How U.K. Police Busted Anonymous SuspectOperation Payback operators' identities unearthed largely through "social leakage" -- highlighting differences between U.S. and British hacker investigations.
Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)
Are U.S. authorities focusing too much on busting low-level hacktivist operators, at the expense of taking down the leading lights?
The difference in style can be seen in the approach that U.K. investigators have taken to prosecuting the ringleaders of Operation Payback, which was the Anonymous-branded attack campaign that targeted businesses, including PayPal and MasterCard, with distributed denial of service (DDoS) attacks for their having blocked payments to WikiLeaks. PayPal said the attacks resulted in losses of £3.5 million ($5.6 million).
According to Ray Massie, a freelance computer forensic and open source training consultant who led Britain's Operation Payback investigation as a detective sergeant with London's Metropolitan Police Service, his team focused on the people who organized the attacks and picked the targets, rather than low-level operators. "We went after organizers and facilitators rather than foot soldiers. U.S. authorities went after a mix," Massie told The Register.
[ For more about busting bad guys based on digital tracks, read How Digital Forensics Detects Insider Theft. ]
By comparison, U.S. authorities have ended up prosecuting a large number of people who downloaded a DDoS tool promoted by some of the leaders of Anonymous, and which attacked targets selected not by the downloader, but by leaders of Anonymous. The DDoS tool in question was known as the Low Orbit Ion Cannon (LOIC), and less advanced LOIC users didn't seem to realize that the tool often coded their IP address into the packets it generated. Many of the attacked organizations recorded these packets and shared them with authorities, who used service providers' subscriber records to identify LOIC users' real identities, then began making arrests.
Of course, U.S. authorities have also busted multiple alleged leaders of the supposedly leaderless Anonymous hacktivist collective, including Sabu -- real name: Hector Xavier Monsegur -- who also served as the leader of LulzSec.
But British authorities have limited their efforts to prosecuting the organizers behind Operation Payback, as highlighted by the case of Northampton, England-based Christopher Wetherhead (aka "Nerdo"), 22. Last week, he was found guilty in Southwark Crown Court of one count of conspiracy to commit unauthorized acts with intent to impair the operation of a computer, in violation of the U.K.'s 1990 Computer Misuse Act.
In his defense, Wetherhead maintained that he only moderated the AnonOps IRC channel. But Scotland Yard's Police Central eCrime Unit had studied numerous Anonymous IRC logs and found nickname (NIC) clues that helped them identify the British leaders of Operation Payback
"In a nutshell we identified Weatherhead via the IRC network," former detective constable Trevor Dickey, who now works in the private sector, told The Register.
"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of NICs such as admins and operators," he said. "We then did some keyword searching and spent a lot of time looking [at] social leakage. Combining all these elements we then identified the NICs of interest and did open source research on them. Weatherhead was easy to identify as he had been using the NIC of 'Nerdo' for quite some time."
The other suspects likewise were also identified in large part via social-network leakage. "We were able to tie their digital identities to real life identities," Massie told The Register. "Now that the suspects are in their 20s, they are security conscious, but they were using the same nick when they were a kid on gaming forums or elsewhere. They made mistakes."
Prosecutors also found evidence that Wetherhead had contracted for services with bulletproof hosting provider Heihachi in Russia, on behalf of Anonymous. The prosecutor described Heihachi as providing a "safe haven" for cybercriminals.
Thanks to that police digital forensic work, a jury of six men and five women took just two hours to return a guilty verdict against Weatherhead, saying he'd had an "integral role" in the attacks, reported The Guardian.
Three other men -- Jake Alexander Birchall, 18, of Little Neston, Cheshire; Ashley Rhodes, 27, of Bolton Crescent, London; and Peter David Gibson, 24, of Hartlepool, Cleveland -- earlier this year pled guilty to the same charge.
Judge Peter Testar told Wetherhead that he and his co-conspirators might do jail time as a result. All four men are due back in Southwark Crown Court in January 2013 for pre-sentence reports.
Stay ahead of the eCommerce technology curve. Watch our webcast, Next Generation e-Commerce Strategies for B2B Sales and Marketing, to learn the strategies and tactics you can use to more efficiently give your clients what they want, keep them happy and increase sales. Register now.