LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group

Arrests of 'Sabu' and five others connected with major hacking attacks, including those on Sony, Fox, PBS, and HBGary Federal, are big news -- but security experts warn that it's no time to let down your guard against this brand of threat
Interestingly, when Sabu returned to Twitter last summer, the tone of his tweets was noticeably different, which in hindsight reflected his new role with the feds and their oversight of his account. "I heard some things [about this] through the grapevine that didn't make any sense until today. His tweets were different as the constant 'FU' attitude just wasn't there anymore. The tone of the banter did change a bit over the summer," AppSecInc's Shaul says.

The financial charges revealed today against Sabu/Monsegur and "others" also shed some light on a money-making side to the operation. Sabu/Monsegur and others allegedly stole routing and account numbers for more than 12 bank accounts as well as their owners' personal information. "From at least in or about 2010, up to and including on or about June 7, 2011, MONSEGUR, using a computer located in New York, New York, transmitted to a co-conspirator not named as defendants herein the aforementioned routing and account numbers, together with certain personal identification information of others, knowing that the co-conspirator would use that information to try to obtain monies to which the co-conspirator was not entitled," the FBI said in its release today.

Meanwhile, the FBI nabbing Sabu should come as no surprise, experts say. He had actually been outed a couple of times last year, and the members of LulzSec -- and Anonymous -- have made missteps that left footprints for the feds to follow. "No. 1, LulzSec was on such a rampage that forced such attention to them and gave law enforcement zero choice. No. 2, when you hack just for the sake of hacking, you're going to make mistakes," Imperva's Rachwald says.

Rachwald says a LulzSec chat log from a few months ago says it all: Topiary and others were discussing LulzSec's interaction with the media. "Sabu and I got a bit carried away and gave LulzSec away a bit," he said in that chat post.

F-Secure's Hypponen says he put two and two together today and realized that Sabu had been the hacker who had reported a vulnerability in an F-Secure product seven years ago when he was with a hacker group called TigerTeam. "At the time, he didn't seem suspicious in any way," Hypponen says. "It was weird that he wasn't using his full name -- just Xavier."

In a Twitter exchange with Sabu a few weeks ago, the LulzSec head referred to "rooting" F-Secure's gateway boxes six years ago. At the time, Hypponen thought he was referring to something else or trying to intimidate him.

"I didn't make the connection until today," he says. But it's unclear why Sabu would have hinted to Hypponen about the hack from several years ago.

And the hacker known as The Jester, aka th3j35t3r, had also identified Sabu in the past, and another member of Anonymous had posted Monsegur's personal information on Pastebin last summer.

"A lot of stuff the Jester said way back when ... was dead on," says Thomas Ryan, co-founder and managing partner of cyberoperations and threat intelligence at Provide Security. "Then it was a bait and chase game."

The full FBI press release is available here.
