LulzSec Leader Was Snitch Who Helped Snag Fellow Hackers

A top LulzSec leader turned informant last year after he was secretly arrested, providing information to law enforcement that led to the arrests Tuesday of other top members of the hacking group, including one alleged to be deeply involved in December’s Stratfor hack, federal authorities said Tuesday.

Hector Xavier Monsegur, a 28-year-old New Yorker who used the online name “Sabu,” has been working undercover for the feds since the FBI arrested him without fanfare last June, a story first reported by Fox News. Monsegur provided agents with information that helped them arrest several suspects on Tuesday, including two men from Great Britain, two from Ireland and an American in Chicago.

The charges against them would complete any hacker’s resume. They are accused of breaking into computer systems, deleting data, stealing confidential information “including encrypted and unencrypted sensitive personal information for thousands of victims,” according to court documents (.pdf).

Monsegur, an unemployed father of two, led the loosely organized group of hackers from his apartment in a public housing project in New York. He pleaded guilty Tuesday to various hacking-related charges. Documents (.pdf) in his case were unsealed in New York federal court on Tuesday. The government did not say what type of plea deal was made with Monsegur, who theoretically faces a maximum 124-year sentence.

The record unsealed Tuesday generally references him as CW-1. Federal authorities declined comment on whether Monsegur was the informant. But in court records, Stephanie Christensen, an assistant U.S. attorney in Los Angeles, said (.pdf) Monsegur “is actively cooperating with the government and has indicated an intent to continue working proactively with the government. Defendant has provided the government with detailed information concerning the activities of certain individuals who are suspected of being involved in the unauthorized computer intrusions or ‘hacks’ into various computer networks of several well-known corporations.”

Those arrested include Ryan Ackroyd, aka “Kayla” of Doncaster, United Kingdom; Jake Davis, aka “Topiary” of London; Darren Martyn, aka “pwnsauce” of Ireland; Donncha O’Cearrbhail, aka “palladium” of Ireland; and Jeremy Hammond, aka “Anarchaos” of Chicago.

Hammond, a member of Anonymous — a group loosely affiliated with LulzSec — is believed to be the main actor behind the hack of U.S. private intelligence company Stratfor in December, which resulted in the seizure of more than 5 million company e-mails, customer credit card numbers and other confidential information. The government said in a court filing that Hammond “used some of the stolen credit card data to make at least $700,000 worth of unauthorized charges.” (.pdf) The Stratfor hackers publicly said they were using the cards to make donations to charity, and provided screenshots.

The secret-spilling site WikiLeaks has begun to publish the Stratfor e-mails via media partners around the world.

The records show that Texas-based Stratfor encrypted its clients’ passwords, “but stored other client information, including credit card numbers and associated data, in clear text.”

Sabu was one of the most outspoken and brazen of the LulzSec crew that rampaged across the internet last spring, though several of them were publicly arrested last year. However, Sabu fell silent in the summer, leaving a parting Tweet quoting The Usual Suspects. He then reappeared in September, denying that he’d been arrested. But many anons suspected that Sabu had been arrested, since other anons had published his identity online.

An anonymous blog post from November made the case that Sabu had turned state’s evidence.

His reappearance was not much of a surprise, as it has been frequently publicly rumored (and secretly verified) that Sabu was identified, apprehended by the FBI and turned into an informant. Over the past several months, all of the original LulzSec members except Sabu himself have been arrested. Even though Sabu has been publicly doxed and completely owned on several occasions. You may be asking yourself, why is he still free? The answer is Intel. The longer he is “free” is the longer that the FBI and other LEAs can gather information on other hackers and move in for more arrests. Simple as that.

Besides Sabu’s rampant snitching and informing on his old friends, the Anonops IRC network has been hacked and rooted. Great news all around.

Brian Knappenberger, who has nearly completed a documentary on Anonymous called We Are Legion that is screening next week at SXSW, said he suspected as much when Sabu’s Twitter feed stopped for a month and many Anons suspected it as well.

“When he went dark and tweeted the famous Usual Suspects line about the greatest trick the devil ever pulled was convincing the world he didn’t exist, I thought then he was snatched up by the FBI. Then he came back a month later and like nothing ever happened — like he took a break or just went on vacation,” Knappenberger said. “I had a conversation with someone who said ‘A little bird told me there is a reason they are not arresting Sabu’ but whenever anyone said that on Twitter, Sabu would respond with a string of obscenities.”

The other four defendants, who the feds said were affiliated with Anonymous, are accused of a myriad of hacks on Fine Gael, HBGary Federal and Fox Broadcasting Company, according to court records.

The four called themselves “Internet Feds,” the government said.

The authorities added that Ackroyd, Davis, Martyn and Monsegur, “as members of LulzSec,” conspired to hack PBS “in retaliation for what LulzSec perceived to be unfavorable news coverage in an episode of the news program ‘Frontline,’” which had broadcast a documentary on WikiLeaks in May.

Additional reporting and writing by David Kravets and Ryan Singel