Skip to content
A+
Naked Security Naked Security

Student charged by FBI for hacking his grades more than 90 times

The 22-year-old student used a keylogger he called the "Hand of God."

In college, you can use your time to study. Or then again, you could perhaps rely on the Hand of God.

And when I say “Hand of God,” what I really mean is “keylogger.”

Think of it like the “Nimble Fingers of God.”

“Hand of God” (that makes sense) and “pineapple” (???) are two of the nicknames allegedly used to refer to keyloggers used by a former University of Iowa wrestler and student who was arrested last week on federal computer-hacking charges in a high-tech cheating scheme.

According to the New York Times, Trevor Graves, 22, is accused in an FBI affidavit of working with an unnamed accomplice to secretly plug keyloggers into university computers in classrooms and in labs. The FBI says keyloggers allowed Graves to record whatever his professors typed, including credentials to log into university grading and email systems.

Court documents allege that Graves intercepted exams and test questions in advance and repeatedly changed grades on tests, quizzes and homework assignments. This went on for 21 months – between March 2015 and December 2016. The scheme was discovered when a professor noticed that a number of Graves’ grades had been changed without her authorization. She reported it to campus IT security officials.

The FBI affidavit claims that Graves changed his grades more than 90 times during those 21 months. He also allegedly changed grades on numerous occasions for at least five of his classmates.

Grades were allegedly tweaked in a wide range of classes, including in business, engineering and chemistry.

The FBI said it spoke with one student who told them that Graves shared copies of about a dozen exams before students sat down to take them. According to the FBI, the student said that he/she accepted the stolen exam, given that everybody else was doing it and they didn’t want their grade to suffer in comparison:

He/she knew Graves was providing the copies to other students and did not want the grading curve to negatively impact his/her scores.

When investigators searched Graves’ off-campus apartment in Iowa City in January. They seized keyloggers, cellphones and thumb drives that allegedly contained copies of intercepted exams. The FBI says one of the phones contained a screenshot showing Graves being logged into a professor’s email account. It highlighted an attachment entitled “exam,” according to the FBI affidavit.

Some of the alleged discussions found in text messages on Graves’ phone:

  • Graves instructing a classmate to go to a microeconomics class to confirm that the teacher logged into her account and “that we acquired the info.”
  • Graves and an associate referring to a keylogger as a large tropical fruit. “Pineapple hunter is currently laying in wait in a classroom already,” Graves allegedly wrote.
  • A student identified as A.B. in court documents urged Graves to use the keylogger to steal an upcoming test, saying “I need 100 on final just to get B- at this point.” Graves’ reply: “Or we could use the time to study?”
  • A student identified as Z.B. asked Graves whether he had told a classmate “about the Hand of God on that test.” Graves’ reply: “No. The less people know the better.”

The university told the FBI that the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security. Earlier this year, the university warned students that those involved could face expulsion or suspension. Investigators searched the homes and devices of at least two other students, but they haven’t been charged.

I don’t know how much of an altitude boost Graves gave his grades. Not that it matters. Criminal behavior is criminal behavior, whether you’re popping your A up to an A+ or dragging your Fs up to straight As – as did a former Purdue University student who was sentenced to 90 days in jail plus 100 hours of community service for his part in a keylogger scheme.

Is it child’s play to plug in a keylogger? Yes. Literally.

Eleven Southern California kids got kicked out of school for grade hacking with the devices back in 2014.

Keyloggers are cheap, they’re easy, and the targets – schools and universities – too often have paltry budgets for equipment, software and skilled administrators.

You would imagine that it would make sense to use multifactor authentication to protect at least the most grade-hacking-targeted areas of a school’s network – the grading and testing parts of the system. But somehow, even a technology powerhouse like Purdue has been preyed on by keylogger-bearing, ethics-bare students.

Readers, do you have insights into what’s keeping schools from securing themselves? Please do share them in the comments section below.


22 Comments

This cheating it’s. Not new…many years ago at Utep, a graduate student stole Copies of tests and gave them to me embers of graduate level statistics class…when I heard about it, I reported it as the teacher graded on curve and too many high grades would screw grades..so I don’t understand why students didn’t report the access .

Reply

the cheating scheme cost the school $68,000 to investigate the breach and to beef up its IT security

So, the school gets to bill the attacker for the cost of implementing security afterwards rather than investing in security prior to the breach.

do you have insights into what’s keeping schools from securing themselves?

Schools are waiting to get attacked so that they can make the attacker pay for the security that they should have in place from the beginning.

Reply

He could most certainly have avoided having to pay had he done the right thing and not decided to be a scumbag criminal. There has to be consequences – huge consequences – for these criminally-minded people.

Reply

Having worked 35 years in “ivy league” higher ed, most of them in tech departments (including AI back in early 90s, and in the very early days of internet up until about 2010) I would say that distrust from old-school academics very heavily outweighed any support for funds to keep up technologically. There was a kind of antagonistic envy at play; why can’t we get better equipment for basic science research rather than technology that is vulnerable and expensive to upgrade. Rather short-sighted in the end, as technology is at the heart of advances in basic sciences, engineering, health sciences and almost every discipline today. But, we are human, and humans often resist learning to do things in a new way. Snafus like “Pineapple” just add fuel to the naysayer’s arguments, rather than get them to see the problem would have been much cheaper to solve pro-actively and technically on a systemic basis.

Reply

Seriously, the FBI doesn’t have anything better to do than catch students cheating on tests. Please tell me this is fake. We’ve got terrorists mowing people down, pedophiles and murderers and this is what they’re involved in. Sigh…

Reply

Once he’s done paying fines and serving time, maybe this extracurricular project could earn Graves a couple extra points for his cyber security class, but…
“No. The less people know the better.”
His English 101 prof will likely be willing to donate them in a direct transfer.
#WeirdAl #WordCrimes

Reply

A Purdue student received 90 days and 100 hours of community service?? There is most of the problem. Let him/her be banned from all colleges and see how life treats them working a blue collar job like many of other people.

Reply

Extending too much credit to hacking here. That word has changed so much over the years that someone leaving their facebook on is being hacked now.

By what I read, I’m sure they’re plugging USB drives that collect typed information. Keylogging is a relatively simple software that is easily detected UNLESS, it’s a USB. If it’s plugged in the computer will almost always trust it as the intent of the user. Leave it there for a day or more, unplug it and go over the recorded information. Most schools run on a security server for both faculty and students, there isn’t an access issue if a student has the information.

That $68,000 price tag isn’t a thing against a plug. What are they paying for, education courses for teachers to make sure nothing unusual is plugged into their case?

Reply

The comment about schools waiting to get attacked is completely asinine. There are major many major websites didn’t implement two factor until the last few years. My school, a large engineering school in the southern US, implemented two factor last year for faculty and staff. Students were required to use two factor this year. It’s possible that Purdue already had a plan in the works.

Reply

Can we check the income of the colleges and universities that are claiming “paltry budgets for equipment, software, and skilled administrators.”? With the amount of money they are bringing in off the backs of students borrowing money at an unbelievable rate, it’s personally insulting that any department in any of these institutions has a paltry budget. It’s just a sickening claim!

Reply

I worked as a sys admin for higher ed nearly a decade… all i can say is that the idea of a budget doesn’t really exist and the main focus of spending is two things: administrators (school admins not sys admins) and sports.

It was unbelievable to me that the word “student” was brought up so rarely in meetings that i can recall hearing it no more than a handful of times over the years.

Reply

I just don’t understand why it is a federal crime.

Reply

Pretty much if it has to do with anything Cyber related it is going to the FBI as pretty much no local department has the ability to investigate etc. even if it is the state version of the FBI.

Reply

Silly question, but what do you think might have allowed the key-logger to be installed and then go undetected? No least privileges perhaps? Also, any anti-virus worth its salt could have picked up the key-logger.

Reply

The students used hardware keyloggers, which antivirus programs can’t detect.

From the article:
1) “. . . to secretly *plug* keyloggers into university computers”
2) “Is it child’s play to *plug* in a keylogger? Yes. Literally.”

Reply

I believe if the university protocols and security measures were so inadequate that a student with a usb stick and a simple freeware could go so far as to steal exam questions and “change grades 90 times” effortlessly, it should be the university officials who must be prosecuted. That’s because it’s their responsibility to make sure all students participate in and receive grades from exams legitimately.

Reply

I’m sorry but the first thing I learned in information security class is the biggest oxymoron out there is Information Security….

Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!