The seeds of LulzSec’s downfall were sown long before the FBI and Scotland Yard went knocking on doors this week. In fact, the group owes its downfall to a series of small, internal skirmishes, unforced errors and unlikely clues that created a virtual trail to its leaders, a Threatpost investigation found.
Bad blood within the ranks of Anonymous, coupled with a series of small errors, provided the clues that led a little-known firm, Backtrace Security, and eventually the FBI, to the door of Hector Xavier Monsegur, the 28-year-old now known as “Sabu,” a principal actor in LulzSecurity who turned government witness in a case that has netted some of that group’s foremost members.
Data published online by Backtrace in March 2011 proved critical to the FBI in identifying Monsegur, who lived in a Lower East Side New York City public housing project and is now known to the world as “Sabu,” one of the most prominent figures in the global hacking collective Anonymous.
“They got Sabu because of what we found,” said Jennifer Emick, aka “Asherah,” a co-founder of Backtrace Security, a small security consulting firm with operations in Michigan and Florida that specializes in social engineering.
Emick says she was an early sympathizer with the group that would become Anonymous during one of its earliest public “ops,” or operations: the campaign against the Church of Scientology.
“At the time it began, I was a religion writer. My family had run-ins with Scientology,” Emick told Threatpost in an online chat. “I had personal issues with harassment from (Scientologists).”
Emick said she attended a few of the public protests against the Church of Scientology that Anonymous helped organize in 2008 under the banner “Project Chanology.” But she said her allegiance to the group ended soon after that, as Anonymous began targeting other groups with actions like Operation Payback. “Nobody I knew then would ever have approved of that,” Emick said.
Soon, Emick found herself and some online acquaintances engaged in a pitched online turf war with members of Anonymous, with each side accusing the other of offenses including “trolling” (or online harassment) and “doxing” (or publicly outing) each other.
“You had these warring groups and, in the end, you find out that a lot of what happened was manufactured by other people, and you don’t know the truth behind it,” said Gregg Housh, a self-described Internet activist and early member of Anonymous whom Emick believed was behind many of the online attacks against her.
But Emick’s early involvement with the group had given her contacts that would later prove useful. Among them was Laurelai Bailey, a Davenport, Iowa-based Anonymous member who uses the handle “Laurelai.” It was Bailey who would ultimately provide Emick with the information that would lead to Sabu’s arrest.
According to Emick, Bailey leaked the log files from a closed IRC chat room discussion that followed the successful hack of HBGary. In that chat room, several of the senior Anonymous members let their guard down: disclosing their private domain names, Emick said. “One of these was Sabu, and on that domain he had a brag page for his car,” Emick said.
Contacted by Threatpost, Bailey confirmed that she passed some information to Emick, saying that she did it as an act of friendship after observing that the Anonymous members in the IRC chat room were plotting to attack Emick online. However, she said the information from the IRC chat didn’t reveal any personal information about the members.
The logs from the group’s #HQ IRC channel, which were released by Backtrace in March, cover IRC chats among the Anonymous members from February 8 through February 19, 2011. They pick up in the immediate aftermath of the compromise of HBGary and capture the back-and-forth among a small cadre of senior Anonymous members reveling in the success of that action and working to set up a Web site, anonleaks, to host some of the stolen content.
In an exchange on February 11 with an Anonymous member using the handle “Topiary” (allegedly UK resident Jake Davis, who was arrested in July), a member using the handle “Sabu” attempts to relay the login credentials for a backdoor account he left on HBGary’s Google-hosted e-mail. The URL he pastes is the Google Apps administrator login for a domain, which takes the form google.com/a/<domain>. In doing so, however, Sabu pastes the console for the wrong domain first, revealing the name of a domain he himself controlled: prvt.org.
“I left a backdoor admin account on HBGary.com’s email server,” Sabu wrote in the #HQ channel at 15:23 on the 11th.
“anyone want to see if we still have admin?”
Prompted to provide the address and login, Sabu responds:
15:24 <&Sabu> url: https://www.google.com/a/prvt.org
15:24 <&Sabu> user: reseller
15:24 <&Sabu> pass: random
15:24 <&Sabu> if you do get to login
15:24 <&Sabu> click on “manage domain”
15:24 <&Sabu> reset their passwords
15:24 <&Sabu> and leak new emails
15:24 <&Sabu> ROFLOLFROLOFLORLFRL
15:25 <&Sabu> oops
15:25 <&Sabu> wrong domain
15:25 <&Sabu> https://www.google.com/a/hbgary.com
15:25 <&Sabu> there you go
That slip provided Emick with the information she needed to begin pursuing Sabu, she said.
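The slip above is a classic log-triage find: a URL whose domain does not match the operation’s stated target, pasted alongside credentials. The following Python is an added example, not code from Backtrace, Threatpost or anyone in the article, showing the kind of check an analyst would run over a leaked IRC log to surface it. The log parser, the credential pattern and the “off-target domain” heuristic are this editor’s assumptions about what such a triage script would look for; the sample input is the #HQ excerpt quoted above, re-typed with straight quotes, and the Google Apps handling rests on the fact that the path after /a/ in a google.com/a/ URL names the customer’s own domain rather than Google’s.

```python
import re
from collections import defaultdict

# Sample input: the #HQ excerpt quoted in the article, re-typed with straight quotes.
LOG = """\
15:23 <&Sabu> I left a backdoor admin account on HBGary.com's email server
15:23 <&Sabu> anyone want to see if we still have admin?
15:24 <&Sabu> url: https://www.google.com/a/prvt.org
15:24 <&Sabu> user: reseller
15:24 <&Sabu> pass: random
15:24 <&Sabu> if you do get to login
15:24 <&Sabu> click on "manage domain"
15:24 <&Sabu> reset their passwords
15:24 <&Sabu> and leak new emails
15:25 <&Sabu> oops
15:25 <&Sabu> wrong domain
15:25 <&Sabu> https://www.google.com/a/hbgary.com
15:25 <&Sabu> there you go
"""

# Assumed line layout: "HH:MM <[mode]nick> message", as printed in the article.
LINE_RE = re.compile(r'^(?P<time>\d{2}:\d{2}) <(?P<mode>[@&%+~]?)(?P<nick>[^>\s]+)> (?P<msg>.*)$')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# Assumed credential pattern: "user:", "login:", "pass:", "password:" at the start of a message.
CRED_RE = re.compile(r'^\s*(user(name)?|login|pass(word|wd)?)\s*[:=]\s*(\S+)', re.I)
# Google Apps per-domain admin console: the segment after /a/ is the customer's domain.
GAPPS_RE = re.compile(r'^https?://www\.google\.com/a/([^/?#]+)', re.I)


def parse(log):
    """Return one dict (time, mode, nick, msg) per well-formed log line; skip the rest."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def domain_of_interest(url):
    """Domain the URL actually points at. For a Google Apps console URL that is the
    /a/<domain> segment; otherwise the host, with userinfo and port stripped."""
    m = GAPPS_RE.match(url)
    if m:
        return m.group(1).lower()
    host = re.sub(r'^https?://', '', url).split('/')[0].split('@')[-1].split(':')[0]
    return host.lower()


def domains_by_nick(events):
    """Map each nick to the set of domains it pasted URLs for."""
    out = defaultdict(set)
    for ev in events:
        for url in URL_RE.findall(ev['msg']):
            out[ev['nick']].add(domain_of_interest(url))
    return dict(out)


def credential_lines(events):
    """(time, nick, msg) for every message that looks like a pasted credential."""
    return [(ev['time'], ev['nick'], ev['msg']) for ev in events if CRED_RE.match(ev['msg'])]


def off_target_domains(events, target):
    """Nicks that pasted URLs for a domain other than the stated target (or its subdomains).
    In the HBGary excerpt this is exactly the prvt.org slip."""
    target = target.lower()
    flagged = {}
    for nick, doms in domains_by_nick(events).items():
        extra = {d for d in doms if d != target and not d.endswith('.' + target)}
        if extra:
            flagged[nick] = sorted(extra)
    return flagged


if __name__ == '__main__':
    evs = parse(LOG)
    print('domains per nick:', domains_by_nick(evs))
    print('credential lines:', credential_lines(evs))
    print('off-target vs hbgary.com:', off_target_domains(evs, 'hbgary.com'))
```

Run stand-alone, the script reports that the only nick pasting URLs is Sabu, that those URLs name both hbgary.com and prvt.org, and that prvt.org is the off-target domain; the two credential lines are listed beside it. The Google Apps special case matters: a naive hostname extractor would report www.google.com for both URLs and miss the slip entirely.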
Some searching online turned up a subdomain, ae86.prvt.org, which was a mirror of a page at cardomain.com, a social networking site for car enthusiasts where Monsegur hosted vanity photos of his true love: a souped-up Toyota AE86.
The cardomain page had a YouTube video on it of Monsegur’s prized ride. A little Googling with the information from cardomain.com and the YouTube video led Emick to Monsegur’s Facebook page, Emick told Threatpost.
While the exact sequence of events Emick relates can’t be confirmed, a source with firsthand knowledge of the Anonymous investigation confirmed that Emick and Backtrace were the first to connect Sabu with Hector Monsegur and the domain in question, prvt.org, even if others who were tracking the group had other pieces of the puzzle.
“I saw that brag page and the license plate on the car wasn’t showing, but I never knew how they made the connection, exactly,” said the source, who requested anonymity because he did not have permission to speak publicly about the case.
Within days of Backtrace releasing the identifying information on a Web site, Anonymousdown, federal agents reached out to Emick and her Backtrace colleague, Jin Soo Byun.
“They contacted us immediately after the release in March,” she said. Agents then returned from time to time looking for information.
The FBI did not respond to repeated e-mail and phone requests for comment. However, a source with knowledge of the investigation said that the Backtrace information was useful, but not conclusive in nabbing Sabu.
“It’s true that the real investigation started after the HBGary hack,” the source said. “But I think it’s important to paint the story as a collaborative effort of research. There wasn’t one smoking gun. Even when Jennifer’s information came out, there were lots of people who thought it was right, but others weren’t sure how accurate it was. It took months of research and details from lots of folks to solidify that.”
Emick said that Anonymous and LulzSec were never intended to be criminal groups and that the group’s decentralized operations ultimately were its undoing.
“Anon made a great idea for a protest group, but a terrible idea for criminal hacking group,” she said.
Asked why it took so long for the mask to come off, Emick said the media shares part of the blame for not looking deeper.
“(The media) always seem to have fallen for the forced image Anon wanted people to see: naughty scamps with a conscience,” she wrote. “They ignored a lot of really dark stuff…harassment, endangerment.”
Emick said she expects more arrests to come as the FBI works with the information provided by Monsegur and what she claims are other informants from within the inner circle of Anonymous and LulzSec who have been cooperating with authorities.
“The arrests clearly aren’t over and there are many more informants than Sabu…lots,” she wrote.
“The biggest problem of all is that Jen might have been right,” Housh said. “God dammit!”
Correction: An earlier version of this article referred to the individual known online as “Laurelai” as “Wesley Bailey” of Davenport, Iowa. Bailey’s first name is “Laurelai” and not “Wesley.” The article has been corrected and we apologize for any confusion.