My Life in Cyber Espionage and Ransomware Negotiation — An Excerpt

Written by cyberrecon | Published 2025/12/10
Tech Story Tags: cybersecurity | cyber-espionage | negotiation | book | kurtis-minder | cyber-recon | ransomware-negotiation | cybersecurity-books

TL;DR: This is an excerpt from the book "Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation" by Kurtis Minder (Wiley Press).

The first time I engaged a cybercriminal, it was because I noticed unusual logins on a router in a nearby town where the ISP I worked for had a point of presence (POP). Closer inspection indicated the alleged perpetrator had pivoted from that system to one of our systems primarily used to make backups. I engaged that first threat actor in a short but important dialogue: “Boss, I know it’s you. I don’t know what you are doing, but you are putting my job at risk. Please log out and do not return. Next time, I will report this.”

Now, 30 years later, I find myself faced on a daily basis with the startling knowledge that there are dozens of private companies providing spying-as-a-service to commercial and public organizations around the world. These companies have privatized espionage and established prying eyes in some of the seediest parts of the Internet. My company, GroupSense, is one of the best, and we found ourselves specializing in engaging in an often misunderstood and unique part of this business: talking to cybercriminals in the Internet underground.

For decades, a small set of Internet espionage practitioners have quietly infiltrated and interacted with cybercriminals. Cyber intelligence companies were formed to do this at scale, some with more success than others. The criminals, knowing this was occurring, adapted over time and attempted to thwart the Internet spies. Thus, a spy versus spy, cloak-and-dagger game began to take shape across a multitude of channels, websites, forums, and Internet chat tools.

Governments organized stings, bought their way into forums, and occasionally disrupted criminal activity. The FBI would semi-annually announce the dismantling of a particular forum or group’s activities, only to have a proverbial mole pop out of another dark hole on the Internet, awaiting the next attempted digital whack.

I inadvertently became a key player in this cyber landscape, starting small but quickly growing into a global voice for policy change, personal cyber hygiene responsibility, and a voice for the victim, especially individuals or small businesses. My interactions with Internet criminals and bad actors started early in my career, in the early 1990s, and like gravity, an invisible force continued to pull me back into the realm to lead and fight Internet evil.

The Internet was once a budding landscape for most people, and there really was no concept of a cybercriminal. But I found one in those early days and engaged him.

My father worked in a flour mill for Pillsbury in central Illinois. I once visited his workplace as a young boy. It was 110 degrees, a haze of gooey flour, and the air perfumed heavily with sweat and musty yeast. Everything my dad touched—his car, his La-Z-Boy recliner, every shirt he owned—smelled like it. He had a white crust seemingly permanently cemented into any wrinkle of his body, his elbows, and even around his eyelids. During that visit, I watched him move 100-pound sacks of flour from one conveyor belt to another, deafened by the sound of the machines. “This sucks,” I thought.

I also made a number of visits to my mom’s place of work. She worked for the state of Illinois in some accounting capacity. I never understood what she did, but I took note of this: It was quiet and climate-controlled, and she had a cup of fresh coffee in front of her. She typed away on a typewriter and occasionally pecked one-handed on a calculator so fast you could barely make her fingers out, tape mechanically rolling out of the top of it. “I want to work like this,” I thought. As a result, I took every typing, keyboarding, or business-related class I could find. After taking everything my high school offered, I enrolled part-time in a vocational school to take data processing classes, and it was there that I fell in love with Unix. I fell hard, the way a young man falls for the only girl who ever paid any attention to him. Microsoft was a thing then, and Windows was the standard for what would soon be known as “desktop computing.” Yet I had never used a Windows machine. I had used DOS here and there and Macintosh a bit, primarily to play Oregon Trail in the library. Unix was different and intoxicating for me. I ordered books about it, and when I finished my classroom assignments, I would poke around the systems. I even conspired with some other students to write some code that stole the other students’ passwords. We got caught. No bueno.

One day my mom threw a folded newspaper in front of me at breakfast, a job ad highlighted in yellow. It seemed fortuitous: “TECH SUPPORT ENGINEER WANTED . . . typing . . . Internet . . . Unix experience is a plus.” I was a shoo-in for the job at CenCom Internet, one of central Illinois’s first dial-up Internet providers. I quickly became a favorite of the systems administrator, who would invite me to join him on the weekends rebuilding Sun Microsystems servers, standing up new terminal servers, and loading some 20-plus floppy disks to build new Slackware Linux machines to provide domain name resolution to our customers. I ate it up.

It only made sense, then, when politics ensued and the systems administrator was hastily fired, that the company’s president asked me to “keep things running” until they found a replacement. While outwardly I radiated confidence, on the inside I was terrified and angry at my mentor for his lack of restraint. Still, I moved my things from the tiny desk in the tech support area, which consistently screamed like a nest of baby pterodactyls because of the garage shelves with hundreds of US Robotics and Hayes clamshell modems, volume on, receiving calls.

My mentor’s desk was a mess of papers, floppy disks, a few cards from Magic: The Gathering, and two large Sun Microsystems CRT monitors. Two glass mousepads with a grid and corresponding three-button laser mice rested on the strewn papers. I sat in his chair across from the crappy wicker chair I usually occupied when I was patiently waiting for an answer to a technical question and discovered how strange it was to be on this side of the desk. My mentor had a protocol for handling anyone who came in asking a technical question. If you spoke before he acknowledged you, you would be ignored. We learned to sit in that wicker chair, silent until he looked up or spoke; it seemed that each time you spoke prior to his acknowledgment, the longer you would have to wait. It was an effective method of making sure the prospective question was something that needed asking. This forced many of us to RTFM (Read the F*cking Manual) before we demanded his assistance.

My first move was to log in to the Sun Sparc10s underneath the monitors. I pulled up an X Window terminal and began to issue commands to populate my screens with terminals of various colors and titles in the title bars: xterm-color -r -fg rgb:20D0C0 -bg rgb:303050 -cr wheat -fn rom14 -T "Decatur-Router" &. I repeated this step for every terminal server, router, and critical system. I then connected each terminal to the corresponding system and executed a tail command on the critical system logs: tail -f /var/log/syslog. The result was CRT monitors full of colorful text-filled system log windows, scrolling as things changed and errors occurred on each system. While largely unmanageable, this was the only way I felt safe until I had my administrator legs under me.

What I found were unusual logins on a router in a nearby town where we provided service. Closer inspection indicated that the alleged perpetrator had pivoted from that system to one of our BSD systems that were primarily used to make backups of the NIS network. It was on those BSD systems that I engaged my first threat actor in a short but important dialogue, letting the intruder know I knew he was my recently fired boss and letting him know in no uncertain terms that should I catch him again, I’d report him to the authorities.
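The two things spotted in those scrolling windows, a login from an address that had no business on the router and a hop from the router onto the BSD backup hosts, are exactly what a filter on the syslog stream can flag instead of relying on a pair of eyes. The following is an added example, not code from the book and not CenCom's or GroupSense's tooling: a POSIX sh/awk filter run over constructed syslog lines. The hostnames (decatur-rtr, backup-bsd), the addresses, the approved admin workstation 10.1.1.5 and the router address 10.1.9.2 are all assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the book, not CenCom's or GroupSense's tooling):
# the kind of filter you would pipe a syslog stream through instead of eyeballing
# a wall of "tail -f" windows. Two conditions are flagged:
#   untrusted : a login whose source address is not an approved admin host
#   pivot     : a login whose source address is one of our *own* infrastructure
#               boxes (e.g. a router), i.e. someone hopping between systems.
# Hostnames, addresses and log lines below are constructed for illustration.

# Constructed sample syslog lines from a router and a BSD backup host. The
# router's own address is 10.1.9.2; the only approved admin workstation is 10.1.1.5.
SAMPLE_LOG='Mar 14 02:11:03 decatur-rtr login: user admin logged in from 10.1.1.5 on tty1
Mar 14 02:15:44 decatur-rtr login: user admin logged in from 192.168.7.20 on ttyp0
Mar 14 02:16:10 backup-bsd sshd[412]: Accepted password for root from 10.1.9.2 port 1022
Mar 14 02:17:01 backup-bsd cron[501]: (root) CMD (/usr/local/bin/nis-backup)
Mar 14 02:18:30 backup-bsd login: ROOT LOGIN on ttyp1 FROM 10.1.1.5'

# flag_suspect_logins LOG_TEXT "trusted addrs" "infrastructure addrs"
# Prints one ALERT line per suspicious login; prints nothing for clean input.
flag_suspect_logins() {
    printf '%s\n' "$1" | awk -v trusted="$2" -v infra="$3" '
        BEGIN {
            n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1
            n = split(infra, f, " ");   for (i = 1; i <= n; i++) ours[f[i]] = 1
        }
        # BSD login(1) and sshd(8) both place the source address after "from"/"FROM".
        /logged in from|Accepted .* from|LOGIN on .* FROM/ {
            src = ""
            for (i = 1; i < NF; i++) {
                if (tolower($i) == "from") { src = $(i + 1); break }
            }
            if (src == "") next
            host = $4                       # syslog layout: Mon DD HH:MM:SS host ...
            if (src in ours) {
                print "ALERT pivot     host=" host " src=" src " :: " $0
            } else if (!(src in ok)) {
                print "ALERT untrusted host=" host " src=" src " :: " $0
            }
        }'
}

# Stand-alone run over the constructed sample: expect one untrusted and one pivot alert.
flag_suspect_logins "$SAMPLE_LOG" "10.1.1.5" "10.1.9.2"
```

In live use the function body is what you would feed from tail -f /var/log/syslog on each host. The fragile part is the allowlist: the filter is only as good as your knowledge of which addresses are allowed to open sessions, and the "pivot" rule depends on listing every box that should never originate a login, which is the condition that exposed the intrusion in the story.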

If he returned, I never knew it. His experience eclipsed mine by more than a decade, and if he had wanted, he could have pulled the digital rug out from under CenCom and me any time he wanted. Eventually, he hired me at his new venture as his “Chief Technician,” and we launched a competitive Internet company together, where, among other tasks, I found and chased bad guys online.

Back then, the bad actors were unlikely to be nation-states or financially motivated cybercriminals. They were often kids like me, testing their skills and inflating their egos. If you had explained to me the world we live in now and that I, Kurtis Minder, would be involved in some of the most effective cyber espionage and cyber warfare in history, I would have no doubt spewed Mt. Dew from my nose.

Today, I am humbled to be surrounded by some of the best talent in cybersecurity. On a daily basis, we engage in clandestine conversations with ransomware gangs, Russian organized criminals, lone-wolf actors, and even nation-state adversaries. Years of experience have aided in creating a playbook of best practices in operational security (OPSEC), cryptocurrency logistics, compliance adherence, and, of course, the psychology of transacting or negotiating with those who occupy the internet’s seedy underground.

Excerpted with permission from the publisher, Wiley, from Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation by Kurtis Minder. Copyright © 2025 by John Wiley & Sons, Inc. All rights reserved. This book is available wherever books and eBooks are sold.

Written by cyberrecon | Kurtis Minder is a cybersecurity entrepreneur, ransomware negotiator, and author of Cyber Recon (Wiley Press).
Published by HackerNoon on 2025/12/10