I feel conflicted.

On the one hand, it was illegal.

On the other hand, they were bad people and it was very cool.

I once attempted to describe the “hacker mindset”, which is less about technology, and more about trying to find innovative ways to do things – for many “old-school” hackers, it was far more about solving puzzles.

Over the years, the word “hacker” has become more and more difficult to define. Depending on the context and the person speaking, the word can mean “OG computer people, who wanted information to be free”, to hats of various colours, to various other terms which cover a vast range of skill levels and motivations.

In fact, the way the term is used often tells more about the speaker than about the person being described. For some, hacking is a noble pursuit, while “cracking” is for criminals. For others, there are no real distinctions made regarding intent or level of skill.

So, given the baggage associated with the term, how can the word “hacktivism” be any easier to define?

Roughly-speaking, the term refers to the use of computer-based action to bring about social change, and attempts were made by early hackers to define the word in terms of the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR), particularly Article 19 of the ICCPR, which reads (in part):

Sadly, these attempts appear to have failed, and groups have been named (by themselves or others) “hacktivists” even when doing things that violate the intent of this early attempt to clearly define the term. The idea that “information wants to be free” seems inconsistent with actions such as the defacement of websites or DOS (Denial of Service) attacks which make websites unavailable.

Nowadays, many “hacktivist” groups appear to be state-aligned or state-influenced, if not state-controlled. Some of this may be for “plausible deniability”, such as the “Guardians of Peace”, who claimed credit for the Sony Pictures hack in 2014, though they (aka, Lazarus Group, as I have mentioned before) are most likely controlled by the government of North Korea.

On the other hand, some groups are more open about their motivations, such as the IT Army of Ukraine, which is focused on the defence of Ukraine and attacks on the invading Russian army.

And yet, we can still see what I would consider more “traditional” hacktivism, focused on making the world a better place, which brings us to the Chaos Communication Congress, organized by the Chaos Computer Club (CCC).

The easiest description of this conference for a North American audience might be the “European DEF CON”, but that would not really be a fair comparison. For one thing, founded in 1981, CCC is a non-profit organization which may be the oldest major hacker organization still active, and has a much larger membership (7000+) than most other similar organizations.

They provide a clear set of ethical guidelines, including:

• Access to computers - and anything which might teach you something about the way the world really works - should be unlimited and total. Always yield to the Hands-On Imperative!

• All information should be free.

• Mistrust authority - promote decentralization.

• Hackers should be judged by their acting, not bogus criteria such as degrees, age, race, or position.

• You can create art and beauty on a computer.

• Computers can change your life for the better.

• Don't litter other people's data.

• Make public data available, protect private data.

During the 2025 Chaos Communication Congress, there was a presentation called: “39C3 – The Heartbreak Machine: Nazis in the Echo Chamber”, in which two journalists (Eva Hoffman and Christian Fuchs) appear with a hacker known as “Martha Root”, dressed as Pink Ranger, and gave a presentation describing their investigation into three white supremacist sites known as WhiteDate (described as “Tinder for Nazis”), WhiteChild (described as a service that claimed to match white supremacist sperm and egg donors), and WhiteDeal (described as a labour marketplace for racists).

During the course of the presentation (and with thanks to YouTube subtitle translations from German), Hoffman and Fuchs described the site, users, and the results of their investigation, while Martha Root described how she used AI bots to “catfish” some users, how the site had security settings which “would make even your grandma’s AOL account blush”, and how she copied 100GB of data, which was forwarded to a non-profit whistleblower site, where it could be accessed by vetted journalists.

So far so good, right?

Why would I be conflicted about that? Martha Root compromised a site dedicated to white supremacists and Nazis, which was already being investigated by law enforcement.

After the presentation came the Q&A, and the first question was (translated via YouTube): “I wanted to ask if the Federal Office for the Protection of the Constitution had investigated something, did they at least take down or shut down the websites?”

In response, Martha Root noted that the sites had not – to her knowledge – been shut down, but that the data would be available to journalists in the next few days. She then spent a minute or two setting up a demonstration (while the audience whistled the Jeopardy theme-music).

She opened a terminal, then executed a Python script called “lol.py”, which started printing messages. There was silence for a moment, then applause and cheering which grew as the process continued...

There, in real-time, Martha Root’s script logged into and deleted all three sites, the filesystem, database, backups, and various email and social media accounts.

This is why I am conflicted. While there is no doubt in my mind that the world is better without those sites, actively deleting them crosses a line.

But they’re white supremacists and Nazis!

Doxxing them is one thing, but deleting the sites is another.

But they’re Nazis, so I really won’t shed a tear for them... You see my dilemma?

As a follow-on, Troy Hunt (the security researcher who runs Have I Been Pwned (HIBP)) posted about this very case. When he recently received the data for this breach, he marked it as “sensitive”, which simply means that it is not publicly searchable and email addresses associated with the breach can only be verified by someone who controls the addresses.

Of course, someone complained to him about it.

In his post, Mr Hunt describes his position more fully than I can, and I agree fully with his position (though, in fact, it doesn’t much matter what I think about it – he’s the one who runs the service), though I will add a few notes.

First, HIBP is NOT a doxxing site, so providing details of users and such to the public is entirely outside the scope of the service. Second, Mr Hunt is being entirely consistent with his stated policies around what constitutes “sensitive”, and there is exactly nothing which suggests that this definition implies anything about his own opinion regarding the service (though he makes it clear in his post that the site includes behaviours which definitely do not align with his personal values).

In addition, Mr Hunt has put an enormous amount of thought and effort into the ethics around HIBP, and his opinions and policies are well thought-out, clear, and clearly described. He is meticulous about ensuring that HIBP is as close to “above reproach” as it is possible to be, which is probably why so many governments and law enforcement services use the service.

And, finally, the individuals attacking Mr Hunt for not providing details of the breach seem to be unaware that (whatever your opinions are regarding doxxing) the ENTIRE data set is available on the doxxing site to which Martha Root sent it. Coverage of this event noted that fact clearly, which suggests that these posters were complaining without bothering to find out even the basics of the story.

HIBP is an excellent service. About that, at least, I feel no conflict.

Cheers!