LulzSec Leader Flipped By Feds, Helps Indict Fellow Hackers

Updated 12:15 am ET, Tuesday, March 6

Hector Xavier Monsegur, an unemployed 28-year-old father of two who lives in public housing in New York, is allegedly the man behind the screenname “Sabu,” leader of the hacker group LulzSec, and has been working with FBI agents to go after other members of the organization, Fox News first reported Tuesday.

The Justice Department at noon on Tuesday unsealed an indictment filed in the Southern District of New York charging that Monsegur “willfully and knowingly caused the transmission of a program, information, code and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer,” causing “at least $5,000 in aggregate loss,” in the August 2011 cyber attacks on security firm HBGary Federal, a government contractor. The indictment was originally filed in California in August 2011.

A longer indictment document obtained by the New York Post describes Monsegur’s role in more elaborate terms, painting a portrait of a highly skilled hacker with wide reach and grandiose aims. Monsegur is said to have been active as a “rooter,” one who identifies and exposes system vulnerabilities for purposes of exploitation, and was a member of at least three distinct hacker groups: Lulz Sec, Anonymous and Internet Feds.

In addition to the HBGary Federal hack, which was said to be carried out by Internet Feds, Monsegur is charged with participating in “Operation Payback,” the series of attacks against PayPal, Mastercard and Amazon perpetrated by Anonymous in December 2010 in retaliation for their sudden halting of payment processing for Wikileaks. He’s also named as participating in hacks against the governments of Tunisia, Yemen, Algeria and Zimbabwe as part of Anonymous, and against Sony, Nintendo, Fox, PBS and FBI affiliate websites, among others, as part of Lulz Sec, causing at least $5,000 in damages to those systems.

A law enforcement official earlier confirmed to TPM that several charges would be unsealed against other alleged members of LulzSec in the federal court in the Southern District of New York later today.

Monsegur, according to Fox News, pleaded guilty to 12 hacking-related charges back on Aug. 15. The report identified the remaining LulzSec leaders arrested or charged as Ryan Ackroyd (aka “Kayla”) and Jake Davis (aka “Topiary”) of London; Darren Martyn (aka “pwnsauce”) and Donncha O’Cearrbhail (aka “palladium”) of Ireland; and Jeremy Hammond (aka “Anarchaos”) of Chicago.

The FBI on Tuesday raided a home in Chicago in connection with the investigation into Lulz Sec, The Chicago Tribune reported.

Two Irish university students, including one male teenager, whose names have not been publicized, were among those arrested on Tuesday in connection with the group’s attacks, according to The Irish Times.

“LulzSec,” short for “Lulz Security,” was a splinter group of the hacktivist collective Anonymous that first made its presence known in May 2011, claiming credit for hacking the reality TV show “The X Factor,” and releasing a series of contestants through a Twitter account.

The group’s attacks escalated over the period of nearly two months in the summer of 2011 to include the website of InfraGard, an FBI public-private partnership, and Unveillance, a security company, as well as Sony, porn websites, the website of the CIA, the Arizona Department of Public Safety and AOL and AT&T, among other targets.

Then, in late June, Lulzsec posted a message on the text-sharing website Pastebin that it was abruptly “retiring” after “50 days of lulz” (an internet permutation of “LOL” or “laugh out loud”). As a final parting gesture, Lulzsec posted internal corporate documents obtained by hacking AT&T and AOL.

Lulzsec outlined its philosophy in its final message, with someone claiming to be affiliated with the group writing on Pastebin: “For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could. All to selflessly entertain others – vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy. It’s what we all crave, even the seemingly lifeless politicians and emotionless, middle-aged self-titled failures.”

Monsegur’s name was among those outed in a separate “dox,” or dump of information by, on June 25, around the same time as Lulz Sec’s retirement. That dump was reportedly perpetrated by another hacker working against Lulz Sec known as “The Jester.”

According to Fox, though, LulzSec’s members were only in semi-retirement at most. “Anarchaos,” who was expected to be charged on Tuesday, was reportedly responsible for the hack on the website of intelligence firm Stratfor in late December. That attack was claimed by Anonymous. Wikileaks recently published emails that are widely thought to have derived from that attack.

Rumors of Sabu’s flipped allegiance had been circulating for at least several months. Gizmodo writer Sam Biddle reported on an online chat conversation he conducted last year with a hacker named “Virus,” who alleged as much.

Still, the news of Sabu’s apparent defection had on Tuesday morning thrown many members of the loosely organized hacktivist group Anonymous for a loop.

“I hope the news about @AnonymouSabu isn’t true,” tweeted a person under the account name “AnonNep.” “I wondered about the DM he sent me earlier. I still adore him for his support & friendship.”

“Is it believable that Sabu would work with feds…yes..so would most of us under a shit ton of pressure from feds…even if we like to think we wouldnt” wrote a user named “TORxd” in an Internet Relay Chat channel frequented by Anonymous.

“Shitstofrm said some months ago sabu was FBI Spy,” wrote another user under the name “obvious.” “Many said but who can we believe?[sic]”

Another user, named “Agent Suga,” posted a link to a “Dox,” a dump of identifying information, they said was related to Sabu/Monsegur.

“Let us begin our punishment. FBI web will be down, family of selected snitches, ex members will be punished in hardest way. Expect us!” wrote another user under the name AN0NYM0USLEADER.

Barrett Brown, once the self-described “spokesperson” of Anonymous and a journalist/activist with continued ties to the group, tweeted the following at 10:51 am: “My apartment was raided this morning by the FBI. Feds also came to another residence where I actually was. Sabu is a traitor. #Anonymous”

Ed note: TPM came under DDoS attack last year following the publication of booking photos of suspected Anonymous members.
