How an Ethical Hacker Works: “Rape with Consent”, Penetration Tests, North Korea and Elections on Facebook

November 14, 2025

The word hacker still makes many people imagine a teenager in a hoodie breaking passwords in a dark basement. Today’s reality is much more interesting – and far more professional. This article, inspired by a podcast interview with an ethical hacker, explores:

  • what the work of an ethical hacker really looks like,
  • what the phrase “rape with consent” is trying to describe,
  • how banks, companies and cloud environments are tested,
  • why North Korea steals cryptocurrencies and what Cambridge Analytica has to do with it,
  • and most importantly: how you can get hacked without even realising it.


What an Ethical Hacker Really Does

An ethical hacker does many of the same things as a “classic” attacker – trying to get into places a normal user should never reach. The crucial difference is simple: they do it with written permission from the client and with clearly defined rules.

A typical day might involve testing a new web application, an internal banking network or a cloud environment in a large company. The goal is to find vulnerabilities and weak spots before someone with less ethical intentions discovers them.

If you want to see how such a project looks in practice, check out Haxoris penetration testing services.

“Rape with Consent” in Cybersecurity

In the podcast there is a phrase that is hard to ignore: “rape with consent”. It is, of course, an exaggerated metaphor – but it captures the core idea of ethical hacking quite well.

Without consent, breaking into systems, bypassing security controls or escalating privileges would simply be a crime. With written approval from the client, however, it becomes a service: the company is essentially saying:

“We would rather have an ethical hacker point out a hole in our security today
than have an anonymous attacker exploit it for ransom three months from now.”

A penetration test is therefore a controlled violation of boundaries – followed by a report and concrete recommendations on how to fix and harden the system.

How Bank, Corporate and Cloud Security is Tested

Penetration tests are essentially crash tests for IT systems. In practice, roughly half of all projects are web applications – online banking, customer portals, SaaS solutions or internal tools.

Haxoris specialises in end‑to‑end penetration testing – from web apps and infrastructure to IoT and AI/LLM integrations.

Types of Penetration Tests

Black‑box testing simulates an external attacker:

  • the hacker knows almost nothing about the system,
  • has no credentials or internal documentation,
  • only sees what is publicly available on the internet.

In real projects, a grey‑box approach is often more practical – the client provides a test environment, accounts with different roles and a basic system overview. That allows you to test not just authentication (login) but also authorisation:

  • does a user see data they should never see?
  • can a regular user perform actions that should be reserved for admins?
  • can they bypass permission checks via the API or direct URL access?
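As an added example that is not from the article or from Haxoris, here is a minimal Python API handler showing the gap between authentication and authorisation that the three questions above probe: an endpoint that only checks the caller is logged in, beside its hardened form, plus the grey-box style checks a tester would run against it (users, roles and account ids are constructed).

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Authorisation failure (HTTP 403 in a real API)."""

@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles for this example: "user" or "admin"

# Constructed sample records: each account is owned by exactly one user.
ACCOUNTS = {101: {"owner_id": 1, "balance": 2500},
            102: {"owner_id": 2, "balance": 90}}

def get_account_insecure(current: User, account_id: int) -> dict:
    # Authentication only: a logged-in user is required, but nothing checks
    # the account is theirs, so any user reads any record by changing the id.
    return ACCOUNTS[account_id]

def get_account(current: User, account_id: int) -> dict:
    # Hardened: object-level authorisation on every request, server-side.
    record = ACCOUNTS[account_id]
    if current.role != "admin" and record["owner_id"] != current.id:
        raise Forbidden(f"user {current.id} may not read account {account_id}")
    return record

def freeze_account(current: User, account_id: int) -> dict:
    # Hardened admin-only action: the role check lives in the handler, not
    # in the UI, so a regular user calling the API directly is refused.
    if current.role != "admin":
        raise Forbidden("admin role required")
    ACCOUNTS[account_id]["frozen"] = True
    return ACCOUNTS[account_id]

def is_denied(handler, current: User, account_id: int) -> bool:
    """Grey-box probe: True if the handler refuses the call."""
    try:
        handler(current, account_id)
    except Forbidden:
        return True
    return False

def authz_findings() -> list:
    """Ask the three questions above with two test roles; return failing checks."""
    alice, admin = User(1, "user"), User(2, "admin")
    findings = []
    if not is_denied(get_account_insecure, alice, 102):
        findings.append("get_account_insecure: user 1 read account 102")
    if not is_denied(get_account, alice, 102):
        findings.append("get_account: user 1 read account 102")
    if not is_denied(freeze_account, alice, 101):
        findings.append("freeze_account: user 1 froze account 101")
    if is_denied(get_account, alice, 101) or is_denied(freeze_account, admin, 101):
        findings.append("legitimate owner/admin access wrongly blocked")
    return findings
```

Only the insecure endpoint shows up in the findings; the hardened handlers refuse cross-user reads and non-admin actions while still letting the owner and the admin through.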

What Exactly Gets Tested

In banking, fintech and large enterprises, typical focus areas are:

  • Web applications & APIs – classic issues like SQL injection, XSS, weak sessions, broken access control, and business logic flaws.
  • Internal infrastructure – Windows domains, VPNs, servers, workstations; the goal is to see whether an attacker can move from one compromised machine to “crown jewel” systems.
  • Cloud environments (AWS, Azure, GCP) – this is where cloud penetration testing comes in: reviewing IAM roles, firewall rules, exposed services, storage and network segmentation.
  • Wi‑Fi and networks – weak passwords, poor segmentation, outdated firmware, rogue access points and more.

When the Same Issues Show Up Every Year

One uncomfortable truth mentioned in the interview: some companies order penetration tests every year – and every year the same issues show up.

Why? For part of the market, a pen test is mainly a “checkbox in an audit report”. Without real motivation to fix findings, the test becomes a formality.

Want your penetration test to be more than just a formality? Compare how goals, process and methodology are defined in Haxoris penetration testing with the reports you’re currently getting from providers.

North Korea, APT Groups and Cryptocurrencies

In cyberspace, it’s no longer just lone individuals. There are APT groups (Advanced Persistent Threats) – hacker teams funded or directly run by nation states.

They are most often associated with countries like:

  • North Korea,
  • Russia,
  • China,
  • and at times Iran or other actors.

As the guest notes, North Korea is a “poor country with very rich hackers”. They specialise in stealing cryptocurrencies – from exchanges, DeFi projects or poorly secured services.

Crypto is ideal for them: easy to move, relatively anonymous and useful for evading sanctions. Several of the largest crypto hacks in recent years have been attributed to North Korean groups.

If you want to see what a simulated, complex attack on an organisation looks like in a safe setting, have a look at Haxoris Red Teaming – essentially a “full‑scope cyber drill” that shows what a real APT group could achieve.

Cambridge Analytica and Elections on Facebook

Hacking isn’t only about servers and passwords. Even more dangerous is hacking human psychology.

The Cambridge Analytica scandal showed how Facebook data can be used to:

  • profile voters based on emotions, fears and frustrations,
  • run highly targeted campaigns that “push the right buttons”,
  • shape public opinion in favour of specific candidates or parties.

According to reports, similar models were used not only in the US and UK, but in dozens of other countries – often in “banana republics” where a single party effectively bought the election via Facebook.

From a technical standpoint, no server was hacked. What was hacked were billions of newsfeeds – and millions of minds.

How You Can Get Hacked – Without Noticing

You can use Mac, Windows or Linux, have antivirus, firewall and VPN – and still get caught. All it takes is a stressful moment, a badly timed call or a single SMS you click too quickly.

Phishing in Practice

The podcast features a story that should be a warning even for seasoned professionals. An ethical hacker receives an SMS about a domain expiring:

  • the domain name is correct,
  • the expiration date is correct,
  • the registrar name is correct.

The reason? The provider had a historical data breach. Attackers had real data – they just wrapped it into a convincing SMS. The hacker was stressed and in a hurry, almost clicked… Only during payment did something feel off, and he stopped.

This is modern phishing: precise, personalised, well‑timed. If you want to safely simulate phishing and smishing on your employees, take a look at Haxoris social engineering services.

Social Engineering: Attacking People, Not Firewalls

An attacker doesn’t always need a vulnerability in code. Often, a vulnerability in human behaviour is enough – fear, routine, trust, authority or urgency.

Typical social‑engineering scenarios include:

  • a fake “bank support” call with an urgent request,
  • an SMS from a courier asking you to “pay a small fee”,
  • an email allegedly from tax authorities or the police,
  • fraudulent investment advice via popular social networks.

Social engineering is one of the most successful attack techniques – which is why it’s a key part of serious Red Teaming engagements and phishing campaigns.

Practical Tips to Protect Yourself

  • Don’t act while you’re stressed. If someone says you must “do something in the next 10 minutes”, that alone is suspicious.
  • Avoid clicking links in SMS and emails from “banks” or “authorities”. Type the URL manually or use the official app instead.
  • Verify via a second channel. If “the bank” calls, hang up and call back using the number from the official website.
  • Enable 2FA. Multi‑factor authentication is one of the simplest yet most effective protections.
  • Keep systems up to date. Updates are not just annoying pop‑ups – they patch known holes that attackers actively look for.
  • Educate your team. People are often the weakest link – training and phishing simulations can significantly reduce risk.

Key Takeaways for You and Your Organisation

To wrap up, a few key messages from the episode:

  • The ethical hacker is a partner, not an enemy. They do what a real attacker would do – but early, safely and with a report.
  • A penetration test only makes sense if you act on it. Otherwise it’s just a PDF in a folder.
  • The biggest vulnerability is not technology, but people. Processes, culture and training matter just as much as firewalls.
  • States and companies have long understood that data = power. From North Korean crypto heists to Cambridge Analytica, cyberspace has become a real battleground.
  • Even experts can fall for attacks. The difference is whether they learn from it – and adjust processes so the same mistake doesn’t happen again.

And one sentence that deserves a place on the wall of every server room:

Security is not a state – it’s a process.
There is no “we’re done, we’re secure”. There is only “today we’re a bit less vulnerable than we were yesterday”.

Curious how a real‑world attack on your company would look – in a safe and controlled way? Start with a consultation about penetration tests, Red Teaming or social engineering campaigns. You’ll find out where your biggest gaps are – before someone else does.
