Topiary: did police arrest the wrong man in LulzSec investigation?

Filed Under: Denial of Service, Law & order

Fortune tellerSince the British police arrested a teenager yesterday in connection with the hacktivist activities of LulzSec and Anonymous, I've been asked, time and time again, the same question:

Have the cops got the right man?
Have they arrested the "real" Topiary?

It seems that the reason why they're asking is that folks are supicious that LulzSec could have pulled a fast one - and deliberately tricked the computer crime authorities into believing that someone entirely different is the real "Topiary".

In other words, the man arrested in Shetland could be a fall guy.

The main proponent of this theory is a blog article published on The DailyTech website by a chap called Jason Mick.

The article promotes the theory that the real "Topiary" is a 23-year-old Swedish hacker, not a teenager in Shetland, and it offers as evidence a chat log - originally published by th3j35t3r ("The Jester") -
where a plan is described to incriminate someone else as "Topiary":

<Topiary> yeah well, this is my plan:
<Topiary> (as you know I stole this nickname from a troll last December, didn't work out so well)
<Topiary> I'll just keep denying it until they try to go after the troll
<Topiary> then they'll think that's me and harass him
<removed> then he harasses back?
<Topiary> yeah but if I deny my real dox enough, people will go looking for other dox
<Topiary> then nobody will believe I'm me
<Topiary> and all you bastards told me my Brit voice was good, damnit
<Topiary> did they get voice recognition?
<removed> well when you talk the Swedish accent comes out a bit
<removed> but not for a couple of minutes
<Topiary> these f*ggots aren't hitting the UK n*gger Topiary
<Topiary> why aren't they?
<Topiary> I'm hoping someone will go after him and think it's me, then I'll act all scared etc
<Topiary> hope it blows over and they start doxing Ireland f*g or Scotland f*g or wherever the f*ck UK part he's from
<Topiary> anyway I trust you so yeah
<Topiary> we can keep this between us
<removed> Wont say a word bro
<removed> just take care
<Topiary> okay gotta go
<Topiary> thanks for advic 
<removed> bye!

Hmm. I love a convoluted conspiracy as much as the next man. And it would be easy to start one, just by asking questions like:

"Why haven't the police told us the arrested man's real name? What are they hiding?"

"If it isn't Topiary who was arrested, why hasn't he or LulzSec posted any updates about the arrest on Twitter?"

"Is it a bluff or a double-bluff?"

"Why are the police not mentioning any link with phone hacking? Is it because it's completely irrelevant, or because it *is* relevant?"

"Does the arrested man have a Scottish or a Swedish accent?"

"If he's not got a Scottish accent, but was arrested in Shetland, when did he move there?"

"Does he have the same accent as the Anonymous spokesman who conducted all those TV interviews?"


(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

For goodness sake people, let's pause to breathe for a minute.

Here's what we do know so far:

  1. The police issued a press release saying they had arrested a 19-year-old man (later changed to say he was aged 18 - let's not start a conspiracy about that one, okay?) at a residential address in the Shetland Islands.
  2. The police didn't release the man's name, or details of where in the Shetland Islands he had been arrested, but did say that they believed him to be the LulzSec and Anonymous spokesman who went by the online nickname of "Topiary".
  3. LulzSec and Topiary's Twitter feed have gone uncharacteristically quiet.

If you ask me, is the man they arrested in the Shetland Islands is Topiary, another hacker (either working in league with Anonymous/LulzSec or opposing them), or entirely innocent.. my simple answer is I don't know.

We have to presume he's innocent until proven otherwise. He hasn't been charged with any offences yet, and at the moment is just being questioned by the authorities.

I'm pretty sure that the police must have been pretty confident that they had evidence that the man they arrested was "Topiary" if they were prepared to name him as such in their press release.

If the man is connected in any way with criminal hacking activities and denial-of-service attacks I would expect him to start singing like a canary pretty quickly. You may be idealistic when young, but when the hard truth of the seriousness of the situation hits you, anyone with half a brain will realise that the only sensible course of action is to co-operate with the authorities.

So, if you ask me if I think that an unnamed man, arrested in an unnamed street, is guilty of crimes which I wasn't present at then I'm going to have to say "pass". Your guess is as good as mine.

I can't look into a crystal ball and magic up the proof for you, one way or another.

So there! :)

If you do have a feeling in your bones or a strong conviction, however, feel free to choose a side in our poll below.

, , , , , ,

You might like

17 Responses to Topiary: did police arrest the wrong man in LulzSec investigation?

  1. ralahinn1 · 1095 days ago

    Anonymous is suppose to be an"idea" anyway, there is not really suppose to be any real leaders and if one falls there is suppose to be one to step in to fill in. Even if they have the
    "real" topiary, who is to say that he is the only one to use that name. Also there are a group of individual hackers not really connected to Anonymous who hang on to them right now, and are amused at all of the press they are getting. When it no longer amuses them, they will move on to other things....or will they? I don't hack by the way,lol, but I like watching some of what goes on. I have a few " friends" who were hackers, but since they are over 21 now, they say they don't do it anymore . I have no idea if they do or not.

    • MYMEEMAW · 1094 days ago

      Well the idea is that Anonymous is an idea. The reality is somewhat different. Only a very small amount give the group its direction. Anyone who thinks otherwise is being naive and is wishful thinking. If people really do think "everyone is Anonymous" just try starting an Anonymous action and see how far it gets. Then, observe how quickly a action gets traction when certain other people start it.

  2. danR · 1095 days ago

    He's probably the right man. 'Topiary' is the voice on the (youTube) Westboro real-time hack/interview. I posted a question, and an expert reply pegs his accent as Scottish, and is perhaps trying to hide the fact that it is Scottish. The whole 'Swedish' thing, and 'fake Topiary' as a scottish troll, then was a blind.
    .

  3. The only sensible course of action is to cooperate with the authorities? Since when? If nobody talks everybody walks.

    Now will come debate about the "prisoner's dilemma."

    • I'm trying to think of a cybercrime case involving a group where someone hasn't sung like a canary.. Remember, many of these guys are young and the sentences are stiff.

    • Paul Ducklin · 1094 days ago

      "If nobody talks, nobody walks."

      Nice truism. Except that it isn't true. Most court cases don't hinge entirely, and many don't hinge at all, on the evidence of the participants in the crime. Courts accept other sorts of evidence too, don't forget. If they didn't, no-one who pleaded "not guilty" would ever be convicted.

      And whilst you still have a right to silence in the UK, it isn't necessarily the wisest course any more. If you've ever watched any UK cop show, you will know the recommended police warning starts something like this: "You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court..."

      In other words, if you have an excuse or an explanation, the court may take against it if you and your legal team could simply have dreamed it up after the event.

  4. Lula · 1095 days ago

    I'm in agreement with danR, i think they got the right guy. You also have to consider the Police probably have other evidence they haven't released which confirms his identity.

    • I would imagine the police feel pretty confident if they were prepared to mention Anonymous/LulzSec/Topiary in their press release.

  5. Graham, did you really just write an article saying there wasn't enough evidence to decide one way or the other, and tag it with a binary vote?

    • Yes. i'm only interested in hearing from people who have clairvoyant powers or inside information!

      • danR · 1095 days ago

        Here is my clairvoyant assessment, if they have in fact got their man:

        Jester is a double-agent misleading the cops.

        Jester was pwned by Anon: white-hat FAIL.

        Either way, Jester has some 'splainin' to do...

  6. Paulio · 1095 days ago

    Article in The Scotsman quotes a local who suggests that the person arrested was not native to the area and may have been German or something. German/Swedish? Similar accents perhaps. I think they have him, if he is the spokesperson for Lulzsec would explain why they went quiet all of a sudden. Also, Jester's identity has supposedly just been revealed on Twitter.

  7. James · 1095 days ago

    I bet Wikileaks put out his information.

  8. Steve · 1094 days ago

    I think they do have the right man.

    So far there has been a pattern every time there was a "Lulzsec arrest" in the media, their twitter feed would comment bragging they were still there and declaring the arrested to not be one of them.

    They did this more than once when there were headlines of "Lulzsec arrests" out there. That this time the twitter feed has gone dark makes me think they have got their man, if it was the wrong guy we would be hearing about it all over that feed.

    As for the chat log I think its fake or part of a much bigger conversation we have not seen the context of. He might have been outed on-line as being Scottish and did his best to blag it off throwing in the "Swedish" angle to throw people off the scent.

    Unless that twitter feed becomes active again, I think its safe to say he's the real man.

  9. Machin Shin · 1094 days ago

    I think they messed up a good chance to have proven it was him by running to the media so fast. If instead they had quietly arrested him and then held him a few weeks before going to the media then it would have cleared some things up.

    If it was him then the posts would have stopped suddenly with no one knowing why for a few weeks. Then they could announce that they had him.

    If it was not the real topiary then the real one would not know he needs to stop posting. The result would be the post continuing showing they did not have right man.

    In the end it will not matter as the evidence is on the computer. At a minimum they will be able to figure out if this guy is a criminal or not. If he is they will lock him up if not he will go free. If he is the "real" topiary is of little importance considering guys like that will always do something stupid and end up in jail eventually.

  10. gu1d0f0x · 1094 days ago

    lol nice one topiary... i knew he was too smart to be caught, leading the police for a troll.

  11. wethecom · 976 days ago

    as for the hack it only takes a second to do the hack he did ..its actually easyer to hack a site like he did than upload a photo on facbook

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.