Not the same, but similar story... 6-8 years ago, I chatted directly with the person responsible for breaking into a web server on the server itself. It's a strange feeling to ssh in and watch someone browsing through files. I did a 'echo "hello?" | wall', showed the guy how to answer me back, and we eventually moved the conversation to IRC. I was using some website to convert English to Portuguese.
Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.
Turns out it was a (young) teenager from Brazil. His compromise was that he wouldn't touch our files or deface our websites so long as he could remain in control of the server. I carelessly tried to kick him off, uninstall the rootkit and restart the server only to find out that he could continue to use the same exploit to get access. Then we just called our host and asked them to take down the box. Lost a whole day to it, but I walked away understanding a little bit more about motivation, and learned about an exploit that I hadn't known about previously.