Study of the Week: DNA, Malware and Mayhem - How Hackers Might Hijack Biology
It started, as all great modern horror stories do, with a drop of clear liquid in a university lab. Harmless to the eye, innocuous to the touch, and, as it turns out, perfectly capable of hacking a computer.
Yes, you read that correctly. A group of researchers at the University of Washington successfully encoded malware into synthetic DNA. When that strand was processed by a DNA sequencing machine, the malware triggered a vulnerability in the software and took control of the computer. Not some theoretical cyberpunk nonsense. This happened in 2017. And no, they weren’t on hallucinogens at the time.
Now, before you start wrapping your genome in tinfoil, this was what scientists call a “proof of concept.” In other words: don’t panic just yet. The researchers had to rig the system to make it work: they fed the DNA into an old, vulnerable version of the sequencing software and had the exploit practically gift-wrapped for the demonstration. You’re not going to hack MI6 with a cheek swab and a PCR kit. At least, not this week.
Still, the implications are hard to ignore. Because while the attack was artificial, the vulnerability was real. Many of the programs used to process genetic data are open-source, barely maintained, and often developed by people whose last cybersecurity training was probably a warning not to open spam emails. These tools now live at the centre of medicine, agriculture, and pandemic response, and they’re often plugged into networks, cloud servers, and automated pipelines. All of which makes the situation ripe for exploitation.
And let’s talk about that open-source bit for a moment. The reality is that a huge portion of the bioinformatics ecosystem runs on code that’s been cobbled together by underfunded academics, grad students, and lone developers with more coffee than sleep. Maintenance? Minimal. Security audits? Rare. Documentation? Best not to ask. The reason isn’t laziness; it’s resources. Open-source software often fills critical gaps that commercial tools ignore, but the people keeping it running are doing it out of necessity, not profit. And while massive biotech firms happily build billion-dollar platforms on top of this scaffolding, their contributions to actually maintaining the code that underpins it all? Let’s just say it’s a bit like watching someone win the lottery and then forget to tip the bartender. But who am I to judge.
Let’s not forget that DNA is no longer the sacred scroll of biology. It’s just data. A string of four letters, A, T, C, and G, that can be digitised, emailed, synthesised by machines, and interpreted by code. Which is exactly what the hackers at Washington played with. They mapped a buffer overflow exploit, a classic trick in the hacker’s playbook, onto a strand of DNA, had it sequenced, and watched the malware leap from molecule to machine like a well-trained biochemical ninja.
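For readers who write the software on the receiving end, here is what the defensive side of that story looks like. This is an added example, not code from the researchers or from any real sequencing tool: the 2-bit base mapping, the `MAX_READ_BASES` cap and the function names are assumptions made for illustration, and it accepts only the four letters A, C, G and T.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_READ_BASES 64              /* hypothetical per-read cap for this example */
#define PACKED_BYTES(n) (((n) + 3) / 4) /* four 2-bit bases fit in one byte */

enum pack_status { PACK_OK = 0, PACK_TOO_LONG, PACK_BAD_BASE, PACK_NO_SPACE };

/* Assumed 2-bit code: A=00, C=01, G=10, T=11. Returns -1 for anything else. */
static int base_code(char b) {
    switch (b) {
    case 'A': return 0;
    case 'C': return 1;
    case 'G': return 2;
    case 'T': return 3;
    default:  return -1;
    }
}

/* Unsafe pattern, shown for contrast only: a fixed buffer filled by a loop
 * that trusts the read to fit, so an overlong read writes past the end.
 *     uint8_t buf[PACKED_BYTES(MAX_READ_BASES)];
 *     for (i = 0; read[i] != '\0'; i++)
 *         buf[i / 4] |= base_code(read[i]) << (6 - 2 * (i % 4));
 */

/* Hardened form: length, destination capacity and alphabet are all checked
 * before a single byte of the output is written. */
enum pack_status pack_read(const char *read, size_t n_bases,
                           uint8_t *out, size_t out_cap) {
    if (n_bases > MAX_READ_BASES)
        return PACK_TOO_LONG;
    if (PACKED_BYTES(n_bases) > out_cap)
        return PACK_NO_SPACE;
    for (size_t i = 0; i < n_bases; i++)
        if (base_code(read[i]) < 0)
            return PACK_BAD_BASE;      /* rejects N, lower case, NUL, control bytes */

    memset(out, 0, PACKED_BYTES(n_bases));
    for (size_t i = 0; i < n_bases; i++)
        out[i / 4] |= (uint8_t)(base_code(read[i]) << (6 - 2 * (i % 4)));
    return PACK_OK;
}

int main(void) {                       /* "ACGT" is a constructed sample read */
    uint8_t out[PACKED_BYTES(MAX_READ_BASES)];
    return pack_read("ACGT", 4, out, sizeof out) == PACK_OK && out[0] == 0x1B ? 0 : 1;
}
```

The point is the order of operations: every rejection happens before the first write, so a hostile read costs the pipeline an error code rather than its memory.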
Naturally, this raised a few eyebrows in both the cybersecurity and synthetic biology communities. Suddenly, "digital hygiene" had to extend into the wet lab. If data can be encoded into DNA, and DNA can be read by networked machines, then biology becomes yet another attack surface. Or as one researcher rather bluntly put it: "We've just taught bacteria how to phish."
A few years later, things escalated. Two Israeli researchers, Dor Farbiash and Rami Puzis, introduced the concept of a DNA injection attack, and this one didn’t require sloppy software. Their idea was devilishly elegant: hide harmful genetic sequences inside an innocent-looking DNA order. Send it off to a synthesis company, have it delivered to a lab, and let the automated workflow do the rest. No breaking into buildings, no bribing lab techs. Just trick the system into building something it shouldn’t. A kind of biological supply chain attack, only instead of dodgy USB drives, you’re using double helices.
It’s the biotech equivalent of slipping anthrax into a birthday card, except you’ve trained the postal system to assemble the anthrax for you en route.
All of this might sound a little exaggerated, and perhaps it is, for now. But it’s not unthinkable. As synthetic biology becomes more powerful, more accessible, and more digitised, the tools used to edit life itself are being treated with the same lax security we once applied to coffee shop Wi-Fi. Code is code, whether it's running on silicon or inside a cell. And if there's one thing hackers love, it's poorly secured code.
We already trust machines to churn out mRNA for vaccines, to read thousands of genomes for cancer research, and to develop crops in biotech firms. These processes rely heavily on automation: robotic pipettes, gene printers, cloud-based design platforms. Each one is a potential vector for attack. Even the companies synthesising DNA sequences often rely on automated screening tools to prevent the manufacturing of dangerous pathogens, tools which, according to some researchers, can be fooled with surprisingly little effort.
And herein lies the problem: biology has grown up in a world that still thinks of computers as "tools" rather than attack vectors. The idea that someone could weaponise DNA itself, not to infect a body but to breach a firewall, sounds absurd. Until it isn't.
The researchers behind the original malware-in-DNA experiment stressed repeatedly that their goal wasn’t to spark hysteria. They wanted to draw attention to a blind spot. DNA sequencing software is increasingly sophisticated but rarely built with security in mind. Lab pipelines are full of unvetted components. And most biologists, for entirely understandable reasons, don’t think like hackers. That needs to change.
Fortunately, the cavalry has started to arrive. In 2022, a team introduced a deep-learning tool to detect maliciously encoded DNA sequences, the biological equivalent of antivirus software, except trained on gene patterns instead of file headers. The early results were promising, with near-perfect accuracy in spotting Trojan horse DNA. It’s a start. But as anyone who’s ever tried to update a 15-year-old lab computer knows, installing new software isn’t always so straightforward.
Meanwhile, national standards bodies like NIST have begun issuing guidance on securing bio-cyber systems. There’s talk of cryptographic provenance, stricter access controls, and chain-of-custody protocols for synthetic DNA. All good stuff, though we’re still playing catch-up.
In the end, this isn't just about DNA and malware. It’s about the convergence of two fields, biology and computing, that have historically existed in different universes. But that separation is over. We are now editing DNA with algorithms, designing proteins in the cloud, and uploading the blueprints for life to GitHub.
Which means the bio-lab is now just another node on the network. And like any node, it can be compromised.
We used to worry about computer viruses. Then biological ones. Now, apparently, we need to worry about biological computer viruses. The future is here, and it’s running Linux… and maybe a plasmid or two.
So the next time you’re in a lab and someone says “this sequence looks a bit suspicious,” don’t roll your eyes. That bit of code might be more than just a mutation. It could be malware. Just with a PhD in biochemistry.
References:
Ceze, L., Organick, L., Koscher, K., Ney, P., & Kohno, T. (2017) Computer security, privacy, and DNA sequencing: Compromising computers with synthesized DNA, privacy leaks, and more. USENIX Security Symposium, 765–779. Available at: https://dnasec.cs.washington.edu/dna-sequencing-security/dnasec.pdf [Accessed 8 July 2025].
Farbiash, D. and Puzis, R. (2020) Cyberbiosecurity: DNA Injection Attack in Synthetic Biology. arXiv preprint arXiv:2011.14224. Available at: https://arxiv.org/abs/2011.14224 [Accessed 8 July 2025].
Islam, M.S., Ivanov, S., Awan, H., Drohan, J., Balasubramaniam, S., Coffey, L., Kidambi, S. and Sri-saan, W. (2022) Using Deep Learning to Detect Digitally Encoded DNA Trigger for Trojan Malware in Bio-Cyber Attacks. arXiv. Available at: https://arxiv.org/abs/2202.11824 [Accessed 8 July 2025].