Bit by Bit
Season 1
Number 12
Writer Thomas Hoppe
Director Aaron Lipstadt
Original Airdate May 13, 2015
Previous Episode: Ghost in the Machine
Next Episode: Family Secrets

Bit by Bit is the twelfth episode in Season One of CSI: Cyber.


The cyber team investigate when a power outage in Detroit is used to mask a jewelry story robbery-homicide in which the jewels were not the target.


Botnet - when hackers secretly control numerous individual's computers to conduct illegal activities.

Krumitz is seen running into a house and into an upstairs room, where he frantically types something up on a computer. He runs back downstairs and is alarmed to find Avery standing next to a young boy. She implores him to "join her and his brother" before we see someone holding them at gunpoint.

Thirty-six hours earlier, a 25-block section of downtown Detroit, Michigan experiences a blackout. Avery and her team arrive on the scene and label the blackout as a cyber intrusion; someone has hacked the power grid and locked out every computer by erasing the startup disk. Even if the disk is successfully recovered and the system is rebooted, Nelson and Raven will have to counter-hack the target to try and get the power back on. Raven astutely notes that only a 25-block section was affected, meaning this was a precision attack. Avery believes that this attack is camouflage for another phase of the outage.

The blackout is affecting the government and financial districts of Detroit, meaning that it could be a way of disabling security alarms and gaining access to one of a number of businesses in the area. Figuring the target is going to want to make a quick getaway without getting stuck in traffic, Avery has Elijah focus on the streets on the fringe of the blacked out area. Nelson and Raven regain control of the system; however, the power hasn't come back on because the hacker is still in the system. Knowing that the hacker is still active because he needs to maintain a live connection to the power station, Avery has Nelson inject malicious code into the patch Raven is writing. The goal is to infiltrate the hacker's laptop before he gets booted off, allowing the team to keep track of him after the fact.

A hooded figure is seen breaking into a jewelry store vault using a laptop that cracks the vault's code. His sole motive appears to be obtaining information, not stealing jewelry; he sticks a flash drive into a laptop, downloads information, and quickly leaves the vault. However, before he can leave the store, he's caught by the store owner's son, Benjamin. The intruder shoots Benjamin dead and departs.

It's determined that the thief used an auto safe dialer to cycle through the many combinations and find the right one; this is why his laptop needed a live connection to the power grid. Elijah accesses the laptop in the vault and discovers one thing on it: a bitcoin account with a zero balance. Benjamin's father confirms that there was nearly $500,000 worth of bitcoin in the account and that there was only one other person who new the laptop was in the vault: Benjamin's older brother, Stephen. Taking bitcoin over the jewelry would not only be hassle-free, it would essentially be untraceable, as there are no serial numbers.

With the power back on, the jewelry store camera shows someone entering the store. The person isn't recognized by Benjamin's parents, and facial recognition comes up empty. Krumitz explains to Simon that bitcoin isn't actually anonymous, as each transaction is listed as a long sequence of randomized numbers. While a transaction can't be tied to a person, it can be tied to an account. Since they know the amount they're looking for along with the time and date the bitcoin was stolen, they can pinpoint the transaction. Every bitcoin account is protected by a 64-character passkey; however, Krumitz sees that the thief's account actually requires two passkeys, suggesting an accomplice.

The malicious code Nelson injects gives the team a hit, providing the exact location of the bitcoin thief's computer. However, when the team gets to the motel room in question, they find the thief dead. The victim is identified as Bryan Kramer, a thief who made a living by tracking charitable contributions from bitcoin accounts to identify his targets and rob them. Evidence shows that Bryan was tortured; he was cut open multiple times and patched back up with superglue, something Elijah recognizes as a battlefield technique. The laptop's hard drive is missing, seemingly making the torture unnecessary. Elijah notes that the dresser in the room was used to barricade the door. He concludes that the bitcoin passkey wasn't on the hard drive, as Bryan had removed it when he realized someone was breaking in. When the killer couldn't access the bitcoin account, he tortured Bryan for the passkey. Though the hard drive is missing, Nelson freezes the RAM chip inside and preserves any information that's left.

Benjamin Christos' brother, Stephen, is located and brought in for questioning. His phone records show that shortly after learning about his brother's death, he checked the store's bitcoin account, saw it was at zero, and contacted bounty hunters over email to negotiate a recovery price for the stolen bitcoin. Stephen insists that he was only looking out for his parents, as they invested everything they had into bitcoin, which he thought was a terrible idea. He's shown a picture of Bryan's body and informed that it's the work of the bounty hunters. Stephen says that he was only provided with an email address and a website, which turn out to be a wild goose chase.

The degraded images retrieved from the RAM in Bryan's laptop reveal a botnet. Krumitz describes it as a massive group of maliciously infected personal computers from all around the country harnessed together—a "network of computers used for evil." The people who own the computers have no idea they're part of the botnet, and the hacker gains full control over them once they're infected. There are 20,000 computers in the network, and Krumitz discovers that two separate messages were sent to two separate computers somewhere in the botnet. The two messages are likely the two passkeys, and the owners are unaware they're secretly storing them. Because the RAM was too degraded, there's no way of telling which two people have the passkeys. However, the bounty hunters have Bryan's hard drive, which means they know which two people to target—a "digital treasure map." In Oklahoma City, Oklahoma, a man is seen getting home from work and stumbling upon someone hacking into his computer. After a brief fight, he's knocked out by the hacker's accomplice.

Krumitz gets access to the server farm housing the botnet's command and control server, which has a record of every interaction the bounty hunters made with the botnet. However, while performing a live acquisition to obtain the information the bounty hunters have, he encounters a problem—the drive is completely corrupted. Worse yet, the drive is being overwritten, erasing all data.

Monitoring of Stephen's email activity shows that he received a new message from the bounty hunters—they're upping their price due to "unforeseen complications." Raven discovers that the bounty hunters made a mistake, having sent the message from a computer that had a parental control program installed. The parental controls give the team an exact address on the bounty hunters, which leads them to the man who was ambushed in his home, Edward Gaines.

Avery decides to work the case from the inside, instructing Krumitz to willingly connect a computer to the botnet. By taking the botnet's malicious code off of Edward's laptop and infecting one of theirs, they'll have the same information the bounty hunters have. Krumitz pings the network, finding that the computer with the other passkey is in Albuquerque, New Mexico. However, Nelson notices that the IP address is dynamic as opposed to static. He explains that every time a computer with a dynamic IP address turns on, it gets assigned a new IP address randomly from its Internet service provider. When it's turned off, the IP address will be assigned to a different device. Since the bounty hunters are using the IP address recovered from Bryan's hard drive, they're heading to the wrong location. There's no telling what they'll do to the next victim when they're unable to recover the passkey.

Raven cross-references footage from traffic cameras near Edward's house and security cameras near the motel where Bryan's body was found. She gets a hit, identifying the bounty hunters as Jeremy and Henry Spitz, brothers who were dishonorably discharged from the military. Their rap sheets include a long history of violent behavior resulting in arrests.

It's determined that the brothers are mistakenly heading to Denver, Colorado. Avery evacuates the Schaeffer family from their house, allowing Krumitz and Nelson to take over. Meanwhile, in Albuquerque, the computer with the other passkey is located; Raven sends the code to Nelson. Krumitz informs Avery that they embedded a decoy passkey on the computer in the house and infected it with malicious code. When the bounty hunters try to use the passkey, their computer will be infected and the team will gain complete control over it.

Proof will be needed that the passkey was on the bounty hunters' computer in the first place, so the entire operation will be screen-captured. A problem arises when Krumitz loses connection on the home computer; he runs inside to restore connection. With the bounty hunters closing in, Avery ditches her post and runs into the house, as well. Krumitz restores the connection and runs downstairs, where he's met by the two gun-toting bounty hunters. Avery implores him to join her and "his brother"—the Schaeffer's young son stopped home briefly to pick up a video game for his sleepover, something Avery caught on the security cameras.

Krumitz is held at gunpoint by Henry Spitz and instructed to access the Schaeffer's computer. Henry has Krumitz looking in the wrong place for the passkey, meaning he'll miss the decoy file. Nelson hacks into the computer and makes the decoy file visible, which Krumitz puts onto the flash drive Henry gives him. Downstairs, Jeremy Spitz looks at Schaeffer family photos and realizes something is off. When Nelson deactivates their Internet, the brothers realize they've been set up.

With things getting tense, Krumitz springs into action, incapacitating Henry with a few punches to the chest. The SWAT team enters and shoots Jeremy, knocking him to the ground. Henry picks up his brother's gun and goes to fire; however, Krumitz pulls out his gun and shoots Henry in the chest, wounding him. Nelson is able to recover the stolen passkey, putting both brothers behind bars for a long time.

The stolen passkey is returned to a thankful Ellis Christos, who vows to get out of the bitcoin business. Stephen arrives and apologizes to his father for everything he put him through.


Main Cast[]

Guest Cast[]

  • Tony Amendola as Ellis Christos
  • Brandon Barash as Stephen Christos
  • Neil Brown Jr. as Local Detective
  • Robin Karfo as Tabitha Chistos
  • Lucas Kerr as Henry Spitz
  • Blake Shields as Jeremy Spitz
  • Frank Krueger as James Schaeffer
  • William McMullen as Jeffrey Schaeffer
  • Eric Normington as Russ Williams
  • R.C. Ormond as Edward Gaines
  • Christel Smith as Karen Schaeffer
  • Lisagaye Tomlinson as Nelson's Mother
  • Delila Vallot as Julie Irons
  • Al Woodley as Nelson's Father
  • Alysson Da Silva as Civilian
  • Marty Kimble as Bryan Kramer


  • How Sweet It Is (To Be Loved by You) by Marvin Gaye

See Also[]

CSI:Cyber Season 1
Kidnapping 2.0CMND:\CrashKiller En RouteFire CodeCrowd SourcedThe Evil TwinURL, InterruptedSelfie 2.0L0m1sClick Your PoisonGhost in the MachineBit by BitFamily Secrets