LulzSec claims FBI affiliate hacked, users and botnet use exposed (Updated)

LulzSec announced moments ago that it hacked the Atlanta chapter of Infragard, an FBI affiliate, and uploaded the company's user database to the Internet. The cracking group also claims that documents yielded by the intrusion expose an associated company's use of botnets (networks of malware-infected personal computers) and an attempt by someone involved with it to pay LulzSec not to expose the breach.
We just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it, check it out if it's still up: While not very many logins (around 180), we'd like to take the time to point out that all of them are affiliated with the FBI in some way. Most of them reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too. One of them, Karim Hijazi, used his Infragard password for his personal gmail, and the gmail of the company he owns. "Unveillance", a whitehat company that specializes in data breaches and botnets, was compromised because of Karim's incompetence. We stole all of his personal emails and his company emails. We also briefly took over, among other things, their servers and their botnet control panel. After doing so, we contacted Karim and told him what we did. After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence. Karim, a member of an FBI-related website, was willing to give us money and inside info in order to destroy his opponents in the whitehat world. We even discussed plans for him to give us insider botnet information.
LulzSec recently defaced PBS's website and stole more than 1m user records and coupon codes from Sony Pictures Entertainment.
The data posted online includes the personal info for 180 users at Infragard, which is a private-public partnership between the FBI and U.S. businesses "designed to protect IT systems from hacker attacks and other intrusions." It also includes purported chatlogs with Hijazi, and more than 700MB of internal emails discussing the operations of his company, which include references to network surveillance of Libyan interests. Though encrypted, the Infragard passwords were also cracked. Of their wide reuse for personal email and other online services, LulzSec adds: "they should be considered imbeciles from this moment until their moment of death."
For the curious, the YouTube video used to deface Infragard's website features someone LulzSec has argued with on Twitter, being insulted by an interviewer.
UPDATE: Karim Hijazi, the CEO of Unveillance, responding to LulzSec's claims today:
Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as "LulzSec." During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks. In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.
Update: And here's LulzSec with another response:
Karim compromised his entire company and the personal lives of his colleagues, then attempted to silence us with promises of financial gain and mutual benefits ... [he] used the same password for all of his online accounts and all accounts linked to a company he owns. Then he tried to bargain with hackers so his company wouldn't crumble.
LulzSec versus FBI Affiliates + Whitehats [Pastebin]


  1. I’m like cheering them on, but also thinking, “Dude, you just poked a sleeping tiger – AGAIN!”

    1. Why are you cheering for them? Because they’re the underdog? An underdog that scampers about pissing on the hard work of larger dogs, who are the bad guys by virtue of being larger? Or is it because you think everyone down to the post office has an illegal file on you and anyone who can expose that is a hero, no matter how goofy their name is or obnoxious their delivery?

      You’re right, they poked the sleeping tiger. Now the sleeping tiger needs to get off its ass and maul these guys.

      1. Hackers and vigilantes are hard not to like after long enough on the internet. It adds some excitement to the place.

      2. They’re the bad guys by virtue of the fact that they claim to be the good guys, but are in fact more corrupt and criminal than most of the people in our prisons.

      3. I disagree that they’re not worth cheering for. These “larger dogs” obviously haven’t put in enough hard work if they’re, for the most part, that easily hacked.

        I do agree that they’re obnoxious and maybe not heroes, but their actions do point out the fact that a lot of large entities, even ones based around net security like Unveillance and Infragard, don’t know much about security. The unethical stuff like the guy allegedly trying to bribe them is just icing on the cake, I suppose.

        1. Provided, of course, that lulzsec is telling the truth. It seems equally probable to me that it could simply be stretching the truth a bit to make his point better. The accusation is made easier by the fact that, either way, Hijazi will deny these accusations. I’d like to believe it and am prone to, but we are dealing with Lulz Security, one of whose stated goals is lulz. They are fundamentally untrustworthy.

        2. I do agree that they’re obnoxious and maybe not heroes, but their actions do point out the fact that a lot of large entities, even ones based around net security like Unveillance and Infragard, don’t know much about security.

          There’s a crazy amount of so-called security experts that don’t understand security realities and suffer from a dangerous cocktail of arrogance and ignorance. They are being exposed for what they are… frauds.

          Right now, there’s such a drunken cocktail being spread amongst pawns in the security field that Mac OS X is actually more vulnerable than Windows 7 just because it doesn’t have a full implementation of ASLR yet.

          OS X will probably utilize full ASLR in Lion and already has in its iOS. But security “experts” that can’t research their way out of a wet paper bag have come to the very errant conclusion DEP combined with ASLR blows away every other security feature currently in OS X. Complete bullshit. ASLR will merely be the security icing on the cake for OS X… it’s NOT the cake itself.

          But don’t try explaining that to a so-called security expert who brings up bullshit like Mac “security through obscurity” (while having to ignore all other previous trends including market share and other complex vectors that roundly disprove that theory in general as well as for Macs).

          Well-researched hackers that utilize a dose of common sense over dogmatic belief systems eat these ignorant and often hypocritical tools and fools for breakfast.

          Oh, and the ASLR implementation in Windows 7 has been bypassed many times, hahaha…. Ouch…

          Expect more pain so-called security experts. It’s a jungle out there.

      4. “An underdog that scampers about pissing on the hard work of larger dogs”

        Insofar as the “work” of dogs consists largely of pissing on things, I think you have chosen a rather nice metaphor – a bunch of dogs, each sniffing and peeing on the same post every time they pass it…

          1. Yeah I actually watched it again earlier this evening and I’m glad I did. Thank you Gulliver!

          1. Omigosh! A huge bladdered gyroscopehound!

            Also, I don’t think I agree that you shouldn’t have posted the first video either. Now, I wonder what “shampoo my crotch” was a metaphor for?

  2. Poking a sleeping tiger is right. I’m surprised that their own website hasn’t been taken over by the FBI. These people are going to end up in jail.

    1. By the standards of the boys who brought us COINTELPRO, running a few botnets is practically angelic…

  3. Ok, I admit it, I like these guys. I’ve never totally been against vigilantism (even made a civil arrest once, was fun). I don’t know if they are right or wrong, but I am pretty sure that these people are fun to talk with.

    Careful with the bad guys. I don’t want to see you water-boarded.

  4. The department of the obvious already outed these guys a few days ago by saying that hacking could be seenz as an act of war. If war be the flav-o-the month, I say flavah on.

  5. (precursor to internal WOT’s, detentions, renditions and various sorts of anal probings by self-acclaimed Christians.)

  6. Call me a skeptic but I expect their impunity will eventually corrupt them. That’s why the FBI was guilty (of whatever LulzSec said they were guilty of).

  7. crap, accidentally clicked that pastebin link, thinking it was some kind of news source (i’m a dumbass, i know). i quickly exited though. good thing i have ghostery.

    1. Odds are that the FBI is very much more interested in finding the people actually behind LulzSec than they are in finding some random person who clicked on a link.

      Really, don’t be that paranoid and afraid; it’s probably what They want anyway. (OTOH, a little bit of fear and paranoia is necessary.)

    1. Does anybody remember laughter ? :-)


      Laughter was a communist conspiracy to undermine America’s family values. The Founders never intended the First Amendment to apply to laughter. The PATRIOT Act has made it clear that this country has a zero tolerance policy toward laughter.

      Now bow before your master, peasant!

        1. I’m partial to my own theological text…

          Duncan Idaho: “Dual allegiance, Milord, to you and to their tribe.”

          Stilgar: “There is a precedent. Liet serves two masters.”

          Leto Atreides: “Let it be known among your people, Stilgar, that Duke Leto Atreides honors the sacrifice that your warrior has made on our behalf. I wish nothing but peace between us.”

          Paul Atreides: “We thank you for the gift of your body’s water, Stilgar, and accept it in the spirit with which it was given.”

          Stilgar: “Duncan Idaho, your water now belongs to us. The body of our friend, Turok, remains with your duke. His water now belongs to the Atreides. That is the bond between us.”

  8. It’s not hard to avoid getting caught while hacking. It’s exposure via snitch that’s more likely to get you busted. Less skilled hackers get busted, turn snitch to avoid prison and narc on all their would be pals. These people could be anywhere…. And therefore no more intimidated by the FBI than Americans are of the Uruguayan cyber-police.

    I think this is starting to get interesting.


      What? It doesn’t matter where they are, we’ll just invade the world. That’s what a military is for.

  9. People don’t realise that most law enforcement agencies can catch you pretty much at will. It’s just a matter of how much they’re willing to devote in the way of resources and political will.

    It’s not 30 years ago when you were dealing with an aging Hoover hold over wondering how these com-pu-tors worked.

  10. People also get caught by bragging at all.

    That and I always had the theory that even if you know your stuff super tight you can’t be running 100% perfect every time and you could be the one that gets caught by some new technique.

  11. What I do not get: Why is nobody using PKI?! S/MIME is in nearly every Mail-Client, PGP is easy to install, all larger companies and institutions have certs — why is nobody using them?!

  12. So wait–

    They posted:

    we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya’s cyber infrastructure. You will find the emails of all 23 people involved in the emails.

    Is this the same operation that’s on the CSFI home page?

    CSFI is officially releasing “Project Cyber Dawn Libya.” Project Cyber Dawn Libya is the result of a collaborative research effort of twenty-one individuals from the USA, Australia, Canada, Egypt, Italy, Tunisia and the UK.

    Project Cyber Dawn Libya collates, analyzes, and reports on raw data and its Interconnections that have been harvested from the public domain. Recent events are correlated with known historical data to provide an in-depth view into Libyan Cyber Warfare capabilities and defenses. Through this analysis, CSFI can help the international community to understand not only Libya’s potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya.

    Maybe it’s being taken a step further than this describes…

  13. There was never an offer to comply with the extortion in any of the communications. Outrageous that these kids would leak those emails. Unveillance actually posted an official response stating that the US CERT and FBI were contacted as soon as they were aware of lulz. Probably just continuing communication with them to prevent the leak and buy time.

  14. 1) Run a Youtube search for the name of the pictured video at the top of the article.

    2) Notice how the number of views can’t seem to get past 302 views.

    3) Cry out shenanigans!

  15. What kind of FBI affiliate would still be using passwords vs PKI? Fuckin dinosaurs.

    1. What kind of FBI affiliate would still be using passwords vs PKI? Fuckin dinosaurs.

      The powers that be are an inbred, fear-driven bunch of buffoons that are too busy fucking with Phil Zimmermann to actually be bothered with researching and utilizing it.

      But what else can we expect from a bunch of inbred, inept corporatists who spend more time on bribes and corruption than on research and true hard work? Your rich daddy can’t save you now, corporatist assholes. And, all the stooges whose sole purpose is to prop up the 1% richest asshole have no soul to tell and just don’t have the passion for this work.

      Time to actually WORK for a living if you don’t want to get eaten up in your own dog-eat-dog you lovingly espouse so much. Keep attacking things like a single payer health care system for the public with FUD and the public will keep attacking you. Act like an enemy of the people and you will be treated as such, corporatists. It’s actually in your best interest to surrender… now. But we all know you’re much too arrogant for that, so the people will just have to keep taking you down brick by brick.

      1. Hey, Cowicide – way to rant. Do you have a blog or something?

        Your ideas intrigue me and I wish to subscribe to your newsletter.

          1. Canned Heat
            A Change is Gonna Come / I’m Leaving This Town

            I said I believe…
            yeah folks a change sure is gonna come
            I said I believe…
            yeah people a change… will surely come
            We’ll all have a good peace of mind
            Lord, our freedom will surely surely come
            Well now, I believe in the morning
            I believe I’ll go on back home
            Well, now I believe I’m gonna get up in the morning
            yeah, people ah people, I’m gonna go back home
            Well, now I gotta find my little mama
            You know I gotta have some ridin’ to be done
            Standin’ at the crossroads
            my friends began to yell and shout
            Well, I’m standin’ down at the crossroads
            lord I’m standin’ all by myself
            Well, as long as I’ve got myself a friend
            lord I can’t ask for much
            [Guitar solo]
            Well, when you’ve got yourself a good friend
            You are the luckiest man on earth
            I say you got yourself a good friend
            yeah now do know you’re the luckiest man on earth
            ‘cause you’ve got love in your heart
            Lord that’s worth all its weight in gold
            [Guitar solo]
            Ohhh we like to go down
            Well, what you gonna do
            when your troubles sure do get like mine
            I said what you’ gonna do baby
            yeah child when your troubles sure do get like mine
            Well, now you take yourself a mouth full of sugar
            you drink yourself a good old bottle of turpentine
            Well I’m leavin’ here walking girl
            cause runnin’s most too slow
            I said ‘m leavin here this town
            lord cause runnin’s most too slow)
            Well, I gotta find my little rider,
            you know it’s down the road I go
            Well, now I’m leavin’ this town
            Lord I won’t be back for long
            Well, now I’m leavin’ this town
            Lord people I won’t be back… for long
            Well, now I got myself a brand of loving
            child don’t you know it’s sure can not be told

          2. Haha… I haven’t looked at that thing in months.. I think I update it about once a year or so if it’s a good year. I should make it more self-righteous, though.

      2. Cowicide, I know you and I have disagreed about things in the past, but I want you to know that at the end of the day we agree on much more than we disagree :)


  16. While PBS was a bit of a low blow, and counterproductive, I can really get behind the release of documents from funky private-sector fronts for government intelligence agencies. Can In-Q-Tel be next? I would really like to know precisely how much the CIA is pumping into facebook in exchange for poke maps.

  17. Unfortunately, the RAR stored on mediafire appears to be corrupted or malformed. One wonders if this is foul play on mediafire’s part or if they just uploaded a corrupted file in the first place.

  18. Nevermind, disregard that. It’s a zip, named as a rar. These ‘hackers’ can’t even use proper extensions on their archives.

  19. From the quotes it is unclear if Unveillance operates a botnet or is simply sitting on info about how to control one or more existing botnets.

  20. “I do not regret refusing to cooperate with LulzSec. My data is of national security importance. I could not and cannot, in good conscience, agree to release my botnet intelligence to an organization of hackers.”

    Ummm if he’s so good why does he use the same password everywhere?
    And why the 19 minute gap in his irc transcript?

    One wonders if he is as good at disaster control as he was at keeping his own accounts secure.

  21. I think the idea that law enforcement can catch you at will is just wrong. There are plenty of ways to hide your traffic to prevent people from seeing who you are, and where you are. It’s not hard, it’s not ambiguous, and it can be 100% perfect every time.

    Law enforcement isn’t stupid… In general they are more sophisticated than the hackers they are trying to catch or prevent. But it’s easier to hack than to prevent it. Good luck hypothetical law enforcer in your attempts to subpoena that Iranian web host whose box they used as a proxy… And in the highly unlikely event you get that information, it’s likely to connect to a porn server in the Netherlands, or something… And on and on.

    You cross so many lines of jurisdiction, that evidence handling becomes impossible – and some data just isn’t available – you can’t get it once it’s gone. It’s so much easier to get a snitch to tell than to bring a case to court.

  22. The text paste press release from LulzSec seems to indicate that Unveillance does have access to control the botnet. They talk quite disparagingly about the GUI that they built to help them control it.

  23. What a liar this Karim Hijazi!

    Great job LulzSec! You took another corporate parasite down.


  24. “You’re right, they poked the sleeping tiger. Now the sleeping tiger needs to get off its ass and maul these guys.”

    The sleeping tiger looks pretty elderly to me.

    No offense.

  25. As long as bloggers breathlessly suck up to them, they’ll yak and get popped – so keep up the good work!

  26. Cowicide, do be assured that the most crucial federal depts & their contractors do implement PKI for identification and encryption.

    Our dept uses it (obviously not PGP), but we don’t wear gemstones on our jackboots. We’re responsible for eventually neutralizing the lucrative global demand for these “misled” policies and investigations, and eventually putting an end to contracts for designed-to-fail systems that are only keeping the bootlickers licking, and those diamond-studded jackboots clean.
    The irony is palpable, but balancing security and freedom is always a tightrope – in any scope, in any context.

    1. Cowicide, do be assured that the most crucial federal depts & their contractors do implement PKI for identification and encryption.

      Right, but HSPD-12 obviously fails in too many cases and isn’t being properly implemented. I’m not going to endanger anyone’s security by naming anyone or anything, but we only have to look at contractors hit by hackers lately to see some proof in that sloppy puddin’.

  27. LulzSec, you are making this world of ours very entertaining. Keep stickin it to em.

  28. If I were a more suspicious man, I’d start to wonder if the recent spate of high profile hacks and groups triumphantly claiming responsibility as publicly as possible weren’t instigated by the government.

    I say this because it’s become a big thing since Wikileaks proved that it can’t be taken down. The Man is desperately looking for an excuse to clamp down on the free flow of information that is the modern web and by far the best means to do that is to brand the people who seem to take advantage of that freedom as terrorists.

  29. Do not fear power
    Do not fear Evil
    Do not fear misuse
    In the end the truth must be set free.
    Spread the word

  30. I wonder how that offer to pay them went?

    “we’ll give you a million dollars if you don’t leak this information. Now, what’s your full name and address so that we can send the ‘check’?”
