by Parmy Olson
Sabu was unflinching when he denied to hackers, and in interviews, that he was “Hector Monsegur,” using the implausibility of the situation to his advantage and tweeting on June 26, 2011, “How many of you actually fell for that bad whois info? Haha. First off ‘hector montsegur’ has been posted every day for the last six months.” He repeated this line to others in private.
Surprisingly, though, Sabu admitted to his closest hacker friends that the several acts of doxing him—and there were others besides Emick who came up with Hector Monsegur—were correct. This, again, was bizarre, but many assumed it was Sabu’s usual nihilism, the guy whose favorite saying was, “I’ve gone past the point of no return.” Sabu seemed to relish the trouble he was getting himself into and at some point down the line, they figured, he would get busted.
In late November of 2011 and then again in January of 2012, a hacker confronted Sabu about not hacking into any targets himself. “Man, get your hands dirty for once,” the hacker told him in exasperation, adding that it was the only way to prove to others that he was not a snitch. Sabu responded with histrionics, claiming he had done plenty for the cause already, then adding that “haters” wanted to hunt him down. As Sabu ranted, the hacker typed out an emoticon for weariness, -.- , and went back to work.
Despite their suspicions, most of Sabu’s associates never really believed that this veteran revolutionary hacktivist who was so passionate about his cause could really be a snitch.
“The idea was so horrid. And we weren’t sure who to trust to talk about it,” the same hacker said. Sabu had such a strong psychological hold on his crew that they actually feared asking around about his true intentions lest the volatile figure suddenly flip out on them.
While Sabu was an informant, his lies were aimed at not only other hackers but also journalists. Together with his FBI handlers, he would lie to reporters who hoped for an online interview. Sometimes the reporters were speaking to federal agents, other times it was Sabu but with the agents looking over his shoulder. In the end, it was just another disinformation campaign.
Throughout his volatile year with Anonymous, Sabu had proved himself to be a masterful liar. But there was one thing he could not seem to fabricate: his name. At one point in 2011, before his FBI arrest, Hector Monsegur dropped the nickname Sabu online and started trying to use the new nickname Kage or Kaz in private IRC channels. The goal was to start anew, burn the old Sabu name, and avoid arrest and doxing. Had he maintained the new names, he might never have been raided by the FBI and might still be living with his two kids in his Lower East Side apartment today, watching YouTube videos and paying the bills with stolen credit card numbers. But Monsegur couldn’t manage the new online identity. After a few weeks, he went back to using Sabu.
This was the dilemma for hackers in Anonymous. There were practical problems when someone who was well connected in the hacker underground, like Sabu, took on a new name. He would lose his contacts and the trust he had with them. Sabu had brought in dozens of useful contacts from his time underground to work with LulzSec, Anonymous, and Antisec. Hector Monsegur could never have orchestrated all that collaboration without the name Sabu. In the end, ego and a thirst for control got the better of him.
By early 2012, FBI administrators had begun to go back and forth over when they should out Sabu as their informant. So far, he had helped fix a number of vulnerabilities in targeted networks, helped identify Jeremy Hammond, and helped bring charges on Donncha “Palladium” O’Cearrbhail, from Ireland. In early January of 2012, O’Cearrbhail (a Gaelic name that’s pronounced “Carol”) had hacked into the Gmail account of a member of the Irish national police, an officer who routinely sent e-mails from his official police account to his Gmail account. One of the e-mails contained details of a conference call that was to occur on January 17 between FBI agents and Britain’s Metropolitan Police to discuss the LulzSec and Anonymous investigation. Palladium quickly notified Sabu that he would be listening in and recording it.
“I am happy to leak the call to you solely,” he said excitedly. “This will be epic!”
After recording the eighteen-minute call, Palladium passed the audio file to Sabu, who then passed it to the FBI to corroborate that it was real. It was. When Sabu didn’t publish the file online, someone else put it up on YouTube, much to the delight of the Anon community and embarrassment of the FBI. Behind the scenes, the FBI went on to identify Palladium (thanks to a search warrant they’d gotten on a friend’s Facebook account) and level a significant charge against the hacker (thanks to Sabu’s chat logs). Sabu had helped gather evidence against five people, all told: Topiary, Kayla, Tflow, Sup_g (Jeremy Hammond), and Palladium.
In early 2012, police on both sides of the Atlantic got ready to press charges against the five Anons. The time to out Sabu was soon, but choosing a date wasn’t easy.
“There were constant problems with the relationships between the British authorities and the FBI,” said one person with knowledge of the FBI investigation into LulzSec and Anonymous. Though Sabu was in New York, at least four LulzSec hackers lived in the British Isles, which meant Britain’s Metropolitan Police were more eager than their American counterparts to pull the trigger and charge them. While the Americans had a major informant who could help them grab more hackers at large, the Brits had four hackers they were ready to send through the court system.
The FBI wanted to capitalize on their Lower East Side snitch as much as possible. He had helped patch those flaws, and the announcement of his arrest and the revelation of his duplicity would devastate the socially disruptive ideas of Anonymous and Antisec. But the Feds could not know for sure how useful Hector Monsegur would continue to be. Though he was smart and well connected, he was also a loose cannon. One evening in early February, a cop from the NYPD encountered Hector at another apartment in his neighborhood. He asked Hector for his ID.
“My name is Boo. They call me Boo,” Hector replied. “Relax. I’m a federal agent. I am an agent of the federal government.” It seemed that Hector had started to believe that he was both Sabu and a bona fide FBI agent. That same evening he was charged with criminal impersonation.
Just as complicated: In monitoring Sabu, the Feds were getting a look at how quickly things moved in the worlds of Anonymous and Antisec. Sabu saw scores of ideas for attacks floated every day, and while some got thrown out, others were followed up faster than the FBI’s red tape might allow. Hackers bragging on Twitter, Internet drama, lulz—this was all new territory for the FBI.
When London’s Met finally told the FBI that they had a “drop-dead” date of March 7 to arrest and publicly charge the person alleged to be Kayla, a date from which they could not budge, the Feds agreed to out Hector just before that deadline too. Everything would come out into the open at the same time: the suspected identities of Kayla, Pwnsauce, Palladium, and Stratfor hacker Sup_g, and the news that Sabu had been working with the FBI for an extraordinary eight months. It was a bombshell, and the police were about to drop it squarely on Anonymous.
Chapter 27
The Real Kayla, the Real Anonymous
Seven months earlier, on September 2, 2011, British police had pulled up to a family-sized house in the quiet English suburb of Mexborough, South Yorkshire. It was a cold and gray morning. One of the officers had a laptop open and was watching the @lolspoon Twitter feed, waiting for the hacker known as “Kayla” to post another tweet. When she did, several more burst in the house through a back entrance, climbed the stairs to the bedroom of Ryan Mark Ackroyd, walked in, and arrested him. Ackroyd was twenty-five and had served in the British army for four years, spending some of that time in Iraq. Now he was unemployed and living with his parents. Appearance-wise he was short, had deep-set eyebrows and dark hair in a military-style crew cut. When he spoke, the voice that emerged was a deep baritone, and the accent strongly northern English. Ackroyd’s younger sister, petite and blond, was, perhaps tellingly, named Kayleigh.
In the same way police had simultaneously questioned Jake Davis’s brother, detectives also synchronized Ackroyd’s arrest with that of his younger brother, Kieron, who was serving in the army in Warminster, England. After questioning Kieron, the police released him without charge. Kieron and Kayleigh Ackroyd seemed close as siblings, with Kayleigh regularly posting on her younger brother’s Facebook wall, encouraging him at one point on a forthcoming driving test. “You’ll get the hang of it,” she said in January 2011. But their older brother, Ryan, never appeared in their public conversations.
“He is the archetypal English infantryman,” said one person who knew of Ackroyd. “He will stand to attention and if he’s told to jump he’ll ask how high—that type of personality. He’s either exceedingly clever to pull this off, or it genuinely isn’t him.”
“She’s a soldier in the UK,” Sabu said quietly during a phone interview on November 5, when asked who he thought Kayla was. “It’s a guy.” Then he seemed not to be sure, saying he’d heard it was someone who shared the “Kayla” identity with a group of transgender hackers. “I don’t know what the fuck it is. They’re all weird transvestites and shit. I’m brain-fucked about it.”
In any case, on that cold morning in September 2011, Kayla’s once-prolific Twitter feed as @lolspoon went quiet. (It has remained inactive ever since.) Then in March of 2012, as the FBI got ready to go public with the truth about Sabu, British authorities got the go-ahead to charge Ryan Ackroyd with two counts of conspiracy to hack a computer network.
On March 6, 2012, Fox News, the subject of multiple taunts by Anonymous and LulzSec and at least one hack in 2011, announced to the world that Sabu, the “world’s most wanted hacker,” was an FBI informant.
“EXCLUSIVE: Infamous International Hacking Group LulzSec Brought Down by Own Leader,” the headline read. Fox had been working on the story for months and sourced much of its info from FBI officials and a few hackers who knew Sabu. It outed Sabu as Hector Monsegur and reported that police were arresting and charging five other men, largely based on evidence that Hector “Sabu” Monsegur had gathered.
“This is devastating to the organization,” the story quoted an FBI official as saying. “We’re chopping off the head of LulzSec.”
Every major news outlet picked up on the item, most of them sourcing the Fox story. Journalists descended on the Jacob Riis housing projects, taking pictures of Sabu’s apartment door; knocking on it but hearing nothing. Others talked to the neighbors, who gave Hector Monsegur mixed reviews. He had been quiet but friendly, they said, and would smile at people he passed by in the hall. One elderly neighbor who lived below confirmed she had complained to the Manhattan community board about the sounds of “shouting children, barking dogs, screaming and ‘pounding’” that came from his apartment, usually lasting until four o’clock in the morning.
The snitch revelations stunned thousands of people who followed or supported Anonymous. Some of the more popular Anonymous Twitter feeds simply tweeted the news, unable to provide much comment. One suggested the arrests were like cutting off the head of a hydra; more would grow back. Anonymous, the implication was, would bounce back from this.
Jennifer Emick had a field day, pointing out on Twitter that Anonymous was now as good as dead.
Gabriella Coleman, a Wolfe Chair in Scientific and Technological Literacy at McGill University in Montreal, was one of the rare few to meet Sabu in person while living in New York. He was not so different from his online persona, she remembered. Though she’d studied Anonymous for years, Coleman was in shock. She had suspected Sabu was up to something (why else would he meet?), but on the day the news came out she claimed it was “an altogether different thing to experience it and know it.” Just before he was outed, Sabu had been allowed to notify family and friends by telephone of what was about to happen. Coleman was one of the people he called. When recounting that final conversation, Coleman described it as “part apology, part ‘It-is-not-what-it-seems.’”
When key people in Anonymous and Antisec heard the news, there was shock at the extent of Sabu’s cooperation. But there was just as much surprise at what the FBI had been privy to during their exploits on Stratfor, the intercepted FBI-conference call, and other attacks.
“If I was Stratfor, I’d be pretty pissed off at the FBI,” said one hacker. “They were basically sacrificed to arrest one guy [Jeremy Hammond]. What the fuck man…what kind of investigation is this?” Other hackers who had consorted with Sabu were now “freaking out” and many said they would go dark for some time.
“I knew something was shifty,” Jake Davis said soon after hearing about the extent of Sabu’s betrayal against the people he had started LulzSec with. Jake was, as usual, cool about the news. He did not seem angry at Sabu, perhaps because he had already built up resentment against the former friend who had pushed him to take up the Antisec cause. What shocked Jake more was how the FBI had apparently carried out their investigation by monitoring cyber attacks as they happened. “I didn’t think the FBI were that insane.”
Now it was clear: Sabu, Topiary, Kayla, Tflow, and Pwnsauce, five of the six core members of LulzSec (it is not known what happened to AVunit) had been arrested. It seemed almost impossible to become a hero in Anonymous and avoid handcuffs. But did that spell the end of Anonymous? Jake’s final tweet as Topiary had been “You cannot arrest an idea,” and it rang true. In Anonymous, there were no real leaders but symbols and smaller groups who occasionally worked together. There were even different cultures: the old-school EFnet hackers like Sabu who had embraced the vision of Antisec, the 4chan users like William who loved Anon because it helped him “waste a night.” And there were those who fell somewhere in between, like Topiary, Kayla, and Tflow, who saw Anonymous as a broad means to find fulfillment, have new experiences, and make a difference in the world in a way that suited their enjoyment of computers and the Internet. Tying Anonymous all together and destroying it was impossible.
This was a phenomenon that came from the nascent world of memes, crowd sourcing, and social networks, things that had a viral-like quality that could not be predicted, controlled, or stopped. As some members were arrested, others joined. The FBI said that they were “chopping off the head of LulzSec,” but by March of 2012, after LulzSec had been disbanded for more than nine months, other hacker cells were taking up the Antisec cause; in February of 2012 alone, supporters of Anonymous had taken credit for attacking the websites of the CIA, Interpol, Citigroup, and a string of banks in Brazil, among other targets.
Then there was the growing international movement called “Occupy,” which emerged in September 2011 and saw tens of thousands take to the streets in major capitals to protest social and economic inequality, often using the slogan “We are the 99%.” Activist-style supporters of Anonymous largely showed their support for Occupy, promoting it on Twitter and blogs and wearing the V for Vendetta masks at protests. Police had arrested more than 6,800 people in connection with the Occupy movement as of April 2012, by which time it had gone into hiatus. But as observers marveled at how this apparently leaderless global crowd could organize itself so extensively online and in physical demonstrations, they only had to look at Anonymous to see it had already been done before.
For the FBI, getting Sabu as an informant had been a coup, but chasing the day-to-day glut of bragging, secret discussions, conspiracies, and threats probably soon turned into a bureaucratic nightmare. Although they had Sabu working for them for eight months, it is not clear how instrumental he was in initially identifying any of the five hackers that were charged on March 6—at most, he may have helped drum up charges.
Sabu was outed, but Anonymous seemed to refuse to be destroyed. Later that evening on March 6, a group of hackers announced that Anonymous had hacked into and defaced the website of Panda Securities, the same IT company that had observed the Anonymous DDoS attacks on PayPal in December of 2010. Their message: it isn’t over.
Then, over the subsequent days, the hackers who had worked with Sabu brainstormed about new ways to work together.
“Sabu’s shit makes things different now,” said one. “We mistrust a lot more.” By mid-March the hackers were discussing other methods of talking to one another besides IRC and how they could raise standards for new people to join private discussions. Anonymous as an activist movement would stay public, but the hacking activities would go farther underground. Anonymous had emerged from the shadows, the hacker added, and it would go back into the dark for a while. “But don’t worry. We exist.”
Anonymous had already been changing. The software tools its supporters used, for instance, were becoming easier to disseminate. When members of Anonymous launched DDoS attacks on several companies in January of 2012 to protest the shutdown of Megaupload, a video-streaming site, they didn’t use the traditional LOIC program. There was no need to download anything. By then, supporters could launch LOIC directly from a web browser. That meant that by posting a link on Twitter or Facebook, organizers tricked hundreds, perhaps thousands, of oblivious web surfers into joining the attack. The attack method, dubbed mobile LOIC by digital security company Imperva, was used as early as August of 2011 in the first of several DDoS attacks against the Vatican and became more popular over the following months.
By early 2012, Anonymous attacks were no longer carried out by thousands of volunteers, as with the Payback attacks for WikiLeaks. Just like Chanology’s real-world protests, they were a one-off, as if Anonymous was learning what worked and what didn’t. Anonymous was shifting from mass gatherings and DDoS attacks to small groups stealing data, like LulzSec. For this, more were using the web tool Havij. After LulzSec used it to collate data during the PBS heist, a splinter group called CabinCr3w used Havij (or something like it) to expose the personal data of five hundred police officers in Utah, while other Anons used Havij to try to steal data from the Vatican in August 2011. Imperva’s studies showed that only a year after its creation by what are believed to be Iranian programmers, Havij had become, by the summer of 2012, one of the most popular tools for SQL injection attacks. The program was so simple that one Imperva executive taught his eleven-year-old how to use it in fifteen minutes. The free-to-download tool performed SQLi automatically, even filtering data into helpful categories like “Passwords” and “Credit card numbers.” With the right free programs and just a few clicks, it seemed almost anyone could be a hacker.