16 May 2013

LulzSec hackers handed jail sentences

Three LulzSec members are sentenced to between 20 and 32 months for hacking offences. But from the beginning, the Lulzsec group stood in stark contrast to the secretive profiles of other hackers.

Ryan Cleary was sentenced to 32 months and Ryan Ackroyd to 30 months, while Jake Davis was given 24 months. Mustafa al-Bassam received a 20-month suspended sentence.

All three had pleaded guilty to hacking offences, while Cleary also pleaded guilty to possession of images showing child abuse on his computer hard drive.

The LulzSec hackers regularly took to Twitter to publicise their crimes and berate their opponents, and the longer law enforcement took to catch up with them, the bolder their targets became.

Ultimately their hit-list grew to include the NHS, record industry giant Sony and even the CIA, FBI and Serious Organised Crime Agency.

Scientology spat

The origins of the group go back to a spat between the Scientology movement and online freedom of speech advocates. When videos of Scientologist Tom Cruise leaked onto the internet, the church began demanding they be taken down. Users of the message board 4Chan took exception, and protested against the Scientology movement, wearing the now-ubiquitous V for Vendetta masks.

Sony became a target after it attempted to prosecute a customer who had made changes to his PlayStation games console.

Online, the protesters’ weapon of choice was the denial of service (DOS) attack, in which a website is so inundated with traffic that it simply stops working. At the time it was extremely difficult to defend against.

When PayPal, MasterCard and Visa refused to take payments for the whistle-blowing website WikiLeaks, DOS attacks were launched by the protesters, who now operated under the banner Anonymous (so-called because in the online chatrooms inhabited by the hackers, anyone who fails to give a name is automatically assigned the ID “Anonymous”). Sony also became a target after it attempted to prosecute a customer who had made changes to his PlayStation games console.

Exacting revenge

As the hackers gained attention, an American security firm called HBGary began accumulating intelligence on the group, and in an article in the Financial Times HBGary Chief Executive Federal Aaron Barr claimed to have identified key members of Anonymous.

This angered the group, and the emerging LulzSec hackers decided to exact revenge, hacking into HBGary’s computers, stealing emails from Barr’s inbox, as well as other information, which they leaked onto the internet. The company was estimated to have lost $10m as a result, Barr resigned as chief executive and said he suffered threats to his life.

Emboldened by their success, LulzSec officially launched in May 2011, using its Twitter account to announce it had hacked a database of contestants on the US X-Factor TV show.

Data theft

It was the beginning of a brief but high-profile spree. The group’s tactics also moved beyond DOS attacks to include outright data theft. They hacked NHS passwords, defaced websites (including the front page of the Sun newspaper). launched a DOS attack on the CIA website, and used the same tactic against Soca’s website on June 20.

By June 26 2011, the group claimed it was bringing a planned 50-day run to an end. In fact, those watching events unfold knew that the risks were mounting up.

They thought they were protecting themselves, so there was this disconnect between them and what was happening in the real world. Chatroom user

“You could see they were taking more and more risks,” said one source who used the same online chatrooms as the LulzSec hackers. “They thought they were protecting themselves, so there was this disconnect between them and what was happening in the real world.”

In fact, events in the real world were fast overtaking the online group, who used invite-only chatrooms to communicate. Even as LulzSec boasted of its exploits, police in the US had on 7 June arrested Hector Xavier Monsegur, hacker name Sabu, the leader of the group, who is yet to be sentenced. He was allowed to continue operating as police across the world homed in on LulzSec members.

‘Computer misuse’

On 21 June 2011, the day after the Soca attack, Ryan Cleary, 19, was arrested at the house where lived with his mother in Wickford, Essex. Jake Davis, 18, aka Topiary, was arrested on 27 July. Ryan Ackroyd, 26, aka Kayla, of Mexborough, South Yorkshire, was arrested on 1 September, and Mustafa Al-Bassam, 18, of South London on 9 July.

Ultimately all four pleaded guilty to offences under the computer misuse act. Ryan Cleary, who has been diagnosed with Asperger’s syndrome, also pleaded guilty to possessing indecent images of children.

The authorities hope today’s sentencing will deter would-be hackers from following in LulzSec’s footsteps.

Yet the hacktivist movement and its tactics are far from finished. Anonymous-affiliated groups are fighting war online in the fallout of the Arab Spring, and the denial of service attacks which proved so effective for the LulzSec hackers are now being used by cybercriminals for extortion.

In hindsight, Jake Davis’s final Twitter message seems prophetic: “You cannot arrest an idea.”