by Dr. William Sen
digitalwelt-Columnis for Computer Security and Information Law
One of the best known and most notorious cybercriminals is Kim Dotcom (formerly known as Kim Schmitz), who now resides in New Zealand and is waiting to be extradited to the USA (as of November 2024).
Kim Dotcom in the 1990s
Kim Dotcom’s story began in the mid-1990s when he was using his real name Kim Schmitz. He was known as a member of the so-called hacker subculture ‘Release Scene’. During these times, phone fraud was a necessary evil for many of the members of this Release Scene to exchange data over long distances.
Until the mid-1990s, hackers were always looking for ways to circumvent communication charges with different methods of hacking. One of the tricks was to be involved in the trade of illegal calling cards. The service offered by the communication companies to make calls from anywhere with a 14-digit number opened new opportunities for telephone hackers who called themselves Phreakers — a derivation from the word ‘Phone Freak’. Using various methods, Phreakers at the time succeeded in outwitting communication providers with stolen or even hacked numbers, and thus making calls at the expense of others.
The Internet as we know it today did not exist at that time. Via so-called Bulletin Board Systems (BBS) — called ‘boards’ among the hacking scene — hackers used to exchange illegal data over normal telephone lines. The connections between American and European BBS in particular turned out to be very cost-driving, and thus illegal calling cards were considered a welcome offer.
During that time, Kim Dotcom was one of the hackers trying to create his own counterfeit calling cards to sell them within the Release Scene.
Kim Dotcom was considered neither an experienced computer artist nor a programmer in the Release Scene. When he was young, he worked his way into the Release Scene relatively quickly, which mostly consisted of highly qualified hackers.
Like most members of that scene who gained entry and respect as programmers or with other skills, he was able to make a name for himself as a supplier of illegal calling cards.
Kim Dotcom got his launch in the scene by opening his own bulletin board system called “House of Coolness”, and by providing pirated copies of data through his BBS. Using a modem, scene members simply dialed into his system.
The trade with pirated copies had been booming in the scene for a long time, which is why his BBS was accepted quickly by the scene as a trade platform. He also primarily used his BBS to sell his fake phone cards. His pseudonym in the Release Scene was Kimble.
Kimble also came up with the idea of providing a party hotline for the members of the Release Scene who had to pay by minute. Since the members also dialed into this party hotline with fake or stolen calling cards, he was able to make money on every call. At the same time, listening to the party hotline enabled him to sneak inside knowledge from the scene.
Kim Dotcom’s own Bulletin Board System
It was precisely the business with his own BBS (Bulletin Board System) and the trading of pirated copies inside the BBS that caused a blowback on Kim Dotcom. At this point in the late 1980s to the mid-1990s, it was Günter Freiherr von Gravenreuth, a lawyer from Munich, Germany, who persecuted pirates on behalf of the software industry. Von Gravenreuth also gained the attention of the media as being the inventor of making it a business model by sending out copyright infringement notices in a mass scale — his endeavors later ended in a dramatic death, when he was sued by one of the major news magazines.
Von Gravenreuth was also known at the end of the 1980s as a hunter of people who were spreading infringing material. One of his methods was mostly to let former members of the Release Scene work for him, who were despised in the scene as busters (meaning a ‘traitor’ or ‘snitch’). These busters were given the task of gaining access to the password-protected BBS through undercover investigations, in order to pass evidence on to the Gravenreuth office, whose work culminated in police search warrants. Von Gravenreuth’s business model consisted in intimidating tactics to coerce copyright infringers to pay a certain amount as an amicable agreement. Only later did it become known that more than 60 criminal charges were filed against von Gravenreuth for fraud, blackmailing and extortion by several District Attorneys in Germany.
Kim Dotcom’s First Arrest
Kim Dotcom’s BBS was accessed by a buster, and his data was saved as evidence. When the police officers only wanted to confiscate his BBS and pirated copies to collect evidence of copyright infringement in his little town in Kiel, Germany, they were astonished to find hundreds of counterfeit phone and credit cards, and devices for creating and counterfeiting cards in a mass scale.
Kim Dotcom faced the German court for the first time, and the value in dispute was then estimated at around two million marks, the equivalent of 1.02 million euros / 1,2 million U.S.-Dollars. After Kim Dotcom’s arrest and the upcoming civil suit initiated by von Gravenreuth, something unusual happened: Kim Dotcom decided to cooperate with von Gravenreuth. Shortly afterwards, an unusual amount of arrests followed in the Release Scene and the hackers had identified a new snitch as a buster: Kim Dotcom.
Von Gravenreuth officially responded to the allegations that Kim Dotcom had handed over his own hacking scene to the police as a ‘consulting activity’. At the same time, von Gravenreuth supported Kim Dotcom in court against the allegation of telephone fraud. The acts of Kim Dotcom were seen by the German court as the acts of a naive young man who lived out his technical skills and was not fully aware of the illegality of his acts. At that point, nobody suspected that Kim Dotcom would one day be wanted by the FBI and face a 20-year prison sentence in the United States.
Kim Dotcom had lost his connections to the Release Scene because he was now considered a traitor as many of his contacts and friends were now confronted by the police and had to fight Gravenreuth’s extortion tactics: pay an amount or face the consequences in court.
Kim Dotcom and the Chaos Computer Club
Looking for new contacts and hackers, Kim Dotcom applied for a membership in another scene, namely at that time the world’s biggest hacking club in the world — the Chaos Computer Club (CCC). Gaining access to the CCC was relatively easy for Kim Dotcom, as at that time there were no connections between the CCC and the Release Scene.
The press spokesman for CCC Lutz Donnerhacke himself once had said that the so-called Release Scene with all its BBS and telephone hacks did not exist and was just a myth. This showed how successfully the Release Scene was able to protect itself against all kinds of publicity at the time. It was 5 years later that the Release Scene became known to the public through the FBI’s investigation called Operation Buccaneer, and when the FBI titled the organization a “highly organized syndicate”.
However, the fact the Release Scene was considered a myth even by other hacking groups gave Kim Dotcom an advantage: The information that Kim Dotcom was a traitor and collaborator did not make it to other groups or hacker groups. Kim Dotcom’s days were known in the Release Scene only and were by then distributed via so-called NFO files — documents used and distributed only within in the Release Scene.
That way, Kim Dotcom was able to gain access to the members of the Chaos Computer Club without any obstacles. With the newly equipped jargon from the Release Scene, he was able to reap the respect of the CCC members.
During his encounters with the CCC, he found out that the club had been able to hack the GSM mobile network of the mobile phone company Mannesmann Mobilfunk and thereby were able to clone counterfeit GSM phone cards. The GSM network was the former mobile network, comparable with the 4G LTE or 5G network today.
At that time, the CCC had officially published and named the method as the ‘GSM Hack’ to draw the company’s and society’s attention to the security vulnerabilities of the mobile network. This publication had caused bad press against Mannesmann.
Immediately afterwards, Kim Dotcom made public that he also had allegedly built a device that would exploit security gaps in T-Mobile’s (former Deutsche Telekom) GSM network; and he also called it the ‘GSM hack’. This caused confusion in the press, and the ‘GSM Hack’ hit the headlines once again, but this time as the invention of Kim Dotcom.
Eventually, Kim brought the device to the premises of the Chaos Computer Club hoping the club would further boost his media reach. When Dotcom presented the device to the leading members of the Chaos Computer Club, he was exposed as swindler as his device only simulated a hack. Kim Dotcom allegedly connected several mobile phone numbers with dummy cables and had created an illusion in order to give the impression of a sophisticated technology. He supported his deception with a simple software using BASIC, which displayed complex but fake calculations on the screen. This led to Kim Dotcom’s ban from the CCC.
Kim Dotcom’s Work for T-Mobile
After Kim made his ‘GSM Hack’ public as a member of the Chaos Computer Club. Although he was banned from the club short after he got in touch with them, he would claim to be a leading member of the CCC when talking to the press.
T-Mobile, not savvy in the weeds of the culture of hacking and their organizational structures, responded and invited Kim Dotcom to their headquarters in Bonn, Germany. Kim Dotcom accepted the invitation to appear with several of his own lawyers and his hacking device. The meeting’s observers, who saw the device in alleged action, are said to have seen impressive technical skills of a young hacker. Apparently even the technicians who were present were quite impressed.
T-Mobile announced a short time later that Dotcom would now help the company to fix the GSM network’s vulnerability. This finally brought Kim Dotcom the controversial consultancy contract of 30,000 DM (approx. EUR 15,000) per month, which from then on became his supposed main income — today comparable to an annual salary with a wage value of approx. USD 390,000.
The Chaos Computer Club knew that Kim Dotcom was not able to understand how the GSM network worked and his device was just smoke and mirrors. Thus, they rightfully speculated the consultancy agreement was just a payoff to let go of the matter as it was a part of a Non-Disclosure-Agreement (NDA).
The CCC also tried to clarify that Dotcom had taken advantage of the club’s knowledge and its popularity with the GSM hack in order to trick T-Mobile into a contract with a fake device. According to CCC statements, Kim Dotcom had performed no work as they couldn’t identify anybody inside the company who had knew or worked with him — other than the lawyers that were present during that one single meeting.
Kim Dotcom’s First Company
A short time later, Kim Dotcom founded his first own company called Data Protect. Thanks to his fame through the so-called GSM Hack, which he declared to be his own invention, Kim Dotcom got the attention of the German TV news channels.
As part of his company selling propositions, he then built another software that allegedly revealed security gaps in companies. However, the first TV appearances that presented his software also caused discussions in the hacking scene that his software was a mere simulation in BASIC. Von Gravenreuth himself finally provided the proof: The software was able to mass-dial the extensions of employees in an office to find out if a modem would pick up.
When a modem picked up, Kim Dotcom could claim that someone had illegally accessed the company’s work computer. These were mostly employees who wanted to work from home and therefore had gained access to their office’s computer by connecting through a modem — it was a time where laptops were not wide spread and employees had to find innovative ways to work from home. If no modem picked up at all, Kim Dotcom would say that the company was “secure” from hacking attempts.
In the years 1997 to 1999, during the internet boom, the German press was interested in German success stories from the IT industry. Immediately, Kim Dotcom pretended to be a young millionaire who made his way from an illegal hacker to a successful young entrepreneur, and claimed to have a fortune of 250 million Euros.
Equipped with a high reputation thanks to the press, Kim Dotcom started to built numerous websites, including kimble.com. At least 300 pictures of him were shown on his website: Kim in his own helicopter, Kim on his yacht, Kim in his villa, often accompanied by beautiful modelling women. His tactic initially was to charter helicopters, yachts and expensive cars and temporarily use stickers with his own logo on them, and to collect as much photo material as possible. Short later, he claimed during his appearances that his goal was to become one of the hundred richest men in the world.
Kim Dotcom’s Manipulation on the Stock Exchange
This new awareness gained Kim Dotcom recognition in the investor scene and inside the world of stock marketers during the IT boom in the late 1990s and early 2000. Eventually, Kim Dotcom sold his company Data Protect and founded a new company called Kimvestor.
It was the right time for Kim Dotcom to pull another trick: The announced bankruptcy of a company called Letsbuyit.com, which had successfully positioned itself as a rival to eBay and Amazon. Like many other IT companies, the Letsbuyit.com was on the verge of bankruptcy due to the downfall of the IT bubble in the 1990s. Kim Dotcom bought numerous shares from the company at the low of the share price. Finally, he used his outreach in the press and announced that he would save the company with an investment of 50 million euros. As a consequence, the share price skyrocketed due to the announcement, but an investment by Kim Dotcom never followed. That brought Kim Dotcom more than a million Euro in profits, along with an arrest and sentence to parole for insider trading. Shortly before, he had presented himself to the public as ‘King Kimble the First’, and ‘Ruler of the Kimpire’.
After his arrest, Kim Dotcom criticized Germany as a country and broadcasted on its website that the country was poisonous for successful people like him, called it the “German Poison”, and left the country. He named Finland as his new place of residence, where he is said to be seeking Finnish citizenship.
Update in 2024:
Kim Dotcom removed all of his websites from 2001 to 2007. In 2007, the first investigations by journalists revealed that his name appeared in connection with the largest pirate website called Megaupload, which allegedly accounted for more than 4% of the total illegal trade in the Internet. Following an FBI investigation, he was arrested in New Zealand in 2012.
When the lawsuits against Kim Dotcom aimed to extradite him to the United States, he took the opportunity to go public again.
Meanwhile Dotcom presents himself as an ethical hacker who has started the fight against media companies in the public interest. Critics claim that Dotcom is influencing the weak political structures in the relatively small country of New Zealand through heavy public relations in its favor, just to prevent extradition.
The lawsuits in New Zealand are still pending to determine whether Kim Dotcom will be extradited. He is facing a 20 years sentence in the United States for racketeering, conspiring to commit copyright infringement, and conspiring to commit money laundering.
by Dr. William Sen
Dr. William Sen has been a computer expert for over 25 years. He has published numerous books and articles in the field of network security and hacker culture, including for TV and radio. William lives in San Diego, California.
digitalwelt-Columnis for Computer Security and Information Law
New Zealand will allow almost anyone with lots of money to migrate there and become a citizen. Just look at Peter Thiel. He hasn’t even lived in New Zealand yet he’s been given a New Zealand passport.