Atlanta firm hacks, breaks into businesses — for hire

Some of Bonnie Smyre’s stories from work sound like cheesy thriller movies.

One of her favorites:

She put on generic black-framed glasses. She tucked her red locks under a wig. It was cheap looking and blond, shining brightly — like a … cheap wig — but to her amazement, security officers in the New York City high-rise didn’t seem to notice her. She slipped onto an elevator and sneaked into a financial services firm.

Toying with an unattended computer, she found her way into the guts of software the company used to track investments. Within minutes, she was ready to start draining the life savings of the company’s clients.

Of course, Smyre didn’t steal the money. She isn’t a thief. She works for Raxis, an Atlanta cybersecurity firm that will hack or break into your business for a fee.

It might sound like a strange idea for a business, but the reason it exists is obvious: cybersecurity becomes more important and urgent all the time as devastating data breaches become more frequent. In the long and growing list of hacking victims, you’ll find Home Depot, the city of Atlanta, the Georgia Department of Public Safety and the U.S. government.

In 2019, 205,280 organizations said they’d been hit in a ransomware attack, in which the hackers shut down computer systems and demanded a ransom, according to the New York Times. That was a 41% increase from the year before.

Companies and institutions must figure out how to keep their systems safe. In its short history, Raxis has already racked up a long client list, including Delta Air Lines, Ferrari, GE, Nordstrom and Southern Co.

Investment in cybersecurity is a necessity for these large firms, as well as smaller ones that could founder after a costly hack. Repairing the damage is often expensive. When the hackers demand a ransom, things get worse.

In December 2019, the average payment made to attackers was $190,946, and several organizations faced demands for millions, according to data obtained by the New York Times.

The problem is expected to get worse before it gets better because so many businesses and organizations are behind the curve.

“Some of the hacks are, ‘I found one thing.’ A lot of the hacks are, ‘I’ve found a lot of little things, and I put them together,’” said Smyre, who started as an “ethical hacker” at the company and now is the chief operating officer. “It does sort of feel like some of the movies about hacking sometimes.”

Credit: Mark Puckett

Credit: Mark Puckett

The company was founded in 2011 by Mark Puckett. He’d worked in cybersecurity at various companies around metro Atlanta and saw the need for a firm that could take a hard look at other companies and find their vulnerabilities. As others who’ve started similar firms have, Puckett thought: What better way to attack the hacker problem than to hack?

Raxis started with two employees and now has 15.

None of them went to school for hacking or figured it out in their mother’s basement. They generally end up at Raxis after spending years working with computers and for whatever reason becoming interested in this corner of the cybersecurity industry.

That’s how Smyre found herself donning that wig. She used to work at the University of North Carolina, doing web development. One day, her high school classmate, CEO Puckett, told her about his new business, and she decided to join up.

She learned the services the company offered and how to provide them. Because the industry is fast-changing, sometimes the research is hands on, creating software and trying to break into it yourself, or falling down obscure Google rabbit holes.

It isn’t just computers that Raxis helps clients secure. They have to contend with any eventuality. They try to clone employee ID badges to get into buildings. They search company websites for little trapdoors to exploit. They scrutinize passwords (or in some cases, tell their clients their systems need to be password protected.)

“Once you get started, it’s just fun,” Smyre said. “It’s exciting. It’s a puzzle.”

The pandemic hasn’t slowed them down much. Raxis has started using a remote device that clients plug into their own network to allow the ethical hackers, quarantined somewhere, to pretend they are in the building.

On the company YouTube page, employees do demonstrations and give tips about security. In one video, a worker managed to hack a Tesla and drive away with it. (Thankfully, it belonged to him.)

And, yes, sometimes, Raxis employees wear wigs.

As it happens, the high-rise job Smyre worked a few years back serves as a good example of the sometimes surreal gig she and her co-workers signed up for at Raxis.

They were there to see if they could sneak into the building (check), slip into the financial services company (check), hack into internal software (check) and, ultimately, show the firm it indeed needed the help Raxis was offering (check).

Before Smyre and a co-worker went in, they’d researched the company and heard a lot about the breakroom, which employees had praised. Smyre went to the breakroom and saw why everyone liked it. It was fully stocked with a wide selection of free food and drinks.

She texted one of the client’s bosses to say she agreed — awesome breakroom.

A few moments later, he appeared.

How did you get in here? he said.