Can a Teenager Go to Jail for Hacking? What Parents (and Teens) Need to Know

If you are a parent who just discovered what your teenager has been doing online, or a young person who has realized that the community you were part of has crossed a line, this post is for you. Not to alarm you. To help you understand what you are actually facing and what you can do about it.

I spent years investigating and prosecuting cybercrime cases as a federal prosecutor in the Southern District of Florida, including as the district's Computer Hacking and Intellectual Property (CHIP) Coordinator. The cases that stayed with me longest were not the organized criminal networks or the nation-state actors. They were the teenagers, often technically gifted, often genuinely unaware of how serious their exposure had become. And almost always, their parents had no idea anything was wrong until federal agents knocked on the door.

The earlier a family understands the landscape and engages counsel, the more options remain available.

How It Usually Starts

The cybersecurity world has a legitimate and genuinely valuable culture of skill-building that looks, from the outside, exactly like gaming. Capture the Flag (CTF) competitions challenge participants to find and exploit vulnerabilities in intentionally vulnerable systems. Platforms like Hack The Box and TryHackMe offer simulated environments where users level up by compromising practice machines. The Air Force Association sponsors CyberPatriot, a national youth competition that has directed hundreds of thousands of students toward cybersecurity careers.

These are legitimate pathways. Many of the best security professionals working today started there.

But alongside those communities, and often overlapping with them, are Discord servers and Telegram channels where the goals look the same but the targets are not practice machines. They are real systems. The participants are often minors. And the line between a game and a federal crime is not marked.

Journalist Jack Rhysider has documented this world more accurately than most. His podcast Darknet Diaries covers real cybercrime cases with nuance that is rare in this space. His episode on the "com" scene, the loosely organized online communities that produced the group eventually charged as Scattered Spider, captures exactly how a teenager ends up in serious federal exposure while still believing, genuinely, that they were just playing.

Where the Legal Exposure Starts, and It Is Earlier Than You Think

The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is the primary federal statute here. It is broad. A protected computer includes essentially any internet-connected device. Unauthorized access, whether that means using someone else's credentials, logging into a system without permission, or exceeding what you are authorized to do, can be a federal offense even when nothing is stolen and nothing is permanently damaged.

This matters because the most common early conduct in these communities looks harmless from the inside. Someone shares leaked credentials. Someone logs in to see what is there. No money changes hands. Nothing is deleted. Under the CFAA, that can be a federal felony.

From there, escalation tends to be gradual and feel internally consistent. SIM swapping, convincing a mobile carrier to transfer a victim's phone number to a SIM card the attacker controls, becomes a tool for bypassing two-factor authentication on financial accounts. Credential stuffing automates the login attempts. DDoS attacks get used for leverage or status within the community. Each step feels like the next level.

The Scattered Spider prosecutions are instructive. The defendants charged in 2024 were young adults when arrested. The indictment alleges wire fraud, identity theft, and conspiracy arising from SIM swapping attacks against major U.S. companies, with alleged losses in the tens of millions of dollars. The tradecraft was not technically exotic. It was social engineering, phone calls, impersonation, urgency, executed by people who had been practicing this, in some form, since they were teenagers.

How the Government Builds the Case

If you or your child is already under investigation, or suspects they may be, it is important to understand that online conduct is traceable and the government is patient.

Discord and Telegram records can be subpoenaed. Both platforms comply with valid legal process. Direct messages, server memberships, account creation data, and IP logs are all subject to production. Investigators work outward from a known account to co-conspirators within the same communities. These communities feel close-knit. Under legal pressure, they are not loyal.

VPNs offer less protection than most people believe. Behavioral patterns persist across VPN sessions, including timing correlations, reused usernames, and logins to personal accounts made while connected to criminal infrastructure. Operational security mistakes are what break these cases open. They are extremely common.

Cryptocurrency transactions are traceable. They are permanent and public at the blockchain level. The IRS Criminal Investigation unit and the FBI's cyber division have invested significantly in blockchain analysis. Converting crypto to cash does not end the trail. In most cases it narrows it.

Home devices matter. Search warrants routinely cover home computers, gaming consoles, and school-issued devices. Evidence on shared family computers has been used in prosecutions. Wiping a device after learning of an investigation creates additional criminal exposure, not less.

Investigations of this kind can run for years. A defendant charged at 20 may have been under investigation since 16. The gap between conduct and charges is not reassuring. It is the government building its case.

The Charges and What They Actually Mean

In cybercrime cases involving teenagers, prosecutors do not limit themselves to a single statute. They build stacks, and the combination of charges is often more consequential than any single count.

Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The foundation of most cybercrime prosecutions. CFAA violations range from misdemeanors at the low end to up to 20 years at the high end, depending on the nature of the conduct, the dollar amount of losses, and the number of victims. The sentencing guidelines escalate steeply with loss amount.

Wire Fraud, 18 U.S.C. § 1343. Wire fraud is not a mere add-on charge. It is often the centerpiece. The statute requires a scheme to defraud and use of interstate wire communications to execute it. In the cybercrime context, that standard is easily met. A SIM swap that reroutes a victim's phone number, a credential-stuffing attack that accesses a financial account, a social engineering call that induces a carrier employee to transfer access, each of these can independently support a wire fraud charge. Each wire transmission in furtherance of the scheme is a separate count, and each count carries up to 20 years. A case involving dozens of victims can produce dozens of counts. The government does not need to charge them all to use them as leverage.

Money Laundering, 18 U.S.C. § 1956 and § 1957. This is where many families are caught off guard. The moment stolen funds move, from a compromised account into a cryptocurrency wallet, from one wallet to another, or from an exchange into cash, the government has the ingredients for a money laundering charge. Under § 1956, conducting a financial transaction with proceeds of specified unlawful activity, which includes both CFAA violations and wire fraud, with intent to promote the scheme or to conceal the source of the funds, carries up to 20 years. Under § 1957, simply engaging in a monetary transaction involving more than $10,000 in criminally derived proceeds, even without any concealment intent, carries up to 10 years.

In practice, this means that a teenager who SIM-swapped a victim's account, moved stolen cryptocurrency through two wallets, and cashed out $15,000 at an exchange has not committed one crime. They have committed several, across at least three federal statutes. The money laundering count is often what drives the most significant sentencing exposure, and it attaches to conduct that defendants frequently describe as just moving money around.

Cryptocurrency mixing services and privacy coins do not solve this problem. Using them with knowledge that the underlying funds are proceeds of crime can support the concealment prong of § 1956 independently of the underlying offense. They tend to make things worse, not better.

Aggravated Identity Theft, 18 U.S.C. § 1028A. This charge carries a mandatory two-year consecutive sentence that a judge cannot reduce regardless of the defendant's age, background, lack of criminal history, or any other mitigating factor. If a defendant used another person's credentials to access any system, this charge is available. A plea that includes it forecloses judicial discretion at sentencing entirely. Experienced counsel can sometimes negotiate agreements that exclude it, but only by engaging before the plea is on the table, not after.

There Is a Path Forward, but Timing Matters

Young people in this situation are not without options. The law leaves meaningful room, particularly for first-time offenders who are young, who lacked financial motivation, and who can credibly demonstrate a path forward, for outcomes that may better reflect the full picture of who the defendant is. Accessing those outcomes requires moving early and moving through experienced counsel.

Get counsel before agents arrive if at all possible. Experienced CFAA defense counsel can sometimes make contact with the government before charges are filed, assess the scope of the investigation, and position a client for cooperation or diversion before the charging decision is made. That window closes when the indictment comes down.

Do not delete anything. Destroying or modifying evidence after learning of an investigation is obstruction under 18 U.S.C. § 1512. It compounds the exposure significantly. Nothing should be wiped, deleted, or overwritten.

Do not speak to investigators without counsel. Regardless of how informal the conversation feels. This applies to the young person and to parents equally.

Age matters, and so does motivation. Defendants under 18 at the time of the offense may be prosecuted under the Federal Juvenile Delinquency Act, 18 U.S.C. § 5031, which provides different procedural protections and potentially different outcomes than adult prosecution. Transfer to adult status is possible for serious offenses but is not automatic. The case of Graham Ivan Clark, the Florida teenager who orchestrated the 2020 Twitter hack at age 17, illustrates how state prosecutors can pursue adult charges through direct filing, bypassing the federal juvenile framework. Youth is a factor. It is not immunity.

Many teenagers in this world were not there for the money. They were there for the community, the status, and the technical challenge. That is not a legal defense, but it is deeply relevant at sentencing under 18 U.S.C. § 3553(a). A technically motivated teenager with no prior record and a genuine future in legitimate cybersecurity is not the same sentencing profile as a financially motivated adult offender. Counsel who understands how to build and present that case can make a real difference in outcome.

Diversion programs exist. Some U.S. Attorney's Office districts have developed programs for young, first-time cyber offenders that redirect defendants toward legitimate cybersecurity careers rather than incarceration. The DOJ's CHIP Network includes prosecutors experienced with this population who, in appropriate cases, have supported outcomes that preserve a young person's future. They are most accessible to defendants who engage early, through counsel, before charges are filed.

If You Are a Young Person Reading This

The community you were part of probably did not feel like crime. It felt like a game, a competition, a place where your skills were recognized. That experience is real, and it is also how federal cases begin.

If you are worried about your exposure, or if someone in your community has already been arrested, do not assume that silence protects you. It does not. Talking to a lawyer, confidentially, is not an admission of anything. It is information. At this stage, information is what changes outcomes.

If You Are a Parent Reading This

Your instinct to protect your child is right. The way to act on it is not to delete evidence, confront the situation alone, or hope it resolves. It is to get experienced counsel involved now, before a search warrant, before charges, while the situation is still shapeable. In my experience, early engagement gives families more options and more time to shape the outcome.

Frequently Asked Questions

What is the Computer Fraud and Abuse Act, and does it really apply to a teenager who did not steal anything?

Yes. The CFAA, 18 U.S.C. § 1030, covers unauthorized access to any internet-connected computer, even where no data is permanently taken and no financial harm is intended. Using another person's credentials to log into a system, or accessing a system beyond what you are authorized to do, can be a federal offense. The statute does not require financial gain or damage as elements of the basic offense.

Can a teenager be charged as an adult?

Yes. The Federal Juvenile Delinquency Act generally provides for juvenile proceedings for defendants under 18, but transfer to adult status is possible for serious offenses. State prosecutors can also file adult charges directly under state law in many jurisdictions. The analysis is fact-specific and not predictable without counsel familiar with the district.

My child did not make any money. Does that help?

It matters significantly at sentencing, though it does not preclude charges. The absence of financial motive is directly relevant to the sentencing analysis under 18 U.S.C. § 3553(a), and experienced defense counsel can present that distinction in a way that meaningfully affects outcome.

My child moved cryptocurrency around after the hack. Does that make things worse?

Potentially, yes. Moving funds that are proceeds of a CFAA violation or wire fraud, even between your own wallets, can constitute money laundering under 18 U.S.C. § 1956 or § 1957 if the transaction was designed to conceal the source of the funds or if the amount exceeded $10,000. Using a mixing service or privacy coin makes the concealment argument easier for the government, not harder. Counsel needs to understand the full picture of what happened, not just the intrusion but everything that came after it, before any plea discussions begin.

Federal agents asked to speak with my child. What do we do?

Do not allow your child to speak with investigators without counsel present. Do not consent to searches beyond what a warrant requires. Do not volunteer information. Do not delete or modify any device, account, or record. Contact a federal criminal defense attorney before any further contact with the government.

Is it too late if charges have already been filed?

No. Charges change the landscape but do not eliminate options. Cooperation, plea negotiations, and sentencing advocacy all remain available. Experienced counsel can still make a significant difference in how a case resolves.

Brooke Watson is a Partner at Dynamis LLP, based in Miami, Florida. She is a former federal prosecutor and former Deputy Criminal Chief of the U.S. Attorney's Office for the Southern District of Florida, where she also served as the district's Computer Hacking and Intellectual Property (CHIP) Coordinator. She advises clients on white-collar defense, cybercrime investigations, government enforcement, and complex litigation. To speak with Dynamis LLP about a federal criminal matter, visit dynamisllp.com.

This post is intended for informational purposes only and does not constitute legal advice. Readers should consult qualified counsel regarding their specific circumstances.