28 Jul 2011

Hacker group LulzSec’s ‘real leaders’ still active

As police question a teenager arrested in Shetland over alleged computer “hacktivism”, Channel 4 News learns there are new “leaders” emerging in the chatrooms used by the LulzSec hacking group.

An 18-year-old from the Shetland Islands, in the far north of Scotland, is in custody in London being questioned over his alleged links with two high-profile hacking groups – Anonymous and LulzSec.

LulzSec has become notorious this year after a string of top-level attacks on big corporations, including Sony Pictures. The UK’s Serious Organised Crime Agency (Soca) and the Criminal Intelligence Agency (CIA) in the US were also targeted.

The alleged hacker, who is the third person arrested in the UK in recent weeks, is said to use the online nickname “Topiary”.

The mysterious collective only identify themselves via codenames, even to each other. “Topiary” is said to be a former Anonymous member.

Scotland Yard said in a statement: “The man arrested is believed to be linked to an ongoing international investigation into the criminal activity of the so-called ‘hacktivist’ groups Anonymous and LulzSec, and uses the online nickname ‘Topiary’ which is presented as the spokesperson for the groups.”

It is unusual for the police to publicly refer to these nicknames. There are claims by rival hacker groups, such as Web Ninjas, that the “wrong guy” has been named as “Topiary” because of “disinformation floating on the web”.

Tech expert Matthew TK Taylor has been monitoring conversations between alleged LulzSec members inside IRCs (internet relay chatrooms) where members can communicate without being identifiable.

He told Channel 4 News that whoever “Topiary” is, he plays a key role and his arrest would indeed be “significant”.

Taylor explained: “‘Topiary’ was one of the more vocal members of LulzSec, he would often be seen talking to people in the IRC, and it was generally regarded that between himself and ‘Sabu’ [the apparent leader], they were running the operation.

“Tracing [‘Topiary’] to his residence could happen through any number of ways, it may involve equipment [seized by police], it may involve tracing funds, looking at server logs or just long-term investigation.”

LulzSec is believed to be made up of six to 10 members, some of whom were previously affiliated to Anonymous but became disgruntled with the latter’s “moral” agenda – for example, they targeted firms which cut funds to WikiLeaks last year.

“I could see the ‘real leaders’ being those that haven’t spoken much,” Taylor said.

“But these kind of operations are generally all about the fame involved, making a name for yourself, proving your worth, so I doubt if they were running the ‘LulzBoat’ they wouldn’t be making themselves known.”

Having spoken to a source “deep inside” Anonymous, he added that “most of the community would rather call them thought-leaders”.

The locations of LulzSec’s members are key to the police inquiry. In the past it has been stated that the group is “international” but the UK presence of the hackers is becoming more apparent.

“The core membership is starting to seem to be UK-based, but the ‘Antisec’ community is spread across the world, shown from the number of country-based channels in the IRC: Italy, Germany, Greece, UK, France, five or so states in America,” Taylor added.

“The membership that helps them run the DDoS attacks are spread far and wide, and probably can’t be stopped through arrests alone without bringing their communications down. The actual hacking however, is increasingly looking to be UK-based.”

The property where the latest arrest was made, in Shetland, has been searched by officers from the Met Police’s e-crime unit following Wednesday’s swoop.

Police have also searched a house in Lincolnshire and interviewed a 17-year-old boy under caution in connection with the inquiry. He was not arrested.

In June accused hacker Ryan Cleary, 19, was said to be “keenly” assisting police with their investigation.

Later that month it was announced that LulzSec was to disband after 50 days of activity. However it has since claimed responsibility for attacks on News International websites, including The Sun, and the group appears to remain active on Twitter.