I saw that the leader connected to IRC without using Tor and they traced his IP address, but the identity of each member was supposed to be unknown to the others. So even if the leader was acting as an informant, how did the other people get caught?

http://americablog.com/2012/03/how-the-fbi-caught-lulzsec-hacker-sabu-and-what-that-says-about-the-fbi.html

Chloe
  • Possible duplicate: http://security.stackexchange.com/questions/2231/why-is-it-difficult-to-catch-anonymous-or-lulzsec-groups – Adi May 17 '13 at 05:08
  • @Adnan It's not a duplicate. I already read that question, and it was asking why they can't be caught. My question is how did they get caught (besides the leader). – Chloe May 19 '13 at 02:29

1 Answer

Despite the fact these guys claimed to be 'anonymous', they were not actually anonymous and happily communicated in open environments (even if they were, for the most part, behind proxies etc.). They all had handles associated with their identities. As a result, it was possible to slowly build up a profile and identify the suspects. Once they correctly identified Sabu, they flipped him and convinced him to coerce the others into providing information that would reveal them.

Some key failings, as highlighted here, along with a fairly detailed writeup about it all:

  • reusing "anonymous" usernames and variations on them for many years resulting in "bleeding" of his identity elements (ie. usernames, e-mail addresses, domain registration information) between different, supposedly-unrelated social media and online accounts;

  • giving out too much personal information about his political/national affiliations/ethnicity;

  • accidentally logging once or twice into IRC chat channels without first anonymizing through VPN or Tor proxies;

  • mentioning in a chatroom a domain name he owned, whose whois status—i.e. its domain ownership information—had not always been set to private, and which once listed his real name and address, subsequently preserved on the Internet;

  • On an Internet that forgets nothing, once a document is made publicly available, even if only briefly, it may be archived in perpetuity. One old clue to even one element of a still-in-use identity can be enough to take down even the most careful hacker.

Another presentation worth viewing, which provides excerpts of the evidence used in the trials, is here.

NULLZ
  • Hubris, being half as smart as you think you are (being extremely clever and having a high IQ is not the same as being wise), keeping up a high profile that begs for a nation-state to come kick your sit-upon. The nail that sticks up will be hammered down. All of these allow profiling, which means that digitally covering your tracks doesn't cover your tracks. Statistical analysis kicks in and you get pwnd by your local friendlies. – Fiasco Labs May 17 '13 at 06:32
  • +1, I think this answer hit the nail on the head. Most people on the dark underbelly of the internet take pride in their pseudonyms while assuming anonymity online. The problem, as with anything, is data leaks, and it's impossible to contain once it's out. As D3C4FF said, it only takes one slip-up to bring the whole castle crumbling down, and that slip-up could have happened 10 years ago, before you had anything to worry about. The internet doesn't forget. – David Houde May 17 '13 at 06:48
  • Oh, just old fashioned detective work! And they were stupid! Lol! Reminds me of a story on how someone tracked down a Chinese hacker [A Chinese Hacker's Identity Unmasked](http://www.businessweek.com/printer/articles/97042-a-chinese-hackers-identity-unmasked). – Chloe May 19 '13 at 02:38
  • @Chloe see the presentation I've linked at the bottom of my answer. Please mark this as answered if it's answered your question. – NULLZ May 19 '13 at 02:46