Hackers Reel In The Wake Of FBI Charges, Leader’s Betrayal

Federal authorities said Tuesday that months of secret cooperation from the former head of the hacktivist group LulzSec, aka “Sabu,” had prevented over 300 cyber attacks and resulted in the arrests of two suspects and the indictments of six, yielding suspects responsible for attacks on entities from the Tunisian government to PayPal and the television show X-Factor.

Court documents describe “Sabu,” real name Hector Xavier Monsegur, as an “influential member of three hacker organizations — Anonymous, Internet Feds, and Lulz Security (also known as ‘LulzSec’)” and say the schemes he participated in were no joke.

“Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes (‘lulz’ is Internet slang which can be interpreted as ‘laughs,’ ‘humor,’ or ‘amusement’), LulzSec’s criminal acts included, among other things, the theft of confidential information, including sensitive personal information for thousands of individuals, from their victims’ computer systems; the public disclosure of that confidential information on the Internet; and overwhelming victims’ computers with bogus requests for information (known as ‘denial of service’ or ‘DoS’ attacks),” prosecutors said in a court filing.

The other five hackers charged with participating in the activities of Lulz Sec, Anonymous and Internet Feds included: Ryan Ackroyd, also known variously as “kayla,” “lol,” and “lolspoon”; Jake Davis, also known as “topiary,” and “atopiary”; Darren Martyn, known by the names “pwnsauce,” “raepsauce,” and “networkkitten”; and Donncha O’Cearrbhail, also known as “palladium.” Davis, 19, had previously been arrested and charged in the UK in July 2011.

Another suspect, Jeremy Hammond, 27, known by a bewildering array of pseudonyms including “Anarchaos,” “sup_g,” “burn,” “yohoo,” “POW,” “tylerknowsthis,” and “credible threat,” was arrested in Chicago on Monday and appeared before a judge before being transferred to New York, the Associated Press reported.

All of the suspects are eligible to receive maximum 10-year prison sentences for each of their respective charges in the U.S.

According to indictments posted to the web Tuesday from the Justice Department and the FBI, Monsegur pleaded guilty in August 2011 to 12 counts related to cyber attacks he led, perpetrated or assisted in. The attacks Monsegur admitted to included some of the most infamous ever perpetrated by Anonymous, Lulz Sec and the lesser-known Internet Feds group. He faces a maximum of 124 years in prison.

Those attacks, which took place from late 2010 through the summer of 2011, included a staggering array of targets: Federal cyber security contractor HBGary Federal, FBI affiliate InfraGard, Visa, MasterCard and PayPal, Sony, Fox Broadcasting, the Tribune Company (publisher of the Chicago Tribune), the Los Angeles Times, and PBS, among other private companies; and government websites of Zimbabwe, Yemen, Algeria and Tunisia.

A timeline of Lulz Sec’s 50 days of cyber attacks, conducted between May and late June 2011, is available on The Washington Post. Panda Labs, a cyber security firm, compiled a list of the “Operation Avenge Assange” or “Operation Payback” attacks that Monsegur admitted to participating in along with other members of Anonymous throughout several days in late December 2010. Those attacks were undertaken, according to participants, in retaliation for the decisions by Visa, MasterCard, PayPal and Amazon to stop processing payments for Wikileaks following the “Cablegate” release of 250,000 classified diplomatic cables.

Monsegur, 28, of New York, was first arrested in his home city of New York on June 7, according to federal court records. Despite being the apparent leader of an organization charged with causing financial harm to a wide variety of entities, he was released on his own signature under an agreement that said he would be supervised by the FBI (instead of a parole officer) “with respect to travel and reporting and all other issues.” The reason? He was cooperating with the FBI.

It took him a few weeks after his release to get back in the swing of things.

His last tweet came yesterday. “Die Revolution sagt ich bin, ich war, ich werde sein,” he wrote, which translated from German means “The revolution says I am, I was, I will be.”

Sabu’s real identity had actually been released to the Web on June 25, reportedly by another hacker operating under the username The Jester, but that information remained uncorroborated until the FBI’s indictment on Tuesday.

“tick tock toldya,” The Jester tweeted on Tuesday in response to the news of Sabu’s cooperation with the FBI.

Monsegur was an unemployed single father of two young children, a fact that contributed to his desire to cooperate with the FBI in exchange for facing according to Fox News, which originally broke the story of the FBI’s takedown of the Anonymous suspects and Monsegur’s double cross.

Members of Anonymous and other sympathizers on the Web took to Twitter and Internet Relay Chat (IRC) channels to express shock, disbelief and then resolve to continue their operations, in the wake of Monsegur/Sabu’s apparent betrayal. Some even threatened to attack Monsegur’s family members.

Others online took the opportunity to recall their interactions with “Sabu,” as he was then only known, following his arrest and during the time he was an informant, especially given that an FBI source told Fox News that “90 percent of what you see online” from Sabu during his career with the FBI was “bullshit.”

“As he was giving information to authorities that’s leading to a number of arrests today, he was telling me about how horrible it was to see young kids getting doxed and busted,” wrote Derek Mead at Vice Motherboard. “Judge that move for yourself, but I’m not amused.”

Wikileaks, which recently published emails widely thought to have been gleaned from a cyber attack perpetrated by another suspect, Hammond, on the American private intelligence outfit Stratfor, tweeted a link to an August 2011 chat exchange between Sabu and another hacker under the alias “Virus” or “Mike Virus.” In the exchange, Sabu accuses Mike Virus of being a snitch and adamantly denies he himself is one.

And yet, Sabu did seem to allude to his informer status at one point in the exchange, writing: “at least inform for the FBI or secret service not the NYPD LOL thats like lowest of the lowest form.”

Mike Virus, tweeting from his or her own Twitter account on Tuesday, savored the vindication of his suspicions of Sabu: “Just call me “Mike “The Prophet” Virus” for now on.”

Meanwhile, throughout the day on Tuesday, the FBI was reportedly conducting interviews with other hackers suspected of or self-identified with the Anonymous movement.

Anonymous collaborator and sometime spokesman Barrett Brown told the New York Times that his Dallas home was raided by the FBI and that three agents came to his mother’s home, where he was staying last night.

“I received an advance warning of the raid and put all my laptops in very specific places where they couldn’t be found,” Brown said.

“Oh my, looks like it’s my turn for an #FBI visit!” tweeted a popular Anonymous user under the name USAnonymous, later claiming he was tweeting while being interrogated by the FBI.

In response to a question from TPM regarding what specific information the FBI allegedly sought from USAnonymous, the user tweeted: “Information on Stratfor, upcoming Ops (OpLove and Project Thermite) More info soon.”

It wasn’t clear what “operations” the user was referring to, or if he or she was simply joking.

In the meantime, other users claiming to be affiliated with Anonymous and its sub-group, the AntiSec movement, continued to tweet and post information they said was related to ongoing hacks of agrochemical giant Monsanto and the Los Angeles County Police Canine Association (LACPCA).

Monsanto and the LACPCA were not immediately available for comment.

The day culminated with self-identified Anonymous participants eyeing each other with renewed suspicion.

“HEADS UP: Paragraph 10 of Sabu’s information discusses another unnamed informant involved with Internet Feds,” tweeted YourAnonNews, a popular Twitter account identified with Anonymous.

Ed note: TPM was itself the victim of a DDoS attack perpetrated against the website in September 2011 after publishing mug shots of earlier Anonymous suspects arrested. That investigation is ongoing.
