The Register® — Biting the hand that feeds IT


UK cops: How we sniffed out convicted AnonOps admin 'Nerdo'

Hint: Sometimes gamer tags give the game away


Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led up to the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms.

Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers following a guilty verdict by a jury at Southwark Crown Court last week.

Weatherhead, 22, was studying at Northampton University when he allegedly took part in "Operation Payback", the DDoS campaign launched by the hacktivists in defence of whistle-blowing site WikiLeaks. Targets included the entertainment industry and later financial services firms that had suspended payment processing of donations to WikiLeaks after it controversially published leaked US diplomatic cables in late 2010.

Ashley Rhodes, 27, from Camberwell, south London; Peter Gibson, 24, from Hartlepool; and an 18-year-old male had already pleaded guilty to the same charge, relating to offences that took place between August 2010 and January 2011.

Payback's a bitch

Sandip Patel, prosecuting, said that attacks by various Anonymous hacktivists had cost PayPal £3.5m ($5.5m) and forced it to call in 100 staff from parent firm eBay in order to keep its website up and running over the course of a series of DDoS assaults that spanned several weeks.

The attacks were launched using the Low Orbit Ion Cannon (LOIC) packet-flooding tool widely used by Anonymous at the time. LOIC spills the IP addresses of those taking part in attacks. However, evidence from the IRC channels where the hacktivists hung out and planned attacks was more important to the police investigation.

Operation Payback attacks began against firms known to oppose copyright piracy (such as those of the Ministry of Sound nightclub, the British Recorded Music Industry and the International Federation of the Phonographic Industry) before the hacktivists switched targets to concentrate packet-slamming assaults on payment-processing firms including PayPal and MasterCard - which had angered Anonymous by choking off a source of income to WikiLeaks.

Sniffing around in AnonOps' channel

Weatherhead (Nerdo) was a network administrator and among a small group of leaders on an AnonOps IRC channel that became the focus of a police investigation, spearheaded by members of Scotland Yard's Police Central eCrime Unit.

Former Detective Constable Trevor Dickey, who has left the Met and found work in the private sector since the successful conclusion of the investigation, explained: "In a nutshell we identified Weatherhead via the IRC network."

"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of nicks such as admins and operators," he added.

"We then did some keyword searching and spent a lot of time looking at social leakage. Combining all these elements we then identified the nicks of interest and did open source research on them. Weatherhead was easy to identify as he had been using the nick of 'Nerdo' for quite some time," he concluded.
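The steps Dickey describes (capture the channel, note which nicks hold operator status, search for keywords, and look for social leakage that gives an open-source pivot) map onto a straightforward log-triage script. The following is an added example written for this article, not code from the police investigation; the log lines are constructed in a common IRC client log format, and the keywords, leakage patterns and scoring weights are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample of a channel log (timestamped "-!-" server notices and
# "<nick> message" lines). Invented for this example; not real captured chat.
SAMPLE_LOG = """\
[2010-12-06 19:02:11] -!- alpha_op [~a@host.example] has joined #ops-example
[2010-12-06 19:02:15] -!- mode/#ops-example [+o alpha_op] by ChanServ
[2010-12-06 19:03:40] -!- bravo [~b@host.example] has joined #ops-example
[2010-12-06 19:04:02] <alpha_op> ok everyone, load the tool and wait for the countdown
[2010-12-06 19:04:30] <bravo> which site is the target tonight?
[2010-12-06 19:05:01] -!- mode/#ops-example [+o charlie] by alpha_op
[2010-12-06 19:05:10] <charlie> target list goes up at 2000, keep the hive mind ready
[2010-12-06 19:06:44] <bravo> brb, my xbox tag is bravo_gamer if anyone wants to add me
[2010-12-06 19:07:00] -!- mode/#ops-example [-o charlie] by ChanServ
[2010-12-06 19:08:12] <delta> lol
"""

MSG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] <(?P<nick>[^>]+)> (?P<text>.*)$')
MODE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] -!- mode/(?P<chan>\S+) '
    r'\[(?P<change>[+-][A-Za-z]+) ?(?P<args>[^\]]*)\] by (?P<by>\S+)$')

# Assumed analyst keyword list (assumption for the example).
KEYWORDS = ("target", "countdown", "tool")
# Assumed phrases that often accompany a self-identifying handle ("social leakage").
LEAKAGE_RE = re.compile(r'\b(xbox|gamer ?tag|steam|psn|skype)\b', re.IGNORECASE)


def apply_mode(change, args, ops):
    """Update the set of current channel operators from one MODE line.
    Only +o/-o change the set; other flags that take an argument (v, h, b, k)
    consume theirs so that nick positions stay aligned."""
    sign = change[0]
    mode_args = args.split()
    for flag in change[1:]:
        if flag in "ovhbk":
            if not mode_args:
                break
            arg = mode_args.pop(0)
            if flag == "o":
                (ops.add if sign == "+" else ops.discard)(arg)


def analyse(log_text):
    """Triage a channel log: who held ops, who used keywords, who leaked a handle."""
    ops_now, ops_ever = set(), set()
    keyword_hits, messages = Counter(), Counter()
    leakage = []
    for line in log_text.splitlines():
        m = MODE_RE.match(line)
        if m:
            apply_mode(m["change"], m["args"], ops_now)
            ops_ever |= ops_now           # remember anyone who ever held +o
            continue
        m = MSG_RE.match(line)
        if not m:
            continue                      # joins/parts and other notices are ignored
        nick, text = m["nick"], m["text"]
        messages[nick] += 1
        low = text.lower()
        keyword_hits[nick] += sum(low.count(kw) for kw in KEYWORDS)
        if LEAKAGE_RE.search(text):
            leakage.append((nick, text))  # candidate pivot for open-source research
    leak_count = Counter(nick for nick, _ in leakage)
    nicks = set(messages) | ops_ever
    # Assumed weighting: operator status dominates, then leaked handles, then keywords.
    score = {n: 10 * (n in ops_ever) + 2 * leak_count[n] + keyword_hits[n] for n in nicks}
    ranked = sorted(nicks, key=lambda n: (-score[n], n))
    return {
        "operators_ever": ops_ever,
        "operators_final": ops_now,
        "keyword_hits": keyword_hits,
        "leakage": leakage,
        "nicks_of_interest": ranked,
        "scores": score,
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("operators seen:", sorted(r["operators_ever"]))
    for n in r["nicks_of_interest"]:
        print(f"{n:10} score={r['scores'][n]:3} keywords={r['keyword_hits'][n]}")
    for nick, text in r["leakage"]:
        print(f"leakage candidate from {nick}: {text}")
```

The script treats every nick that ever held +o as an organiser candidate (charlie is caught even though the op flag was later removed), and records leakage lines verbatim rather than trying to extract the handle, since that last step is analyst judgement and the pivot into open-source research the article describes.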

Ray Massie, a self-employed computer forensic and open-source training consultant who served as a detective sergeant with the Met Police and led the investigation, explained that UK police decided to target the administrators of Anonymous-run channels, focusing on instigators of attacks rather than Anonymous "foot soldiers" otherwise involved in DDoS assaults. This is in contrast to US law enforcement clampdowns, which also targeted simple participants in hacktivist actions who had played no part in selecting targets or planning attacks.

"We went after organisers and facilitators rather than foot soldiers. US authorities went after a mix," Massie explained.

The police operation began in October 2010 with attacks on the Ministry of Sound and the BPI. "It was quickly clear that Anonymous was running similar attacks against different anti-piracy organisations in the USA, Germany, France, Spain and elsewhere. They would select a target, post the name of a target online along with dates and times of an attack and, in some cases, a countdown clock. Everything was signposted from IRC channels."

Massie explained that over time, hacktivists made more use of Facebook and Twitter, but this was mainly for promotion and propaganda. "Would-be participants were directed to IRC channels, where plans were all laid out," he said. Links posted on IRC offered advice on how to use LOIC (the favoured DDoS attack tool of Anonymous at the time), how to cover their tracks, and other hacker trade-craft tips.


Anonymous Coward

Re: good work

It's called an investigation - and it is a very good example of why things like the snoopers charter are completely unnecessary

26
1

Re: IRC is not secure

I don't think we're dealing with expert hackers here who thoroughly considered the link back to themselves.

Tor and Truecrypt use wouldn't be enough to cover your tracks online on their own. Tor, in particular, can be inherently leaky unless you're paranoid about what packets you send out over it (accidentally leave your IM/Skype/Email running? Whoops, there's identification right there). These people were caught by unencrypted browser histories (by the sound of it, which suggests use of non-full-disk encryption, or encrypted dual-systems - TrueCrypt's "plausible deniability" - where activities spilled over into unencrypted parts, or the part covered by the password they *did* share, of the disks).

And leaving proof-of-hosting just lying around on encrypted partitions? That's just amateur.

Organising over IRC? In comparison that's quite minor, but that's just asking for trouble too, because you leave full logs wherever you go - even accidentally - because a lot of people record IRC 24/7 so they can go to sleep and "catch up" on what happened later. Coordinating the attacks over IRC with random, unverified people (who were probably NOT using such methods to keep their identities hidden) seems a bit daft - especially if some of those people then moved onto social networks to pull in more people. And even using the same username - though that's hardly hard evidence, it suggests a complete lack of thought between connections of you and your activities. You couldn't convict on that alone, but if it gets to the point that there's some decent suspicion you were involved and YOUR Internet name has always been X and Internet name X appears on connections associated with the suspicion, the hosting, the IRC admins, etc. then it's just another nail in your coffin.

That said, not much would have saved them by that point anyway. I suspect that if they *didn't* hand over their TrueCrypt details, that's enough to convict them anyway (perverting the course of justice by failing to provide evidence - though there's a question of self-incrimination - or one of the newer laws would handle that quite nicely). So they weren't going to get away with it once it had come down to a handful of people of interest, and giving away your username, geographical location, and leaving a trail of history since your teenage years on those same details would give police an address in a matter of minutes (one phone call to XBox Live, I would think). Even if it was only as a suspect, you would be having a word with the boys in blue within moments and then explaining why you won't decrypt all those hard drives you have is going to be tricky to make stand up in court.

The story could well have been very different, but only if they actually knew enough about computers, and bothered to try to hide their identities properly. But even then, just finding evidence of connecting to the IRC channel and (then) a TrueCrypt volume that you refuse to decrypt is enough to throw you in jail.

They were sloppy, and got caught, and probably thought they were immune right until the verdict. One of the reasons I would be *useless* in any sort of online activism. I often find programs connecting that I'd forgotten all about (even with software firewalls that warn me), have DNS settings that for years send DNS requests to my old ISP's server, etc.

An example? Windows Vista and above talks to a server to establish the "Internet Connection" or not status of your connections. There are registry entries to tweak what server it talks to and what it expects to find in a named file on that server. I tweaked mine to point to my own private server (the theory being, if anyone is stupid enough to steal and then turn on my machine while it's on the Internet, I would capture their IP from the Apache logs), and then forgot about it for ages until I wondered why my icons never showed Internet connectivity. That's just the kind of stupid stuff that would catch me out before I even started.

19
2

"And I would have got away with it too, if it hadn't been for my X-Box gamer tag and you meddling script kids!"

17
0
