LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group

Arrests of 'Sabu' and five others connected with major hacking attacks, including those on Sony, Fox, PBS, and HBGary Federal, are big news -- but security experts warn that it's no time to let down your guard against this brand of threat

Remember back last summer when LulzSec leader "Sabu" suddenly dropped off the grid after the arrest of several members of the Anonymous splinter group? Speculation at the time centered on whether he, too, had been swept up in the arrests. Turns out he had indeed been nabbed by the feds: he pleaded guilty to hacking charges in August 2011 and has since served as an informant on his fellow LulzSec members, according to information released today by the FBI.

Sabu, 28, identified by the FBI as Hector Xavier Monsegur, a.k.a. Sabu, Xavier DeLeon, and Leon, pleaded guilty to 12 counts of computer hacking conspiracy and other crimes, including the infamous hacks of HBGary Federal, HBGary, Sony, Fox, and PBS. An indictment filed in the Southern District of New York and released today identifies Monsegur as a so-called "rooter," a hacker who finds vulnerabilities in victims' systems in order to break into them. The indictment says that from around December 2010 until June 7, 2011, he either exploited those vulnerabilities himself or passed them to others to do the same. In addition, he provided "infrastructure" to other hackers for launching attacks on victim networks -- and also allegedly committed financial fraud.

The other members of the loosely affiliated hacking group named in the FBI charges were Ryan Ackroyd, a.k.a. Kayla, lool, and lolspoon; Jake Davis, a.k.a. Topiary and Atopiary; Darren Martyn, a.k.a. pwnsauce, raepsauce, and networkkitten; and Donncha O'Cearrbhail, a.k.a. Palladium. O'Cearrbhail/Palladium is alleged to have been behind the interception of the law enforcement conference call that Anonymous leaked earlier this year, and he was also charged in a separate complaint with "intentionally disclosing an unlawfully intercepted wire communication," according to the FBI. Ackroyd and Davis were arrested last year.

Also arrested was Jeremy Hammond, a.k.a. "Anarchaos," "sup_g," "burn," "yohoho," "POW," "tylerknowsthis," and "crediblethreat."

Ackroyd/Kayla, Davis/Topiary, Martyn/pwnsauce, and O'Cearrbhail/Palladium were all charged with hacking conspiracy in the Fox, Sony, and PBS breaches. Hammond/Anarchaos was charged with hacking crimes related to the Stratfor breach.

According to one source with information on the FBI investigation, Sabu is just one informant the FBI has secured inside the LulzSec/Anonymous collective. There will be more arrests as a result of members flipping on the group, the source says.

Perhaps most intriguing and significant about today's developments is that it took LulzSec's own leader turning FBI informant to do the most serious damage yet to the hacking crew. While the arrests won't end Anonymous or the type of hacking LulzSec perpetrated -- some experts are anticipating retaliatory hacks soon -- they do make the first real dent in the group responsible for "doxing" and encouraging distributed denial-of-service attacks against major corporations and federal agencies, including law enforcement and the CIA.

These developments don't mean this type of threat is now over. "This is not a time to let down your guard if you're an enterprise security person. If you're running infosec, it's not time to take a deep breath. There are still a lot of attackers out there," says Josh Shaul, chief technology officer for Application Security Inc. "We've got to keep our guard up and remember what these people [who were arrested] did was expose the reality of our poorly secured world."

Shaul says the arrests do provide a narrow window for locking down security. "We have an opportunity while the hackers are regrouping to better secure ourselves," he says.

Historically, this type of turncoat scenario tends to wreak havoc on such groups, experts say. "Sabu was, if not a leader, at least a cheerleader for Anonymous in many ways. I'm quite certain there is tons of paranoia inside Anonymous. If they can't trust Sabu, who can they trust?" says Mikko Hypponen, chief research officer at F-Secure. "What [these arrests] are going to do in reality, I don't know. But all active members will be looking right and left and assuming everyone is a snitch."

Meanwhile, calls for revenge are already being heard: YamaTough, the hacker who took credit for stealing Symantec's pcAnywhere source code, appears to be planning a response to the arrests. "Brother, we shall retaliate immediatelly with fury =) we aint done with symanted yet =) expect us FBI bitches very soon," he tweeted today. And AnonymousIRC apparently hacked and doxed the Delaware Correctional Officer's Forum's emails and passwords in what appears to be retaliation for today's news, using the hashtags #DontBeSnitch, #Anonymous, and #AntiSec.

[UPDATE: And last night, members of LulzSec hacked into a Panda Security Web server that hosted the company's marketing campaigns and some of its blogs, in retaliation for the arrests of the hacker group's compatriots. "Neither the main website nor were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," said Pedro Bustamante, senior research advisor in the office of the CTO at Panda Security.]

The FBI outfitted Sabu, an unemployed father of two, with a special laptop and allowed him to work from his home in New York City, according to a report. Not surprisingly, he tweeted misinformation to throw off reporters and his underlings. He was watched and monitored around the clock by FBI agents, and he reported to the feds any vulnerabilities that were sent to him. According to the report, LulzSec's attack on 70 law enforcement agencies in August 2011 would have been far worse without the information gathered from chat rooms and other sources with Sabu's help.

[Anonymous dumped online what appeared to be incriminating emails and personal information of Texas law enforcement officers even as members were being arrested. See Two Alleged High-Profile Members Of Anonymous Arrested.]

One FBI official was quoted as saying the agency was able to give some 300 U.S. government agencies, financial institutions, and other businesses a heads-up about holes in their networks that had been discovered by hackers and were known to Sabu, and that could have been used against them. He even halted a DDoS attack on the CIA at the urging of the feds.

Ultimately, it was Sabu's kids who swayed him to cooperate with the FBI as an informant. "He didn't go easy," a law enforcement official was quoted as saying. "It was because of his kids. He didn't want to go away to prison and leave them. That's how we got him."

Interestingly, when Sabu returned to Twitter last summer, the tone of his tweets was noticeably different, which in hindsight reflected his new role with the feds and their oversight of his account. "I heard some things [about this] through the grapevine that didn't make any sense until today. His tweets were different as the constant 'FU' attitude just wasn't there anymore. The tone of the banter did change a bit over the summer," AppSecInc's Shaul says.

The financial charges revealed today against Sabu/Monsegur and "others" also shed some light on a money-making side to the operation. Sabu/Monsegur and others allegedly stole routing and account numbers for more than 12 bank accounts, as well as their owners' personal information. "From at least in or about 2010, up to and including on or about June 7, 2011, MONSEGUR, using a computer located in New York, New York, transmitted to a co-conspirator not named as defendants herein the aforementioned routing and account numbers, together with certain personal identification information of others, knowing that the co-conspirator would use that information to try to obtain monies to which the co-conspirator was not entitled," the FBI said in its release today.

Meanwhile, the FBI nabbing Sabu should come as no surprise, experts say. He had actually been outed a couple of times last year, and the members of LulzSec -- and Anonymous -- have made missteps that left footprints for the feds to follow. "No. 1, LulzSec was on such a rampage that forced such attention to them and gave law enforcement zero choice. No. 2, when you hack just for the sake of hacking, you're going to make mistakes," says Rob Rachwald, director of security strategy at Imperva.

Rachwald says a LulzSec chat log from a few months ago says it all: in it, Topiary and others discuss LulzSec's interaction with the media. "Sabu and I got a bit carried away and gave LulzSec away a bit," Topiary said in that chat.

F-Secure's Hypponen says he put two and two together today and realized that Sabu had been the hacker who had reported a vulnerability in an F-Secure product seven years ago when he was with a hacker group called TigerTeam. "At the time, he didn't seem suspicious in any way," Hypponen says. "It was weird that he wasn't using his full name -- just Xavier."

In a Twitter exchange with Sabu a few weeks ago, the LulzSec head referred to "rooting" F-Secure's gateway boxes six years ago. At the time, Hypponen thought he was referring to something else or trying to intimidate him.

"I didn't make the connection until today," he says. But it's unclear why Sabu would have hinted to Hypponen about the years-old hack.

The hacker known as The Jester, a.k.a. th3j35t3r, had also identified Sabu in the past, and another member of Anonymous posted Monsegur's personal information on Pastebin last summer.

"A lot of stuff the Jester said way back when ... was dead on," says Thomas Ryan, co-founder and managing partner of cyberoperations and threat intelligence at Provide Security. "Then it was a bait and chase game."

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.