by Parmy Olson
“If he publishes, that old sack of crap is completely ruined,” Topiary said. They were planning to let the story do the rounds for five days, then deny it on Twitter, posting a link to all their logs with the journalist. But Chen never published anything. Like Hijazi, he had been playing along with LulzSec’s story in the hope of teasing out some truth, which he realized he wasn’t getting. The lack of a story was disappointing for LulzSec’s members, but they were managing to keep outsiders from getting too close; for now, at least.
By early June the members of LulzSec were working flat-out on several different misinformation campaigns and the odd operation and trying not to think about the potential damage caused by M_nerva. One light in the darkness was that they had racked up five hundred dollars in Bitcoin donations. Topiary controlled the Bitcoin account and was passing some of the money to Sabu to buy accounts with virtual private networks, like HideMyAss, to better hide their ring of supporters and also to get more server space. Turning that money into untraceable cash was a drawn-out task but relatively easy. The Bitcoins bought virtual prepaid cards from Visa, with the help of fake names, addresses, personal details, and occupations at fake companies, generated in seconds on the website fakenamegenerator.com. As long as the contact address matched the billing address, no online store would question its authenticity. The Visa account was used to get in the online virtual world Second Life and buy the in-game currency Lindens. Convert that money into U.S. dollars via a currency transfer site (recommended by Kayla) called VirWoX, then put those dollars into a Moneybookers account. Finally, transfer that money into a personal bank account. That was one method. Another more direct route, which Topiary often used, was to simply transfer money between a few different Bitcoin addresses:
Bitcoin address 1 → Bitcoin address 2 → Bitcoin address 3 → Liberty Reserve (a Costa Rican payment processor) account → Bitcoin address 4 → Bitcoin address 5 → second Liberty Reserve account → PayPal account → bank account.
If even the hint of a thought occurred to him that there weren’t enough transfers, he would add several more paths.
Then on Monday, June 6, Topiary checked the LulzSec Bitcoin account. Holy shit, he thought. He was looking at a single, anonymous donation of four hundred Bitcoins, worth approximately $7,800. It was more money than Topiary had ever had in his life. He went straight into the core group’s secure chat room.
“WHAT THE FUCK guys?!” he said, then pasted the Bitcoin details.
“NO WAY,” said AVunit. “LOL. Something has gone wrong.”
“Nope,” Topiary said. He pasted the details again.
Suddenly they all stopped what they were doing and talked about splitting the money: $1,000 each and the rest to invest in new servers. They started private messaging Topiary with their unique Bitcoin addresses so he could send them their shares. Topiary had no intention of keeping quiet about the money or cutting a bigger slice for himself. Everyone was funneling the money through various accounts to keep it from being traced. Who knew if the donation had come from the Feds or opportunistic military white hats?
“Guys be safe with the Bitcoins please,” said AVunit. “Let it flow through a few gateways.…Use one bit to get out of financial trouble and then sit on the rest.”
“Okay, beginning the sends,” Topiary said. “All of you are now $1,000 richer.”
“Excuse me while I light up a victory cigar,” said Pwnsauce.
“I’m just going to stare at it,” said Kayla. “Let it grow as Bitcoin progresses.” So volatile and popular was the value of the Bitcoin crypto currency that by the following day one Bitcoin had risen to $26 in value, making their big donation worth $11,000. Three months prior it had been one to one with the dollar.
“I’m honestly sorry you guys aren’t here,” said AVunit, “because I’m going to open a bottle of great whiskey. One of the Highland Scottish.” Topiary barely noticed the reference to where he lived.
“Now let’s all have some sex,” Tflow said.
Everyone was beaming inside, forgetting the enemies and the heat. Sabu took the chance to congratulate his crew. “Thanks, team,” he said. “We all did great work. We deserved it.”
For Sabu, the celebrations would not last long. The next day, Hector “Sabu” Monsegur finally got a knock on the door from the FBI.
It was late in the evening on Tuesday, June 7, and two agents of the Federal Bureau of Investigation had entered the Jacob Riis apartment building and were heading for the sixth floor, where Hector Monsegur lived and often partied with his family and friends. The FBI had been trying to pin down Sabu for months, and a few weeks prior they had finally managed to corroborate Backtrace’s pronouncement: Sabu had inadvertently signed into an IRC channel without hiding his IP address. Just the one time was all they needed. To make sure he cooperated, the Feds needed evidence that Monsegur had broken the law. So they subpoenaed Facebook for details of his account and found stolen credit card numbers he’d been selling to other hackers. That alone carried a two-year prison sentence. Knowing that he had two daughters and a family, the FBI now had some leverage.
The FBI had watched and waited for the right moment. Then on Tuesday, the agents got the call to move in. Amid the growing number of small groups who were, like Backtrace, trying to dox LulzSec, one had published the name Hector Monsegur, along with his real address. Sabu had recklessly kept hacking till now, perhaps reasoning that he had come too far already and that arrest was inevitable. But the FBI didn’t want to take any chances. They needed him.
The agents knocked on Monsegur’s maroon-colored door, and it swung open to reveal a young Latino man, broad-shouldered and wearing a white t-shirt and jeans.
“I’m Hector,” he said. The agents, who were wearing bulletproof vests as a standard precaution, introduced themselves. Monsegur, apparently, balked. According to a later Fox News report that cited sources who had witnessed the interaction, he told the agents that he wasn’t Sabu. “You got the wrong guy,” he said. “I don’t have a computer.” Looking into the apartment, the agents saw an Ethernet cable and the green, blinking lights of a DSL modem.
They probed Monsegur further, launching into a traditional good cop/bad cop routine. They told him that they wanted him to work with them as a cooperating witness, to help them corroborate the identities of the other LulzSec hackers. Sabu refused at first. He wasn’t about to snitch on his own team.
Then they told him about the evidence they had from Facebook that showed that he had sold stolen credit cards and told him that this alone would put him in jail for two years. What would happen to his girls if he went to prison? The good cop told Monsegur he could get a lesser sentence if he cooperated; he had to think of his kids. Monsegur was still holding back. That’s when bad cop piped up.
“That’s it, no deal, it’s over,” the other agent said, storming out of the apartment. “We’re locking you up.” Sabu finally relented.
“It was because of his kids,” one of the agents later told Fox. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”
The following morning at ten, Monsegur appeared in the Southern District Court of New York with his new lawyer, Peggy Cross-Goldenberg, and agreed before a judge to let the FBI monitor his every movement—both online and in real life. It would take a few more months for prosecutors to formally charge him on a stream of other counts related to computer hacking, but his punishment would be agreed as part of a settlement. From Wednesday, June 8, on, Sabu was an FBI informant.
Monsegur, who had climbed to the pinnacle of the international hacker community thanks to his technical skills, charm, and political passion, was now feeding information about his friends to the FBI.
As Hector Monsegur was being arrested in his secret New York apartment, thousands of people were talking about his crew of audacious hackers. Twenty-five thousand more people had started following LulzSec’s Twitter feed after the Infragard hack, and it now had seventy-one thousand followers. The name was getting 1.2 million hits on Google. Topiary found that he would spend a few seconds thinking of something silly to tweet, then he would tweet it to find it immediately quoted in a news headline. When he tweeted a link to the group’s public IRC channel, irc.lulzco.org, one Sunday evening at six, more than 460 people quickly piled in for random chatter and a chance to rub virtual shoulders with the most famous hackers on the planet. “Join the party,” he had announced. “We’re enjoying a peaceful Sunday.”
“LulzSec, you guys rock!” said one visitor.
“I need someone to take down my school’s cheap ass website, for the lulz,” said another.
“Hey can anyone hack this douche for me?” asked someone else who then posted an IP address. Each time another group of twenty or thirty people joined the chat, someone would shout, “Here comes the flood!”
“You guys released my mom’s e-mail,” said another fan on Twitter. “I LOL’ed.”
Meanwhile journalists were struggling to keep up with the fast-paced developments. No sooner had LulzSec released Sony’s development codes than it uploaded the user database for porn site Pron.com, pointing out users who had .gov and .mil e-mail addresses with the note, “They are too busy fapping to defend their country.” One American fighter pilot had used the password mywife01 while the e-mail address [email protected] had used karlmarx.
Australian IT security expert and the blogger behind cyber security blog Risky.Biz, Patrick Gray, wrote up a blog post called “Why We Secretly Love LulzSec.” It got re-tweeted hundreds of times and said, “LulzSec is running around pummeling some of the world’s most powerful organizations into the ground…for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn’t any.” His kicker at the end voiced what many in the cyber security industry were thinking: “So why do we like LulzSec? ‘I told you so.’ That’s why.”
LulzSec’s flagrant use of often simple SQL injection methods had brought home how vulnerable people’s private data was, and done it more compellingly than any IT security’s marketing campaign had. Cisco even capitalized on the interest, at one point sponsoring promotional tweets at the top of any search results for the group on Twitter.
Then a white hat security company did the same. The next morning Topiary woke up to see news reports of LulzSec’s supposed latest attack, defacing the home page of digital security company Black & Berg. Its home page had a large title saying “Cybersecurity For The 21st Century, Hacking Challenge: Change this website’s homepage picture and win $10K and a position working with Senior Cybersecurity Advisor, Joe Black.” Directly after that was: “DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ.” Under the title was a photo of a U.S. federal building covered by the black-and-white image of LulzSec’s ritzy monocled man. The International Business Times quickly posted a story headlined “LulzSec Wins Hacking Competition, Refuses $10K Award,” then quoted Joe Black himself commenting, “What can I say? We’re good, they’re better.” When the Times asked Black how LulzSec had done it, he replied: “I’m going to go with reconnaissance, scanning, gain access, maintain access, and cover tracks.”
But when Topiary asked the team about the Black & Berg attack, nobody knew anything about it, and this deface message didn’t have any of the nutty creativity that marked their other attacks. Topiary didn’t know it at the time, but Black had most likely defaced his own site to get the white hat firm some much-needed clients. (A year later the business had shut down and its founder had aligned himself with Anonymous and Antisec.)
In another part of the world, the hard-core hacker community in Brazil was forming its own version of LulzSec, called LulzSec Brazil. Another hacker group calling itself LulzRaft briefly emerged. Other black hat hackers sent over more leads. Each day the LulzSec crew members were sent dozens of links to web pages that could infect them with viruses, but among them there were a few genuine security exploits, and plenty of data dumps left and right; 1,000 usernames and passwords here, another 500,000 there. Often they were from gaming companies, a paradoxically popular target for hackers, since so many of them were gamers too. They wanted to leak through LulzSec because they were often too scared to do it themselves and didn’t want the data or exploit they had found to go to waste. The team had to be choosy about what it leaked—Topiary had learned from his time with AnonOps not to say yes to every request.
Though Topiary was finding it hard to keep a steady hand on things with so much happening at once, LulzSec was about to ramp up the pace of announcing hacks. The team was sitting on a mound of unused data, mostly provided by other hackers, that needed to get out. The Pentagon had given them a reason to finally drop Infragard, but soon they wouldn’t be waiting for the right moment. It would just be a fire sale of attack after attack.
Feeling the strain that Wednesday night, June 8, Topiary sent a message to Sabu asking if he was around and wanted to talk. He was hoping for a simple chat about security or maybe life in general. But Sabu didn’t respond. Just a few hours earlier, Monsegur had been in court signing agreement papers with the FBI. With Sabu offline for several hours now, Topiary battled a strange sense of foreboding.
“I’m starting to get quite worried some arrests might actually happen,” he remarked that evening, U.K. time, in a rare expression of emotion. It wasn’t the enemy hackers, Jester, or even the Bitcoin donation that had come out of the blue. Backtrace had just published the document claiming to dox the team members of LulzSec, though again, he was sure that all the names of his colleagues were wrong. “I just have a weird feeling something bad is inbound for us, I don’t know why.”
He remembered how he had mentioned similar concerns a few days earlier to Sabu after the M_nerva leak, and how Sabu had suddenly seemed more worried too. (This had been before Sabu’s arrest.) Topiary had always been the calm one in their group, Sabu’s brain of reason. Once Topiary started to get nervous, it was perhaps another signal to Sabu that they were in too deep. As the two had continued talking, they both decided that in spite of all the heat they were inviting, they could not just stop now. Momentum was too strong, expectations too high. They would carry on and run on faith in their ability to stay hidden. A small part of each of them had also accepted that arrest would probably happen at some point.
Did Topiary now fully trust Sabu and Kayla? In answering that question Wednesday night, he said that he trusted them “more than anyone else” in the group, and Sabu in particular.
“I treat Sabu as more important to me than mostly anyone online,” he said. “If I get arrested, I’m not snitching on them.”
But the niggling feeling came in part from knowing that Sabu had been social-engineering people for more than a decade and the weird fact that Sabu trusted him so much despite having known him for only a few months. For instance, Sabu had told Topiary his first name, Hector, a month before, had trusted him with his Google Voice number, had told him the names of a few of his friends, and even mentioned that he lived in New York City. When Topiary had asked a few weeks prior what Sabu knew about him, wondering if he had the same amount of information, Sabu had replied: “A U.K. guy that does good accents, which makes me think you’re not really from the U.K.” Topiary, who had an unusual Scottish-Norwegian accent developed from playing online games with Scandinavian friends, had never told Sabu his real first name or confirmed that he lived on the British Isles or named any of his friends. It was almost as if Sabu didn’t really care anymore about hiding his own true identity.
Topiary considered himself to be less reckless in that regard than Sabu. Plus, living in such a remote part of the world had made him feel safe. He doubted the police would even bother traveling up to the Shetland Islands.
Topiary went to bed. Getting to sleep was difficult. He tossed and turned, then had a strange nightmare and woke up at 5:00 a.m., shouting. He hadn’t done that in years. It was still dark outside, but he got out of bed and went into his living room anyway. He sat in his gaming chair and signed in to #pure-elite. Suddenly, he was bombarded with messages.
“Sabu is gone,” one of the crew members said. The LulzSec team finally noticed that he had been missing for more than twenty-four hours.
Chapter 22
The Return of Ryan, the End of Reason
Topiary was anxious and confused. He was sure someone was lying. First Kayla had reported rumors on a public IRC network that Sabu had been raided. Then someone else had said his two daughters were sick and in the hospital. Then another person whom Topiary knew as a real-life friend of Sabu’s also claimed he had been raided. Then he heard the hospital story from yet another source. There was a fifty-fifty split on what had happened. Topiary wanted to believe the hospital story. Typically, in paranoid hacker circles or Anonymous, if someone disappeared from a public IRC for a while and without reason, people assumed the worst (an FBI raid). But if Sabu had suddenly wanted to go back underground, he would have told a few trusted people to say different things.
Topiary started calling Sabu’s Google Voice number every hour but got no answer. It was unusual for him not to be online for more than half a day. Topiary waited and hoped Sabu wasn’t in a cell being questioned or, worse, snitching. On IRC, Sabu was still logged on. Once his nickname had been idle for twenty-four hours, the team killed it, just in case Feds were watching.
“I’m quite worried,” Topiary said that morning.
Sabu had given him instructions the week before that if he was ever caught, Topiary should access his Twitter feed and tweet as normal while the team should keep announcing hacks. If the Feds did have Sabu, this could be his ticket to avoiding some charges. Topiary’s heart sank when he looked at Sabu’s Twitter account and was reminded of how much the hacker had motivated him. The short bio read: “To all Anons: you all are part of something amazing and powerful. Do not succumb to fear tactics that are so obvious and archaic. Stay free.” Sabu may have been hot-tempered, but he could also be inspiring.