We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
The online poll by Johnny Anonymous was described to me in a Skype interview with Johnny Anonymous himself, conducted on March 7, 2011.
Descriptions of Kayla’s obsessive attempts to keep her identity hidden are sourced from interviews with Kayla, conducted largely by e-mail, in March of 2011. I was first introduced to Kayla (and Sabu, Tflow, and the others who would later make up LulzSec) by Topiary. Details of Kayla’s life experiences and getting hacked by a man who “screamed” down the phone at her came from interviews also conducted in March of 2011. Kayla’s involvement in the Gawker hack, which has been reported by Gawker itself, was mentioned in an Internet Relay Chat interview with the hacker on May 23, 2011, in which she described in detail how she and a group of online friends in the IRC channel #gnosis carried out their hack over the course of several months. Confirmation of the existence of Kayla’s “tr0ll” IRC network came from archived web pages and Pastebin posts that mention the network, and a source who did not wish to be named. In addition to telling me about the “vulnerability in the servers hosting Gawker.com,” Kayla explained that she and the other hackers managed to obtain user and password details for the site’s root, MySQL. These are key features that gave them almost unfettered access to the website’s database.
The vulnerability that Kayla found in the United Nations website was shown to me in an IRC chat with Kayla in the summer of 2011.
Dialogue from #InternetFeds came from screenshots of the private IRC channel e-mailed to me by Matthew Keys.
Regarding the WikiLeaks IRC network, where Kayla first met q, anyone could access it via a browser at chat.wikileaks.org. Several sources close to WikiLeaks confirm q (real name known but not disclosed here) had habitually lied to supporters, and that he and Assange were close, like a “stepson to Assange,” according to one.
Chapter 11: The Aftermath
The opening paragraphs of this chapter are sourced primarily from phone interviews with Aaron Barr. I have seen the comment about Barr’s children that prompted him and his wife to temporarily flee their home on Reddit.
Details about HBGary Inc.’s hiring of law firm Zwillinger & Genetski are sourced from phone interviews with lawyers Marc Zwillinger and Jennifer Granick. The detail about Ted Vera’s and Greg Hoglund’s passwords came from interviews with Topiary.
The subsequent quotes from Aaron Barr are sourced from a phone interview with Barr that took place early that Monday morning, just hours after the Super Bowl Sunday attack. HBGary’s open letter was until recently viewable here: http://www.hbgary.com/open-letter-from-hbgary.
The hackers stored the social security numbers of HBGary employees and other data on a private Web text application called Pirate Pad, which anyone from the group could edit. The online document was later deleted. Stolen data like this often wound up gathering dust somewhere in the cloud, or on someone’s computer—forgotten until an arrest turned it into evidence.
The account of Kayla informing Laurelai Bailey of the HBGary attack and then inviting her into the private IRC channel for the company’s attackers, #HQ, is sourced from interviews with Bailey. Those interviews were also the source for details about Barr’s controversial proposals to Hunton & Williams. In order to stumble upon Barr’s all-important WikiLeaks connection, Laurelai had to first port Barr’s published e-mails onto an e-mail client called Thunderbird, then transfer them to Gmail. This allowed her to search through the e-mails using key words like “WikiLeaks.”
The notion that Topiary, Sabu, and Kayla didn’t know about the anti-WikiLeaks proposals in the days immediately after the attack was conveyed to me by Topiary, whom I was interviewing at the time. I had also been following developments after the attack and noticed that his small group was trawling through Barr’s e-mails, looking for something controversial, before Laurelai spotted the motherlode.
Dialogue between the group in the #HQ room comes from logs that were eventually leaked by Laurelai to Jennifer Emick (see chapter 14). Details about the publication of the HBGary e-mails and snippets of content were sourced from the HBGary viewer itself, http://hbgary.anonleaks.ru (now offline).
Details about the investigation into HBGary, its partners, and their military contracts by U.S. congressman Hank Johnson were confirmed in a phone interview with Johnson on March 23, 2011. I first heard about the investigation on March 17, when, late that evening, Topiary saw a Wired story saying that Congressman Johnson had started investigating the U.S. military’s contracts with HBGary Federal, Palantir Technologies, and Berico Technologies. Soon after, at least ten Democrats from the House of Representatives had signed a petition to launch an investigation into Hunton & Williams and the three security firms.
The “growing sense of unease” among the hackers comes from observations of their sometimes paranoid conversations in #HQ as well as from testimony by Topiary, who was also the source for the information about the regular phone calls with Sabu and the coded greeting “This is David Davidson.” Sabu’s mistrust of Laurelai is clear from his comments in #HQ, but was also corroborated by testimony from Topiary.
Jennifer Emick has confirmed that she was behind the Twitter handle @FakeGreggHoush; this has been an open secret in Anonymous since Backtrace was doxed in the early summer of 2011. I relied on interviews with both Emick and Bailey to piece together how and why Bailey ended up passing her the #HQ logs.
Part 2
Chapter 12: Finding a Voice
The opening paragraph, describing Topiary’s popularity on AnonOps, including details such as the number of private messages he was regularly receiving, is sourced from interviews with Topiary as well as from observations of chat logs, IRC conversations, and statistics showing the number of times people were reaching out to him through Twitter. The detail about requests to hit various targets, such as Facebook, also comes from those interviews. According to Topiary, people sometimes directly e-mailed supporters in AnonOps or sent messages to certain representative blogs. It was difficult to track the way Anonymous chose its targets, since it was often done chaotically, spontaneously, and behind the scenes. However, for the most part, target requests that came from outside Anonymous were rarely pursued.
Details about Westboro Baptist Church are sourced from various news reports as well as from Louis Theroux’s engrossing BBC documentary The Most Hated Family in America, first aired in 2007. The detail that Nate Phelps had accused his father, Fred, of abuse is sourced from a number of press reports including Nate Phelps’s official website, which in its “Bio” page refers to his father’s “extreme version of Calvinism” and “extreme physical punishments and abuse.”
The February 18 press release announcing that Anonymous was going to hit Westboro—the first such announcement—appeared on AnonNews.org. The detail about an IRC operator running a search of the network’s chat channels to find the organizers was sourced from interviews with Topiary. IRC operators, both within AnonOps and in other networks, regularly ran searches to keep abreast of any odd operations that no one knew about, such as conspiracies to take down the network or improper discussions about child porn. Sometimes trolls would create a child porn channel to try to make AnonOps look illegal. This was the only topic of discussion that was banned on AnonOps IRC; everything else was fair game. Similarly, talk of hacking was banned on other networks, which was why Tflow and the other supporters of Operation Payback migrated from networks like EFnet, Freenode, and Quakenode in late 2010—those IRC operators did not like the heat.
The follow-up press release about attacking Westboro, written by five writers in #philosoraptors, originated when one person started writing it on his computer and then uploaded it to Pirate Pad so others could edit it. “Dear Phred Phelps and WBC Phriends,” it began. This release was much more in line with the irreverent, clownish tone of Anonymous. It went on to say, “Stay tuned, and we’ll come back to play another day. We promise,” and added a reprimand: “To the Media: Just because it’s posted on AnonNews doesn’t mean every single Anon is in agreement.”
Details about The David Pakman Show, Pakman himself, and the live Westboro hack are sourced from a phone interview with Pakman that took place on November 18, 2011, as well as from interviews with Topiary. Comments made by Shirley Phelps-Roper on Pakman’s show are sourced from YouTube videos. All dialogue from the show regarding the live Westboro hack was sourced from the main YouTube video of the program. Pakman’s and Topiary’s accounts differ about how much Pakman knew of what was going to happen to Westboro’s website during the show. Pakman denied ever knowing that Topiary or anyone else from Anonymous was going to hit the Westboro site in the middle of his show. “No. Absolutely no,” Pakman said in the phone interview, conducted about eight months after the event. “They basically said, ‘We’ll come on your show to talk about this.’ It was very vague. I said, ‘I’m interested. Would you be able to come on with Shirley?’ and they said yes. I reached out to Westboro.…They both said yes. The timing worked out.” Today the number of hits on the video of the live Westboro hack has approached the two million mark and it is the most popular video ever posted for The David Pakman Show.
Regarding Topiary’s deface messages: he wrote all of them in a very simple text-editing program called Notepad++. Every PC has Notepad in its Accessories folder, but Notepad++ is a free program that one-upped the original Notepad by allowing users to organize their documents in tabs, enabling them to have multiple files open at once. Topiary only had to hit the left arrow key on his laptop to get different text formats, a list of links to vulnerable websites, or other Anonymous press releases he hadn’t read yet. He would make all his deface messages compatible with the Web language HTML by converting them at a website called Pastehtml.com. If Topiary copied and pasted a two-hundred-word message directly from Microsoft Word, it would likely show up in Pastehtml.com with the Anonymous logo too far to the left, or with odd spaces within the text, which he’d then have to tinker with in the so-called source code, the complicated programming commands behind the text. Writing it in Notepad++, on the other hand, meant it was automatically “cleaned up,” so that when it was converted into an HTML file it looked exactly the same online as it did offline on his computer. No tweaking required. In total, Topiary produced approximately ten deface messages using this method for Anonymous, and helped others to produce an additional ten. The use of a simple program, combined with Topiary’s basic knowledge of HTML, is the reason that all his messages, which made up the majority of defacements reported by the news media in the spring of 2011, appeared as plain text on a white background.
Chapter 13: Conspiracy (Drives Us Together)
The opening paragraphs of this chapter are sourced from interviews at the time (and then months afterward for hindsight) with Topiary. Sabu and Kayla had moved on from the HBGary attack and were not involved in reading through Barr’s e-mails. Both also claimed to have busy lives outside of Anonymous and the Internet. In my phone interviews with Sabu, for instance, he was often being interrupted by people in his household and by other phone calls.
Details about Barrett Brown’s experience delving through the HBGary e-mails, forming a team of researchers, and his personal life are derived from my phone interview with Brown, conducted on November 24, 2011. Further details about his dealings with Topiary and other Anons have come from interviews with Topiary. I also sourced an audio recording of Brown’s phone interview with William Wansley, which he uploaded to the media-sharing site MediaFire.com. I had been alerted in advance to the Radio Payback appearance of Brown, Topiary, and WhiteKidney and was taking notes as it happened, before I downloaded the audio file itself. The description of the NBC Nightly News broadcast with Michael Isikoff was taken from my viewing of the video online. The note that Brown’s “bones ached” because of withdrawal from Suboxone, along with the point about his relapse in New York in April of 2011, were sourced from my phone interview with Brown. Some extra details about Operation Metal Gear and its research were sourced partly from Brown’s Project PM wiki, http://wiki.echelon2.org/; partly from the Metal Gear website, http://opmetalgear.zxq.net/, before it became disused; and partly from the Booz Allen Hamilton website.
Descriptions of the general opinion among Anons toward Brown were sourced from discussions with a handful of Anons, including William, as well as from my observation of relevant comments on AnonOps IRC. Brown thought he saw a connection to HBGary’s interest in bidding for a contract to sell the U.S. military personnel management software, a technology that essentially allowed the user to spy on others over the Internet and social media.
Details about the young man nicknamed OpLeakS and his offer of apparently explosive information from Bank of America were sourced from interviews with Brown and Topiary, with further details coming from the bankofamericasuck.com website, OpLeakS’s Twitter feed, and a variety of news reports. E-mails posted on OpLeakS’s website clearly showed the name of the disgruntled Bank of America employee who was “leaking” information, Brian Penny.
When he used the term “nerdy hacker group,” Topiary was referring to the hacker groups of the eighties and nineties, some of which used skull-and-crossbones imagery and generally took themselves too seriously.
It was not unusual in Anonymous to hop from one operation to another, reflecting the sometimes limited attention spans of its groups and supporters. Along with Operation Metal Gear, there was Operation Wisconsin, Operation Eternal Ruin, and operations focused on Libya and Italy, each of which had anywhere from two to a dozen people involved. In early 2011, the original version of Operation Payback, launched against copyright companies, came back for round two by targeting more copyright-related websites. Topiary observed, however, that its proponents kept switching targets—for instance, they called agcom.it a target, causing a few people to be fired but failing to generate enough momentum to take the site down—providing others with a reason to move on to something else. Frequently switching targets is one of the crucial reasons why Operation Payback had dwindled to around fifty people in October of 2010 and nearly died out—until WikiLeaks came along by chance, and thousands of people suddenly jumped in.
Chapter 14: Backtrace Strikes
The opening paragraphs of this chapter are sourced from interviews with Jennifer Emick, with some added details—including the name of her Skype group, the Treehouse—coming from Anonymous-related blogs.
Details about the arrests in the Netherlands and Britain are sourced from various mainstream news reports. The U.K.’s Metropolitan Police announced on January 27 that they had arrested five people in morning raids across the country. According to a report in The TechHerald at the time, they were allegedly tracked with “little more than server logs and confirmation from their ISP.”
Descriptions of what Emick was finding on DigitalGangsters.com were originally sourced from Emick and corroborated by my own observations of the website, especially its “About” page. I also interviewed a member of the forum site nicknamed Jess, who was a close friend of the twenty-three-year-old Seattle woman on the site who went by the name Kayla and whose real name is Kayla Anderson. Jess confirmed that the woman is not the same Kayla of LulzSec, though she and her friend considered the hacker known as Xyrix as an acquaintance. It was most likely a coincidence, she added, that Xyrix was being connected to both a Kayla from DigitalGangsters.com and the Kayla of LulzSec. Emick doubted this account when I put it to her in November of 2011 and believed that there was a connection between the two Kaylas.
Incidentally, Corey “Xyrix” Barnhill has denied being Kayla, both by leaving comments on online news reports about Kayla and by e-mailing me directly. The AnonOps Kayla also told me and certain members of Anonymous that she went along with rumors that she was Xyrix because it helped obfuscate her real identity.
The descriptions of YTCracker and the story about the hack on DigitalGangsters.com were sourced from phone interviews with Bryce “YTCracker” Case himself, as well as from my observations of the deface message that was posted on his site when Corey “Xyrix” Barnhill, Mike “Virus” Nieves, and Justin “Null” Perras had, according to Case, switched the DigitalGangster.com domains to point at their own servers.
My own observation of DigitalGangsters.com showed posts advertising jobs that required hacking into websites via SQL injection, stealing databases of names and e-mail addresses, or just stealing addresses and sending them to spammers. A database with passwords was worth more, since spammers could then send spam from legitimate addresses. Occasionally a thread would start with a post seeking “freelancers” who could program in C, Objective-C, C#, VB, Java, and JavaScript. One post from June of 2010 had the title “DGs [Digital Gangsters] in Washington? Be my mail man in the middle,” followed by: “Heres how it works. A delivery gets shipped to your address, You open the package remove item, Reship the item to me in a new container with a false return address. when item arrives you get paid. interested?”
The description of Jin-Soo Byun was sourced from interviews with Jennifer Emick and Laurelai Bailey; the note that Aaron Barr was helping her investigation was sourced from an interview with Barr. The details about Emick setting up the initial Backtrace investigation into Anonymous, and then tracking down “Hector Montsegur” [sic], are sourced from interviews with Emick. Descriptions of some of Sabu’s defaces come from screenshots provided by Sabu himself as well as from a blog post by Le Researcher, an anti-Anonymous campaigner who works with Emick. Another group that includes longtime EFnet user Kelley Hallissey claims it doxed Sabu in December 2010 and passed his details to Backtrace in February 2011. Emick denies this.