While perusing recent CERT advisories, I read that gnu.ftp.org was compromised in Mar 03 but discovered only this month. According to the announcement, "The modus operandi of the cracker shows that (s)he was interested primarily in using gnuftp to collect passwords and as a launching point to attack other machines. It appears that the machine was cracked using a ptrace exploit by a local user immediately after the exploit was posted." This shows escalating privileges to root isn't the "end game," as this intruder sought to leverage that access to compromise others. This reminds me of the techniques espoused by el8 in their war on white hats.
Update: A year ago today Wired published a story on an underground zine called el8.3.txt which declared war on white hats.