Millions of Records, Millions of Euros: Inside the Mind of Hacker Pepijn van der Stap
At the beginning of 2023, authorities arrested 20-year-old Pepijn van der Stap at his seaside apartment in the Dutch town of Zandvoort. Around a dozen officers stormed his home, surrounding the young man, who was renowned within professional circles as a high-caliber cybersecurity specialist. However, van der Stap’s arrest marked the culmination of a two-year investigation: behind the façade of an expert who had safeguarded hundreds of companies from cyberattacks lay a master hacker and the country’s most prolific “collector” of stolen data.
Pepijn had been captivated by computers from a young age. Previously celebrated in the Netherlands for his achievements in cybersecurity, he frequently presented his work at industry conferences. Yet, his obsession with data collection overpowered ethical boundaries. By the age of 20, van der Stap had already amassed the personal data of hundreds of millions of individuals—likely nearly the entire population of the Netherlands. Court documents suggest that the scale of his crimes was unprecedented in the nation.
For two years, police monitored van der Stap’s activities through wiretaps and software on his devices. He accumulated data, building his personal “archive” on encrypted hard drives, both from his own hacks and through exchanges with other hackers. Investigators allege that the data was meticulously organized into thousands of folders. Van der Stap himself often stated he collected information to maintain a top position within the hacking community. Police believe such data collections were frequently used to threaten companies.
The sum of money found with the hacker exceeded 600,000 euros, highlighting the scale of his operations. Whatever his financial motivations, van der Stap continued to work legitimately, using his cybersecurity job to pay for his apartment and living expenses. According to him, money was insignificant; his “trophies” were the data he collected.
From an early age, Pepijn displayed unusual interests. At school, he stood out for his passion for programming, teaching himself PHP at the age of 10. He spent most of his time at the computer, avoiding typical childhood pastimes. In adolescence, his fascination moved online, leading him to connect with other hackers and eventually to delve into cybercrime. His first major hack was an attack on the servers of the educational institution he attended. For this incident, he went through the Hack_Right rehabilitation program, designed to prevent juvenile cyber offenses. Later, Pepijn secured employment with Dutch and British cybersecurity firms, where he was known as an exceptional talent.
Nonetheless, by 2021, he had returned to criminal activities. His targets included universities, corporations, and even cryptocurrency exchanges. He stored the stolen data on servers outside the jurisdiction of European authorities and occasionally threatened victims for the data’s safe return. In one instance, after breaching Ticketcounter’s systems, he demanded 7 bitcoins to preserve the data, prompting the company to report the incident to the police.
By 2022, however, van der Stap, weary of his double life, decided to “step out of the shadows.” He approached several companies, offering to help rectify their vulnerabilities, and began collaborating with the Dutch Vulnerability Disclosure Institute. Soon, he gained recognition for his contributions to the cybersecurity community. Yet in March of the same year, an old acquaintance persuaded him to carry out one more attack on Virgin Media O2, compromising the data of 49 million users. Van der Stap demanded $750,000 for the data’s return and later received $764,450 in cryptocurrency.
A lengthy police investigation culminated in Pepijn’s arrest in January 2023. Authorities tracked him through IP addresses, email, phone numbers, and cryptocurrency wallets used in attacks since March 2021. They discovered his archives containing 33 terabytes of stolen data, divided into more than 4,000 folders. The scale of the discovered data was staggering: investigators were unable even to estimate the exact number of victims.
Following his arrest, those around van der Stap expressed shock and disappointment. His colleagues in cybersecurity were stunned to learn that one of their own had been a hacker. One former employer called it a “betrayal,” while another lamented that such a brilliant mind had turned to crime. Fellow Hack_Right participants also felt deep disappointment. The arrest dealt a blow to the reputation of the Dutch Vulnerability Disclosure Institute, which lost funding and narrowly avoided bankruptcy.
In November 2023, van der Stap was found guilty of computer system breaches, extortion, theft of non-public data, ransomware distribution, and laundering at least 1.5 million euros. Given his age and confession, he received a four-year prison sentence with the possibility of release after three years, followed by a three-year probation period.
Currently, van der Stap is serving his sentence in a prison on the outskirts of Amsterdam. He is undergoing psychological therapy and admits he is relieved to end his exhausting double life. Upon release, he plans to change fields entirely and pursue studies in biochemistry and medicine.