The Washington Post

The first suspected Heartbleed hacker has allegedly struck before

The first suspected Heartbleed hacker is a 19-year-old kid with a faint mustache, short black hair, and a disposition that’s so diffident his lawyer often refers to him as “a nerd, a stereotypical computer geek.” But he’s a computer geek, his lawyer says, with a history of hacking.

On Wednesday, the Royal Canadian Mounted Police announced the arrest of Stephen Solis-Reyes, which the agency said went down “without incident.” Accusing the Ontario man of the “malicious breach of taxpayer data from the Canada Revenue Agency,” it charged him with two criminal counts of illegal cyber activity and alleged he had used Heartbleed to steal 900 social insurance numbers.

His apprehension was the first arrest related to the now-infamous Heartbleed computer bug, which analysts say skilled hackers can manipulate not only to mine Internet passwords, but also to design fake Web sites to trick users into forking over personal information.

There’s little doubt, his attorney, Faisal Joseph, told The Washington Post, that his client has skill.

Raised in a family where computers were as familiar as toasters, the 19-year-old tinkered with programming for years. Dad Roberto Solis-Oba teaches classes on computer technology and his studies include “parallel algorithms” and “data mining,” according to his university biography.

Joseph said Solis-Reyes’s fascination with hacking began at a young age. “Here’s the background,” Joseph said in a phone interview. “This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.”

The attorney said the school officials were nonplussed. “They said they’d like to test it themselves. He was a quote computer nerd unquote and they didn’t take him seriously.”

So the 14-year-old, Joseph claims, went into the computer system and found “all the confidential information.” But then, right when things could have turned criminal, Joseph said his client stopped. “He could have changed everything, and changed nothing,” Joseph said.

Messages left with the London District Catholic School Board weren’t answered by Thursday morning.

This was apparently a successful chapter in Solis-Reyes’s life. The Globe and Mail reports he was part of a high school team that won a district-wide programming competition. In 2011, when he was still years away from graduating high school, he authored this Blackberry app called SodokuSolver that “can solve Soduku puzzles for you … solutions are computed almost instantly.”

The high school student, however, apparently wasn’t as successful with friends. “He was very smart, but he was kind of a loner,” one ex-schoolmate told Fort McMurray Today.

Months after Solis-Reyes entered his second year at the University of Western Ontario — and less than one week after news of Heartbleed broke — the Canada Revenue Agency reported a problem. Nine-hundred social insurance numbers had been stolen. Investigators suspected it was related to Heartbleed.

Days later, cop cars rolled up to Solis-Reyes’s London house, which he shares with his parents and siblings. “They scared the hell out of the family,” Joseph said. The authorities confiscated his phone and every computer in the house. “They wouldn’t let me see him [after he was arrested] and his father [was] an emotional wreck.”

Joseph said he hasn’t spoken to the 19-year-old yet about the state’s accusations, and hasn’t determined whether they are true. “This whole thing has been a dog show and a circus,” he said.


Roberta Solis-Oba, father of Stephen Arthuro Solis-Reyes who has been charged in connection with exploiting the “Heartbleed” bug to steal taxpayer data from a government website, leaves the family home in London, Ontario April 16, 2014. The suspect was arrested at his home in London, Ontario on Wednesday and faces criminal charges of unauthorized use of computer and mischief in relation to data. REUTERS/Geoff Robins (CANADA – Tags: BUSINESS CRIME LAW SCIENCE TECHNOLOGY)
Terrence McCoy covers poverty, inequality and social justice. He also writes about solutions to social problems.



Success! Check your inbox for details. You might also like:

Please enter a valid email address

See all newsletters

Show Comments

Sign up for email updates from the "Confronting the Caliphate" series.

You have signed up for the "Confronting the Caliphate" series.

Thank you for signing up
You'll receive e-mail when new stories are published in this series.
Most Read



Success! Check your inbox for details.

See all newsletters

Your Three. Videos curated for you.
Play Videos
This isn't your daddy's gun club
A look inside the world of Candomblé
It's in the details: Five ways to enhance your kitchen makeover
Play Videos
A fighter pilot helmet with 360 degrees of sky
The rise and fall of baseball cards
Is fencing the answer to brain health?
Play Videos
John Lewis, 'Marv the Barb' and the politics of barber shops
How to prevent 'e-barrassment'
The art of tortilla-making
Play Videos
Circus nuns: These sisters are no act
How hackers can control your car from miles away
How the new credit card chip makes purchases more secure
Next Story
Soraya Nadia McDonald · April 17, 2014

To keep reading, please enter your email address.

You’ll also receive from The Washington Post:
  • A free 6-week digital subscription
  • Our daily newsletter in your inbox

Please enter a valid email address

I have read and agree to the Terms of Service and Privacy Policy.

Please indicate agreement.

Thank you.

Check your inbox. We’ve sent an email explaining how to set up an account and activate your free digital subscription.