Pwned by the Owner: When a Hacker Tracks Down His Stolen Computer
Someone stole the wrong computer.
Back in 2008, a burglar broke into a Boston apartment through a second-floor window. They grabbed a Mac G4 Quicksilver desktop and two backup drives. The owner was Zoz, a hacker and co-host of the TV show Prototype This. He loved this machine. All his music, photos, and video projects were gone.
Most people would file a police report and move on. Zoz is not most people.
For months, he searched eBay and Craigslist. Nothing. He had friends check flea markets in Boston. Still nothing. The computer seemed gone forever.
Then two years later, something strange happened.
The Machine Comes Back Online
Zoz had set up his Mac to automatically update a DynDNS domain whenever it connected to the internet. This was supposed to help him access the machine remotely. Years passed. DynDNS kept sending renewal emails. He kept clicking yes, never thinking he would need it.
One day in 2010, he checked his DynDNS account. The domain was active. Someone had connected his stolen computer to the internet.
He ran an nslookup command. The results showed his Boston computer was now online in Las Vegas. On a dial-up connection.
Breaking Into His Own Computer
Zoz tried to SSH into the machine. It worked. The thief never changed the passwords. Even better, VNC was still running. He could now watch everything the thief was doing in real time.
This is where things got interesting. The thief had made a huge mistake. He used the stolen computer for everything. Banking, dating sites, social media, online shopping. He left a digital trail everywhere he went.
Zoz started building a profile. He examined browser cookies and found the guy’s internet habits. He accessed the Mac Keychain, which stores passwords. Since the system auto-logged into the thief’s account, Zoz could see everything.
But the real goldmine was the keylogger. Zoz had installed one on his machine years earlier. Every keystroke the thief made was logged and sent back to Zoz. Names, emails, birth dates, addresses, login credentials. All of it.
Meet Melvin Guzman
The password patterns revealed a name: Melvin Guzman. His Gmail was mrguzmanmel@gmail.com. On Facebook, Yahoo, eBay, Black Planet, and Mocospace, he used variations of “timrican,” “fricanpapi,” and “1flyricanpapi.” His passwords all contained “guzman85.” He was probably born in 1985.
Through VNC, Zoz watched Guzman log into his credit card account. The screen showed his full name, street address, and bank security image. Everything visible through the remote desktop.
What was Guzman doing with this stolen computer? Taking selfies for dating sites. Lots of them. He would craft one message and then paste it to hundreds of women using Ctrl+V over and over. Zoz called this the “nuke from orbit approach.”
The best part? Guzman was enrolled in an online criminal justice course. The irony was perfect. Here was a guy using a stolen computer to study criminal behavior.
The Amateur Makes Every Mistake
Guzman was not a sophisticated criminal. He was an amateur who made every wrong move possible. He connected a stolen computer directly to the internet without wiping the hard drive. He used it for personal banking. He never considered someone might be watching.
Zoz’s DEF CON 18 presentation included a gallery of Guzman’s selfies. The audience laughed at the criminal’s incompetence. The guy had no idea he was being monitored the entire time.
Getting the Computer Back
Zoz gathered everything: name, address, email, social media accounts, photos. He turned it all over to the Boston Police Department. Using the street address from the credit card records, police found the stolen computer and Guzman in Las Vegas.
The recovery happened fast. Zoz submitted his DEF CON slides right before the deadline. According to him, police recovered the computer the next day.
The Security Paradox
Here’s the twist. Zoz’s poor security practices are what saved him. He left SSH and VNC enabled. He didn’t encrypt his hard drive. He allowed auto-login. These were all bad security choices.
But they let him recover his computer. If he had implemented proper security, the thief couldn’t have logged in. The machine would never have reconnected to the network. Zoz would have no digital footprint to follow.
This worked because Guzman was an amateur. A trained professional would have wiped the drive immediately. They would have known how to bypass these measures. Zoz got lucky. His weak security only worked against a weak threat.
He also used rsync scripts to automatically pull files whenever the computer came online. He joked that Guzman was probably paying for the bandwidth while Zoz quietly downloaded gigabytes through that dial-up connection.
Lessons Learned
Zoz shared practical security recommendations at DEF CON. Register your hardware serial numbers. Enable dynamic DNS. Use off-site backups. He sent his backup drives to his parents in Australia after this incident.
The most important lesson is threat modeling. Match your security to the actual threats you face. Too much security prevents recovery. Too little security invites theft. You need to find the balance.
But the real takeaway, the one that became legendary in hacker circles, was simple: Don’t mess with a hacker’s machine.
This DEF CON 18 presentation went viral. The story shows what happens when technical knowledge meets persistence. Criminals leave digital traces. Those traces lead right back to them. For Zoz, a stolen computer became a masterclass in digital forensics.
The moral of the story? If you’re going to steal something, make sure the owner doesn’t know how to track you down from 3,000 miles away using nothing but a DynDNS account and a keylogger.
Melvin Guzman learned this the hard way.
