LulzSec were an international hacking crew and today marks 5 years since the end of their most well-known campaign: the “50 Days of Lulz”.
They were a hacking crew spread across the planet taking down websites for the lulz. The members were Sabu, Pwnsauce, Tflow, Topiary, Kayla, Avunit, Viral, and a few others who were involved to lesser degrees. The members of LulzSec. Five years ago they set sail on an uneasy and brutal ocean: the Internet. Their mission? To laugh at the security of major organisations around the world. They exposed corporations, governments, often the general population itself, and quite possibly everything in between, just because they could.
I thought it time to look back at their voyage and see what could be learned. LulzSec were a band of Internet citizens, who came together and wreaked havoc on a large number of companies, their campaign became known as the “50 days of Lulz”, it came to an end in the early hours of Jun 26th, 2011 (BST). Listening to various members of the crew tell their individual stories, some of the members at least no doubt got caught up in what was happening and the end state wasn’t exactly what they thought they were heading towards when they started.
Topiary, one of the founding members, places the start of his journey into LulzSec in December 2010. When he was first introduced to Anonymous his introduction to the world of hacking and Anonymous was not a gentle one, joining as Operation Payback is in full swing taking down companies such as MasterCard and Visa. His introduction obviously shocked and interested him enough because he hung around in that same chatroom, eventually getting involved by writing defacement messages for the hacks other members were performing.
Topiary’s position as writer and spokesperson of hacking crews was further cemented when Anonymous targeted the Westboro Baptist Church and he gave a live radio interview, as the attack was happening. This is the point that he marks as the start of LulSsec, due to fears of getting caught up with law enforcement due to the Westboro Baptist Church hacks, he says a group of about seven branched off to start their own group.
So Topiary at least, didn’t set sail for the end goal of being a part of the “50 days”, he didn’t start with the intention of getting knee deep in multi-national politics, he was just bored and the Internet offered him something that his home on the Shetland Islands couldn’t. The Internet gave him a world view outside of the tiny island on which he lived and allowed him to just interact with a wider range of people, a wider world Someone told him you could change the world through the Internet; well the Internet certainly changed his.
LulzSec hacked organisations like Fox, PBS, Sony, FBI Affiliates, adult entertainment websites, the Serious Organised Crime Agency and because of their actions online hit the front pages around the globe. This obviously led them straight into the attentions of Law Enforcement. The hacking group’s modus operandi seemed to be to breach a company, claim the breach and simply make the data available through sites such as twitter, pastebin and The Pirate Bay – then move on to the next breach.
The FBI arrested one of the members, Sabu, on June 7, 2011. Later, he pleaded guilty to 12 criminal charges including: 3 counts of conspiracy to engage in computer hacking, computer hacking in furtherance of fraud, conspiracy to commit access device fraud, conspiracy to commit bank fraud and aggravated identity theft. He faced 124 years in prison. Ultimately though, he began working for the FBI and informing on other hackers across the globe both as part of LulzSec and as part of AntiSec.
As law enforcement worked through the list of core members of LulzSec we learned the identities of most of the members: Hector Xavier Monsegur (Sabu), Darren Martyn (Pwnsauce), Mustafa Al-Bassam (Tflow), Ryan Ackroyd (Kayla), but Avunit was never named.
Law enforcement worked through the list of members and the media ate up quotations about them being a serious threat to our national security, categorising them as a threat worse than biological warfare. (Don’t believe hackers are graded above biological warfare against a nation state? Then take a look at the UK’s National Security Risk Assessment which clearly categorises “Hostile Attacks upon UK Cyberspace, by other states and large scale cyber-crime” as Tier 1, above Tier 2 which contains “An attack on the UK or its Overseas Territories by another state or proxy using chemical, biological, radiological or nuclear (CBRN) weapons.”)
Sabu faced a 124 year sentence – but many of the members may have received a smaller sentence for their parts in the attacks. Topiary for example, was sentenced to 2 years imprisonment although due to a period where he was ordered to wear an electronic tag his actual time in prison was reduced to 38 days. However, since his release date was due to be a Saturday he was ultimately released a day early.
Others in the group: Ryan Ackroyd received a 30 month custodial sentence. Tflow received a 20 month suspended sentence. Hector Monsegur was given “time served” for his worth with the FBI and released with 12 months of probation.
Thinking back to police statements, media hype and the way that the public reacted to the LulzSec hacks we have on one hand a hacking crew that has shown they can have a huge impact upon law enforcement and huge international companies which is evidenced in DDoS attacks, defacements and data theft. A group so dangerous that they were described as a fate worse than nuclear warfare. Yet the UK government hands only a little over a month in prison. We’re freaking out that hackers can destabilise economise and yet many of them are knocking over websites just to pass the time and fight the boredom whilst trapped on cold islands north of the Scottish mainland islands.
It’s been five years since LulzSec first laughed at our security, since they gently introduced us to the fact that the security of major organisations was insufficient. So how much progress have we made since then? How much more secure are we as individuals, companies and a nation?