The Crime That Leaves Nothing Missing

Samuel Klutse · May 22, 2026 · 13 min read

Updated May 24, 2026

philosophy technology security

When Nothing Is Missing

An open book lying on a dark wooden table Photo by Aaron Burden on Unsplash

Let’s imagine this. You come home from work, Everything looks right. The front door is still locked, the windows are intact and your laptop is on the desk. Your journal is on your nightstand, exactly where you left it. Then, you walk through every room, and realize that nothing has been moved and nothing is missing. You feel great about it.

But sometime that afternoon, while you were still out, someone slipped into your house. He sat at your desk, and opened your journal. He then photographed every single page, every entry, every confession. Every little secret you trusted to your jounal. He then just put the journal back exactly where he found it, locked the door behind himself, and left.

Your most private thoughts could be anywhere. In a forum, on a leak site, in an email to your boss, mother or even to a stranger you have never met. You will not know until you see it. And you may never see it.

Now my question to you is. Were you robbed?

Let’s hold that question for a second, because the honest answer is harder than it sounds.

The Old Vocabulary

There is a vocabulary for crime, and it is as old as crime itself, if I may put it that way. It’s older than the country we live in, older than the language we speak in, older than the very idea of property as we understand it. The words around crime have weight, precisely because they have been used for so long.

Theft. Vandalism. Extortion. Trespass. Fraud. Burglary. Assault. Each one of these is a particular shape of harm. Each, comes with an image already in our heads. A hand reaching into a pocket; a broken window; a threatening letter on the kitchen counter; a stranger inside the house; a forged signature at the bottom of a contract. The vocabulary is so old, we forget it is a vocabulary at all. It feels so natural.

Every one of those terms assumes something in common. It assumes a witness, or at least the possibility of one. It assumes a moment in time when the crime happened. It assumes something became absent. A wallet, a bike, a piece of property, a peace of mind. It also assumes an evidence of the crime, even if it is never found. It assumes, in other words, that Crime has a shape.

And Then It Ended

An empty picture frame Photo by Shan Chick on Pexels

I think, with the ascension of technology, we have quietly forgotten one thing: Old crimes kind of had an ending.

Some examples would be a stolen wallet was returned or it was not. A thief was caught or got away. A case was opened, investigated, sometimes solved, sometimes not. The insurance paid out, or did not. The story closed, whether or not justice was actually done, the sentence had a period at the end.

It is hard to think of a single classical crime where the victim never finds out what really happened. The thief gets away, but the wallet is either gone or it is not. You do not lie awake fifteen years later wondering whether your stolen bike is currently being ridden in another country. You know the bike is gone. You bought a new one. The story ended. Or I would say, mostly ended, because if I am being honest, the physical world has its own exceptions, and they are worth pausing on, for a second.

In September 2000, an unemployed bricklayer in Poland walked into the National Museum in Poznań, cut a Monet out of its frame, and replaced it with a copy he had painted on cardboard. For nearly ten years, visitors and museum staff walked past that cardboard and saw a Monet, until a fingerprint match from an unrelated alimony case led police, in January 2010, to the original hidden behind a closet wall in the thief’s home. In November 2023, the British Museum announced that a senior curator had been quietly removing items from the collection and selling them on eBay for roughly fourteen years; about two thousand pieces in total, gone without anyone in the institution noticing.

The contrast I am drawing here is not absolute. It is statistical. Most physical thefts, eventually, end. A few do not. And the few that do not end, happen to look like what happens in the digital world all the time. The ten-year cardboard Monet is what cyber theft looks like in principle. The original and the copy are part of the story. The fourteen years of unnoticed British Museum withdrawals are what cyber theft looks like in practice. There was a removal in this case.

In the physical world, theft usually has an end. In the digital world, it does not even have a shape.

The Copy That Doesn’t Subtract

Here is the strange thing nobody quite tells us when we grow up. Theft, as the law and our intuition both define it, requires something to go missing. The classical legal phrase is taking and carrying away. The thief, by definition, has what was yours. You no longer have it. That is what the word means.

Now let’s try to apply this to data. Someone breaks into a server, copies a database and then leaves. The database is still on the server, “untouched”, identical to the moment before they arrived. Nothing has been taken. Nothing has been carried away. And yet something is unmistakably gone, even though nothing has moved.

What is gone is the exclusivity, the privacy, the control. These are real things, and in most cases, they are worth more than the data they were protecting. Our legal frameworks, built across centuries for a world where copying a long document required a scribe and several months, do not quite know, what to call this.

This is why a lot of countries, between the 1980s and now, had to write entirely new statutes for things we already had perfectly serviceable words for:

Computer Misuse Act in the United Kingdom.
Computer Fraud and Abuse Act in the United States.
Cybercrime directives in the European Union.

These were created not because, old laws were wrong but because, they had no place to put the copy that doesn’t subtract. The leading English precedent is Oxford v Moss (1979): a student took an exam paper, photocopied it, and returned the original. He was later found not guilty of theft on the grounds that nothing had been taken. The copy did not susbtract the original like in the aforementioned Monet case.

Nine Thousand Schools

An abandoned lecture hall with rows of empty seats Photo by Yifan Lai on Pexels

Till now everything I have been saying, can sound theoretical, but here is a story from this month (May 2026).

Toward the end of last month (April 2026), a black-hat criminal hacker and extortion group named ShinyHunters quietly walked into the servers of Canvas. According to Inside Higher Ed, Canvas LMS is the learning management system, roughly 41 percent of higher education in North America, runs on. Tens of millions of students and teachers, in nearly every time zone log into Canvas to submit assignments, post grades, run discussions, and send each other messages that are private.

The attackers stayed long enough, to copy the data of roughly 275 million users across about 8,809 institutions, 3.65 terabytes in total, according to ShinyHunters’ own public claim, first reported in detail by The Hacker News. Instructure then confirmed that names, email addresses, student IDs and private messages were exposed on their incident-update page. Instructure also stated that no passwords, dates of birth, government IDs, or financial information were affected. The hackers left without breaking anything.

CNN’s coverage of the incident, emphasized that the outage caused by the hack, happened during the finals week at many North American universities.

How the hackers got into the servers, and had access to the data matters. It does not carry weight however, for the argument I am making here. The mechanics around the attack, the architecture, the bug, the public commit that mentioned the surfaces that were still vulnerable and more have been delved in separately in my other article: The Canvas Case Deep Dive.

After a successful attack, the hackers asked for a ransom. On May 11, Inside Higher Ed reported that Instructure, the company that owns Canvas, had paid an undisclosed amount in exchange for, what the attackers called shred logs. A digital confirmation that the stolen data had been deleted. The payment came one day before the leak deadline. A figure of around ten million dollar has circulated across industry coverage as an unconfirmed estimate, though Instructure has not disclosed the amount.

Shred Logs

That is the phrase, I want us to sit and reflect with for a second. Shred logs.

What is a shred log, exactly? It is a file, a log file, a receipt. It says, in effect: we deleted the data we took from you. It is signed by the people who took the data from you in the first place. And here is the part that, once you see it, you cannot un-see: there is no possible thing the attackers could have shown that would have actually proven the data was destroyed. Do you take a criminal word for it?

Let’s think about that for a second.

If the attackers had filmed themselves dragging the files into a trash icon and clicking empty, that would prove they had deleted one copy. It would prove nothing about the other copies.
If they had hired an independent forensic firm to audit their systems, the audit could only verify the systems the firm was shown.
If they had signed an affidavit, that affidavit would be unenforceable; the people signing it operate in jurisdictions without extradition treaties, under pseudonyms that mostly exist on Telegram channels and dark-web forums.

My whole point here is data, once copied, cannot be uncopied. There is no cryptographic operation, no forensic procedure, no legal mechanism that proves all copies of a file across the entire internet have been destroyed. Proving the absence of every copy is a problem we do not know how to solve, and probably never will. As Help Net Security framed it the day after the settlement, the FBI’s standing public position has long advised victims not to assume that paying a ransom results in destruction.

What Instructure bought by paying the ransom in May 2026, is in my opinion, a delay in the public leak. It was, given the constraints they were operating under, almost certainly the right thing for them to do. It surely bought them time to notify, to harden, and to restore enough confidence to survive the news cycle. But it does not buy them, and could not buy them, the actual destruction of the data. The history of ransomware groups such as Maze, Conti, LockBit, REvil, ShinyHunters themselves, is a history of paid victims later finding their data published anyway. Sometimes it takes years. Sometimes through a different group entirely. Incident-response firms like Coveware, which has tracked ransomware negotiations across thousands of cases, operate on the assumption that retained copies are the default; not the exception.

You cannot return a copy. You can only promise it was burned.

Maybe the Story Doesn’t End Here

A close-up of fingerprints on paper Photo by cottonbro studio on Pexels

The way I ended the last section can sound pessimistic. I want to be careful not to leave you with pessimism. Although the unverifiability of destruction is real, so is something else, and it is worth holding both at once.

In May 2021, the Colonial Pipeline ransomware attack emptied gas stations across the American East Coast and ended, weeks later, with the FBI quietly recovering roughly $2.3 million of the $4.4 million ransom by obtaining the private key to the bitcoin wallet the attackers had moved the funds into. The cryptocurrency the attackers believed made them untraceable turned out to be one of the most traceable forms of value humans have ever invented.

In December 2023, the FBI and a coalition of international agencies seized the infrastructure of the BlackCat ransomware group, posted a takedown notice on the group’s own leak site, and released a decryption tool that allowed roughly 500 victims to recover their data without paying.

In February 2024, Operation Cronos, led by the United Kingdom’s National Crime Agency, with the FBI, Europol, and ten countries, seized the entire infrastructure of LockBit. At that time, the group was the most prolific ransomware group in the world. They obtained more than a thousand decryption keys and the lead developer was unmasked.

And as for ShinyHunters specifically: one of its key members, a French national named Sebastien Raoult, was arrested in Morocco in 2022, extradited to the United States in 2023, and sentenced in January 2024, per the U.S. Department of Justice, to three years in federal prison and five million dollars in restitution. The receipts, for him, turned out to be readable after all.

None of this gives the 275 million Canvas users their privacy back. None of it makes the data uncopied. But it does something quieter, and worth holding onto. It reminds us, that the story we tell ourselves about cybercrime, that the attackers are ghosts, the data is gone forever, the institutions are powerless, is not quite the whole story.

It may be the story as we know it today. Tomorrow, a wallet gets traced. A server gets seized. A name surfaces in a court filing in a city no one was watching.

The crime that leaves nothing missing is still a crime. And the people who took something from you, even when they took nothing, are not always as ghostly as they want you to believe.

For the nerdy fellas who want a deep dive into the attack, you can check my other article: The Canvas Case Deep Dive.

Till the next one, Stay safe and stay blessed!