Jack, who became famous after demonstrating an ATM hack, died on Thursday – but coroners did not give details

Barnaby Jack, a hacker who was due to present his findings on the security vulnerabilities of implanted medical devices, has died.

The San Francisco medical examiner’s office said Jack, 35, died in the city on Thursday – but did not provide details on the circumstances surrounding his death.

Jack had exposed a security flaw in insulin pumps that could be made to dispense a fatal dose by a hacker 300ft away, pushing some medical companies to review the security of these devices.

He was also a popular and respected figure in the information security scene. Within that small scene, reverse engineers are especially close, said Matthieu Suiche, a friend of Jack’s and chief scientist at CloudVolumes Inc, in an email. “We pretty much all know each other, or have lots of common friends,” Suiche said. “It’s almost like we all grew up together.”

He added: “There isn’t much to say except that Barnaby was one of the rare people in InfoSec who was a brilliant researcher but also a good friend to many of us.”

Suiche met Jack at the Black Hat conference a few years ago and said they had been really good friends since. He said he had drinks with Jack and his girlfriend in San Francisco just over a week ago.

He called his friend “brilliant”, and said Jack’s latest research on medical devices could help save the lives of many people. “In this world full of people fearfully complying and worrying, very few people are crazy enough to challenge the rules, to approach life in an unconventional paradigm and to speak up to contribute to change this world,” Suiche said.

Jack was due to speak at the Black Hat conference, which starts Saturday in Las Vegas. His presentation, “Implantable medical devices: hacking humans,” would have explained how these devices could be compromised and would have suggested ways to improve device security.

Black Hat said the room where his discussion was meant to take place will instead be used as a place for his friends and colleagues to gather and remember him on 1 August, when the session was set to take place.

Black Hat said in a statement:

We have lost a member of our family. Everyone would agree that the life and work of Barnaby Jack are legendary and irreplaceable. Barnaby had the ability to take complex technology and intricate research and make it tangible and accessible for everyone to learn and grow from. Beyond his work in our industry, Barnaby was an incredibly warm hearted and welcoming individual with a passion for celebrating life. We all have a hilarious and upbeat story about Barnaby. He is truly a shining example of what we love about this community.

Black Hat will not be replacing Barnaby’s talk on Thursday, Aug. 1. No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind.

Our deepest sympathies go out to Barnaby Jack’s family and loved ones. Words cannot adequately describe how much he will be missed, but it is certain that Barnaby will NEVER be forgotten.

At the time of his death, Jack was director of embedded security research at security firm IOActive. On Twitter, the company said: “Lost but never forgotten our beloved pirate, Barnaby Jack has passed. He was a master hacker and dear friend. Here’s to you Barnes!”

It was just going to be another boring President’s Day on the Internet, when along came a spastic, hilarious hacker with a taste for McDonald’s, Gucci Mane, and caps lock. Is a criminal mastermind behind the @BurgerKing (and likely @Jeep) takeover? Nope—just a guy who plays shows in Rhode Island who left an unfortunate Internet paper trail.

The path to the hilariously defaced @BurgerKing account (and @Jeep, in the exact same style) bends and whirls all the way back to 2005, when a crew of teen hackers known as Defonic Team Screen Name Club infamously cracked Paris Hilton’s T-Mobile Sidekick. Almost every noun in that sentence has aged poorly, and one juvenile member of the DTSNC was nabbed by cops and thrown into probation. Eight years later, it seems that a member of that crew—Tony “iThug” Cunha, an esteemed former hacker of MySpace pages—is back in action, and making the kind of juvenile screw-ups you’d expect from a 15-year-old.



Exclusive: The Burger King and Jeep Hacker Is Probably This DJ From New England

When @BurgerKing was first cracked into yesterday—most likely by resetting a password via a compromised email account—the tweets were a leafblower of shoutouts, references, and repeated self-identification as someone named iThug. Many of the tweets were aimed at personal friends—relatively unknown figures in the haute-obscure Internet DJ clique—who in turn replied to whoever had seized @BurgerKing.

That was yesterday—a virtual repeat of the prank hit @Jeep around 24 hours later. The exact same M.O. And it followed a heavy-handed Twitter threat:


iThug followed up on one of those Twitter shoutouts by bragging to the girl in question (and pal from the Boston music scene) with his real-life Facebook account (deleted immediately after @Jeep was taken over, mind you). Using his real-life name. He just had to show off (this post has also been deleted post-Jeep).

SMS transcripts obtained by Gizmodo (removed by request of sender) pointed us to the Facebook wall in question, which in turn pointed to Tony Cunha’s incriminating Facebook account URL, further corroborated by a handful of Facebook event pages for parties Cunha has DJed in the Boston and Providence, RI areas under the iThug name—a pastime of his after the MySpace hacking market dried up. Some of the event descriptions aren’t so subtle:

oh sh*t… it’s iThug.

If you know him, then your probably already excited. If not, well lemme just say dude has more house than Century21.

Either way on 10/7,.. turn off your computer & hide yr logins because Lovelife’s own Executive Hacker is coming to MakeItNew this Thurs.


(Emphasis added)


A video of an iThug/Cunha DJ set was also uploaded by an account named DTSNC—the initials of his old (and perhaps current) hacker crew, which @BurgerKing made repeated references to yesterday.


Other traces of Cunha’s online (and offline) existence dot the web, like a profile on The Fancy, where he shows a particular interest in expensive shoes and backpacks. And calls himself iThug. This account was also locked after @Jeep was hacked. Suspicious!


But the brag seals it. The same impulse that’s brought down many a hacker before now—King Sabu himself self-destructed because of how much he loved to pile up groupies and notoriety—is what pushed Tony Cunha into lol-winking a claim of responsibility for the hack on a girl’s wall. Because really, after everyone stops caring about the week Burger King and Jeep’s corporate Twitter accounts were hacked, the fleeting impression you left on a girl you haven’t seen in a few years might be the only thing you have left.