A few years ago I saw the blooming of new IRC communities. In fact I haven't seen so many people in IRC channels since the end of the last century.

Since I'm a security researcher and sysadmin I was interested in this topic so I joined a small community on one of the bigger IRC servers. The atmosphere was nice and not at all hostile. The topics were mostly politics and the lastest news from hacks on the news.

There was this one guy I briefly talked to and he said that he was still in school and always trying to find new security tools. The tool he recently found was Nikto a simple webserver scanning tool that automatically tries to find badly configured sites and tested against kown vulnerabilities.

He was a nice kid but obviously a script kiddie so I didn't talk to him very long.

"lol, check this out" -scriptkiddie

A few hours later, close to midnight, he sent me a private message via IRC with a link to the official website of a political party with the text "lol, check this out". The link was like this http://political-party-website/stuff (only with the real domain of course). It didn't look suspicious at all since it was the real domain and I thought the path /stuff was some sort of download section or maybe a login form but no..

Inside of /stuff

The /stuff folder had directory listing enabled so you could see all files in that folder from your browser. I didn't look too much around, clicked a few things but seemed like just some directory where the admin put files up that were linked somewhere on the page.

I didn't use a VPN or proxy because I only wanted to talk on IRC and usually I don't click on any links but in this case the link seemed official and clean I didn't think about it.

Since it was late I shut down my PC and went to bed.

"The website of a political party has been hacked last night" - All news sites

The first thing I did after waking up was scrolling through the news on my phone. It was all over the news that the exact website I was surfing on yesterday was hacked and usernames, emails and hashed passwords were published on pastebin. The kiddie obviously found some exploit in the /stuff directory and used it to gain access to the server.

I was on a site around the time it was hacked and I had no proxy or VPN.. oh fuck

The raid

Four months later I was picking up my girlfriend from the trainstation and driving back home. I didn't think about the /stuff folder anymore but when I opened the door we were greeted by the police, counter terrorism agents and a state-prosecutor. In all 7 people who were very polite and explained that they have evidence that I have hacked the website of a political party and that they have a search warrant.

Raiding police src

They thought that I was the script kiddie and that my VPN failed for a moment and that's why they saw my public IP address.

Search warrant

I was also asked for my password and if I had any encrypted data on my PC (which I didn't have at the time).

After the first shock

We sat down at the table and I told them what happened and how my IP got in there. I told them about the script kiddie, the link and that I wasn't using a VPN because I did nothing wrong but of course they were sceptical even thought one of the agents said my story sounded plausible to him.

I was mostly talking to the agent of the federal agency for counter terrorism (in german "Bundesamt für Verfassungsschutz und Terrorismusbekämpfung) and he said we had to go to the next police station where he can enter my statement into the police computer.

What they took

The police said they had no intention in jailing me since after surveilling my phone calls and my movements for weeks they didn't think I was a "big fish" but rather they might find the real bad people through me. Little did they know that I was just some dude who clicked a link he shoudln't have clicked.

I didn't sleep well the next days and weeks and often had the fear that they will charge me for something I didn't do and I had dreams of innocently going to jail.

What did they take? EVERYTHING

They took all my computers, spare harddrives, USB drives and laptops - all my equipment. They were sighing when they saw how many computers and harddrives I owned since they said they had to look through every one of them, look at all images, skip through all videos and had to document everything.

They said it would roughly take a year until I get everything back since I have so much data. They were right.

About a year later I got everything back Some of my things

Thanks to the lucky coincidence that I just put all my personal and company files to my cloud (at the time: Dropbox) just a few days before the raid, I didn't lose any data. The police also said they fear cloud data the most because they need different and most of the time international search warrants to get data from Google or Dropbox.

How did it end?

A year and a half after I clicked the link, the case was dropped because no evidence pointed at me and what I did (clicking a link) was not illegal.

Everything ended well except that I had to buy a new computer because the government kept mine for a year.

Dropping the case

One funny thing though

After getting my drives back I checked one of my USB drives and it had a .docx file on it that didn't come from me. In this Word file there was a photo of some guy (unpixeled). I have no idea who that is (maybe the script kiddie?) but the federal agency must have put it in there by accident.

random dude

Don't click on links from random people on the internet!