A recent court document, a Plea and Case Management Hearing (PCMH), provides an interesting take on several of the LulzSec members who were arrested and charged with hacking into the CIA, Fox, Sony, and several financial institutions. Several interesting facts were revealed in the document including the shocking revelation that one LulzSec member received an additional charge for possession of child pornography and another rigged his system with an ingenious mechanism to thwart the investigators at the moment of his arrest. It should be recognized that the PCMH legal document is likely biased against the defendants and may purposely portray them in a less than favorable light.
On March 6, 2012, the FBI announced the arrest of five male suspects: two from Britain (Ryan Ackroyd AKA Kayla/Lolspoon and Jake Davis AKA Topiary), two from Ireland (Darren Martyn AKA Pwnsauce and Donncha O’Cearrbhail AKA Palladium), and one from the United States (Jeremy Hammond AKA Anarchaos). A sixth hacker, Hector Xavier Monsegur AKA Sabu, 28, of New York, had been arrested a year earlier, on June 7, 2011; threatened with charges punishable by 124 years in federal prison, he turned FBI informant and agreed to help investigators reel in the other LulzSec members (interestingly, Monsegur himself was doxed after he turned informant). Shortly after the arrest of Sabu (Monsegur), Ryan Cleary AKA ViraL was arrested on June 20, 2011 and charged with five offenses including DDoS attacks against the CIA, US Senate, and Sony. A couple of weeks later, the notorious 16-year-old “tFlow”, who maintained the LulzSec website, was arrested on July 9, 2011.
Cleary differs from the others in that he faces a second indictment related to movies and photos of “very young children” that he had obtained from the Ranchi BBS (an underground chat forum on Tor). The images and movies were recovered from his computer on the day he was arrested. Although little detail was revealed in this PCMH, it did note that at least one video featured a child as young as 10 years old, masturbating.
Cleary, AKA ViraL, was born on November 16, 1991 and was living in Wickford, Essex with his mother at the time of his arrest. The 20-year-old was unemployed and was noted as spending long hours, day and night, on the Internet from his bedroom. After his arrest, he breached his bail conditions by communicating with Monsegur (Sabu) and was taken back into custody on March 7, 2012.
The document explained that Cleary was operating a botnet which LulzSec used for DDoS attacks. He also assisted with the penetration testing used to identify vulnerable servers. When arrested, he was found in possession of “confidential data relating to tens of thousands of individuals”.
Cleary spent 5-6 years building out his botnet and wrote much of the botnet source code himself in Python. Cleary tested the botnet code on VMs that he was careful to reformat every 30 days. He deliberately avoided building on existing malware so that virus scanners would not recognise his code.
The botnet he controlled contained over 100,000 nodes operating from compromised personal computers around the world. Cleary kept the botnet nodes updated with fresh code to ensure they evaded detection by anti-virus software. When conducting DDoS attacks, data was allowed to trickle only at a very slow rate (e.g. 1 byte/minute) and was stopped as soon as sufficient publicity had been achieved. This also helped ensure the botnet nodes were not discovered by their owners.
Davis, AKA Topiary, was born October 27, 1992 and was 19 years old at the time of his arrest. He was unemployed and lived alone in the Shetland Islands (he has since moved in with his mother, stepfather, and younger brother). Davis had a “girlfriend”, albeit one he dated exclusively through the Internet and had never physically met.
Davis was not involved as much with the penetration or identification of vulnerable servers but rather acted more as the “spokesperson” for LulzSec and distributor of stolen data to the public. Investigators found confidential data on over 750,000 individuals on his computer. Davis acknowledged that most of the data had already been posted to public websites.
Davis’s computer was a Dell laptop with a 500GB drive partitioned into several subdrives, including a 100GB TrueCrypt encrypted volume. 16 virtual machines were found running on his computer system, each with a specific hacking purpose.
Ryan Ackroyd, AKA Kayla and Lolspoon, was born January 30, 1987 and was 25 years old when he was arrested. He lived in his parents’ home in Mexborough. Ackroyd had served in the Army but was unemployed at the time of his arrest. Investigators and other LulzSec members considered Ackroyd to be the most elite hacker of the group. He was responsible for discovering vulnerabilities and subsequently rooting the vulnerable machines. He maintained a secret identity, “Kayla”, a 16-year-old girl, but has continued to refuse to admit this identity to investigators even though, when arrested, he was sitting on his bed with his browser open on the Twitter account kayla@lolspoon. He was considered “highly forensically aware”.
It appears as if Ackroyd’s computer was “set up to trigger a wire” that erased the drives and data on his computer when triggered. This is exactly what happened when police raided his home and attempted to confiscate his computer. The report noted that as he was being arrested, Ackroyd kept trying to kick over his tower computer. When the computer was moved, a small tripwire caused the computer to turn off, erasing all the sessions running on it. Regardless, fragments of the pagefile.sys (Windows page file) provided a bit of information that tied him to the Kayla identity, as well as other data suggesting a close relationship to LulzSec.
Only one of the accused hackers was a minor, Tflow. Tflow researched vulnerabilities and posted doxed data on LulzSecurity.com and Pirate Bay. Little else is known about Tflow.
Hector Xavier Monsegur
Monsegur, AKA Sabu, was 28 years old at the time of his arrest. He is the father of three children and resides in New York City. His role in LulzSec was that of a rooter, responsible for identifying vulnerable systems and gaining access for the other members to exploit. He was the first to be arrested and quickly turned FBI informant, working to capture the remaining LulzSec members over the course of a year. Police characterized Monsegur as “brilliant, but lazy”. He was unemployed (he had previously worked for the now defunct LimeWire) and living off welfare, spending most of his free time behind a computer.
The court document also provided information regarding the servers that LulzSec used. LulzSec servers were protected via “reverse proxy” in order to hide their true IP addresses. In addition, servers were hosted in virtual machines to further obscure the underlying hosts. One server was located in Chicago and was used to store stolen information and documentation, while a second server was located in California and used to host the LulzSecurity.com website.