Marion Correctional Institution Inmates Ran a Hidden Hacking Operation From Inside Prison for Months

A post by @0xSweep on X brought this case back into the timeline recently and I am not entirely sure whether I had come across it years ago and forgotten it or whether it had somehow slipped past me entirely. Either way, I caught it this time. Two inmates running a months-long hacking operation from inside an Ohio state prison, using computers they built from recycled parts and hid in a ceiling, is not the kind of story you scroll past.

After reading through the full Ohio Inspector General file, case 2015-CA00043, issued April 11, 2017, I can say the viral summary is accurate but incomplete. The actual document is more detailed, more damning, and more strange than what most of the posts going around are describing. The story is not just about two guys and a ceiling. It is about a prison environment that was so poorly managed and so loosely controlled that a months-long cybercrime operation built from salvage computers went undetected until the bandwidth usage finally got loud enough to trigger an automated alert.

This happened at Marion Correctional Institution in Marion County, Ohio, a medium-security facility that housed around 2,500 inmates at the time. The Ohio Department of Rehabilitation and Correction was notified on August 7, 2015, that staff had discovered two unauthorized personal computers hidden on plywood boards in the ceiling above a closet in a training room. The machines were connected to the ODRC network and were not owned by the State of Ohio. That notification triggered the Inspector General investigation. The report was two years in the making.

How It Started: The RET3 Recycling Program

The context matters because the operation did not come out of nowhere. Marion Correctional Institution ran a program called the Green Initiative, a collection of inmate-operated work programs covering recycling, aquatics, horticulture, and related conservation work. One of those programs was RET3, a partnership with a Cleveland-based nonprofit electronics recycler. The arrangement worked like this: RET3 collected obsolete computers from businesses and schools, delivered them to the prison on skids, and inmates broke them down into parts. The parts went back to RET3 for processing.

That program put inmates in daily contact with computer hardware, components, cables, and related materials inside a prison environment. On paper, it was a job-skills and conservation program. In practice, according to the Inspector General, it created an environment where inmates had unsupervised access to computers and parts with very little accountability around what left the recycling area and what stayed.

Inmate Adam Johnston served as the executive committee treasurer for the Green Initiative, putting him at the administrative center of that operation. Randy Canterbury, a longtime ODRC employee who had overseen the Green Initiative including RET3, retired from ODRC on May 30, 2015, and almost immediately became a RET3 contractor on June 1, 2015, continuing to oversee the same work at the same institution. His former office was on the third floor of the administration building, in the P3 training room, the same room where the hidden computers were eventually found.

Building the Operation

Johnston later admitted everything to investigators in detail. He said the two computers came from the RET3 area and were built by inmate Scott Spriggs using parts from machines in the recycling program. Johnston described imaging a hard drive using Acronis, pulling a network card from another inmate computer, and installing it. He described running cable from the hidden machines to the network switch in Canterbury’s office, one connection into the inmate switch, the other into the staff side of the network.

His exact words to investigators: “Put it in there, plugged it in. Plugged it in that one into the inmate switch. The other one into the other ones. Remote desk top into the computer. And then… bam. I’m on the network.”

Moving the machines was its own operation. Johnston used a hygiene cart and hid the computers in a box with hygiene items. He moved them approximately 1,100 feet from the RET3 area to the third-floor P3 training room, past a corrections officer, through a crash gate equipped with a metal detector, and up an elevator. He later admitted he returned to the training room multiple times unsupervised, during late afternoons and evenings, to make modifications.

The forensic operating system timestamp recovered by ODAS investigators showed the hidden computer’s operating system was installed on April 1, 2015. Canterbury did not retire until May 30. That means the machines were likely in place and operational while Canterbury was still an ODRC employee working in that same space.

Inmate Spriggs told investigators exactly how this kind of movement through the institution was possible: “The regulars are less likely to even stop you. So if it’s their post they’re less likely to even say a word to you.” He also acknowledged that placing two computers in a ceiling and running cables to a network switch would require a significant amount of unsupervised time, and that the time was available.

What the Machines Were Used For

Once the computers were in place, Johnston used them to access the ODRC Departmental Offender Tracking System, known as DOTS, using Canterbury’s login credentials. He admitted to investigators that he obtained Canterbury’s password by shoulder surfing, watching Canterbury type it in while Johnston was working nearby in the training room.

Johnston searched the inmate directory looking specifically for a young prisoner serving a lengthy sentence. He chose inmate Kyle Patrick, who had been incarcerated at the Mansfield Correctional Institution since June 2014. Through DOTS, Johnston obtained Patrick’s date of birth and Social Security number. He then used that information to submit five online credit and debit card applications in Patrick’s name, using a Dayton-area mailing address belonging to a neighbor of Johnston’s mother.

Johnston also accessed a Bloomberg Business article describing how to file fraudulent tax returns and route refunds to prepaid debit cards. He admitted to investigators that submitting false returns and having the refunds wired to the debit cards was one of the schemes he intended to pursue. He also ran Kyle Patrick’s name and Social Security number through TINCheck to verify the information before using it.

Beyond the fraud activity, the hidden computers were used to search unauthorized inmate records including disciplinary data, sentencing information, and inmate locations. They were also used to create inmate passes granting access to restricted areas inside the prison, a direct institutional security risk on top of everything else.

The Hacker’s Toolkit

ODAS OIT conducted a separate forensic analysis of the two hard drives and reported finding what it described as a large hacker’s toolkit with numerous malicious tools for possible attacks. The list was extensive: CC Proxy, Cain password recovery tool, Zed Attack Proxy, Wireshark, Nmap, ZenMap, SoftEther VPN, OpenVPN, Jana Server, Yoshi email spamming tool, AdvOr Tor Browser, Paros Java-based proxy, Webslayer brute-force tool, VirtualBox with Kali Linux installed, TrueCrypt, and THC Hydra.

ODAS also found self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, pornography, and articles about making drugs, explosives, plastics, and credit cards.

The ODAS conclusion was direct: malicious activity had been occurring within the ODRC inmate network, and inmates appeared to have been conducting attacks against the ODRC network using proxy machines connected to both the inmate and department networks. Investigators also found evidence pointing toward bitcoin wallets, Stripe accounts, bank accounts, and credit card accounts. The phrase “hacking operation” in the X post that kicked this story back into circulation is accurate, it is supported specifically by what was on those drives.

Johnston’s Mother and the Outside Connection

The case extended beyond the prison walls. Karen Gallienne, Johnston’s mother, became directly involved in the scheme. Investigators reviewed 17 phone calls between Johnston and Gallienne recorded between April and August 2015 and later interviewed her directly.

Gallienne admitted to investigators that she provided Johnston with the address of her neighbor Stephen Seifert, 1484 Willamet Road in Dayton, to use as the mailing address for the fraudulent card applications. She knew Johnston was submitting applications in Kyle Patrick’s name. When a MetaBank Visa debit card arrived in Patrick’s name, Gallienne called Johnston and read him the card number, expiration date, and activation code so he could activate it remotely. She explained Johnston’s reasoning to investigators herself: “He didn’t want to put my name on anything.”

When Ohio State Highway Patrol executed a search warrant on Gallienne’s residence on November 5, 2015, they found and recovered the MetaBank Visa debit card issued to Kyle Patrick.

After Johnston was transferred to Grafton Correctional Institution during the investigation and placed in segregation with his phone access blocked, he still managed to make five calls to his mother by using another inmate’s PIN number. GCI had blocked Johnston’s PIN but had not blocked Gallienne’s phone number.

The Warning Signs That Were Ignored

One of the most important parts of this case is what happened before the hidden computers were physically found, because there was significant warning, and the institution did not act on it the way it should have.

ODRC IT began receiving Websense alerts on July 3, 2015, showing Canterbury’s login credentials being used to attempt proxy avoidance. The alerts continued on July 4 and July 6, both days Canterbury did not work. A July 6 email from ODRC IT to the CIO described the user spending three hours searching for methods to get around the proxy server and being blocked from hacking and file sharing sites.

By July 21, the ODRC CIO had emailed Warden Jason Bunting directly with the unauthorized computer’s name and information. Brady, the MCI infrastructure specialist, received an email on July 24 specifically identifying the switch port the computer was plugged into, port 16 in the P3 training room. Brady later told investigators he misread the email and checked port 10 instead. He did not re-read it and go back until Monday July 27, at which point he followed the cable into the ceiling and found the machines.

By his own admission, Bunting knew the activity involved an unauthorized computer being used when Canterbury was not on site. He knew it had accessed DOTS. He knew credit card applications had been submitted. He told investigators directly: “I knew obviously illegal activity was going on.” When investigators asked why he had not notified the Ohio State Highway Patrol, Bunting answered: “I don’t have that answer for you.”

Neither Bunting nor MCI Investigator Michael Hundley notified the OSHP trooper assigned to MCI, who shared an office with Hundley, or the Inspector General’s office during the weeks between the initial alerts and the physical discovery of the machines.

How the Scene Was Handled After Discovery

ODRC policy required that suspected crime scenes be preserved and the Ohio State Highway Patrol be notified immediately. When Brady found the two computers in the ceiling on July 27, 2015, he called Lieutenant Tim Rayburn, who came to the room and photographed the machines. Then Brady had the two inmates who were with him, Aldridge and Watson, remove the computers from the ceiling and take them to his office.

When investigators later asked Rayburn why the scene was not secured and OSHP was not called, he said: “I don’t have an answer for that.”

MCI Major Sam Grisham, when interviewed, said it plainly: the P3 training room should have been handled as a crime scene and OSHP should have been notified when the computers were found. It was not. Inmates removed the evidence. The area was not secured. The OSHP Computer Crimes Unit did not take possession of the machines until August 10, two weeks after they were pulled from the ceiling.

The evidence issues did not stop there. Investigators later discovered that CCleaner had been run at least ten times on a computer in the P2 reentry office between August 17 and August 18, 2015, well after the hidden machines had been found, and right before that area was secured for evidence collection. The P2 office was accessible to unsupervised inmates who had the generic login credentials for the machine.

On October 19, investigators discovered that documents and books had been removed from the One Stop Area and from the inmate office used by Spriggs, Johnston, and Transkiy on P2, while those areas were supposed to be secured as part of the investigation.

The Broader Failures Behind the Operation

The DOTS system had its own documented vulnerability at the center of this case. In October 2014, the Inspector General had already alerted ODRC that DOTS was displaying inmate Social Security numbers to all users and that the exposure was too broad. ODRC’s fix was a filter that covered SSNs with zeros on the display. Johnston told investigators that once you were logged into DOTS, adjusting the browser view settings made the actual Social Security numbers visible again. The Inspector General reported that vulnerability back to ODRC during this investigation and noted it had still not been properly fixed. As of the 2017 report, ODRC had finally addressed it.

Password policy was another failure. ODRC’s own Information Technology Systems Password and Account Security policy required IT systems to automatically compel password changes every 90 days. That was not being enforced. Canterbury told investigators he had probably not changed his password in several years. That stale credential is what Johnston used to get into DOTS.

On asset management: Ohio State Highway Patrol seized hard drives from 308 computers across the Lifeline, One Stop, RET3, and P2 areas. Of those 308 machines, 291 had no State of Ohio fixed asset tag and no assigned inventory number. Brady admitted pulling computers from the RET3 salvage stream to replace outdated machines in other areas without tagging them. He also admitted authorizing inmates to wipe hard drives, and acknowledged to investigators that an inmate wiping a drive could copy, transfer, or access whatever information was stored on it before running the wipe.

RET3 owner Ken Kovatch told investigators separately that he believed he had donated 93 computers to MCI in 2013 for the Lifeline program. When he recently looked for them, he found six.

What the Inspector General Concluded

The Inspector General found reasonable cause to believe wrongful acts or omissions occurred across five separate areas: failure to report suspected illegal activity, failure to follow crime scene protection policy, failure to supervise inmates and protect IT resources, failure to follow password security policy, and failure to follow the State of Ohio asset management policy. The findings were referred to the Marion County Prosecutor’s Office and the Ohio Ethics Commission.

The recommendations that followed were straightforward: enforce inmate supervision, remove inmate access to administrative IT hardware and wiping software, enforce password rotation, secure network cables and switches, restructure the reporting chain so institutional investigators are not reporting directly to the warden, and conduct a full IT inventory at Marion Correctional Institution.

Why This Case Still Lands

The reason this story is catching attention in 2026 on X, a decade after it happened, is that it does not fit the usual shape of a prison contraband story and it does not fit the usual shape of a cybercrime story either. It sits at the intersection of both and adds a layer that neither category usually includes: a months-long, active fraud operation built on stolen inmate identity data, conducted from behind bars, with outside coordination, using tools that would look familiar to anyone in security.

The Inspector General, in a line quoted from the investigation, compared it to an episode of Hogan’s Heroes. That comparison is not entirely wrong, but it undersells the real damage. Another inmate had his Social Security number stolen, his identity used in financial applications, and his personal data run through fraud-verification tools, all while incarcerated and unable to do anything about it. Kyle Patrick did not know Johnston and had never been incarcerated with him. He became the target because he was young, serving a long sentence, and his identity was accessible through a poorly secured state system.

What makes the case worth reading in full is that it shows exactly what happens when physical security, IT security, and institutional supervision all fail at the same time. None of those three things failed dramatically. They all failed quietly, incrementally, through inattention and lax habits. Inmates had unsupervised time. Hardware moved without accountability. Passwords were not rotated. Alerts were not escalated. Scenes were not preserved. The cumulative result was a prison cybercrime operation that ran for months and only stopped because it generated enough bandwidth to finally break through the noise.

The full Ohio Inspector General file, case 2015-CA00043, is publicly available through the Ohio Office of the Inspector General.