Hacker Sabu Worked Nonstop As Government Informer

Fascinating details continue to emerge about Hector Xavier Monsegur, aka LulzSec and Anonymous leader Sabu. Court documents show he worked around the clock to help investigators.

According to court transcripts unsealed Thursday, Hector Xavier Monsegur, 28, better known as the hacktivist group LulzSec's leader Sabu, quickly turned model informant after being busted by two FBI agents.

"The defendant has literally worked around the clock with federal agents. He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Assistant U.S. Attorney James Pastore told U.S. District Judge Loretta Preska at a court hearing on August 5, according to news reports.

Federal indictments unsealed Tuesday show what Monsegur helped achieve: charges against five other hackers, who prosecutors said served as the de facto leaders of hacktivist groups Anonymous and LulzSec, and before that, Internet Feds.

Monsegur admitted to participating in attacks against numerous websites, including exploits of Tunisian, Zimbabwean, Algerian, and Yemeni government servers and the hack of HBGary, which was revealed in February 2011. He also admitted to participating in the December 2010 Operation Payback against MasterCard, PayPal, Visa, and other payment card processors, protesting their cutting off of funds to whistle-blowing website WikiLeaks. In an interview published last year in New Scientist, Sabu had said that while he'd been hacking since the age of 16, the WikiLeaks episode had politicized a number of hackers, giving birth to Anonymous in its full hacktivist incarnation.

But Monsegur's hacking exploits under the LulzSec and Anonymous banners would be short-lived. Court documents show that he was arrested at 10:15 pm on June 7, 2011, by two FBI agents. According to news reports, the agents used classic "good cop, bad cop" tactics, with one threatening to separate Monsegur from his two nieces, aged 5 and 7, for whom he was serving as a foster parent. The other, meanwhile, offered a shot at redemption, should Monsegur work with the bureau.

Monsegur agreed to cooperate. After an initial appearance in court the next day, during which federal prosecutors recommended he be remanded on bail, the judge released him on a $50,000 bond, and ordered him to submit to FBI supervision. By June 8, meanwhile, a court filing by federal prosecutor Pastore argued that the case should be sealed, owing to the danger Monsegur faced from other hackers should his cooperation be discovered. "The defendant's information is also helping the government close in on several prominent cybercriminals," he said. All the while, the FBI monitored Monsegur using tracking software installed on his computer, as well as video cameras installed in his home.

Court documents unsealed Tuesday reveal that Monsegur ultimately helped the FBI and other authorities amass enough evidence to arrest five alleged hackers in the United States and abroad, including Jake Davis, 19, in Scotland; Ryan Ackroyd, 23, in England; and Donncha O'Cearrbhail, 19, and Darren Martyn, 25, in Ireland. A fifth man, Jeremy Hammond, was also arrested on hacking charges this week in Chicago. Authorities said Hammond operated under the hacker name "Anarchaos," and is accused of having hacked into global intelligence firm Stratfor in December 2011.

It was quite a turn for Monsegur, who as Sabu had cultivated an international reputation and group of comrades in arms. But Monsegur apparently hadn't been living the good life, having been unemployed since April 2010. "At the time of his arrest in June, Monsegur was unmarried and collecting a $400 unemployment check every month," Reuters reported. "He had been living in a small apartment on the sixth floor of a 14-story brick housing project on Manhattan's Lower East Side, overlooking a busy highway."

But the New York Times, after speaking with his neighbors, built a picture of Monsegur that suggested he was also "party boy of the projects," with music blaring late into the night and marijuana fumes occasionally wafting from under his apartment door. Yet he'd also built a reputation for generosity, using his skills upon occasion to improve neighbors' credit ratings.

The FBI had reportedly been on to Monsegur since February 2011, after he slipped up by logging into a chat room without anonymizing his IP addresses. Independently, that same month researchers at Backtrace Security had compiled a list of the most likely people to have been involved in the HBGary hack, and they suspected Monsegur was Sabu. The clue that led to his real identity started with a LulzSec log file, which "contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site," reported CNET. That, in turn, led to a YouTube video that contained information which, after a Google search, led to Monsegur's Facebook page.

Public information suggesting that Monsegur was Sabu appeared in an online anonymous post to Pastebin in June 2011. While the post also misidentified a supposed LulzSec member, the public disclosure led federal investigators to arrest Monsegur more quickly than they'd intended.

Besides helping authorities bust other hackers, Monsegur provided cutting-edge vulnerability information to the bureau, which ultimately helped it stop numerous hack attacks. In court documents, Assistant U.S. Attorney Pastore said that Monsegur had "helped identify and 'patch' or notify potential targets about more than 150 cyber-security vulnerabilities," even enabling the FBI--in some cases--"to alert the would-be victim of an attack before it occurred," reported Bloomberg. According to Pastore, Monsegur's "efforts have involved cooperation against targets of national and international interest."

On August 15, just a few days after a bail hearing, Monsegur pled guilty to 12 charges against him--most involving hacking--that were filed by federal prosecutors in five districts across four states. The charges collectively carry a maximum prison sentence of 124 years, although prosecutors have said it's unlikely he'd serve consecutive terms. Furthermore, according to news reports, Monsegur's cooperation agreement stipulated that prosecutors would recommend a more lenient sentence, provided he offered "substantial assistance" to the government.

User Rank: Apprentice
3/9/2012 | 6:41:49 PM
re: Hacker Sabu Worked Nonstop As Government Informer
"The charges collectively carry a maximum prison sentence of 124 years, although prosecutors have said it's unlikely he'd serve concurrent terms. "

The author probably meant to say "consecutive" not "concurrent."

User Rank: Apprentice
3/9/2012 | 6:44:48 PM
re: Hacker Sabu Worked Nonstop As Government Informer
He'll learn about rats in jail.

User Rank: Apprentice
3/10/2012 | 12:31:28 PM
re: Hacker Sabu Worked Nonstop As Government Informer
Thanks for the catch, JFlanigan. You're correct; we'll make that change.

User Rank: Apprentice
3/10/2012 | 8:35:21 PM
re: Hacker Sabu Worked Nonstop As Government Informer
Obviously this is an attempt to scare the anons... FYI, the general public has lost faith and trust in the mainstream press; therefore, we do not believe a word of this story, other than the fact sabu was arrested. good luck pushing this story.
