Four members of the notorious LulzSec hacking gang, who attacked websites belonging to the likes of the CIA, the NHS and the Serious Organised Crime Agency (SOCA), are due to be sentenced at Southwark Crown Court in London later today.
The Anonymous-affiliated hacking group didn’t limit itself to denial-of-service attacks which bombarded websites with so much internet traffic that they were inaccessible by the outside world. They also stole personal information from poorly-secured networks.
For instance, the group’s attack on Sony took the PlayStation Network offline for several days, stole 24.6 million individual pieces of customer data and cost the firm a reported $20 million in revenue.
What’s obvious is that the motive of the LulzSec hacking gang wasn’t to make money. In that sense they were very different from many of the online criminals encountered today.
However, they were set on amusing themselves at the expense of embarrassed organisations, disrupting websites and – in the worst cases – exposing the personal information of innocent people.
Of course, those actions could have costly financial consequences for the companies and individuals who were unfortunate enough to be caught up in the attacks and data breaches.
Below you will find more details of the four hackers, who had previously pleaded guilty to various hacking offences:
- Jake Davis – “Topiary”
- Ryan Cleary – “Viral”
- Mustafa Al-Bassam – “T-Flow”
- Ryan Ackroyd – “Kayla”
- The reign of LulzSec
Further reading: Jail for the LulzSec hacking gang members
Jake Davis, also known as “Topiary”
20-year-old Jake Davis, who acted as LulzSec’s spokesman under the pseudonym of “Topiary” and was arrested at his home in the remote Shetland Islands, was one of the most high-profile members of LulzSec, writing press releases for the group, conducting media interviews, and running the group’s Twitter account.
Jake Davis, who by all accounts was not having the greatest experience living so remotely from the British mainland, enjoyed co-ordinating LulzSec’s activities.
He was not the most technically skilled member of the LulzSec hacking gang, but was quick-witted and intelligent, making him an ideal spokesperson for the group.
Here’s a video I made at the time of Davis’s arrest, where “Topiary” is heard claiming that he and other hacktivists would always be one step ahead of the authorities:
When arrested, Jake Davis was caught red-handed with 750,000 pieces of stolen personal data in his possession, including names and addresses, passwords, and credit card details.
Famously, just before his arrest Jake Davis posted a simple message on Topiary’s Twitter account:
"You cannot arrest an idea"
Last month, Davis pleaded guilty to his part in bombarding various websites with so much internet traffic that they were inaccessible by the outside world.
Last year, following his arrest, Davis wrote an article entitled “My life after Anonymous” where he claimed that he felt “more fulfilled without the internet”.
It’s possible that Jake Davis may be extradited to the United States in the future, to answer related hacking charges there.
Ryan Cleary, also known as “Viral”
Ryan Cleary was not a main member of the LulzSec hacking gang, but had access to something very valuable – control over a botnet of compromised computers.
Prosecutor Sandip Patel told the court that “at any one time [Cleary] had up to 100,000 computers directly and actively under his control.”
Cleary had made thousands of pounds every month, renting out access to his massive botnet of hijacked personal computers so criminals could launch denial-of-service attacks and send spam campaigns. But as he was sympathetic to the cause, he didn’t make such financial demands of the LulzSec gang.
After his arrest, in June 2011, at his home in Wickford, Essex, The Sun newspaper described Cleary as a “geek”, “nerd” and “oddball”.
The news report was clearly insensitive, as Cleary suffers from Asperger’s.
It is speculated that The Sun’s front page media report may have angered other members of LulzSec, and motivated the hacking group’s subsequent attack against the newspaper.
The attack against The Sun resulted in phone numbers, email addresses and passwords of News International employees being posted on the internet.
Meanwhile, website visitors were presented with a false news story claiming that News International founder Rupert Murdoch had died after ingesting a “large quantity of palladium”, and stumbled into his “famous topiary garden”.
Mustafa Al-Bassam, also known as “T-Flow”
Mustafa Al-Bassam, the youngest of the four men and technically a child at the time of the offences, specialised in finding vulnerabilities in websites that could be exploited by malicious hackers.
Calling himself “T-Flow”, Al-Bassam took issue with the homophobic stance of the controversial Westboro Baptist Church that entered an online argument with the Anonymous movement, before being hacked live on-air.
When the A-Level student – who is now 18 years old – was arrested, a note was found giving details of a security vulnerability on the FBI’s website.
Ryan Ackroyd, also known as “Kayla”
Ryan Ackroyd, who claimed to have learned his computer skills by attempting to tinker with computer games, was considered the most skilled hacker in the LulzSec group.
After joining the British army when he was 19, Ackroyd had served in Iraq, Canada and the Falklands, before being discharged after five years.
Many, both inside and outside the underground world of hackers, were duped into believing that “Kayla” was a teenage girl – a deliberate attempt by Ackroyd to disguise his true identity.
The truth is that Kayla was a 26-year-old British man, from Doncaster. Ackroyd enjoyed the disguise, as it rubbed salt into the wounds of hacking victims who thought they had been “pwned” by a teenage girl.
The reign of LulzSec
Here’s a short summary of just some of the hacks, internet attacks and indeed arrests associated with the LulzSec gang during 2011:
- LulzSec suspect pleads not guilty to Sony Pictures website hack. If convicted, Cody Kretsinger, from Phoenix, Arizona, could face up to 15 years in prison.
- LulzSec hacking suspect ‘Topiary’ arrested in the Shetland Islands. A court was later told that alleged hacker Jake Davis had 750,000 passwords in his possession.
- LulzSec and Anonymous hacker suspects arrested by US, UK and Dutch authorities.
- Britain’s leading tabloid, The Sun, was hacked, and replaced with a bogus story announcing the death of Rupert Murdoch. In addition, readers who had participated in the newspaper’s competitions had their personal details exposed.
- FBI searches LulzSec suspect’s home in Hamilton, Ohio.
- EA Games resets users’ passwords following LulzSec hack.
- The end of LulzSec? Hacking group says it is disbanding, after 50 days of attacks.
- Ryan Cleary charged with DDoS attacks – SOCA (Britain’s Serious Organised Crime Agency) and other websites in the firing line.
- SOCA website scalp claimed by LulzSec in apparent DDoS attack.
- CIA website brought down by DDoS attack, LulzSec hackers claim responsibility.
- EVE Online and other gaming websites hit by LulzSec DDoS attack.
- LulzSec attacks US Senate and Bethesda Softworks.
- 26,000 sex website passwords exposed by LulzSec.
- Hackers steal Fox TV passwords, deface Twitter and LinkedIn pages.