Back to all insights
Picture of Shane Brown

Shane Brown

The WANK Worm

The WANK Worm: When Someone Hacked NASA and Got Away With It

This is the first story in a series about hackers who pulled off major attacks and were never caught. These are the ghosts in the machine. The ones who walked away clean.

October 1989: The Perfect Storm

The Berlin Wall was about to fall. The Cold War was ending. And NASA was preparing to launch Space Shuttle Atlantis with 49 pounds of plutonium-238 on board.

The mission was Galileo, a probe headed to Jupiter. The power source was radioisotope thermoelectric generators. The problem was Challenger. Three years earlier, that shuttle had exploded 73 seconds after launch, killing everyone on board.

Anti-nuclear activists were terrified. What happens when Atlantis blows up with plutonium? The answer: radioactive material scatters across Florida. Millions of people get exposed.

Protests erupted. Lawsuits got filed. The Florida Coalition for Peace and Justice organized demonstrations at Kennedy Space Center.

But someone decided the real protest would happen inside NASA’s computers.

The Network They Forgot to Protect

NASA’s internal network was called SPAN (Space Physics Analysis Network). It connected research facilities, labs, and space centers across the country and around the world. The Department of Energy ran a parallel network called HEPnet. Both ran on Digital Equipment Corporation technology using VAX minicomputers and VMS operating systems.

Security was a joke. Many accounts used the default username and password: DECNET/DECNET. Some had no password at all. The FIELD account, a default service account, was often left wide open. Administrators shared credentials freely.

A year earlier, a harmless worm called “Father Christmas” had crawled through these same networks sending holiday greetings. It exposed the exact same weak credentials. Administrators were warned. Most did nothing.

October 16, 1989: The Attack

System administrators at NASA Goddard Space Flight Center woke up to chaos. Login screens were gone. In their place was a massive ASCII art banner:

W O R M S   A G A I N S T   N U C L E A R   K I L L E R S

Your System Has Been Officially WANKed

You talk of times of peace for all, and then prepare for war.

That last line came from “Blossom and Blood” by Midnight Oil, an Australian rock band famous for anti-nuclear activism. This was not random. This was a signature.

The worm spread fast. Machines slowed to a crawl. Accounts locked out. Processes spawned faster than anyone could kill them. Users saw randomized messages: “Vote anarchist.” “The FBI is watching YOU.”

Then came the psychological weapon. Users logging in saw what looked like their files being deleted one by one. A dialogue appeared that would not stop or cancel. Panic erupted. People started wiping their own systems, destroying real data to save it from a threat that did not exist.

The file deletion was completely fake. A bluff designed to maximize chaos.

The CERT Coordination Center at Carnegie Mellon received word the same day. Their advisory opened with: “This is NOT A PRANK.”

How It Worked

The worm was written in DCL (DIGITAL Command Language), the native scripting language of VMS. Not a compiled binary. A shell script. Sophisticated but readable.

Here’s what it did:

It changed the default DECnet password to lock administrators out. It stole credentials and mailed them to a specific mailbox on the network (user GEMPAK at SPAN node 6.59). It renamed itself to look like a legitimate network process. It replaced the system login with the WANK banner. It disabled mail to the SYSTEM account, cutting off administrator communication. It displayed the fake file deletion sequence. It created a backdoor through the FIELD account with full system privileges.

Then it spread. The worm scanned for usernames, tried blank passwords or passwords matching the username, copied itself to remote systems, and repeated the process forever.

One detail stood out. The worm skipped DECnet Area 48. New Zealand. A comment in the code said New Zealand was a “nuclear-free zone.” The author respected that enough to grant immunity.

This was ideological, not random.

The Defense

Two men led the fight. John McMahon from NASA’s SPAN network. R. Kevin Oberman from Lawrence Livermore National Laboratory.

Their biggest problem was infrastructure. SPAN had no comprehensive network map. Contact information for administrators was outdated or missing. They were coordinating defense across hundreds of systems without knowing who to call.

Oberman found the kill switch. The worm checked for a process starting with “NETW_” before running. If it found one, it deleted itself. The fix was simple. Create a harmless process with that name:

$LOOP:
$ Set Process/Name=NETW_BLOCK
$ Wait 12:0
$ GoTo loop

This tiny script acted like a vaccine. When the worm arrived and saw NETW_BLOCK already running, it destroyed itself.

Then nature intervened. October 17, 1989. One day after the worm hit. The Loma Prieta earthquake struck San Francisco. Magnitude 6.9. Oberman was at Lawrence Livermore, right in the affected zone. Amidst earthquake damage and power outages, he finalized and distributed the anti-worm code.

Meanwhile, JPL disconnected entirely from SPAN to avoid infection. This protected their systems but severed critical network pathways, making coordination harder.

OILZ: The Worm Evolves

Six days later, a modified version appeared. Process name: OILZ. Australian shorthand for Midnight Oil.

OILZ fixed bugs in the original. It penetrated blank password accounts. It altered passwords on compromised systems, causing real damage instead of fake deletions.

The anti-WANK vaccine was useless. OILZ used a different process name.

The code differences suggested these worms were evolving. Likely not written by one person. Someone had analyzed the first worm’s weaknesses and improved them in under a week.

Bernard Perrot, a systems manager at the French National Institute of Nuclear and Particle Physics, developed the solution. A program called WANK_SHOT that trapped the worm using a decoy database. When the worm tried to use it, the logic bomb triggered. The worm died.

WANK_SHOT got distributed across SPAN and HEPnet. Over the following weeks, the worm was eradicated.

The Hunt

Every clue pointed to Australia.

The Midnight Oil lyrics. The “OILZ” process name (Australian slang). The word “wank” itself (Commonwealth slang, common in Australia). The New Zealand exemption (a political statement resonating with Australian anti-nuclear activists).

Investigators focused on The Realm, a Melbourne-based hacker collective. Teenagers and young adults who had been breaking into systems worldwide since the mid-1980s.

Two members became primary suspects:

Electron (Richard Jones). Skilled hacker with deep networking knowledge.

Phoenix (Nahshon Even-Chaim). More brash and confrontational. Already on law enforcement’s radar.

The Australian Federal Police launched an investigation. AFP intelligence officer Bill Apro was assigned. They used surveillance, informants, and pioneering digital forensics, inventing new methods on the fly.

One more name surfaces in every account: Julian Assange. Before WikiLeaks, Assange was a young Melbourne hacker who went by Mendax. He was connected to The Realm. The book Underground, published in 1997 by Suelette Dreyfus with research by Assange himself, devotes its entire first chapter to the WANK worm.

NASA’s FOIA-released documents show the FBI and NASA Inspector General were investigating. If Assange was involved, this was the first time the FBI opened an investigation touching his activities.

Assange has never confirmed or denied involvement.

The Verdict: No Verdict

Phoenix and Electron were arrested and convicted for other computer crimes. Not for WANK. Their trials in the early 1990s were the first successful prosecutions under Australia’s new computer crime legislation.

For the WANK worm: no one was ever charged. No one was publicly identified as the author. The case remains unsolved.

AFP’s Bill Apro said the investigation focused on a suspect within The Realm, but “no official identification of the author was made.”

The worm’s creator simply disappeared.

The Cost

NASA estimated the worm cost more than half a million dollars in wasted time and resources. The irony: most damage was not from the worm. It was from people trying to escape it. Panicked employees wiping their systems. Hasty management decisions. JPL’s network disconnection.

The worm left no destroyed files. Its most destructive payload was fear.

What It Proved

The WANK worm was a first in multiple ways.

The first major computer worm with an explicit political message. The first true act of “hacktivism” (a term that would not be coined for years).

It showed cyber attacks work as psychological warfare. The panic a worm creates outweighs what it does to systems.

It exposed catastrophic security weaknesses in networks run by NASA and defense institutions. Warnings were being ignored.

It foreshadowed politically motivated hacking groups like Anonymous and LulzSec that would emerge decades later.

And it remains one of the few significant cyber attacks where the perpetrator was never identified. A true ghost in the machine.

The WANK worm proved something the cybersecurity world still grapples with today. A few lines of code, written by someone clever and angry, reach into the most powerful institutions on Earth and make them afraid. And if you are smart about how you do it, you walk away clean.

Over 35 years later, whoever wrote the WANK worm is still out there. Still anonymous. Still free.

more insights

Cicada 3301

March 16, 2026

Cicada 3301: The Internet’s Greatest Unsolved Mystery On January 4, 2012, a black-and-white image appeared on 4chan’s paranormal board. The message was simple: “Hello. We

Read more >

The Invisible Mercenaries

February 27, 2026

The Invisible Mercenaries: How Anonymous Cyber Hit Men Built a Shadow Industry Law Enforcement Still Cannot Dismantle In 2017, a federal courtroom in Minneapolis revealed

Read more >