Anonymous: 10 Facts About The Hacktivist Group

The FBI announced Monday that it arrested John Anthony Borell III, 21, on charges of participating in two January 2012 Anonymous attacks against police websites in Utah.

Borell was arrested in Ohio on March 20, 2012, and indicted by a federal grand jury on April 4, 2012, on two counts of computer intrusion involving SQL injection attacks. Each count carries a maximum penalty of 10 years in prison and a $250,000 fine.

The first attack involved the Salt Lake City police department website, slcpd.com. The attack caused $33,000 in damages, said the site's administrator. The attacker also released to Pastebin a database dump containing 473 records containing police officers' usernames, hashed passwords, full names, titles, email addresses, and phone numbers.

In the second attack, against the Utah Chiefs of Police Association website, www.utahchiefs.org, the attacker released a list containing the name, email address, and hashed password for 24 Utah chiefs of police. The website administrator, according to the FBI, said the attack had caused $150,000 "in damages accrued in responding to this hacking event."

[ What lessons can IT learn from hacktivists? See Anonymous Vs. DNS System: Lessons For Enterprise IT. ]

Borell, who had been detained at a halfway house in Ohio after his arrest, was arraigned Monday in federal court in Utah. He pled not guilty, according to an Associated Press report.

The case contains an ironic twist for an alleged Anonymous member: authorities said they busted Borell after he failed to properly anonymize his identity. Apparently, it's an Anonymous and LulzSec career hazard, as authorities recently tracked down another alleged CabinCr3w and Anonymous participant, Higinio O. Ochoa III, 30, in Galveston, Texas, after he uploaded iPhone snaps of his bikini-clad girlfriend holding written taunts against the bureau. According to court documents, Ochoa (a.k.a. Anonw0rmer) failed to excise the GPS coordinates stored in the image metadata, which led investigators to the house of his girlfriend in Australia, and on to him.

Meanwhile, LulzSec leader and Anonymous heavyweight Sabu, real name Hector Xavier Monsegur, logged into a chat board just once--or according to some accounts, twice--without disguising his IP address. After that, it was apparently just a matter of time before investigators were able to tie Monsegur to the Sabu handle, and arrest him.

A sealed 29-page complaint against Borell, submitted by FBI special agent Eric Zimmerman on March 16, 2012, and unsealed by the court Monday, details how the FBI tracked down Borell. Notably, the Twitter user @ItsKahuna had taken credit for, and revealed inside knowledge about, both of the attacks against the Utah law enforcement websites, and signed the tweets with hashtags for Anonymous, as well as CabinCr3w.

The bureau sent a search warrant to Twitter on February 17, 2012, requesting information relating to three Twitter accounts: @ItsKahuna, @Anonw0rmer, and @cabincr3w. "On March 2, 2012, Twitter provided information for the above accounts ... [including] IP addresses used by the accounts, all Twitter messages sent using the accounts, direct messages sent to and from the accounts, and basic user information for the accounts, such as the email address that created the account," said Zimmerman in the court documents.

In short order, investigators traced one of the IP addresses used to log into the ItsKahuna Twitter account to a house in Toledo, Ohio. On December 22, 2011, ItsKahuna had tweeted: "Neighbors I thank you for installing a new router today and choosing WEP to protect it. I much appreciate the extra bandwidth for torrents." Zimmerman said that FBI agents conducting surveillance on Borell saw him entering and exiting a residence "approximately 312 feet" away from the residence to which the IP address had been assigned.

According to the complaint, ItsKahuna also sent a direct Twitter message to "anon_cutie" with a link to two photographs of himself, saying, "No one has any idea who I am or what I look like, so lets (sic) keep it that way and NOT share these with anyone mkay :P." The FBI said both photographs matched Borell's driver's license image.

How did ItsKahuna get his start in hacking? In one direct Twitter message, he told "missarahnicole" that "Operation Payback was my first op, then I just started working in things. I've gone by other nicks before but changed when I got doxed," meaning his identity would have been publicly disclosed by others. According to court documents, on February 19, 2002, ItsKahuna also sent this direct Twitter message to "EduardKovacs": "Working On #OpPiggyBank hacking police sites with CabinCr3w lately, I've lost count of how many at this point lulz."

Interestingly, ItsKahuna regularly chatted with "MissAnonFatale," who claimed via Twitter to be engaged with Anonw0rmer, who authorities allege is Ochoa. Accordingly, that would seem to make MissAnonFatale his Australian girlfriend, and in fact in one chat with ItsKahuna, MissAnonFatale talks about how her boyfriend "still needs to get a passport (halfway thru processing) & a visa into Oz."

The bureau said that Borell also lined up with various biographical details that ItsKahanu revealed via Twitter, such as his age, as well as the "Kahuna Pentagon Leak Log" posted to Pastebin, which includes this excerpt from a chat transcript (edited for formatting and grammar) between ItsKahuna and "Presstorm": "I talked to my lawyer, the benefit of having a father as an attorney is I have connections, he will be representing me. He said when the FBI shows up don't tell them anything and give them his card and tell them if they need to talk they should go through him."

In fact, Borell's father is a lawyer based in Toledo, Ohio. He told Ars Technica that he is not representing his son in court, and declined all further comment.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)