An Excerpt of We Are Anonymous: Gawker Gets Hacked

This excerpt of Parmy Olson’s We Are Anonymous features the story of Lulzsec’s most fearsome hacker talent, Kayla. “Kayla” is the nick of the purportedly 16-year-old girl who was instrumental in the hacking of HBGary. The story here takes place long before the rise of Lulzsec or the HBGary attack, with the 2010 database hack of Gawker, which exposed 1.3 million registered users’ logins and passwords. The Gawker attack propels Kayla into greater and riskier hacking, but she’s not hacking for who she thinks she’s hacking for.

According to the UK Guardian, two men, aged 20 and 24, were arrested and charged with crimes committed as Kayla last fall.

Parmy Olson is the London bureau chief for Forbes Magazine.

***

Gawker had once been in Anon’s good books. It had been the first news site to boldly publish the crazy Tom Cruise video that helped spark Chanology. But then the site’s famously snarky voice turned on Anonymous, reporting on major 4chan raids as examples of mass bullying. After Gawker’s Internet reporter Adrian Chen wrote several stories that poked fun at Anonymous, mocking its lack of real hacking skills and 4chan’s cat fights with Tumblr, regulars on /b/ tried to launch a DDoS attack on Gawker itself, but the attack failed. In response, Gawker writer Ryan Tate (ed. note: Tate now works for Wired) published a story on July 19, 2010, about the failed raid, adding that Gawker refused to be intimidated. If “sad 4chaners have a problem with that, you know how to reach me,” he added. Kayla, at the time, had bristled at the comment and felt her usual urge to punish anyone who underestimated her, and now Anonymous.

“We didn’t really care about it till they were like, ‘lol you can’t hack us no one can hack us,’” Kayla later said in an interview. Though Gawker had not said this literally, it was the message Kayla heard.

She decided to go after the site. Kayla and a group of what she later claimed was five other hackers met up in a chat channel called #Gnosis, on an IRC network she had set up herself called tr0lll. Anywhere from three to nine people would be on the network at any given time. Kayla actually had several IRC networks, though instead of hosting them herself she had other hackers host them on legitimate servers in countries that wouldn’t give two hoots about a U.S. court order. Kayla didn’t like to have her name or pseudonym on anything for too long.

People close to Kayla say she set up tr0ll and filled it with skilled hackers that she had either chosen or trained. Kayla was a quick learner and liked to teach other hackers tips and tricks. She was patient but pushy. One student remembered Kayla teaching SQL injection by first explaining the theory and then telling the hackers to do it over and over again using different approaches for two days straight.

“It was hell on your mind, but it worked,” the student said. Kayla understood the many complex layers to methods like SQL injection, a depth of knowledge that allowed her to exploit vulnerabilities that other hackers could not.

On tr0lll, Kayla and her friends discussed the intricacies of Gawker’s servers, trying to figure out a way to steal some source code for the site. Then in August, a few weeks after Gawker’s “sad 4chaners” story, they stumbled upon a vulnerability in the servers hosting Gawker.com. It led them to a database filled with the usernames, e-mail addresses, and hashes (encrypted passwords) of 1.3 million people who had registered with Gawker’s site so they could leave comments on articles. Kayla couldn’t believe her luck. Her group logged into Nick Denton’s private account on Campfire, a communication tool for Gawker’s journalists and admins, and spied on everything being said by Gawker’s staff. At one point, they saw the Gawker editors jokingly suggesting headlines to each other such as “Nick Denton [Gawker’s founder] Says Bring It On 4Chan, Right to My Home,” and a headline with a home address.

They lurked for two months before a member of the group finally hacked into the Twitter account of tech blog Gizmodo, part of Gawker Media, and Kayla decided to publish the private account details of the 1.3 million Gawker users on a simple web page. One member of her team suggested selling the database, but Kayla wanted to make it public. This wasn’t about profit, but revenge.

On December 12, at around eleven in the morning eastern time, Kayla came onto #InternetFeds to let the others know about her side operation against Gawker, and that it was about to become public. The PayPal and MasterCard attacks had peaked by now, and Kayla had hardly been involved. This was how she often worked—striking out on her own with a few other hacker friends to take revenge on a target she felt personally affronted by.

“If you guys are online tomorrow, me and my friends are releasing everything we have onto 4chan /b/,” she said. The following day, she and the others graced the “sad 4chaners” themselves with millions of user accounts from Gawker so that people like William could have fun with its account holders.

Gawker posted an announcement of the security breach, saying, “We are deeply embarrassed by this breach. We should not be in a position of relying on the goodwill of hackers who identified the weaknesses in our systems.”

“Hahahahahahha,” said an Irish hacker in #InternetFeds called Pwnsauce. “Raeped [sic] much?” And that was hacker, “SINGULAR,” he added. “Our very own Kayla.” Kayla quickly added that the job had been done with four others, and when another hacker in #InternetFeds offered to write up an announcement on the drop for /b/, she thanked him and added, “Don’t mention my name.”

Gnosis, rather than Anonymous, took credit for the attack. Kayla said she had been part of Anonymous since 2008 and up to that point had rarely hacked for anything other than “spite or fun,” with Gawker being her biggest scalp. But after joining #InternetFeds, she started hacking more seriously into foreign government servers.

Kayla had not joined in the AnonOps DDoS attacks on PayPal and MasterCard because she didn’t care much for DDoSing. It was a waste of time, in her view. But she still wanted to help WikiLeaks and thought that hacking was a more effective means of doing so. Not long after announcing the Gawker attack, Kayla went onto the main IRC network associated with WikiLeaks and for several weeks lurked under a random anonymous nickname to see what people were saying in the main channels. She noticed an operator of that channel who seemed to be in charge. That person went by the nickname q (presented here as lowercase, so as not to be confused with the hacktivist Q in #InternetFeds). Supporters and administrators with WikiLeaks often used one-letter nicknames, such as Q and P, because it was impossible to search for them on Google. If anyone in the channel had a question about WikiLeaks as an organization, he or she was often referred to q, who was mostly quiet. So Kayla sent him a private message.

According to a source who was close to the situation, Kayla told q that she was a hacker and dropped hints about what she saw herself doing for WikiLeaks: hacking into government websites and finding data that WikiLeaks could then release. She was unsure of what to expect and mostly just wanted to help. Sure enough, q recruited her, along with a few other hackers Kayla was not aware of at the time. To these hackers and to q, WikiLeaks appeared to be not only an organization for whistleblowers but one that solicited hackers for stolen information.

The administrator q wanted Kayla to scour the Web for vulnerabilities in government and military websites, known as .govs and .mils. Most hackers normally wouldn’t touch these exploits because doing so could lead to harsh jail sentences, but Kayla had no problem asking her hacker friends if they had any .mil vulnerabilities.

Kayla herself went into overdrive on her hacking sprees for q, one source said, mostly looking for vulnerabilities. “She’s always been blatant, out-in-your-face, I’m-going-to-hack-and-don’t-give-a-shit,” the source said. But Kayla did not always give everything to q. Around the same time that she started hacking for him, she got root access to a major web-hosting company—all of its VPSs (virtual private servers) and every normal server—and she started handing out the root exploits “like candy” to her friends, including people on the AnonOps chat network.

“She would just hack the biggest shit she could and give it away,” said the source, dropping a cache of stolen credit card numbers or root logins then disappearing for a day. “She was like the Santa Claus of hackers.”

“I don’t really hack for the sake of hacking to be honest,” Kayla later said in an interview. “If someone’s moaning about some site I just have a quick look and if I find a bug on it I’ll tell everyone in the channel. What happens from there is nothing to do with me. :P.” Kayla said she didn’t like being the one who defaced a site and preferred hiding silently in the background, “like a ninja.”

“Being able to come and go without leaving a trace is key,” she said. The longer she was in a network like Gawker’s, the more she could get in and take things like administrative or executive passwords. Kayla liked Anonymous and the people in it, but she ultimately saw herself as a free spirit, one who didn’t care to align herself with any particular group. Even when she was working with AnonOps or the people in #InternetFeds, Kayla didn’t see herself as having a role or area of expertise.

“I’ll go away and hack it, come back with access and let people go mad,” she said. Kayla couldn’t help herself most of the time anyway. If she was reading something online she would habitually start playing around with their parameters and login scripts.

More often than not, she would find something wrong with them.

Still, working for q gave Kayla a bigger excuse to go after the .gov and .mil targets, particularly those of third-world countries in Africa or South America, which were easier to get access to than those in more developed countries. Every day was a search for new targets and a new hack. Kayla never found anything as big as, say, the HBGary e-mail hoard for q, but she did, for instance, find vulnerabilities in the main website for the United Nations. In April 2011, Kayla started putting together a list of United Nations “vulns.” This, for example:

http://www.un.org.al/subindex.php?faqe=details&id=57

was a United Nations server that was vulnerable to SQL injection, specifically subindex.php. And this page at the time:

http://www.un.org.al/subindex.php?faqe=details&id=57%27

would throw an SQL error, meaning Kayla or anyone else could inject SQL statements and suck out the database. The original URL didn’t have %27 at the end, but Kayla’s simply adding that after testing the parameters of php/asp scripts helped her find the error messages.
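
Why a trailing %27 surfaces as an SQL error, and what the fix looks like from the site owner's side, shown as an added example that is not part of the book excerpt. The faq table, its columns and the use of an in-memory SQLite database are assumptions standing in for the site's unknown backend.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE faq (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO faq VALUES (57, 'Sample entry')")
    return db


def param_from_query(query_string, name="id"):
    # The web server URL-decodes the query string, so %27 reaches the
    # script as a literal single quote.
    return parse_qs(query_string)[name][0]


def lookup_concatenated(db, raw_id):
    # 'Before': the request parameter is pasted into the SQL text.
    sql = "SELECT title FROM faq WHERE id = '" + raw_id + "'"
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The extra quote unbalances the string literal; the database
        # error proves the input is being parsed as SQL, not as data.
        return ("sql_error", str(exc))


def lookup_bound(db, raw_id):
    # 'After', step 1: bind the value. The quote stays data and simply
    # matches no row.
    return db.execute("SELECT title FROM faq WHERE id = ?", (raw_id,)).fetchall()


def lookup_parameterized(db, raw_id):
    # 'After', step 2: also reject anything that is not a plain integer
    # before touching the database.
    if not (raw_id.isascii() and raw_id.isdigit()):
        return ("rejected", [])
    return ("ok", lookup_bound(db, int(raw_id)))


if __name__ == "__main__":
    db = make_db()
    for qs in ("faqe=details&id=57", "faqe=details&id=57%27"):
        value = param_from_query(qs)
        print(qs, lookup_concatenated(db, value), lookup_parameterized(db, value))
```

Returning database error text to the browser is a separate defect worth fixing on its own: log it server-side and send the client a generic error page.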

Kayla eventually got access to hundreds of passwords for government contractors and lots of military e-mail addresses. The latter were worthless, since the military uses a token system for e-mail that is built into a computer chip on an individual’s ID card, and it requires a PIN and a certificate on the card before anyone is able to access anything.

It was boring and repetitive work, trawling through lists of e-mail addresses, looking for dumps from other hackers, and hunting for anything government or military related. But Kayla was said to be happy doing it. Every week or so, she would meet on IRC with q and pass over the collected info via encrypted e-mail, then await further instructions. If she asked what Julian Assange thought of what she was doing, q would say he approved of what was going on.

It turned out that q was good at lying.

Almost a year after Kayla started volunteering for WikiLeaks, other hackers who had been working with q found out he was a rogue operator who had recruited them without Assange’s knowledge. In late 2011, Assange asked q to leave the organization. Kayla was not the only volunteer looking for information for what she thought was WikiLeaks. The rogue operator had also gotten other hackers to work with him on false pretenses. And in addition, one source claims, q stole $60,000 from the WikiLeaks t-shirt shop and transferred the money into his personal account. WikiLeaks never found out what q was doing with the vulnerabilities that Kayla and other hackers found, though it is possible he sold them to others in the criminal underworld. It seemed, either way, like q did not really care about unearthing government corruption, and Kayla, a master at hiding her true identity from even her closest online friends, had been duped.