What Is a Red Hat Hacker? Time to Unravel the Mystery


You might be familiar with terms like "black hat" and "white hat" hackers, but what is a "red hat hacker"? Red hat is a relatively new term that defines a very specific type of hacker with specific motivations. The term is feared by cyber criminals and viewed with conflicted opinions by law enforcement.

In this article, we'll cover what makes someone a red hat, the characteristics of a red hat hack, and some real examples of these hackers in action. 

So let's examine the unique space these individuals take in the hacking community and answer, "just what is a red hat hacker?"

What Is a Red Hat Hacker?

Lurking on the outskirts of the hacking community, red hat hackers are akin to cyber security vigilantes. Similar to white hats, they make it their mission to shut down the efforts of black hat hackers as well as cyber criminals in general. On the other hand, their approach is more aggressive than ethical.

Instead of helping targets secure vulnerabilities, a red hat might go as far as using methods that not only stop black hats in their tracks, but render their computer and hacking resources ineffective. Whether it's flooding a network or destroying a server, red hats are diligent in their efforts to neutralize cyber criminals.

What Are the Different Types of Hackers

The shades of the aforementioned hacking categories have historical significance. The red hat is no different. Red has long been associated with revolutionary characteristics such as strength, courage, and sacrifice. The connection runs from the red garb adorning Roman soldiers and gladiators to the Soviet Union adopting the color for its flag on the heels of the Bolshevik Revolution.

Cyber security pundits have been known to view red hat hacking through a polarizing lens. Some appreciate their any-means-necessary approach to stamping out cyber crime. Others believe their tactics are illicit and every bit as dangerous as those employed by villainous black hats.

What Does a Red Hat Hacker Look Like?

What is a red hat hacker? In order to answer this question, it helps to understand the attributes that define them.

Red hat hackers are essentially vigilantes. While their efforts may aid law enforcement, they'd rather operate alone and allow others to reap the fruits of their labor. Picture Batman and the Gotham Police Department.

  • Black Hat Hackers: Targeting organizations and everyday consumers alike, black hat hackers represent the prototypical cyber criminal. They make it their business to compromise sensitive data via malware, phishing, and other means that allow them to profit from the attack.
  • White Hat Hackers: Also known as ethical hackers, white hat hackers use their skills to counter the nefarious efforts of their black hat counterparts. When they breach a system, it's done for the purpose of identifying vulnerabilities and helping potential victims avoid the costly repercussions of a cyber security attack.
  • Gray Hat Hackers: Gray hat hackers typically will not exploit vulnerable systems with malicious intent. However, they have been known to break into private systems without the target's knowledge or consent, and may even play the black hat role of leaking confidential information to the public. 
  • Red Hat Hackers: The vigilantes of the hacker community, red hats take an aggressive approach to bringing down cyber criminals. Their tactics toe the ethics line and are often shunned by law enforcement. At the same time, they are highly skilled and tend to get results.

If there is one aspect that separates red hats from the pack, it's their methodology.

A red hat hacker's toolkit is stocked with many of the same utilities found in a cyber criminal's toolbox. Their methods include, but are not limited to:

  • DDoS attacks: A Distributed Denial of Service attack disrupts a targeted network or service by flooding it with internet traffic.
  • Malware: Viruses, trojans, and other malicious software are designed to remotely compromise targeted systems. Once installed, malware may be used to control the system, steal information, or render the machine unusable.
  • Social engineering: A method used to persuade unsuspecting people to visit rogue websites, share personal information, or take other actions that compromise their security measures. Relying on human engagement rather than traditional hacking, it’s often the first layer of an elaborate cyber attack.

Red hats have garnered the reputation of hacking for fun, which may create the illusion of untrained hackers who lack the skills and sophistication to make a real impact. On the contrary, some are just as skilled as ethical hackers and other certified cyber security professionals, be it through self-education or formal training.

Red Hat Hacking Examples

Defining the concepts and characteristics of a red hat hacker is simple enough. Identifying instances of red hat hacking in the real world is a tad more complex. The media tends to prioritize stories that highlight the devastation of black hat exploits. Furthermore, some have questioned whether the existence of red hat wielders is more myth than reality.

There are countless hackers who work tirelessly to bring down cyber criminals. Red hats don't have the fanfare or visibility of their white hat contemporaries. Similar to the quintessential vigilante, their methods are viewed as questionable at best.

So what is a red hat hacker? The following examples offer a better understanding of who they are, and how they operate.

Anonymous Attack on Child Pornography

Anonymous first surfaced in 2003. Since then, the infamous hacker group has stayed busy and in the news, claiming responsibility for a number of high-profile exploits that run the gamut of the color spectrum. However, one instance has a particular crimson-shaded slant.


In 2011, Anonymous launched Operation Darknet, a crusade that targeted dark web websites hosting child pornography. The strike took specific aim at Lolita City, at the time the largest child pornography site on the web's underbelly. After launching a DDoS attack, the group managed to crash the targeted servers, which left site operators vulnerable to other exploits as they scrambled to get services back online.

Anonymous leaked the usernames of approximately 1600 registered members from Lolita City alone. The onslaught resulted in Lolita City and dozens of other sites being permanently shut down. What's more, the leak allowed federal authorities in the United States to track down identities that ultimately led to the arrests of multiple site owners and operators.


Anonymous continued its targeted vigilante efforts in 2017. In what has been reported as the largest attack of its kind, a single member of the group claimed responsibility for taking down well over ten thousand dark web sites. According to a Newsweek interview, the attack represented 20 percent of the dark web, half of which was attributed to child pornography.

The Revenge of Ghost Exodus

Perhaps best known by his alter ego, Ghost Exodus, Jesse McGraw seems to take a more relaxed approach to red hat hacking. He received a nine-year federal prison sentence in 2011 for hacking into the nursing station computer system at the North Central Medical Plaza, where he worked overnight security. 

Today he runs GhostExodus.org, a blog dedicated to stopping cyber crime through information and awareness.


One of the more intriguing accounts on the blog highlighted McGraw's own experience with a scammer posing as a civil rights attorney.

At first glance, everything checked out. The impostor assumed the identity of a real attorney based in Mexico. After verifying his credentials on the State Bar Registry and the attorney's official website, the two agreed to chat via phone.

During the conversation, the scammer further wowed McGraw with his passion and knowledge of the civil litigation process. Confident that he'd found a trustworthy professional, McGraw sent the trickster $100 via Cash App to cover the costs of filing fees. The scammer blocked him immediately after receiving the funds.

Upon realizing he had been duped, McGraw threw on his crimson hat and shifted into Ghost Exodus mode. Equipped with the cell phone number the con artist provided, he used a simple reverse phone number lookup to find a name, which he cross-referenced on the social media accounts associated with it.

McGraw followed up by uploading the scammer's profile photos to facial recognition and reverse image search engine PimEyes. He used the results to build a comprehensive profile of the man behind the con. A criminal background check revealed that the scammer was a seasoned criminal with an exhaustive list of petty crimes and had even spent time in prison.

What became of the scammer is unclear. However, McGraw did notify the real attorney that a fraudster was using his name to swindle unsuspecting people for money. He also managed to reverse the Cash App transaction with the aid of a friend.

When analyzing the facets of this elaborate scheme, it's easy to see how even a skilled hacker such as Ghost Exodus could fall victim to the ruse. The scam artist employed the tried and true method of social engineering. A hallmark of phishing, black hats often use this technique to prey on the emotions of prospective victims and lure them into a false sense of security. Paired with malware and other tools, it can be alarmingly effective.

Scammer Payback

What is a red hat hacker? YouTube channel Scammer Payback may represent the best example yet.

The owner of the channel is dedicated to turning the tide on cyber criminals — and having a little fun in the process. Since 2019, he has been harnessing the power of video to show that some scammers aren't as savvy as they may think.

As the name suggests, Scammer Payback sets its sights on the classic scammer: the smiling swindler who uses deception to hack into the hearts and wallets of hapless victims.

The accounts range from uncovering where scammers are physically located to seizing stolen funds and routing them back to the victims. More importantly, they demonstrate a prototypical red hat hacker at work.

A scroll through the library of published content shows that Scammer Payback is big on transparency. Most videos provide a detailed recap of how various tricksters were defused, some by way of live streams that allow viewers to experience these interactions in real time. This transparency can be seen in the methods used to hunt down scam artists.

How we find real scammers!

According to the above video, we learn that the hunt is largely a community effort as subscribers are encouraged to submit tips via email. From there, Scammer Payback makes contact with the suspected fraudsters and goes to great lengths to expose their schemes. Exposure could be as simple as revealing phone numbers to so-called support centers that no longer exist, or as involved as unmasking the identities of the people behind these plots.

In another video, the virtual vigilante targets a scammer wielding the popular refund scam, this time using a combination of phishing, social engineering, and malware. Upon calling to inquire about the refund, a fake support agent convinces the fake customer to install a program that would grant remote access for the purpose of addressing the issue.

Unbeknownst to the agent, that same program allowed the red hat hacker to reverse the connection and gain access to her computer. While playing the role of an oblivious consumer with limited IT knowledge, the caller was at work deleting SYSTEM32 on her computer, the folder that houses the most critical files on a Windows operating system.

The video provides a candid perspective of the scammer's frustration upon learning they've been victimized.


Fueled by the idea of cyber security justice, the mysterious red hat hacker believes in taking the fight right to the bad guys. Their principles are rooted in knocking off the black hats before they have a chance to inflict untold damage across the digital landscape. If the efforts of Ghost Exodus and Scammer Payback are any indication, the red hat army may be ready to step out of the shadows and further unravel the mystery that has long shrouded their kind.

  • StationX Team

    We are a UK-based cyber security training and career development platform established in 1999. We have over 500,000 students in 195 countries. We empower the next generation of professionals to reach their highest career potential.