This is a reprint of an article by the talented reporter and researcher Nigel Parry: it originally appeared on his website March 11, 2012.
|[Image removed, thanks for the malware] One of a series of FOX News exclusives clearly based on briefings from the FBI.
As the story goes…
FOX News, once itself a target of the LulzSec hacker group, broke an explosive story on March 6th, 2012 that the Anonymous movement had been infiltrated at one of its cores for 8-9 months by an FBI informant—none other than Sabu—one of the most wanted hackers in the world.
Raids of various alleged members of Lulzsec and Anonymous took place across a couple of continents, United States, UK and Ireland.
“Sabu”, apparently 28-year-old Hector Xavier Monsegur, was the guardian of two young kids and lived in the projects in the Lower East Side of New York City. He was reportedly unmasked through a cumulation of small slips worth detailing:
- reusing “anonymous” usernames and variations on them for many years resulting in “bleeding” of his identity elements (ie. usernames, e-mail addresses, domain registration information) between different, supposedly-unrelated social media and online accounts;
- giving out too much personal information about his political/national affiliations/ethnicity;
- accidentally logging once or twice into IRC chat channels without first anonymizing through VPN or Tor proxies;
- mentioning in a chatroom a domain name he owned, whose whois status—i.e. its domain ownership information—had not always been set to private, and which once listed his real name and address, subsequently preserved on the Internet.On an Internet that forgets nothing, once a document is made publicly available, even if only briefly, it may be archived in perpetuity. One old clue to even one element of a still-in-use identity can be enough to take down even the most careful hacker.Sabu also allegedly used a stolen credit card to order online goods and had them delivered to his home address. So there was lots of sloppy too.
Game over: No virtual lives left
A mixture of private citizens, government contractors, and government law enforcement agencies had been hunting Sabu for years. Former HB Gary Federal CEO Aaron Barr paid dearly in early February 2011 for his attempt to “dox” (“post identifying documents on”) members of Anonymous, an act famously compared by Steven Colbert to “sticking his penis into a hornet’s nest.”
|Corporate Hacker Tries to Take Down WikiLeaks|
A group calling itself “Backtrace Security”, with a domain name creation date of February 16th, 2011, announced in March 2011 its plan to publish identifying information on active members of Anonymous and offered titbits in the most respectable of media organizations.
Two documents followed—namshub.pdf and consequences.pdf—posted online on March 21st. Both PDFs are still available after some persistent searching on Google.
consequences.pdf purported to contain a chat log of conversations between core members of Anonymous, including one exchange in which Sabu let slip the fatal domain name:
|Excerpt from consequences.pdf
nameshub.pdf contained a spreadsheet attempting to reveal the real life identities of hackers in the #Anonymous movement.
|Screenshot of nameshub.pdf, blurred to protect the mostly innocent.
While riddled with inaccuracies—perhaps most notably #LulzSec’s Topiary is incorrectly identified as a Swede (months later, the alleged real life Scottish Topiary would be arrested in the Shetland Islands)—the two documents did link online Sabu with alleged Sabu’s real life identity, signaling the end of the line.
|Excerpt from nameshub.pdf
I recall seeing the documents after following a link to the site from a tweet somewhere around that period, and also recall seeing them disappear within a day or two, Backtrace’s site explaining that, “At the request of the Federal Bureau of Investigation we have pulled the links of most files”.
The FBI, as has been widely stated in the media, was reportedly already monitoring Sabu closely. When the Bureau saw these documents posted, which they knew would alarm Sabu and perhaps provoke him to destroy incriminating data, they apparently asked Backtrace Security to take them down from the Internet.
Other speculation about Sabu’s identity followed on the interwebs, ultimately prodding the FBI to knock on Sabu’s door on June 7th.
The wolf at the door
|(creative commons remix, attribute: nigelparry.com)
Media reports have stated the FBI had intercepted Monsegur sharing stolen credit card numbers via Facebook, giving them at least one solid charge to corner him with, notably a charge involving computer crime, which would grant them all the probable cause they needed to legally search all of his hard drives.
Sabu, facing an almost certain 2 years in prison for the stolen credit cards, was—obviously—also aware of the fact that this sole charge was likely just the first of many against him. Facing the immediate prospect of being separated from the two young girls he was the legal guardian and sole de facto parent of, the children of an incarcerated family member, it’s hard to imagine Sabu seeing any way out of the situation in which he didn’t go to jail.
I don’t know the details of his family situation. Would other relatives have been able to take the kids in the event of Sabu’s incarceration or did the horrifying possibility of seeing his nieces transferred to permanent foster care hang over Hector Xavier Monsegur that day? Whatever you think of his apparent subsequent 9-month cooperation with the FBI to put former comrades in jail, that was an unenviable position to be in. Either he destroys the lives of his own family or that of his online friends and their families.
It seems, from the FOX News report, that there was no attempt to remain silent and seek legal counsel. Reportedly, during that very first encounter with the FBI agents, Monsegur succumbed to a Good Cop-Bad Cop routine and, according to the Associated Press, cooperated from Day 1.
It should be pointed out that this narrative of Sabu collaboration has a single source of origin, the FBI, and was disseminated not directly but via establishment media, initially just FOX News. The official FBI March 6th raids press release details a previously-sealed guilty plea by Monsegur which suggests cooperation, but does not offer any statement about Sabu’s alleged cooperation. On March 6th, we could only turn to FOX News for that information, and subsequent media reports cited FOX. This fact seems worth noting.
Working for The Man
After presumably coming to the as yet unknown deal with the FBI, Monsegur plead guilty in mid-August 2011 to charges potentially carrying a sentence of 124 years in prison. FOX News painted the picture of Sabu settling down to some serious work for the Bureau:
On Aug. 15, 2011, Monsegur pleaded guilty to more than ten charges relating to his hacking activity. In the following few weeks, he worked almost daily out of FBI offices, helping the feds identify and ultimately take down the other high-level members of LulzSec and Anonymous, sources said. In time, his handlers allowed him to work from the home from which he previously wrought destruction, using a PC laptop provided by the FBI.
Sabu was online between 8 and 16 hours a day, often sleeping during the day and working throughout the night, watching YouTube videos as he worked for the FBI. Monitoring software on his government-issued laptop allowed the feds to see what he did in real time. The FBI has had an agent watching his online activity 24 hours a day, officials said.
Sabu and his FBI handlers also disseminated false information to the public and hacker community—often through Twitter, sometimes through unsuspecting reporters who thought they’d landed an online interview with the notorious hacker. Their correspondence was sometimes directly with agents. More often it was with Sabu acting on strict guidance from the agents sitting with him, reading his every word.
“About 90 percent of what you see online is bulls—,” said one of Monsegur’s handlers, referring to the Twitter posts from Sabu’s account and “interviews” he’s given to the press on direction from the FBI as part of their disinformation campaign.
This reportage highlights the level of 24/7 control that the FBI claims to have enjoyed over Sabu’s continued operations, post June 7th arrest.
The dedication and extent to which Sabu apparently threw himself into cooperating with the FBI was additionally outlined in a March 8th Associated Press report, Hacker arrested in NYC cooperated from Day 1:
“Since literally the day he was arrested, the defendant has been cooperating with the government proactively,” Assistant U.S. Attorney James Pastore told a judge in New York during a secret court session for Monsegur on Aug. 5. Over the past few months, the prosecutor said: “The defendant has literally worked around the clock with federal agents. He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators.”
Monsegur secretly pleaded guilty in August, but judges had agreed to close public courtrooms and seal all records of his case in order to keep his work with the government from becoming known. Most of those court files have since been unsealed, and documents made available Thursday provided a handful of new details about Monsegur’s work.
While software on his computer tracked his online activity and video cameras monitored his home at a New York City public housing project, prosecutors said, Monsegur worked feverishly with the FBI to monitor Internet communications between fellow hackers. In many cases, he helped thwart attacks as they were being planned, prosecutors said in a court filing.
By August, he had worked with the FBI to “patch” 150 vulnerabilities in computer systems being eyed by hackers, or in other cases react quickly to help attack victims mitigate the damage, Pastore said in court.
Prosecutors haven’t explained publicly why Monsegur was so willing to work with the government, even as he continued to rail against it in posts online. But court records did note that the 28-year-old was the legal guardian of two young nieces. Neighbors have told The Associated Press that Monsegur was raising the children after his aunt was jailed on drug charges.
@anonymouSabu was now a sock puppet for whatever government propaganda, stings, and disinformation it wished. The feed, and Sabu’s entire online persona, was now a collaborative project under direct FBI control.So from 7 June 2011, Sabu allegedly fully and energetically cooperated with the Federal Bureau of Investigation, who monitored him constantly. His most public face, his @anonymouSabu twitter feed was apparently not only FBI-monitored electronically and in real time, as detailed above, but often agents were the actual authors of Tweets, as also detailed above.
What did Sabu/Sabu’s persona get up to under direct FBI control?
I have archived below as much of the @anonymouSabu public twitter feed as the Twitter API allowed me to download.
Notes: There are approximately 3,200 tweets, one-third of the account’s 9,750 total public tweets. This archive covers the period from 21 Nov 2011 until March 6th, 2012 and contains 503 unaltered pages created with Adobe Acrobat Pro. Hyperlinks on Tweets and Twitter handles do work. Click time/date hyperlinks on right of tweet to access original tweet in conversation context on Twitter’s site. Reply/RT credit hyperlinks underneath tweets do not work. The document should be fully downloadable, printable, copy and paste enabled, searchable, etc. Please attribute to @flyingmonkeyair on Twitter and alert me to the location of a more complete archive of the @anonymouSabu Twitter account if you come across one. (March 12th, 2012 Update: Period of Aug 9th-Sept 17th is available in image form here: http://imagebin.org/202979 (now archived locally).
One thing that is crystal clear from even a cursory glance down the list of some 3,200 tweets, is the scale of the incitement to illegal activity the account was publicly spewing on a daily basis. As the @AnonymousIRC Twitter commented on March 8th, 2012:
You know what’s fun? Read all tweets from @AnonymouSabu of the last half year but exchange his name for @FBIPressOffice.
Download the archive and explore it at your leisure or resume reading, for some highlights from a single day, immediately underneath the embedded document below.
503-page PDF of @AnonymouSabu’s Twitter feed archive, Nov 21, 2011 up to Lulzsec arrests (early March 2012)
From the Trojan Horse’s mouth on just one day, February 28th 2012
Earlier in the day, the @anonymouSabu account encourages people to “target”, “hack the servers”, and “grab mailspoolz” of law enforcement agencies, banks, arms companies, and police equipment suppliers “around the world”
Later in the day, the @anonymouSabu account encourages Anonymous to “strike back” and “infiltrate” Interpol after Interpol arrested 25 members, promotes a DDoS attack on Interpol’s website, and urges people to “unmask” Interpol agents
Click to enlarge image
And who was doing all this again?
Bear in mind, once again, as FOX News reported, that Sabu’s
“handlers allowed him to work from the home… using a PC laptop provided by the FBI. […] Monitoring software on his government-issued laptop allowed the feds to see what he did in real time. The FBI has had an agent watching his online activity 24 hours a day. […] Sabu and his FBI handlers also disseminated false information to the public and hacker community—often through Twitter, sometimes through unsuspecting reporters who thought they’d landed an online interview with the notorious hacker. Their correspondence was sometimes directly with agents. More often it was with Sabu acting on strict guidance from the agents sitting with him, reading his every word. “About 90 percent of what you see online is bulls—,” said one of Monsegur’s handlers, referring to the Twitter posts from Sabu’s account and “interviews” he’s given to the press on direction from the FBI as part of their disinformation campaign.
It may indeed be “bullshit”, but it was unquestionably FBI-directed “bullshit” being pumped into the real world, where real people acted on it.
|(creative commons remix, attribute: nigelparry.com)
There is no escaping the fact that the FBI directly managed the public persona of one of the planet’s most famous bad boy hackers, universally admired by bad kid hackers worldwide, and repeatedly used this lofty pulpit to called on anyone listening to break multiple laws across international borders.
Much of the broadcasting power of the compromised Sabu account was built during its period of FBI management. The @AnonymouSabu account had just over 18,000 followers in August 2011, when Sabu reportedly secretly pled guilty.
By December 11th, it tweeted, “Just noticed I’m about to reach 30k followers. ” On December 26th, “Nice – I just noticed I passed 30k followers. Sweet! Lets make it to 50,000 in style.”
On January 9th, the account tweeted, “I’m up to 31,333 followers as of right now” and on January 29th, “About to hit 40k followers. We are Legion”. At the time of archiving, the account had close to 45,000 followers.
With the FBI publishing calls for law-breaking from such an influential node of #Anonymous’ international network—and one it helped at least double in subscriber size—it’s hard to imagine that such a heavy-handed use of an agent provocateur is going to play out well in the coming court cases of other LulzSec and Anonymous members.
Think about it.
The Frankenstein Sabu hacker persona they created, managed, and controlled 100%—according to their very own media-disseminated narrative delivered at the end of the nine month period—is perhaps responsible for inciting more criminality than the actual Sabu.
And that’s a very strange thing to ponder…
READ THE NEXT ARTICLE IN THE SERIES:
Sacrificing Stratfor: How the FBI waited three weeks to close the stable door (March 25th, 2012)
Nigel Parry—@flyingmonkeyair on Twitter—is a writer and independent media ninja who worked on the first warblog (1995) and first alt.news website from a warzone (1996), cofounded the Electronic Intifada/Iraq/Lebanon series of news websites, worked with the Global Revolution livestream team during #OccupyWallStreet, and wrote the article last August detailing how the unredacted Wikileaks’ Cablegate archive could be decrypted.
March 12th, 2012 Update: Another archive of the AnonymouSabu Twitter feed, covering the period of Aug 9th-Sep 17th 2011, is available in image form here: http://imagebin.org/202979 (now archived locally). Use Google to find individual tweets. See also this excellent March 7th article by Andy Greenberg of Forbes, “Was Anonymous’ Hacker-Informant Sabu A Tool Of FBI Entrapment?”
NOTE: All images have been removed since the original source was hacked and we were hotlinking them (sorry, we know, best practices and all that, shut up and get us an intern!)
Categories: Anonymous, Crime, Hackers, Hacktivism, Hector Xavier Monsegur, News, Sabu, Sabu Week
Well, tell us what you think!