Leaked IRC logs identify hacker group members and suggest the group is “disorganized and obsessed with its media coverage.”
It was a tight-knit and enigmatic group finding its feet in the febrile world of hacker collectives, where exposing and embarrassing your targets is just as important as protecting your own identity.
But leaked logs from LulzSec’s private chatroom – seen, and published today, by the Guardian – provide for the first time a unique, fly-on-the-wall insight into a team of audacious young hackers whose inner workings have until now remained opaque.
LulzSec is not, despite its braggadocio, a large – or even coherent – organisation. The logs reveal how one hacker known as “Sabu“, believed to be a 30-year-old security consultant, effectively controls the group of between six and eight people, keeping the others in line and warning them not to discuss what they have done with others; another, “Kayla“, provides a large botnet – networks of infected computers controlled remotely – to bring down targeted websites with distributed denial of service (DDoS) attacks; while a third, “Topiary“, manages the public image, including the LulzSec Twitter feed.
They turn out to be obsessed with their coverage in the media, especially in physical newspapers, sharing pictures of coverage they have received in the Wall Street Journal and other papers. They also engineered a misinformation campaign to make people think they are a US-government sponsored team.
They also express their enmity towards a rival called The Jester – an ex-US military hacker who usually attacks jihadist sites, but has become embroiled in a dispute with Anonymous, WikiLeaks and LulzSec over the leaked diplomatic cables and, more recently, LulzSec’s attacks on US government websites, including those of the CIA and the US Senate.
In a further sign that the spotlight is beginning to engulf LulzSec, a lone-wolf hacker managed to temporarily cripple the group’s website on Friday morning. Originally thought to be the work of The Jester, an activist, known as Oneiroi, later claimed responsibility for the attack but did not provide an explanation.
The group’s ambitions went too far for some of its members: when the group hit an FBI-affiliated site on 3 June, two lost their nerve and quit, fearing reprisals from the US government. After revealing that the two, “recursion” and “devrandom” have quit, saying they were “not up for the heat”, Sabu tells the remaining members: “You realise we smacked the FBI today. This means everyone in here must remain extremely secure.”
Another member, “storm”, then asks worriedly: “Sabu, did you wipe the PBS bd [board] logs?”, referring to an attack by LulzSec on PBS on 29 May, when they planted a fake story that the dead rapper Tupac Shakur was alive. If traces remained there of the hackers’ identities, that could lead the FBI to them.
“Yes,” Sabu says. “All PBS logs are clean.” Storm replies: “Then I’m game for some more.” Sabu says: “We’re good. We got a good team here.”
Documenting a crucial five-day period in the group’s early development from 31 May to 4 June, the logs – whose authenticity has been separately confirmed through comments made online by LulzSec’s members – are believed to have been posted online by a former affiliate named “m_nerva”. They contain detailed conversations between the group, who have in recent weeks perpetrated a series of audacious attacks on a range of high-profile targets, including Sony, the CIA, the US Senate, and the UK’s Serious Organised Crime Agency (SOCA).
LulzSec threatened m_nerva on Tuesday in a tweet saying “Remember this tweet, m_nerva, for I know you’ll read it: your cold jail cell will be haunted with our endless laughter. Game over, child.” As an explanation, they said: “They leaked logs, we owned them [took over their computer], one of them literally started crying for mercy”. The leaked logs are the ones seen by the Guardian.
The conversations confirm that LulzSec has links with – but is distinct from – the notorious hacker group Anonymous. Sabu, a knowledgeable hacker, emerges as a commanding figure who issues orders to the small, tight-knit team with striking authority.
Despite directing the LulzSec operation, Sabu does not appear to engage in the group’s public activity, and warns others to be careful who and how they talk outside their private chatroom. “The people on [popular hacker site] 2600 are not your friends,” Sabu warns them on 2 June. “95% are there to social engineer [trick] you, to analyse how you talk. I am just reminding you. Don’t go off and befriend any of them.”
But the difficulty of keeping their exploits and identities secret proves difficult: Kayla is accused of giving some stolen Amazon voucher codes to someone outside the group, which could lead back to one of their hacks. “If he’s talking publicly, Kayla will talk to him,” Sabu comments, bluntly.
Topiary, who manages the public image of LulzSec – which centres around its popular Twitter feed, with almost 260,000 followers – also acted previously as a spokesman for Anonymous, once going head-to-head in a live video with Shirley Phelps-Roper of the controversial Westboro Baptist Church, during which he hacked into the church’s website mid-interview.
His creative use of language and sharp sense of humour earns praise from his fellow hackers in the chat logs, who tell him he should “write a fucking book”. On one occasion, after a successful DDoS attack brings down a targeted web server, Topiary responds in characteristic fashion to the hacker responsible, Storm: “You’re like our resident sniper sitting in the crow’s nest with a goddamn deck-shattering electricity blast,” he writes. “Enemy ships being riddled with holes.”
But while LulzSec has a jovial exterior, and proclaims that its purpose is to hack “for the lulz” (internet slang for laughs and giggles), Sabu is unremittingly serious. Domineering and at times almost parental, he frequently reminds the other hackers of the dangers of being tracked by the authorities, who the logs reveal are often hot on their heels.
During one exchange, a hacker named Neuron starts an IAmA (Q and A) session for LulzSec on the website Reddit for “funzies” and to engage with the public. This immediately raises the ire of Sabu, who puts an angry and abrupt halt to it.
“You guys started an IAmA on reddit?” Sabu asks in disbelief. “I will go to your homes and kill you. If you really started an IAmA bro, you really don’t understand what we are about here. I thought all this stuff was common knowledge … no more public apperances [sic] without us organizing it.”
He adds: “If you are not familiar with these hostile environments, don’t partake in it.”
The logs also reveal that the group began a campaign of disinformation around LulzSec. Their goal was to convince – and confuse – internet users into believing a conspiracy theory: that LulzSec is in fact a crack team of CIA agents working to expose the insecurities of the web, headed by Adrian Lamo, the hacker who reported the alleged WikiLeaks whistleblower Bradley Manning to the authorities.
“You guys are claiming that LulzSec is a CIA op … that Anonymous is working to uncover LulzSec … that Adrian Lamo is at the head of it all … and people actually BELIEVE this shit?” writes joepie91, another member. “You just tell some bullshit story and people fill in the rest for you.”
“I know, it’s brilliant,” replies Topiary. The attempts did pay off, with some bloggers passing comments such as: “I hypothesize that this is a government ‘red team’ or ‘red cell’ operation, aimed at building support for government intervention into internet security from both the public and private sectors.”
The group monitors news reports closely, and appears to enjoy – even thrive – on the publicity its actions bring. But the logs show that the members are frustrated by the efforts of a self-professed “patriot-hacker” known as the Jester (or th3j35t3r), whose name is pejoratively referenced throughout.
The Jester is purportedly an ex-US military hacker, and was responsible for high-profile attacks on WikiLeaks prior to the release of US diplomatic cables in November. In recent weeks he has made LulzSec his principal target, describing them as “common bullies”. Topiary in turn dismisses The Jester as a “pompous elitism-fuelling blogger” – but the group is always worried that The Jester or his associates are trying to track them down.
The Jester claims LulzSec are motivated by money and points to allegations that the group tried to extort money from Unveillance, a data security company. Similar accusations against LulzSec by two other groups, “Web Ninjas” and “TeaMp0isoN_”. Web Ninjas say they want to see LulzSec “behind bars” for committing “insane acts … in the name of publicity or financial gain or anti-govt agenda”.
The logs do not reveal any discussion of extortion between the LulzSec inner circle; nor do they indicate any underlying political motivations for the attacks. But amid the often tense atmosphere depicted in the logs the hackers do occasionally find time to talk politics.
“One of these days we will have tanks on our homes,” writes trollpoll, shortly after it emerged the US government was reclassifying hacking as a possible act of war. “Yea, no shit,” responds Storm.
“Corporations should realize the internet isn’t theirs,” adds joepie91. “And I don’t mean the physical tubes, but the actual internet … the community, idea, concept.”
“Yes, the utopia is to create a new internet,” says trollpoll. “Corporation free.”
On Monday 20 June, Sabu’s worst fears may have been confirmed when a 19-year-old named Ryan Cleary was arrested in Wickford, Essex and later charged with a cyber attack in connection with a joint Scotland Yard and FBI probe in to a hacking group believed to be LulzSec.
Metropolitan Police Commissioner Sir Paul Stephenson described the arrest as “very significant”, though LulzSec itself was quick to claim Cleary was not a member of the group and had only allowed it to host “legitimate chatrooms” on his server.
“Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us,” the group tweeted.
An individual named “Ryan” is occasionally referenced by the hackers in the logs, though he himself does not feature and appears to have only a loose association with the group.
Scotland Yard confirmed on Thursday that it was continuing to work with “a range of agencies” as part of an “ongoing investigation into network intrusions and distributed denial of service attacks against a number of international business and intelligence agencies by what is believed to be the same hacking group”.
In response to the leaked logs, LulzSec posted a statement on the website pastebin, claiming users named joepie91, Neuron, Storm and trollpoll were “not involved with LulzSec” and rather “just hang out with us”.
They added: “Those logs are primarily from a channel called #pure-elite, which is /not/ the LulzSec core chatting channel. #pure-elite is where we gather potential backup/subcrew research and development battle fleet members – ie, we were using that channel only to recruit talent for side-operations.”
The group has vowed to continue its actions undeterred. But they now face a determined pincer movement from the FBI, UK police, and other hackers – including The Jester, who has been relentless in his pursuit of them for more than a fortnight. If its members’ real identities are revealed, LulzSec may vanish as quickly as it rose to prominence.
guardian.co.uk © Guardian News & Media Limited 2010