by Parmy Olson
Here the operators were talking excitedly about all the new volunteers and media attention they were suddenly getting. They decided to pick a bigger target: the main PayPal website. They quickly chose dates and times and pasted the coordinates at the top of the main IRC channels, then tweeted them. Topiary and the others in #command expected that the call to arms would get stronger feedback than usual, but nothing prepared them for what happened next.
On December 8, just four days after AnonOps had first hit the PayPal blog, the number of visitors to AnonOps IRC had soared from three hundred to seventy-eight hundred. So many people were joining at once that Topiary’s IRC client kept freezing and had to be restarted. Lines of dialogue between people in the main channel, still named #operationpayback, were racing up the screen so quickly it was almost impossible to hold a conversation. “It was mind-blowing,” Topiary later remembered. “Insane.”
“Do you think this is the start of something big?” someone called MookyMoo asked amid the flurry in the main channel.
“Yes,” replied an operator named shitstorm.
Jokes were often being cracked about how the mainstream press had started reporting the attack. “They’re calling us hackers,” said one called AmeMira.
“Even though we don’t really hack,” another, called Lenin, replied.
The IRC network itself was seizing up because of the flood of users. “Are we being attacked or are there just too many people on this server?” one participant asked. Once the LOIC network itself was crashing, newcomers were told to set their “cannons” on manual mode, directly typing the target address and clicking “IMMA CHARGIN MAH LAZAR.”
At around the same time, Topiary watched two very important people enter the private #command room. Their nicknames were Civil, written as {Civil} and Switch. These were botmasters. Each had control of his own botnet, Civil with fifty thousand infected bots and Switch with around seventy-five thousand. Anons who owned botnets could expect to be treated with unusual reverence in Anonymous—with only a few clicks they had the power to bring down a website, IRC network, whatever they wanted. Switch had the bigger ego and could be unbearable to talk to at times.
“I have the bots, so I make the shots,” he would say.
Everything was controlled on IRC. Civil and Switch even controlled their botnets from private chat rooms with names like #headquarters and #thedock. The latter was fitting, since bots were often referred to as “boats,” as in “How many boats are setting sail?” And in the public channel, the thousands of new visitors only had to type “!botnum” and press enter to see how many people were using LOIC. The day before, December 7, the number of people joining the hive option of LOIC had been 420. For the attack on PayPal on December 8, it was averaging about 4,500.
Topiary noticed that Civil and Switch had their botnets prepared to help the attack but that they were waiting for the hordes with LOIC to fire first. Launch time was 2:00 p.m. GMT, when most people in Europe were at their desks and America was just getting into the office. With minutes to go, supporters and IRC operators posted out a flurry of tweets, links to digital posters, and posts on 4chan reminding everyone: “FIRE AT 14:00 GMT.” When 2:00 p.m. finally came around, the IRC channels, Twitter, and 4chan exploded with *FIRE FIRE FIRE FIRE* and FIIIIIRE!!! Along with all the junk traffic, the LOIC hive configured a message to PayPal’s servers: “Good_night_Paypal_Sweet_dreams_from_AnonOps.”
There was a rush of excitement as thousands of copies of LOIC all over the world started shooting tens of thousands of junk packets at PayPal.com, putting its servers under sudden pressure that seemed to be coming out of nowhere.
“If you are firing manually, keep firing at ‘api.paypal.com:443,’” a user called Pedophelia kept saying over and over in the main channel. “Don’t switch targets, together we are strong!”
An IRC operator nicknamed BillOReilly was in a chat room called #loic. Here he could steer the hive of LOIC users from all over the world to attack whatever website was next on the hit list. Anyone who looked in the channel saw a long list of each person who was using LOIC in the attack. Each participant was identified by six random letters and the country his or her computer was in (though many had spoofed that with proxy servers to avoid detection). The countries with the greatest number of participating computers were Germany, the United States, and Britain.
A few minutes into the attack, the IRC operators checked PayPal.com and found that the site was now running slowly—but technically it was still up. There followed much confusion in the horde. Was something wrong with LOIC or AnonOps, or did PayPal have DDoS protection that was too strong?
“The attack is NOT working,” someone named ASPj wrote to Kayla—a name Topiary didn’t recognize yet—in the main chat room. “I repeat, PAYPAL IS NOT DOWN.”
No one outside of #command knew this, but they needed Civil and Switch.
“Let’s add on a few thousand bots,” someone in #command said. Civil knew what he had to do. He typed in commands for all of his bots to join up to his botnet. The operator evilworks messaged Topiary. “Check out these bots,” he said, inviting him into Civil’s botnet control room, eager to show it off.
In the botnet control room, which was like any other chat channel, Topiary could see a list of Civil’s bots suddenly running down the screen in alphabetical order as they started up around the world. There were a few hundred in the United States, a few hundred more in Germany; all were invisibly connected to this IRC channel. Each bot had nicknames like:
[USA | XP] 2025
[ITA | WN7] 1438
It was very similar to the list that BillOReilly was seeing in his room, except these were computers that were infected with a virus that had linked them to Civil’s botnet. These were not voluntary participants. None of the computers in this room belonged to people who wanted to be part of the attack. They were, as the phrase went, zombie computers.
If one of the bots suddenly turned off, it was probably because a random person in Nebraska or Berlin had switched off his or her computer for the day, and the list would go down by one. Civil thus didn’t like using all fifty thousand of his bots at once; instead, he switched between a few thousand every fifteen minutes to let the other ones “rest.” Once the botnet was firing, the people behind each infected computer would notice that their Internet connection had become sluggish. Thinking there was a router problem, they’d usually start fiddling with their connection or switching off altogether. Constantly refreshing the bots ensured their owners didn’t switch off or, worse, call the IT guys. (Incidentally, some believed that the best people to infect with viruses so they could join into botnets were those on /b/—they left their computers on all day.)
Civil gave the command to fire. It looked something like this:
!fire 30000 SYN 50 296.2.2.8
A SYN was a type of packet, and this meant flooding PayPal.com with thirty thousand bots at fifty packets each for thirty seconds. The type of packet was important because simply flooding a server with traffic wasn’t always enough to take it offline. If you think of a server like a call center manned by hundreds of people, sending “ping” packets was like calling them all and simply saying “Hello” before hanging up. But sending “SYN” packets was like calling all the workers and staying on the line saying nothing, leaving the other end repeatedly saying “Hello?” The process sent thousands of requests, which the server could not ignore, then left it hanging.
Within a few seconds the PayPal site had gone down completely. It would stay down for a full hour. The thousands of Anons in #OpPayBack cheered at having taken down the world’s biggest e-payment website. Mainstream news sites, from the BBC to the New York Times to the Guardian, reported that the “global hacking group” Anonymous had brought down PayPal.
Panda Security’s Correll hopped on IRC using the nickname muihtil (lithium spelled backward) and sent a message to Switch himself, asking about the size of his botnet and clarifying that he was a security researcher. Switch was surprisingly happy to answer that his friend (presumed to be Civil) had helped in the attack by offering thirty thousand bots, while there had been five hundred in the LOIC hive, and that Switch himself had attacked with thirteen hundred bots.
What this confirmed was that around 90 percent of all the firepower from the attack on PayPal.com had come not from Anonymous volunteers but from zombie computers.
Topiary quietly started thinking about the true power of the hive. When he had joined the #command channel two days earlier, he had thought that the Anonymous DDoS attacks were primarily caused by thousands of people with LOIC, with backup support from the mysterious botnets. Now he realized it was the other way around. When it came to hitting major websites like PayPal.com, the real damage came from one or two large botnets. Thousands of LOIC users could have taken down a smaller site like Scientology.org, but not the planet’s biggest e-payment provider. In practice, finding someone willing to share his botnet was more useful than getting thousands of people to fire LOIC at the same time.
Correll’s observations were reported by Computerworld.com but largely ignored by the mainstream media. Someone nicknamed skiz pasted a link to the story in the AnonOps main chat room, saying skeptically, “They claim Anonymous used a 30,000 person botnet. :D.” Most of these eager volunteers did not want to believe that botnets had more firepower than their collective efforts.
The operators in #command did not like to advertise it, either. Not only could that information put off others from joining, but it could bring unwanted attention to their channel, both from other hackers and from the police. But Civil and Switch continued bragging about how large and powerful their botnets were. Spurred on by the media reports and their audience in #command, they were eager to show off again. The operators agreed that since they had the power to launch another attack, they should. They duly planned a second attack on PayPal for December 9. Once again they chose the morning—eastern standard time—to get the attention of American Internet users and the media.
This time, though, there was less enthusiasm and coordination. Only a day had passed since seventy-eight hundred people had been in the main AnonOps chat room, but the numbers using LOIC had started tapering off. Then, when it came time to fire on PayPal a second time, volunteers in the chat room, #operationpayback, were told to wait. They were not told why. Topiary was also in #command waiting for the attack to happen so he could write his first press release. The problem was that in some unknown part of the world Civil was still sleeping.
“Do we have anything to write about?” asked Topiary. “Because nothing’s happened.”
“No, we have to wait for Civil to come online,” was the reply.
An hour later, Civil finally signed into #command and made a few grumpy remarks. As the operators told the hive to fire their (largely ineffective) cannons, Civil turned on his botnet and took down PayPal.com. He then signed off and went to have his breakfast.
As Topiary watched, the secret power of botnets was reconfirmed. The botnets had boosted the first PayPal attack, since the hive was so big, but the second time around just one botnet had done all the work. The second attack also wouldn’t have happened if Civil had not been bragging. But the operators still wanted Anonymous and the media to think that thousands of people had been responsible. Ignoring these uncomfortable truths, Topiary wrote up a press release about the “hive” striking back.
After the second PayPal attack, there was more bragging from Civil and Switch and the AnonOps operators told them they could hit MasterCard.com on December 12. They broadcast the date and time of the attack across the Internet, knowing that, with the botnets doing most of the work, it would be fun but not crucial to get another horde of people firing. This time around, only about nine hundred people had hooked up their LOICs to the AnonOps chat network and fired on MasterCard.com. It didn’t matter. Thanks to Civil and Switch, the website for one of the world’s biggest financial companies went down for twelve hours, and right on schedule.
Over time, a handful of other people with botnets would help AnonOps. One of them was a young hacker named Ryan. Aged nineteen and living with his parents in Essex, England, Ryan’s real name was Ryan Cleary. In the offline world, Ryan, who would later be diagnosed with Asperger syndrome, rarely left his room, taking dinner from a plate that his mother would leave outside his bedroom door. But his dedication to becoming powerful online had paid off; over the years he amassed servers and what he claimed was a 1.3 million-computer monster botnet. Other online sources put the number at a still-enormous one hundred thousand computers. Though he rented the botnet, he also sublet it for extra cash.
Like Civil and Switch, Ryan was happy to brag about his botnet to operators and hackers and keep its true power a secret from new volunteers. Later in February, for instance, when about fifty people on AnonOps announced they were attacking small government websites in Italy, Ryan quietly used his botnet for them. As the attacks were happening, whenever anyone typed “!botnum” to learn the number of people using LOIC, it would say 550.
“Did you just add 500 computers to your botnet?” Topiary would privately ask Ryan.
“No,” Ryan would reply. “I just changed the LOIC commands to make it look like 512 people were using it.” What this meant was that Ryan not only wielded the real firepower, he was deliberately manipulating other Anons so that they would think they were causing the damage instead. It was not hard to do this. If you were controlling the network of LOIC users, you could spoof the number of people using the tool by typing +500 or even +1000 into the corresponding IRC channel. This ability to fake numbers was an open secret in #command, but people brushed the topic aside whenever it came up. Anonymous was “Legion,” after all.
“It didn’t seem sketchy at all,” said one source who knew about the botnets being used to support AnonOps in December 2010 and January 2011. “More fun trickery I guess.” The upper tier of operators and botnet masters also did not see themselves as being manipulative. This is partly because they did not distinguish the hive of real people using LOIC from the hive of infected computers in a botnet. In the end they were all just numbers to them, the source added. If there weren’t enough computers overall, the organizers just added more, and it didn’t matter if they were zombie computers or real volunteers.
Botnets, not masses of volunteers, were the real reason Anonymous could successfully take down the website of PayPal twice, then MasterCard.com for twelve hours on December 8 and Visa.com for more than twelve hours on the same day. According to one source, there were at most two botnets used to support AnonOps before November 30, rising to a peak of roughly five botnets until February, before the number of botnets went down to one or two again. Only a handful of people could call the shots with bots. For the most part, they were not lending their firepower for money. “People offered things because they believed in the same idea,” claimed the source. More than that, they liked showing off how much power they had.
Naturally, with ego such a big driver of the early December attacks, discussions in #command soon broke down. After Civil, Switch, and the nine hundred people fruitlessly using LOIC hit Mastercard.com, the small group in #command decided, on a hubristic whim, to attack Amazon.com the next day, December 9, at 10:00 a.m. eastern standard time. That’s when the operators realized that Civil and Switch had disappeared.
The operators pushed the attack time to December 9 at 2:00 p.m., hoping the botmasters would return. At 1:30 p.m., the entire AnonOps IRC network went down. It turned out that Civil and Switch had been squabbling with some of the operators in #command and were now using their botnets to attack AnonOps in retribution. When the IRC network came back online about an hour later with a few hundred participants, nobody wanted to attack Amazon anymore. There weren’t enough bots and there didn’t seem to be a point.
Topiary estimated that LOIC users represented on average 5 percent to 10 percent of the damage done against sites like PayPal, MasterCard, and Visa in early December 2010, and in the months that followed less than 1 percent, as fewer people stayed involved. Another source close to the operators at the time estimated more graciously that the LOIC tool contributed about 20 percent of DDoS power during AnonOps attacks in December and January. The truth became especially hard to accept when, seven months later, the FBI arrested fourteen people who had taken part in the PayPal attacks by downloading and using LOIC. These users included college students and a middle-aged woman.
“People who fought for what they believe in shouldn’t be told what they did was in vain,” the source close to the operators said. In a small way, LOIC did help. It made people feel they were contributing to something, which encouraged more to join. Plus, Civil, Switch, and other botmasters might not have helped if they hadn’t seen the groundswell of support.
Regardless, Topiary decided to stick to the party line on December 10 when he was contacted by a reporter from state-backed TV network Russia Today and invited to give his first ever live television interview, an audio discussion over Skype. He was nervous in the moments leading up to the interview, but when it came to it, he proclaimed as confidently as he could that the hive had hit back at PayPal and others.
“We lied a bit to the press,” he said, many months later, “to give it that sense of abundance.” The press liked reporting on this new powerful phenomenon of a hive that nobody seemed able to quantify. “They liked the idea and amplified the attention.”
“Lying to the press” was common in Anonymous, for understandable reasons. Here was a network of people born out of a culture of messing with others, a paranoid world whose inhabitants never asked each other personal questions and habitually lied about their real lives to protect themselves. It was also part of Anonymous culture to make up random, outrageous statements. If, for instance, someone was about to leave his or her computer for a few minutes to get coffee, he or she might say, “Brb, FBI at the door.” Not only was there a sense of a higher purpose to Anonymous that made it seem okay to inflate figures and lie to the media; Anons were also part of a secret institution that no one in the real world understood anyway.