Hacker Sabu Worked Nonstop As Government Informer

Fascinating details continue to emerge about Hector Xavier Monsegur, aka LulzSec and Anonymous leader Sabu. Court documents show he worked around the clock to help investigators.

Mathew J. Schwartz, Contributor

March 9, 2012


According to court transcripts unsealed Thursday, Hector Xavier Monsegur, 28, better known as the hacktivist group LulzSec's leader Sabu, quickly turned model informant after being busted by two FBI agents.

"The defendant has literally worked around the clock with federal agents. He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Assistant U.S. Attorney James Pastore told U.S. District Judge Loretta Preska at a court hearing on August 5, according to news reports.

Federal indictments unsealed Tuesday show what Monsegur helped achieve: charges against five other hackers, who prosecutors said served as the de facto leaders of hacktivist groups Anonymous and LulzSec, and before that, Internet Feds.

Monsegur admitted to participating in attacks against numerous websites, including exploits of Tunisian, Zimbabwean, Algerian, and Yemeni government servers and the hack of HBGary, which was revealed in February 2011. He also admitted to participating in the December 2010 Operation Payback against MasterCard, PayPal, Visa, and other payment card processors, protesting their cutting off of funds to whistle-blowing website WikiLeaks. In an interview published last year in New Scientist, Sabu had said that while he'd been hacking since the age of 16, the WikiLeaks episode had politicized a number of hackers, giving birth to Anonymous in its full hacktivist incarnation.

But Monsegur's hacking exploits under the LulzSec and Anonymous banners would be short-lived. Court documents show that he was arrested at 10:15 pm on June 7, 2011, by two FBI agents. According to news reports, the agents used classic "good cop, bad cop" tactics, with one threatening to separate Monsegur from his two nieces, aged 5 and 7, for whom he was serving as a foster parent. The other, meanwhile, offered a shot at redemption, should Monsegur work with the bureau.


Monsegur agreed to cooperate. After an initial appearance in court the next day, during which federal prosecutors recommended he be remanded on bail, the judge released him on a $50,000 bond, and ordered him to submit to FBI supervision. By June 8, meanwhile, a court filing by federal prosecutor Pastore argued that the case should be sealed, owing to the danger Monsegur faced from other hackers should his cooperation be discovered. "The defendant's information is also helping the government close in on several prominent cybercriminals," he said. All the while, the FBI monitored Monsegur using tracking software installed on his computer, as well as video cameras installed in his home.

Court documents unsealed Tuesday reveal that Monsegur ultimately helped the FBI and other authorities amass enough evidence to arrest five alleged hackers in the United States and abroad, including Jake Davis, 19, in Scotland; Ryan Ackroyd, 23, in England; and Donncha O'Cearrbhail, 19, and Darren Martyn, 25, in Ireland. A fifth man, Jeremy Hammond, was also arrested on hacking charges this week in Chicago. Authorities said Hammond operated under the hacker name "Anarchaos," and is accused of having hacked into global intelligence firm Stratfor in December 2011.

It was quite a turn for Monsegur, who as Sabu had cultivated an international reputation and group of comrades in arms. But Monsegur apparently hadn't been living the good life, having been unemployed since April 2010. "At the time of his arrest in June, Monsegur was unmarried and collecting a $400 unemployment check every month," Reuters reported. "He had been living in a small apartment on the sixth floor of a 14-story brick housing project on Manhattan's Lower East Side, overlooking a busy highway."

But the New York Times, after speaking with his neighbors, built a picture of Monsegur that suggested he was also "party boy of the projects," with music blaring late into the night and marijuana fumes occasionally wafting from under his apartment door. Yet he'd also built a reputation for generosity, using his skills upon occasion to improve neighbors' credit ratings.

The FBI had reportedly been on to Monsegur since February 2011, after he slipped up by logging into a chat room without anonymizing his IP addresses. Independently, that same month researchers at Backtrace Security had compiled a list of the most likely people to have been involved in the HBGary hack, and they suspected Monsegur was Sabu. The clue that led to his real identity started with a LulzSec log file, which "contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site," reported CNET. That, in turn, led to a YouTube video that contained information which, after a Google search, led to Monsegur's Facebook page.

Public information suggesting that Monsegur was Sabu appeared in an online anonymous post to Pastebin in June 2011. While the post also misidentified a supposed LulzSec member, the public disclosure led federal investigators to arrest Monsegur more quickly than they'd intended.

Besides helping authorities bust other hackers, Monsegur provided cutting-edge vulnerability information to the bureau, which ultimately helped it stop numerous hack attacks. In court documents, Assistant U.S. Attorney Pastore said that Monsegur had "helped identify and 'patch' or notify potential targets about more than 150 cyber-security vulnerabilities," even enabling the FBI--in some cases--"to alert the would-be victim of an attack before it occurred," reported Bloomberg. According to Pastore, Monsegur's "efforts have involved cooperation against targets of national and international interest."

On August 15, just a few days after a bail hearing, Monsegur pled guilty to 12 charges against him--most involving hacking--that were filed by federal prosecutors in five districts across four states. The charges collectively carry a maximum prison sentence of 124 years, although prosecutors have said it's unlikely he'd serve consecutive terms. Furthermore, according to news reports, Monsegur's cooperation agreement stipulated that prosecutors would recommend a more lenient sentence, provided he offered "substantial assistance" to the government.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
