
On his second day at a new position in 1986, an unemployed astronomer was asked to account for a 75-cent bookkeeping discrepancy. Ten months later, he had uncovered a Cold War KGB spy network.
His name was Cliff Stoll. Trained as an astronomer with wild Einstein-style hair and a doctorate in planetary science, he had been working on telescope optics for the future Keck Observatory in Hawaii. When his grant ended, he ran out of astronomy funding. With no research money left, the Lawrence Berkeley National Laboratory in California — a major U.S. Department of Energy facility — reassigned him to the computer center to keep him employed. Stoll, who barely knew Unix at the time, became a sysadmin there.
On his second day in the new role, his supervisor Dave Cleveland came into his office and mentioned a small glitch in the lab’s billing system. The lab charged researchers for every second of computing time. The previous month’s accounts were 75 cents short on a total bill of $2,387. Cleveland casually asked Stoll to determine from that month’s system ledger records where the missing 75 cents had gone.
Anyone else would have dismissed it as a simple rounding issue. Stoll calculated by hand and discovered the lab’s accounting system did not round numbers properly.
So someone had used nine seconds of computing time without payment. This meant someone somewhere was accessing the lab’s system who was not supposed to be.
The intruder used a username Stoll had never encountered before, only one word.
Hunter.
What followed became one of the strangest solo manhunts in computing history.
Stoll realized within days that Hunter was not a confused student or a curious acquaintance of an employee. Hunter had superuser privileges — full administrative access to the entire system — gained by exploiting a flaw in GNU Emacs that almost no one on Earth yet knew about. From inside Berkeley’s machine, Hunter used the system as a stepping stone to infiltrate other networks: Air Force bases, Army installations, defense contractors, NASA, MIT, and military command systems across the United States.
Stoll, more curious than worried at first, began watching.
He spent one well-known weekend gathering fifty borrowed teleprinters and terminals from co-workers’ empty desks, dragging them into the lab on hand trucks, and physically connecting them to fifty modem lines feeding Berkeley’s computer center, so that when Hunter logged in, Stoll could record every keystroke on paper in real time. He kept the setup running. Every time the printers clattered, he rushed in from across the lab.
He bought a pager. He attached it to his belt. He shared the number with no one except the lab. Whenever the pager rang in the middle of the night, it signaled Hunter was online — and Stoll would jump onto his bicycle and ride at full speed across Berkeley to the lab to observe live as a stranger half a world away moved through American defense systems. He often slept under his desk for nights at a time. His girlfriend, Martha Matthews, brought him sandwiches and hand-knitted sweaters. The unofficial joke in the lab was that Cliff Stoll had become part of the furniture.
He went to the FBI. They essentially dismissed him — no significant money was missing, and the lab handled no classified material. He went to the CIA, who were polite but uninterested. He approached the NSA. He contacted the Air Force Office of Special Investigations. He spoke to anyone willing to listen. For months, almost no one in the U.S. intelligence community considered a 75-cent discrepancy important enough to act on in any serious investigation.
So Stoll continued investigating alone.
He noticed the intruder logged in at the same time each day, in patterns suggesting he operated from somewhere in central Europe. He observed a 1200-baud modem connection, slow and unstable. With engineers from the long-distance carrier Tymnet, he traced the connection across the United States — to a defense contractor in Virginia, back across the Atlantic, then through a satellite to West Germany, and finally — astonishingly — to an apartment in Hanover, at the end of the trace.
But West German authorities needed him to keep the intruder connected for at least 45 minutes to complete a trace. Hunter usually logged in for only ten or fifteen minutes at a time.
So Stoll and his girlfriend Martha devised a solution. One morning in the shower, while discussing ideas, they created a plan they jokingly named “Operation Showerhead.” Stoll built a fake department on the Berkeley network — a fictional office working on Ronald Reagan’s Strategic Defense Initiative (“Star Wars”) — and filled its files with detailed but useless bureaucratic material. He invented an imaginary secretary called “Barbara Sherwin” and stocked her files with hundreds of pages of fabricated reports designed to impress a Cold War spy.
By most accounts, what he built became the first honeypot in cybersecurity history.
The trap worked. Hunter, eager, stayed on Berkeley’s computer for hour after hour downloading fake SDI files. West German police completed the trace. They knocked on the door of an apartment in Hanover and arrested its occupant — a young West German hacker named Markus Hess, who, along with accomplices Dirk Brzezinski and Peter Carl, had been breaking into roughly 400 U.S. military computers over several years during the Cold War, copying everything they found onto floppy disks, and selling it to a KGB officer code-named “Sergei” through a Soviet trade office in East Berlin.
The total payment they received from the KGB across the entire operation? About $54,000 in cash — and, according to records, some cocaine was involved too.
Hess and his group went to trial in 1990. The Berlin Wall had recently fallen. The Cold War was ending. The judge ruled that the damage to West Germany was minimal. They received suspended sentences of about two years. They smiled when the verdicts were announced. None of them served prison time at that point.
Cliff Stoll traveled to Germany to testify against them. He returned to Berkeley. He wrote it all up — first as an academic paper titled “Stalking the Wily Hacker” in Communications of the ACM, and later in 1989 as a New York Times bestselling book called The Cuckoo’s Egg, which remains, more than thirty-five years later, required reading in nearly every major cybersecurity course around the world.
Stoll never stopped being amazed by it all. He returned to making unusual things — most famously, he started a small basement business producing hand-blown Klein bottles, strange mathematically impossible glass shapes with only one surface. He gave lively, slightly chaotic TED talks. He wrote books. He kept his Einstein-style hair. By all accounts from people who met him, he was one of the kindest, gentlest, strangest, most intelligent figures of the early internet era.
He passed away in May 2024, aged 73.
But the lesson he left behind has outlived him and will likely always remain.
History does not always pivot on dramatic events. Sometimes it turns on a 75-cent error in a billing report that any ordinary sysadmin, on any normal day, would have ignored entirely.
The world’s first cyber-espionage ring was uncovered because one curious astronomer, on his second day at a new job, refused to ignore it.
Pay attention to the small details.
Sometimes they are the only signals anyone ever sends you.
