News

Jun 15, 2023

Clouded Judgment: How a Former Amazon Employee Hacked Capital One

ByBenjamin CassidyApril 4, 2023Published in the Summer 2023 issue ofSeattle Met J ust after sunrise on a still July morning, federal agents swarm a one-story house on a quiet residential street in

ByBenjamin CassidyApril 4, 2023Published in the Summer 2023 issue ofSeattle Met

Just after sunrise on a still July morning, federal agents swarm a one-story house on a quiet residential street in Seattle.

A SWAT team in camouflage wields assault rifles and a battering ram as they file between a row of vehicles—a furniture truck, a Jeep, and an Airstream RV—parked in the front yard. The unit advances past them and, guns still pointed, bangs on the protective security door. “FBI, open up!”

The shout and the rattle rouse the five residents at the Beacon Hill home. The feds clear them from the premises, then fan out among three bedrooms and a cluttered living room bathed in the galactic hues of TV and computer screen savers. An L-shaped couch and a cat tree in the common space look innocent enough. But in one of the bedrooms, agents find a veritable arsenal of weapons: eight rifles, four semiautomatic pistols, and three containers of explosives.

The Beacon Hill home where Paige Thompson lived, photographed a few days after her arrest.

Image: AP Photo/Ted S. Warren

Outside, cuffed with the rest of his housemates, Park Quan won’t stop talking about his cache of weapons. But the authorities weren’t after the 66-year-old homeowner who already had two federal convictions to his name. The real target, the reason the FBI descended on this tranquil neighborhood at daybreak, emitted an industrial hum in a bedroom near his.

Behind the door, a custom-built white computer the size of a mini fridge was still powered on, and Waymon Ho could breathe a little easier. Ho wasn’t part of the SWAT team that led the raid. Instead, he was a computer scientist and a member of the FBI’s Cyber Action Team, a unit that didn’t form until 2006. It consisted of people like Ho, who know that, say, having to reboot a DIY computer could mean losing crucial evidence.

Evidence like personal data belonging to more than 100 million people. Ho found himself in this small, scattered bedroom on a summer day in 2019 because of a potentially colossal breach. A former Amazon Web Services employee had allegedly hacked customers of her erstwhile employer. The most prominent client, credit card behemoth Capital One, had alerted authorities just over a week earlier. In the Seattle field office, special agent Joel Martini quickly deemed the case top priority and orchestrated a search operation.

After passing through the living area of the house, federal agents found a custom white computer in Thompson's disheveled bedroom.

Image: Courtesy United States District Court for the Western District of Washington

Before the raid, Ho reviewed the suspect’s messages online. It was as if Paige Thompson wanted to be caught. In a Twitter DM to a member of the information security community, Thompson, who went by the handle “erratic” online, sent links to scripts for carrying out the breach with her full name in the address. On Slack, she listed files from a folder named “aws_dumps” where she stored the downloaded data.

Ho quickly found the folder on her computer. He instructed a photographer to capture the screen and then jammed a media drive into the machine. It would take hours to copy the data, enough to fill several laptops.

As she awaited her fate, Thompson lived up to her “erratic” online handle. The 33-year-old initially told investigators she didn’t recall downloading any data, Martini later testified. If she did download it, she never viewed its information. But in the same interview, she 180’d, the agent said—she fessed up to the downloading.

An associate had warned Thompson she’d gone too far. “Sketchy shit,” they wrote on Slack. “Don’t go to jail plz.”

Yet, by day’s end, Thompson was en route to the Federal Detention Center in SeaTac, accused of computer fraud and abuse. Quan would join her there on separate weapons charges. Meanwhile, news outlets around the world raced to cover the arrest of the former Seattle tech worker behind one of the biggest hacks ever.Thompson’s case had only just begun to reveal the dangers of being too online.

Anyone appearing in front of the honorable Robert S. Lasnik is liable to endure some very dry attempts at humor. In the late 1990s, when a committee asked why he wanted to be a federal judge, Lasnik told them he’d noticed the reception of his jokes plateau at the state level. “If I become a federal judge, I might get that bump up again.”

The then 71-year-old didn’t let the severity of the alleged crimes in United States of America v. Paige A. Thompson deter him from keeping it light. During one pretrial hearing in March 2022, two-and-a-half years after Thompson’s case first hit his desk, Lasnik unleashed some classic deadpan to admit he was still lost in all the tech terminology. “Boy, am I nostalgic for somebody shooting somebody,” he said. “That, I understand.”

Sardonic as Lasnik’s crack may have been, it was more than a little alarming to hear the man presiding over a major hacking case, in the year 2022, confess he was still playing catch-up on all this computer crime stuff. It was also relatable. For all our screen time and scrolling, how many of us truly understand how our information gets stored, let alone secured, online? Or just how exposed we are? Sure, some low-level awareness of our vulnerability arrives with every two-factor authentication code texted or emailed to us. And maybe we’ve learned that a free gift card offer never comes from a good place. But ultimately, we entrust our digital lives to institutions that aren’t as impenetrable as they may seem. “Security is about understanding and mitigating risk,” one AWS higher-up said during the trial, “not about guarantying security.”

The Capital One hack should’ve shaken us all. Of the roughly 106 million people whose personal information Paige Thompson had downloaded, about 100 million lived in the U.S.—that was close to 40 percent of the adult population at the time. The breach was so big that attorneys on both sides of the trial had to acknowledge their data could’ve been compromised. The government called it the second-largest hack of personally identifiable information (PII, in security parlance) in history.

As the prosecution would outline, Thompson created a program to scan the remote servers of Amazon Web Services accounts for a firewall vulnerability—like someone testing 37 million doorknobs all at once. Thompson didn’t know exactly whom or what she’d find behind those virtual doors. But once she obtained security credentials for the unprotected hosts and downloaded their data, she could see lines upon lines of information.

Most of it—names, addresses, dates of birth—was innocuous. Still, for a fair share of victims, Thompson had managed to download some of the most sensitive PII—about 140,000 Social Security numbers and 80,000 bank account numbers.

The scale of the breach would be a nightmare for any company, especially one tied to personal finances. All of a sudden, the slogan “What’s in your wallet?” sounded a bit more intrusive than Capital One had ever intended. The credit card giant set aside $190 million for affected consumers in a class-action settlement. It also forked over an $80 million fine to a federal regulatory agency for cybersecurity shortcomings since migrating its IT to the cloud.

But Capital One was hardly the only Amazon Web Services client with a faulty firewall. Thompson downloaded data from more than 30 entities, ranging from a software startup in California to Michigan State University. The hack crystallized the breadth of the Seattle-based cloud computing giant’s influence over modern life, an invisible backbone for everything from Netflix streams to cloud security software itself.

Thompson understood the gravity of what she’d done. “Ive [sic] basically strapped myself with a bomb vest,” she wrote in a Twitter direct message.

Her intent was less clear. In that same thread, she wrote that she wanted to distribute “ssns…with full name and dob.” Separately, she also grouped the information of some Seattle residents together. And, as with seemingly all tortuous digital drama these days, crypto was involved: She made about $10,000 mining digital currency on hacked servers.

But Thompson never actually shared or sold the customer data she acquired beginning in March 2019. Maybe the authorities had stopped her before she could. Or, as her defense team and allies would suggest after she pleaded not guilty that September, maybe she’d merely wanted to expose a security vulnerability, rather than exploit it.

Lasnik had never heard of a “white-hat,” or ethical, hacker before Thompson’s case ended up in his court. Despite his tech illiteracy, he took pains to demonstrate he wouldn’t be overly punitive for reasons unrelated to the charges of computer fraud and abuse, wire fraud, access device fraud, and aggravated identity theft. In November 2019, about 100 days after Thompson arrived at the Federal Detention Center in SeaTac, he granted her release to a halfway house in Seattle. He acknowledged her struggle as a trans woman being held in the male wing of the jail. “I’m doing this because I care about your mental health and your physical, medical health,” he told her, while warning her he was still “going out on quite a limb here.” A month later, he’d let her move to an apartment with an ankle monitor.

The timing was fortuitous for Thompson. A trial originally slated for mid-2020 wouldn’t commence for another two years in the U.S. District Court for the Western District of Washington as Covid froze dockets. The world was veering more online, more into the cloud, leaving us increasingly vulnerable to hackers lurking in the digital shadows. Or, as in the case of Thompson, hiding in plain sight.

For a few months in 1994, the most wanted hacker in the U.S. worked on the IT help desk at Virginia Mason Medical Center on First Hill.

Kevin Mitnick changed his name and settled into a new life as Brian Merrill. After so many months on the run, the notorious computer fraudster found an apartment near the University of Washington. He exercised at the local YMCA and dined at a cheap Thai restaurant. He even took a server there out on a few dates.

But one damp October night, 25 years before the FBI came knocking on Paige Thompson’s door, a group of police officers and Secret Service members busted through Mitnick’s. They seized a laptop, floppy disks, and tapes from someone they suspected was stealing phone service from McCaw Cellular Communications—someone named Brian Merrill. They didn’t know yet they’d walked into the home of a world-renowned computer hacker who’d stolen software from Motorola and others.

Mitnick, who’d been out working on his resume at Kinko’s when the cops came by after losing the Virginia Mason job, didn’t press his luck. He fled that night, staying in a motel by Pike Place Market before hopping a bus to Tacoma and a train to Portland. From there he’d travel across the country. But his near capture in Seattle signaled the beginning of the end. In February 1995 the FBI nabbed him in Raleigh, North Carolina.

All of a sudden, the slogan, “What’s in your wallet?” sounded a bit more intrusive than Capital One had ever intended.

Mitnick’s five-year prison term came relatively early in the war on cybercrime. Most prosecutions hinge on the Computer Fraud and Abuse Act, which prohibits accessing a protected computer “without authorization” or “exceeding authorized access.” The law didn’t even exist until 1986, around the time that the word “hacker” began to acquire a darker significance.

The word first surfaced at MIT in the 1960s as a term of endearment for a certain type of countercultural coder—someone who detested gatekeeping, reveled in problem-solving, and could see a better world in all those ones and zeros. Yet, in the early ’80s, writes journalist (and former hacker) Kevin Poulsen in Kingpin, it acquired a double meaning: “a talented programmer who pulled himself up by his own bootstraps, and a recreational computer intruder.” To make matters more confusing, “many hackers were both.”

While terrorists and governments have since ascribed a scarier meaning to “hack,” tech leaders have taken some of the edge off the word. Corporate hackathons try to harness the old-school hacker energy without all the subversiveness, especially in Seattle, where the convergence of booming software and arts scenes attracted some of the first computing enthusiasts testing the bounds of corporate grunt work and digital insurgency.

Camaraderie in the city’s hacking community persists today with “capture the flag” competitions, in which geeks trawl for hidden items in deliberately vulnerable programs, and with security conventions like HushCon. It’s also an increasingly malleable term. Now we can hack anything from popping Champagne corks to folding a fitted sheet.

But hacking can still cripple us in multiple ways. At the outset of the pandemic, a fraud ring swindled an estimated $45.6 billion from unemployment departments across the country, including about $645 million from Washington. And last year, a ransomware hack of a national health care chain delayed a procedure for a brain bleed at St. Michael Medical Center in Silverdale and throttled basic operations at St. Joseph Medical Center in Tacoma. In between these headline-grabbing crimes, the number of cyberattacks in Washington rose from 38 in 2020 to 245 in 2021.

Oftentimes, says U.S. attorney Nicholas Brown, hacks originate overseas. But one of the biggest took root right in our backyard.

The vending machine dispensed M&Ms and USB cables. The long white work tables could each fit a startup’s worth of laptops. For nearly a decade, Metrix: Create Space on Broadway was a virtual Candy Land for a cadre of hackers—and a haunt for Paige Thompson.

A cybersecurity worker named Falcon Darkstar Momot met her there before Metrix closed in 2018. Momot came to know Thompson as seemingly everyone else did back then: as both a brilliant mind and, sadly, a bit of a troll. She’d try to get a rise out of people by saying things “that would really freak a person out,” Momot recalls. She lectured them about password security and ventured into hyperbole on the regular, blowing things out of proportion. “You know, if you see a star, you describe it as the moon.”

Like other friends and acquaintances, Momot viewed her attention-seeking as a way of reaching out from a void of isolation. As cries for help.

Falcon Darkstar Momot met Thompson at a hangout for Seattle's robust cybersecurity community.

Image: Mike Kane

Born in Kansas City, Missouri, in 1986, Thompson grew up primarily in Arkansas with a single mother and, eventually, an abusive stepfather before moving to the Seattle area, according to filings by her defense team. From a young age, she found solace in computing and dreamed of working in a tech hub. But she struggled to focus on her studies, dropping out of high school after just one year. An ADHD diagnosis offered another possible explanation; later, she’d pin more of her distress at that time on “gender incongruity,” also according to a filing by her defense team. She wouldn’t start gender-affirming care until 2008, roughly a decade after uprooting to the Pacific Northwest.

As a teenager in Washington, while she bounced between homes in Seattle and the suburbs, she found a stable community via the internet. She fit in with a similarly precocious clique of computer wizzes sharing knowledge and laughs through Internet Relay Chat. On this messaging platform, Thompson went by the moniker “zero.”

Tim Carstens first encountered “zero” on IRC shortly after Thompson’s arrival here. They discussed computer programming, the Linux operating system, and other “really nerdy things,” Carstens, a principal engineer at a hacker-founded Seattle startup, testified during her trial. In a group of talented upstarts, Thompson stood out as “one of the more capable.”

But “zero” also earned a reputation for spamming other members of the group. Soon, a different handle took hold, one she’d claim until the time of her arrest: “erratic.”

When he eventually met Thompson, Carstens noted that her mercurial communication style manifested in person, too. He didn’t mind so much; the two have been friends now for more than two decades. But he watched Thompson change jobs every year or two as others’ careers took off.

At the same time, with all that technical sophistication at her disposal, it was easy to understand why companies kept taking chances on her. Even one with everything to lose.

We live in the cloud now. Binge a Netflix drama, book a Delta flight, run a Roomba, and you’re not just supporting the companies in front of your eyes; you’re indirectly lining the pockets of the tech titan they depend on for cloud computing services. In those cases, and in the case of a certain credit card provider, that’s Amazon Web Services.

While Prime deliveries dominate headlines and casual conversation about Amazon, the web services subsidiary of the e-commerce giant is quietly its real moneymaker. In 2021 AWS accounted for three-quarters of the company’s profits. As much as many Seattleites love to bypass all those Amazon shipments and Fresh grocery runs on principle, every time they go online they’re basically seeding the retail operations they avoid. “AWS is down! Half of the internet is down!” one Reddit thread proclaimed during an outage in December 2021 that broke everything from Disney+ to smart home doorbells.

The rise of AWS and its closest competitor, Microsoft Azure, has dovetailed with an increasingly remote world. Businesses no longer need clunky “on-premises” servers, blinking and burning in the company closet. Organizations of different sizes can rent as much server space as they need from closely guarded data centers around the world.

The hack crystallized the breadth of the Seattle-based cloud computing giant’s influence over modern life, an invisible backbone for everything from Netflix streams to cloud security software itself.

None of these are in Washington—the nearest data centers line remote areas off the Columbia River in Oregon—but the brainpower that spawned these clouds still emanates largely from Seattle. Amazon created AWS in 2006 after realizing its own internal IT prowess could be marketable to others. Before Jeff Bezos stepped down in 2021, he tapped then AWS CEO Andy Jassy as his successor.

Throngs of AWS employees circulate every day between glossy towers in South Lake Union, not far from the federal courthouse. On the second day of Thompson’s trial in June 2022, Judge Lasnik stepped out for lunch and saw about 15 AWS backpacks and sweatshirts on his trip to Whole Foods. As Lasnik put it after returning from recess, “The army is out there.”

For a fleeting period, Paige Thompson belonged to this legion. She landed a systems engineer role at AWS in May 2015, working on the servers at those distant data centers for a sizable salary. She could finally afford her own apartment.

But “mistreatment” from a coworker sent her on a downward spiral, according to a court filing by her defense team. The bullying conjured past verbal abuses and reminded her why she’d avoided corporate tech culture before joining Amazon. In 2016 she quit her job and became more isolated as she failed to find a new one. She lost the apartment and, running out of money, agreed to move into the Beacon Hill home of a man she met on Craigslist—one who stashed firearms in his bedroom.

Thompson, gaunt with brown hair down to a shoulder tattoo, slept on a twin mattress in a small bedroom. She’d struggled with mental health and substance abuse problems before, and her depression grew as her world shrank and her cat fell ill. She was remarkably candid about a life that was, as Momot put it to the court, “entirely mediated via computer.” While she managed to get sober, her digital behavior only became more disturbing.

A Seattle couple obtained protective orders against her in 2018 following a series of messages they deemed harassment and stalking. And in May 2019, just two months before the FBI’s raid, Thompson DMed a former coworker on Twitter that she would “shoot up” an office in California, according to a police report. She later added that “maybe spd could do something kind and come over and shoot me.”

Thompson was never arrested for these incidents. Her defense team noted they were matters of mental health, not public safety—she didn’t have the money or means of transport to get to that office in California.

Friends also say she wasn’t materialistic or greedy—Tim Carstens wrote that she’d choose Popeyes in Renton over sushi in Belltown, Target over Nordstrom. Her motivation for her breach of AWS customer servers, they assumed, was to expose their vulnerability to the public.

If that was her intent, Thompson didn’t go through traditional channels to do so. After the hack, she posted information about it on the software development site GitHub. Then she started one fateful Twitter conversation.

For a couple of days, Kat Valentine ignored the rando who’d slid into her DMs. Someone with the Twitter handle “erratic” had started talking about strapping herself with a bomb vest and “dropping capitol ones dox,” including “ssns…with full name and dob.” This user even posted some links to GitHub.

At first, Valentine, an information security consultant and hacking enthusiast living in Antioch, California, at the time, sat on the outlandish claims. She had a friend who loved to prank. It was probably her. Or maybe just someone who saw the hacker-themed shoes Valentine posted about on Twitter and read a little too much into them.

But as “erratic” kept prodding (about “jacked” data, about how she was “ready for this to end”), Valentine finally bit. She asked why this stranger wanted to out themselves to her.

“Im ready to check the fuck out,” Paige Thompson wrote back. “I dont care if its jail or death.”

When Valentine didn’t respond, Thompson grew hostile. She dropped some '90s hacker shade, calling her a “lam3r” for doing nothing with the info. So Valentine blocked her. But not before sending one last message. “Go snitch on yourself, fbi dot gov big homie.”

Thompson never did. A couple weeks later, on July 4, a friend of Valentine’s pointed her to a provocative tweet. Valentine had blocked its author: “erratic.” She decided to reexamine those GitHub links after all. A quick Google with her friend confirmed their hunch that the information there represented downloaded credit card data. Her friend recommended she report it to Capital One. After two weeks of deliberation, on July 17, Valentine worked up the nerve to email the massive company.

Clear my calendar, Michael Fisk told his admin on the morning of July 18. Capital One’s deputy chief information security officer was on his way down to the operations center at the corporate offices in Virginia. He’d just been notified of a disturbing email from a whistleblower. It included a link to directions for breaching the company’s firewalls. This, he knew right away, was big.

A day later, after a call with Capital One to discuss how she got access to the link, Valentine would send another email with screenshots of her Twitter conversation with Thompson. The one where Thompson said she wanted to “distribute” Social Security numbers and other personally identifiable information. Now Fisk was even more concerned. For the next two weeks, he and his colleagues would practically live in Capital One’s security offices while the FBI investigation got underway.

In the meantime, Amazon Web Services examined whether it had held up its own part of a shared security model. While AWS must secure the hardware of the cloud—software and all those data centers—protecting data in the cloud falls on the customer. Even the cloud can’t help if you don’t read the manual. “The responsibility for this ended up on Capital One’s side,” AWS incident response leader Steve Schuster said on the first day of witness testimony. Fisk admitted the firewall installation was a “misconfiguration.”

U.S. attorney Nicholas Brown didn't view Thompson's case as all that difficult to understand. "What she did was break into a business and steal stuff."

Image: Mike Kane

That word became a focus in a trial that boiled down to authorization and access. The defense didn’t dispute that Thompson created a program to scan for firewall vulnerabilities, or that she obtained credentials to access data. Attorney Brian Klein, representing Thompson, argued anyone could have done so. But some employees at Capital One decided to configure the firewall this way. If a company made sensitive information public unwittingly in the process, had it granted authorization to access it?

The federal government’s oft-amended Computer Fraud and Abuse Act left room for interpretation. Enough to inspire the LA-based Klein, who represented Facebook whistleblower Frances Haugen, to join the case pro bono with Thompson’s Seattle public defense team. Before the trial, Klein advocated for a strict “gates up or gates down” reading of authorization. Federal prosecutor Jessica Manca preferred a different metaphor. “Dropping a set of keys gives someone access to a home. It doesn’t give that same person authorization to enter the home.”

Other entities had fumbled their firewalls, too. But Capital One’s cybersecurity operation touted 700 employees and a budget in the hundreds of millions, according to Fisk. That did not make, as judge Robert S. Lasnik would point out, for a very sympathetic “victim.” Especially since Kat Valentine’s tip wasn’t the company’s only hint of a hack.

The scrawl on the hotel stationery baffled Eric Brandwine.Open Socks Proxy35.162.65.136Can Hit IMS – Lots ofSecurity – Credentials

The vice president and distinguished engineer on the Amazon Web Services security team had seen numerous tips over the course of his career, but—a physical note? In the year 2019? At a gathering of tech professionals? Weird. They’d always come in electronically.

Brandwine and some of the company’s other top technical talent had assembled at a Sheraton downtown in May 2019 for an annual offsite in Seattle. The conference was supposed to be restricted to Amazon employees.

Who handed this to you? he asked the fellow principal engineer who’d passed it to him.

The colleague responded, to Brandwine’s recollection, “‘I was just given this and asked to give it to you, and so that’s what I’m doing.’”

While the message clearly signified a security breach, Brandwine couldn’t ascertain more without any contact information to follow up. He took a picture of the note and sent it to the on-call that day. Then he forgot all about it.

Turned out the IP address belonged to Capital One. AWS told its customer about the note. But the credit card company didn’t turn up anything that it deemed worth pursuing at the time. (“Capital One acted swiftly and comprehensively to resolve the breach and mitigate any potential harm to consumers,” a company spokesperson wrote in a statement.)

Later, after Valentine’s email, Capital One executives would submit a working theory that either Thompson or an associate had tried to slip them the note. But the company’s theory got some basic information wrong, like the location and timing of the conference.

The origins of the message weren’t settled at trial. The defense suggested Thompson may have been behind it, but it never put her on the stand to provide a definitive answer. Lasnik deemed it “an unproven fact.” And for whatever reason, nobody pushed Brandwine too hard on why he didn’t seek more information from his colleague about the note’s courier. So the question lingered: Had Thompson tried, belatedly, to responsibly disclose her hack? To be an ethical, or white-hat, hacker?

Her defense team would argue that she “freaked out” after downloading the data and contacted multiple people to elevate the security risk. She never took the step that Kat Valentine did, emailing Capital One’s responsible disclosure email account. But this traditional avenue for reporting a vulnerability is a controversial one in the hacking world. Companies often have little incentive to go public if they’ve been hacked. And with the muddy Computer Fraud and Abuse Act still the standard, the line between being seen as a Good Samaritan or a suspect is a shaky one to traverse. Perhaps Thompson was just scared, her lawyers posited.

Still, many actions before a disclosure are definitively on one side or the other, according to David Kohlbrenner, a codirector of the Security and Privacy Research Lab at the University of Washington. Acquiring personally identifiable information—those all-important bank account and Social Security numbers—as an external party, like Paige Thompson did? Not even close. “That’s over the line.”

On June 17, 2022, the jury delivered its verdict. After 10 hours of deliberation, it found Thompson guilty of wire fraud, unlawfully obtaining information from a card issuer, “transmitting a program, information, code, or command to a computer, intending to cause damage,” and four counts of unlawfully obtaining information from a protected computer. (She was found not guilty of aggravated identity theft or unlawful possession of unauthorized access devices.) A sentencing date would come later.

Afterward, Thompson walked from the courthouse to Fonté Cafe with Falcon Momot and a few other supporters. Over coffee, Thompson admitted she’d said some stupid things, Momot recalls. For the first time, she recognized the cost of her online behavior, even if she didn’t know exactly what the consequences would be yet.

Waymon Ho turned around and tried not to act surprised. It was August 15, 2022, and the FBI computer scientist was on a Delta flight back to Seattle after spending the weekend at Def Con in Las Vegas. It should have been a tranquil trip home, but a loud man behind him rendered earplugs futile. Ho grew even more distracted when he finally heard the other side of the conversation. He recognized that voice. A glance backward confirmed it: Right there, in seat 19B, was Paige Thompson.

Less than two months after her conviction, Thompson had hopped a plane to check out the world’s largest hacking convention, Ho gathered as he jotted down everything he could eavesdrop. The man next to her had attended, too. They talked about vulnerability research and malware and the video game Counter-Strike. Before parting ways, the man expressed interest in joining Thompson’s Internet Relay Chat. She floated the idea of forming a capture the flag team for next year’s convention.

“Ten judges might come up with ten different sentences in this situation,” Lasnik acknowledged.

Prosecutor Andrew Friedman would bring up this chance encounter at the sentencing hearing on October 4. At this point, Thompson’s online activities had been under strict supervision for years, and though she’d gotten permission to attend Def Con, her internet use was supposed to be limited to job-seeking activities. Her conversation on the plane about hanging out on Internet Relay Chat suggested she’d strayed. (Thompson and her defense team denied she’d done anything online unrelated to employment.)

Friedman and company recommended seven years of prison for Thompson, well under the sentencing guidelines of 210 to 262 months. Thompson’s legal team countered with time served and supervised release. Then, for the first time, Thompson addressed the court with a statement.

She’d recently received an official diagnosis of autism spectrum disorder, she said, something she’d suspected but never known for sure. She wanted to be “gainfully employed again, and contribute something meaningful to the world.” Judge Lasnik asked if that was all. “Thank you, sir,” she replied before correcting herself. “Thank you, Your Honor. And I’m very sorry about this.”

Before making his judgment, Lasnik reminded the court that prison can be especially rough on trans people. Even if the Bureau of Prisons had changed its policy since Thompson went to jail back in 2019—Thompson could now potentially land in a women’s prison—a 2024 election result could jeopardize that guidance.

Lasnik wouldn’t take the chance. He sentenced her to time served and five years of probation. Her electronic devices would be continuously monitored. “Ten judges might come up with ten different sentences in this situation,” Lasnik acknowledged. His son would later inform him he was getting killed on Reddit.

Nicholas Brown wasn’t happy, either. He’s hardly a punitive guy by prosecutor standards—Brown helped institute a moratorium on the death penalty in Washington state. But the first Black U.S. attorney for the Western District of Washington took the rare step of expressing his disappointment with the judgment in a statement after sentencing. “This is not what justice looks like.”

A few months later, in his corner office, Brown didn’t want his words to come off as an indictment of Lasnik. He respects the judge. He called Lasnik’s concerns about Thompson’s health in prison “valid.” But he worries the sentence won’t deter any hackers or quell consumer anxiety. And, for all the back and forth during a case that spanned three years, Brown wasn’t sold Thompson’s hack was really all that complicated. “What she did was break into a business and steal stuff,” he says. “And I think people understand that.” (Later, she’d be ordered to forfeit about $10,000 in crypto earnings mined via hacked clouds, and, more symbolically, pay Capital One more than $40,750,00 in restitution.)

In late 2022, Thompson appealed the court's denials of separate motions for a new trial and acquittal, as well as her sentence, forfeiture, and restitution judgments. Friends reported she was living in a stable home with supportive roommates and a new cat.

And though she declined to be interviewed for this story through her attorney, her voice has started to resurface online. Her blog includes techno set lists, a game idea, and a key for encryption. It has a disclaimer up top. “Please do not use this key to contact me about illegal activities. My communications are subject to monitoring, and I’m not interested.”

She’s ditched the “erratic” handle on Twitter, and her quest to rejoin the ranks of Seattle tech workers has led to a flurry of LinkedIn activity. On top of her profile, Thompson lists services she can provide to potential clients. Among them? Cybersecurity.

Year in Review

12/27/2022BySeattle Met Staff

Tour Notes

02/08/2023ByAngela Cabotaje

ICYMI

02/22/2023ByAngela Cabotaje and Benjamin Cassidy

Tech Talk

03/08/2023ByAngela Cabotaje