Philip Durachinsky was about 13 years old when he started hacking computers.

Over the next decade, he exploited malware to spy on people through their computer microphones and cameras. By the time he was 27, he had collected million of images of unknowing victims—including children in pornographic photos.

The FBI caught him about a year ago, but didn’t know how dangerous he was at the time. It turns out Durachinsky also had access to a government agency responsible for nuclear weapons.

“Potentially Embarrassing”

Durachinsky, now 28, has been indicted for violating the Computer Fraud and Abuse Act, including wiretapping, production of child pornography, and aggravated identity theft. Prosecutors say he developed “Fruitfly” to infect Mac computers but also created a version for Windows computers.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” Acting Assistant Attorney General John Cronan said.

The Justice Department said in a press release that Durachinsky stole passwords, tax, bank and medical records, photographs and “potentially embarrassing communications.”  The malware also infected computers owned by companies, schools, a police department, and government agencies.

“And perhaps most embarrassingly,” Courthouse News reported, “a computer owned by a subsidiary of the U.S. Department of Energy, which is responsible for the safe handling of nuclear materials and the maintenance of the nation’s nuclear arsenal.”

Fruitfly Malware

Using the Fruitfly malware, Durachinsky controlled computers remotely to access stored data, upload files, take screenshots, and log keystrokes. He then used stolen login credentials to download information from websites, including photos and emails.

The FBI seized his laptop, hard drives, and vaults that had 20 million files. Prosecutors say he stored millions of images on his computer and kept detailed notes of his activities.

They discovered his crimes after Case Western Reserve University notified authorities that more than 100 computers had been infected with the malware. Investigators traced them back to Durachinsky’s IP address.

Durachinsky was a student there. He has been charged with crimes dating back from 2011 until his arrest last January.