Sponsored By

Gawker Attacker Turned FBI Informant, Pursued Other Hackers

Unsealed court documents reveal that "Eekdacat" hacked Gawker, but related charges were dropped after the hacker helped the FBI nab other hackers.

Mathew J. Schwartz

May 16, 2014

7 Min Read

The hacker behind the notorious theft of up to 1.3 million passwords from Gawker media sites in 2010 has been revealed.

Thomas Madden, a.k.a. Eekdacat, was arrested on related charges at 6:15 a.m. on June 29, 2011, by FBI agents, according to newly unsealed court documents. But in return for the man's cooperation and in light of his autism, the Department of Justice deferred -- and ultimately dismissed -- charges related to the theft of passwords from Gawker, the Smoking Gun reported Thursday.

According to an "ex parte and sealed application and affirmation" filed in federal court -- on the day Madden was arrested -- by assistant US attorney Rosemary Nidiry, "the defendant actively is cooperating with the government... [and] has provided the government with detailed information concerning the activities of certain individuals who are suspected of being involved in unauthorized computer intrusions or 'hacks' into various computer networks of several well-known corporations."

[The Danish security group CSIS warns of a banking Trojan reaching customers in new countries. Read Zeus 'Gameover' Trojan Expands Global Reach.]

For Madden's safety, however, Nidiry argued that his assistance should be kept secret, and that court documents should refer to him as "John Doe" until the government wrapped its related observations.

This is the first time that the attacker behind the December 2010 hack of Gawker media sites has been identified. At the time of the hack, a self-proclaimed participant in the "Gnosis" hacking effort said it had been launched in response to the media site's "arrogance" at having told WikiLeaks supporters to "bring it on."

According to a criminal complaint filed June 27, 2011 -- the day after the Gawker hack -- Eekdacat told an online friend that he'd written the Gnosis-related communications and boasted that "over 1 million people got compromised because of me." He also said that the Gawker passwords were "crypt(3) salted MD5 and DES," and that he'd already cracked about 200,000 of them. In response to a question about whether Gawker's software was up to date, he said, "The encryption was over 10 years old I forget their OS was like 9 updates behind big updates."

Madden, who's now 26, declined to discuss his hacking activities with the Smoking Gun, except to say that he's had "no contact with those people" since his arrest.

An emailed request for comment sent to a Hushmail address through which Eekdacat previously communicated with InformationWeek bounced back with a "user unknown" error message.

For IT administrators, when it comes to stopping hackers of Madden's ilk, the takeaway isn't rocket science: Use up-to-date, patched versions of all Internet-connected software; properly secure passwords; and avoid purposefully antagonizing would-be attackers. Conversely, given the current hacking state of the art, businesses that fail to follow those basic precepts shouldn't be surprised if their sites and databases get hacked and their contents "doxed" for all to see.

One consolation for businesses that get doxed is that many hackers who publicly release stolen data have a difficult time avoiding arrest. According to the criminal complaint, for example, the FBI was handed Madden on a platter after he left online clues as to his actual IP address, which were spotted by a group of third-party researchers calling themselves the A-Team.

The complaint also cites a number of online chats between Madden and a fellow university student. According to the Smoking Gun, the FBI obtained the chats after Madden and the student had a falling out, after which Madden opened a Yahoo account under a fake name and emailed the other student's teachers, accusing him of cheating. Subsequently, the unnamed student shared the chat transcripts with the bureau, triggering an investigation by a criminal cyber intrusion squad lead by FBI agent Olivia Olson.

Those facts square with previous reports that Olson compiled two warrants relating to two confidential witnesses who were both arrested on June 29, 2011. Both were also put through psychiatric exams.

According to the complaint, while Madden went by Eekdacat in the online chats, he referred to himself at least once as Tom. In addition, the complaint noted that Eekdacat had been referenced in a document posted to Pastebin on June 25, 2011, by the A-Team that offered clues to LulzSec members' identities. The document included

an IP address for Eekdacat, which the complaint said traced to a cable modem account registered to Madden's residence in Troy, N.Y.

Interestingly, the A-Team document -- released the same day that LulzSec announced it was ceasing operations -- identified LulzSec leader Sabu as being one Hector Xavier Monsegur, which also turned out to be accurate.

But not all the information in document was accurate. It incorrectly said that the LulzSec spokesman known as Topiary was a Swedish man named Daniel Ackerman Sandberg. "The FBI were actually hunting someone from Sweden about a week before I was arrested, determined that he was Topiary," Jake Davis, the British then-teenager who was arrested on June 27, 2011, and later pleaded guilty to having been Topiary, said in an ongoing Ask.fm Q&A session. "In fact, there's an FBI search warrant somewhere that says in no uncertain terms that agents thought Topiary was this guy from Sweden. A real farce, probably bolstered in its falsity by Sabu."

After InformationWeek published a story on June 28, 2011, that detailed the A-Team's document, Wesley Bailey -- an Iowa man accused of being LulzSec member "Laurelai" -- emailed in response to a request for comment: "Im not part of lulzsec." (An Army network administrator named Wesley Bailey was later cited as being Laurelai by Parmy Olson in her 2012 book We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency.)

Also on June 28, Eekdacat responded to an emailed request for comment from InformationWeek -- since the A-Team document accused Eekdacat of having participated in the hack of HBGary and helped to release the Gawker data -- with the following statement, sent via Hushmail:

  • The "anonymous post" referred to in your article is the result of one hacker targeting another and those around him. This person attempted to tie the handles of friends of a person, myself included, to known members of Lulz Security in an attempt to publicly assassinate their characters.

    I have never been a part of any of the recent Anonymous-related activities over the past six months, including but not limited to Operation Payback, AnonOps, or Lulz Security. Additionally, I was not involved in the attack on Gawker Media and have no knowledge with regards to the methods or exploits involved in obtaining user data.

    Should the authorities wish to conduct their own investigation into the information posted, I am entirely willing to comply with their requests. However, please do not sensationalize one person's feud, as your article has only been stoking the flames.

Likewise, Eekdacat took to Twitter to publicly deny the alleged LulzSec association. "Apparently this whole #lulzsec connection rumor started from some rogue irc channel admin #awkward," he said.

Given Madden's alleged LulzSec participation, what's not clear is whether his arrest was due in any way to Monsegur, who was arrested three weeks earlier. Monsegur quickly pleaded guilty to the charges filed against him and turned government informant.

Three years later, while many other LulzSec and Anonymous hackers are now serving time -- Davis served his time and has been released -- Monsegur's sentencing has been repeatedly delayed by Department of Justice prosecutors "in light of the defendant's ongoing cooperation," according to court documents.

Last week, his sentencing was delayed for the seventh time since his arrest, though a related hearing has been scheduled for May 27. Last month, The New York Times detailed claims that, after Monsegur began working for the FBI and was monitored by the bureau around the clock, he coordinated hundreds of attacks against foreign websites.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights