He calls himself an ethical hacker who helps companies and individuals fight back against the bad guys operating online. Over the years, Charles Tendell also has emerged as a commentator in the news media about the threat posed by overseas hackers and is a former co-host of an online radio show about security.
But behind the scenes, Mr. Tendell, a Colorado resident and a decorated Iraq War veteran, started a new website called Hacker’s List that allows people to anonymously post bids to hire a hacker. Many users have sought to find someone to steal an email password, break into a Facebook account or change a school grade.
Mr. Tendell, 32, who owns a consulting firm in Denver called Azorian Cyber Security, confirmed on Tuesday that he was the sole owner of the website. He said Hacker’s List, which began as something of an “off the cuff idea,” grew far faster than he anticipated.
“I never expected it to turn into what it is,” said Mr. Tendell, a graduate of the University of Phoenix who became certified as an information systems security professional and an ethical hacker in 2011. “I was testing the waters and wanted to see if it works.”
The verdict is still out on whether Hacker’s List, which started in November, will work as a business. The propensity is for people to use it as a way to search for hackers willing to break the law as opposed to doing legitimate online investigations and surveillance.
The website has caused a stir in the online world because of its unusual approach to matching ordinary people looking to do a bit of private espionage with so-called hackers-for-hire. The company, which collects a fee for every completed assignment, has garnered considerable news coverage, including a front-page article in The New York Times in January, with much of the coverage focusing on the dubious legality of the requests.
Until now, the identity of the founder of Hacker’s List had remained a mystery. An employee of Hacker’s List named “Jack” had said on a number of occasions that the owner was not ready to talk.
The lack of disclosure surrounding Hacker’s List is one reason the hackers-for-hire service has drawn considerable scorn from security consultants, who say the website is an invitation to illegal and unethical behavior. Some lawyers have said the owners could be civilly liable for maintaining a service that permits customers to seek to hire hackers for illegal activities.
Others have wondered if the website is an elaborate online joke or a sting operation set up by federal authorities.
The website’s rules of operation repeatedly note that the service does not condone illegal activity, but that appears to have done little to stop people from seeking to hire hackers to carry out tasks that most would say break the law.
But Mr. Tendell said much of the criticism of Hacker’s List was misplaced. He noted that even if an illegal job were posted by an anonymous user, it would not necessarily be carried out. He said clearly illegal job postings were removed if someone complained, but he said what mattered were the jobs that were completed.
“No one is going to complete an illegal project through my website,” he said.
Still, Hacker’s List has had its share of operational hiccups since its debut, and its website has crashed a number of times. A few more than 4,000 potential jobs have been posted on Hacker’s List, but many of them have not received a bid from a hacker. Mr. Tendell said about 250 jobs had been completed since the website went online.
Some hackers have tried to disrupt the service, and more recently the service has banned hackers who were looking to defraud job posters.
A few days ago, Twitter suspended the Hacker’s List account, which automatically sends out new job postings. Twitter would not comment on the suspension but many of the account’s tweets promoted jobs like “hack a PayPal account.” Mr. Tendell said he did not know why Twitter suspended the account. (On Tuesday evening, Twitter lifted its suspension of Hacker’s List account, @hackerslist. A Twitter spokesman declined to comment.)
Mr. Tendell’s role in setting up Hacker’s List was unmasked in part by Erik Solomonson, a blogger who lives in New York and works for a web hosting company. He decided to do a bit of digging into the formation of Hacker’s List. Mr. Solomonson unearthed an archived domain registration statement for Hacker’s List from October, just before the website went live, that listed Mr. Tendell as the administrator and contact person for the site.
A few weeks later, Mr. Tendell’s name was removed from a revised domain registration. The name that replaced his was David Harper, who is said to live in New Zealand and could not be contacted.
The older domain registration for Hacker’s List also suggested there might be a tie-in with Neighborhood Hacker, another online hackers-for-hire firm that is also based in Colorado. Mr. Tendell said he had done work with Neighborhood Hacker but was not an owner of that company.
Mr. Solomonson said Mr. Tendell’s involvement with Hacker’s List pointed to how difficult it was for consumers to assess the legitimacy of firms that say they offer legal hackers-for-hire services.
It’s inappropriate for someone like Mr. Tendell, who calls himself a “white hat hacker,” to be involved in any way with an operation that potentially is profiting from illegal activity, Mr. Solomonson said.