s, you already know who he was and what PHENOELIT meant. If you weren't, this is a good time to learn. That era produced some of the most important security research ever published, mostly by people with no job titles, no corporate backing, and no formal mandate to do so. They were just people who were very good at finding things that were broken, and they found plenty.

L0pht Heavy Industries

L0pht was a Boston-based group named after the loft space where its members worked. The core roster included Mudge (Peiter Zatko), Weld Pond, Kingpin, Dildog, Space Rogue, Brian Oblivion, and Silicosis.

Their password auditing tool L0phtCrack caused significant disruption when it was released. It cracked Windows NT passwords by exploiting weaknesses in Microsoft's LAN Manager hash quickly enough that the scale of the problem became impossible to ignore.

The group's most notable public moment came when seven members testified before the United States Senate Committee on Governmental Affairs, speaking under their hacker handles. Mudge told Senator Fred Thompson that they could take down the entire internet within thirty minutes. It was one of the first times Congress had engaged directly with the hacking community on security issues.

L0pht later merged into the security firm @stake. Mudge went on to work at DARPA and became Twitter's head of security, eventually filing a whistleblower complaint about the company's security practices. Dildog was a member of both L0pht and cDc, and went on to work on Back Orifice 2000 as part of the cDc project. Kingpin moved into hardware security research.


TESO

TESO was a German and Austrian group active in the late 1990s and early 2000s. Their members included Scut, Skyper, and Halvar Flake, and they produced some of the more technically rigorous research of that era.

Scut wrote "Exploiting Format String Vulnerabilities," which became a widely referenced document in the security field. Before that paper, format string bugs were poorly understood. It established them as a defined vulnerability class and influenced how auditors approached code review going forward.

Halvar Flake, whose real name is Thomas Dullien, focused on binary analysis and developed BinDiff, a tool for comparing compiled binaries that became widely used for patch diffing. The idea is to compare a patched binary against the unpatched version to identify exactly what changed and work out what the underlying vulnerability was. BinDiff is still used by security researchers and has since been open-sourced by Google.

TESO also published research on SSH at a time when SSH was increasingly trusted as a secure protocol. Their work included research into the CRC32 compensation attack detector vulnerability in sshd, which was a significant remote exploitation issue. Their advisories were often released without prior vendor coordination, which was common practice in parts of the underground at the time.

THC

The Hacker's Choice is a German group that remained active long after most groups from the same era had disbanded. Van Hauser was their most consistent public-facing member over the years.

THC-Hydra is the tool most associated with the group. It is a network login brute-forcer supporting a large number of protocols including FTP, HTTP, HTTPS, SMB, LDAP, and Cisco authentication. It became a standard tool in penetration testing and still ships with Kali Linux.

The group also published research on VoIP security when SIP adoption was growing rapidly, and released THC-SSL-DOS, which demonstrated a denial of service condition in SSL/TLS renegotiation. Fixing that issue required coordinated patches across browser vendors and server software.

PHENOELIT

PHENOELIT was a German group best known through their member FX, who did substantial research into Cisco IOS vulnerabilities. Cisco routers were running critical infrastructure and corporate networks globally, and PHENOELIT published vulnerabilities in IOS covering remote code execution and denial of service. FX presented this work at DEF CON, Black Hat, and the Chaos Communication Congress.

The group also published research on HP JetDirect, SAP, and RIM BlackBerry, demonstrating that networked printers, enterprise software, and mobile devices were viable attack targets that most people had not been paying attention to. FX ran Recurity Labs, a Berlin-based security consulting firm, until his death.

LSD

Last Stage of Delirium was a Polish research group active through the late 1990s and early 2000s. Their output covered a lot of ground. They published shellcode development techniques for a wide range of processor architectures including MIPS, PA-RISC, PowerPC, and SPARC at a time when that kind of cross-platform exploit knowledge was rare and genuinely useful.

They won the Argus Hacking Challenge, a well-known competition involving a military-grade security system called Argus Pitbull, using kernel-level exploits. The writeup they published on how they did it was presented at Black Hat and became a reference document for anyone interested in kernel exploitation.

They also did substantial research into Java and JVM security vulnerabilities, presented at Black Hat Asia, covering exploitation techniques that most people in the security community had not seriously considered at the time. Later they published research on Microsoft Windows RPC vulnerabilities, which had a broad impact given how widely Windows was deployed across enterprise networks.

The group kept a low profile but produced consistently serious work across multiple areas over the course of nearly a decade.

cDc

The Cult of the Dead Cow, founded in Lubbock, Texas, is one of the longest-running hacking groups around. By the late 1990s the group had built a reputation for combining technical work with a distinctly political perspective on hacking.

Their best-known release is Back Orifice, a Windows 98 remote administration tool presented at DEF CON by member Sir Dystic. It gave an attacker full control over a compromised machine, including file access, keylogging, and process manipulation. Microsoft labeled it malware, though the security community generally viewed it as a demonstration of how little attention Windows had paid to security in its design.

The follow-up, Back Orifice 2000, was developed by cDc with Dildog, who was a member of both cDc and L0pht, and extended the same functionality to Windows NT and 2000. It was released as open source. Oxblood Ruffin led Hacktivismo, a cDc subproject that built tools designed to bypass censorship systems in authoritarian countries.


w00w00

w00w00 was an online security group active in the late 1990s that operated differently from most underground crews. Rather than being geographically concentrated, it was a distributed network of members who communicated remotely. It attracted a number of people who went on to significant careers in technology, the most well-known being Jan Koum, who co-founded WhatsApp.

The group focused on finding vulnerabilities in widely deployed software and published advisories on weaknesses in things like wu-ftpd and other common Unix services. They were not as prolific as some contemporaries but were well-regarded in the community and connected to serious researchers across the scene.

ADM

ADM, sometimes expanded as the "ADM crew," was active in the late 1990s and released a significant volume of exploit code targeting core internet infrastructure. Their releases covered vulnerabilities in BIND, the DNS server running the majority of internet name resolution at the time, as well as sendmail, wu-ftpd, and other widely deployed Unix services.

Their output was raw and often dropped without much documentation, but the targets they chose were consequential. Vulnerabilities in BIND in particular had a broad impact given how much of the internet depended on it. ADM did not have the public presence of groups like L0pht or cDc but their releases were taken seriously by administrators and vendors who had to respond to them.


XFocus

XFocus was a Chinese security group that emerged from the broader patriotic hacker scene of the late 1990s and early 2000s. One of their notable members was Glacier, whose real name is Huang Xin, who released one of the first Chinese-developed remote access trojans and co-created X-Scan, a network vulnerability scanner that became widely used in China and beyond.

The group has also been linked to the Blaster worm. XFocus published proof-of-concept code after reverse-engineering a Microsoft Windows patch, and that code was later used in the Blaster chain. Court documents from the prosecution of a US teenager who created a Blaster variant named XFocus in connection with the original reverse-engineering work.

XFocus also ran XCon, one of China's first serious technical security conferences, which brought together researchers from across China and internationally. Several members went on to careers in China's cybersecurity industry, and outside reporting has noted overlaps between XFocus alumni and firms such as VenusTech.

What They Left Behind

Most of these groups no longer exist in their original form. The security industry that replaced the underground has bug bounty programs, disclosure policies, and corporate research teams, many of them staffed by people who came up through the same scene.

THC-Hydra is still in active use. L0phtCrack eventually went open source. Research from LSD and TESO is still cited in vulnerability work. The techniques these groups developed and documented became standard knowledge for the generations of security professionals that followed.
