Feeds

Who is the mystery sixth member of LulzSec?

And, hang on, what happened to all the loot...

Protecting against web application threats using SSL

Analysis Thursday's sentencing of three core members of hacktivist crew LulzSec and an accomplice hacker who gave them access to a botnet closes an important chapter in the history of activism. But it also leaves a number of questions unanswered.

One of the most interesting of these puzzlers is the identity of the mysterious sixth member of the group.

LulzSec was a constant feature of the information security headlines in May-June 2011 during its "50 days of Lulz" when it attacked Fox, PBS, Sony, Nintendo, Sega, FBI-affiliated security outfits such as Infragard and HB Gary Federal, the US Senate, the Arizona State Police, the CIA and the UK's Serious Organised Crime Agency.

Most targets were entertainment firms opposing file-sharing, information security outfit, or law enforcement agencies. Tactics ran from basic website-flooding attacks to defacement and site redirection. In several cases the group published stolen data from compromised websites.

The motive of the group was described by prosecutors in a London sentencing hearing this week as "anarchic self-amusement" rather than anything profit-motivated. In truth filthy lucre does play a part in the story of LulzSec, even though the overriding driver appeared in several cases to be the chance for the accused to play rock-star black-hat hackers on a global stage, sticking two fingers up to The Man.

Consequences

LulzSec had six core members: The first four were Topiary aka Jake Davis (@aTopiary), UK; T-Flow, aka Mustafa Al-Bassam (@let_it_tflow), UK; Kayla, aka Ryan Ackroyd (@lolspoon), UK; Sabu, aka Hector Monsegur (@anonymouSabu), US.

The other two, according to the US Attorney's Office and the FBI indictment, were Pwnsauce, named as Darren Martyn (@_pwnsauce), Ireland; and AVunit (@AvunitAnon), whose identity is unknown.

Three suspects were sentenced in London's Southwark Crown Court on Thursday. Jake Davis, 19, of Lerwick, Shetland received a 24-month sentence in a young offenders' institute, of which he'll serve half.

Ryan Ackroyd, 26, of Mexborough, Doncaster, received a 30-month sentence. Providing he behaves himself, he'll serve only 15 months. Mustafa Al-Bassam, 18, from Peckham, south London, got a 20-month sentence, suspended for two years, as well as 300 hours of community work. Al-Bassam avoided jail because of he was underage and still at school at the times of his offences.

Ryan Cleary (AKA Viral), 21, of Wickford, Essex, was found to have supplied a botnet of around 100,000 compromised computers that acted as a platform for LulzSec to blitz targeted websites. He was not a core member of the group but was prosecuted in the same case and ultimately received the most severe punishment of all the accused: a 32-month prison sentence.

Extradition 'not anticipated'

The quartet was investigated in a joint operation by the Metropolitan Police's Central e-Crime Unit and the FBI. In a statement welcoming the sentencing, Scotland Yard explained that each member of the group had a clearly defined role.

Ackroyd was responsible for researching and executing many of their hacks, Cleary assisted by allowing the use of his botnet - a system of malware-infected computers he controlled - to coordinate DDoS attacks. Al-Bassam assisted in discovering and exploiting online vulnerabilities, and also created and controlled LulzSec's website. Davis was their spokesperson, managing their Twitter account and press releases.

Karen Todner, Cleary's solicitor (and managing director of the law firm who represented McKinnon), issued a statement on Thursday saying they "do not anticipate" that he will become the subject of a US extradition request. Davis has also been indicted in the US but early reports suggest its unlikely that US authorities will seek his extradition.

The alleged ringleader of LulzSec, US-based Hector Xavier Monsegur - known online as "Sabu" - agreed to act as an informant following his arrest in June 2011, according to the FBI. The Feds said that Monsegur had helped them to identify other members of the group and other hackers.

Monsegur frequently acted as the group's ideologue as well as directing attack campaigns. He was the midfield play-maker in a group that was nominally leaderless. He has already pleaded guilty to 12 counts of hacking, bank fraud, and identity theft and will be sentenced in August.

Darren Martyn (Pwnsauce) 26, of Galway, Ireland, was indicted in March 2012 for conspiring with other LulzSec members to attack Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service. He also allegedly hacked into the website of Fine Gael, a political party in Ireland. He's yet to be tried.

That all means that four of the six core members of LulzSec have been caught, and police have indicted a fifth man whom they suspect of being number five, but the identity of Avunit remains a mystery, presumably even to Sabu or other members of the group who might have given him up in the hope of receiving a lesser sentence.

"We have no idea who Avunit is," writes Mikko Hypponen, CRO at Finnish anti-virus firm F-Secure. "We have no identity. We don't even know which continent he is from."

Reducing the cost and complexity of web vulnerability management

Next page: Tradecraft

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.