LulzSec frontman Sabu was FBI informant, fed Stratfor docs to Wikileaks from an FBI-owned computer

The Guardian has more on the big hacking news which Fox News broke yesterday (as noted in a post by Rob). "Sabu," the trash-talking, self-appointed leader of LulzSec, has been working for the FBI for the last six months. The FBI says he helped the US and various European governments identify and arrest five alleged LulzSec members charged with participating in defacement, DDOSing, and "doxing" against high-profile government and corporate targets. Sabu (above) is, in now identified as Hector Xavier Monsegur, a 28-year-old unemployed Puerto Rican guy living in New York, and a father of two. He was charged with 12 criminal counts of conspiracy to engage in "computer hacking and other crimes" last year, pled guilty in August, 2011, then "snitched" on his LulzSec friends.

Here's the FBI news release, which notably omits the names of any prosecutors (perhaps for fear of Anonymous attack).

Snip from Guardian story:

His online "hacker" activity continued until very recently, with a tweet sent by him in the last 24 hours saying: "The feds at this moment are scouring our lives without warrants. Without judges approval. This needs to change. Asap."

In a US court document, the FBI's informant – there described as CW – "acting under the direction of the FBI" helped facilitate the publication of what was thought to be an embarrassing leak of conference call between the FBI and the UK's Serious and Organised Crime Agency in February. Officers from both sides of the Atlantic were heard discussing the progress of various hacking investigations in the call.

A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.

The indictments mark the most significant strike by law enforcement officials against the amateur hacker groups that have sprung out of Anonymous. These groups, which include LulzSec, have cost businesses millions of pounds and exposed the credit card details and passwords of nearly 1 million people.


    1. Karma might bite him in the ass yet. He’s got a world full of hackers who now consider him the ultimate traitor and who would probably love to make his life a living hell. It’s going to be a while before he can use a credit card with any confidence.

      1.  28 unemployed felon… yeah not real high on the list for credit card offers.

      2. I would guess his cooperation was had via both stick and carrot. 

        2 kids is a lot of leverage, if he gave a damn about them, which he likely did. Even lousy parents and lousy people will love and do anything for their offspring.

        Probably got a job and some financial security waiting if he follows through to convictions.

    1. What qualifies as a “professional hacking group?”

      If Uncle Sam signs your paychecks.

    2.  Professional hacking groups are typically backed by criminal gangs or other interests who have a lot to gain. They typically do things like stealing industrial secrets and spreading malware and spam.

      1. Professional hacking groups are typically backed by criminal gangs or other interests who have a lot to gain.

        I would put forth that the FBI would qualify on at least the second charge.

    3. What qualifies as a “professional hacking group?”

      The pros usually don’t get caught.  And, they certainly don’t brag about their exploits to anyone, much less tweet about it.

    1. Which neatly explains why “snitches” are treated so harshly by criminal organizations.  Loose lips sink ships and all that.

    2. Considering he became an informant after he was caught, that doesn’t seem entirely accurate. Unless he was caught because of another, earlier informant, I guess.

      “It was revealed that he had been charged with 12 criminal counts of conspiracy to engage in computer hacking and other crimes last summer, crimes which carry a maximum sentence of 124 years and six months in prison. According to indictments filed in a Manhattan federal court, he secretly pleaded guilty on 15 August last year.”

        1.  Huh… Jester isn’t that someone who does some of the same things Sabu and others are accused of doing?
          And hes not in jail why?

          1. Probably because he was able to give them someone more important and better connected than him in exchange.

  1. What I will be very interested to see is what, if any, blowback occurs because of displeasure on the part of some of lulzsec’s victims during the period that sabu was an FBI informant…

    There is some, er, ‘uncomfortable’ history involving FBI mob investigations that ended up involving people being murdered while the FBI was sitting and waiting for all the evidence they wanted. Needless to say, the families of the victims weren’t too happy.

    If I were, say, Stratfor, I would be less than happy to learn that I got owned by an FBI mole, with the assistance of FBI hardware, so that the FBI could build the case that they wanted.

    1. Note that there are many competing entities in that domain, and some of those are advocating very specific agendas, or are convenient dupes for those who source their intel.

      When even bit players in those fields get burned, it’s reasonable to wonder if they lost some kind of power game.

    1.  Thats what I took from this. The FBI is using Sabu (and the others in lulzec) to try to get a record of Assange encouraging or aiding the acquisition of classified documents so that they can then push to extradite him and punish him in the US (probably in a state with the death penalty etc). Its manufacturing evidence in effect. It doesn’t surprise me if this proves to be the case. Hopefully the folks at Wikileaks are canny enough to watch what they say/email/tweet very carefully to avoid any possibility of this.

  2. “These groups, which include LulzSec, have cost businesses millions of pounds and exposed the credit card details and passwords of nearly 1 million people.”

    Still, small price to pay for the side effect of increased gov’t transparency. That affects lives of dozens million people.

    P.S. OK, I know how questionable the POV is.

    1. It’s not all that questionable. The businesses/gov’t entities are at least equally culpable for being irresponsible with the private data entrusted to them.

    2. I’d really like to see the millions of pounds detailed and explained.
      I wonder if the math includes things like hiring PR firm to make us not look like complete fools for not spending a couple bucks to encrypt user data.

      I wonder how much they had previously been on the hook for when others had raided the systems quietly.  Of course there are no records of that, because that module was cut from the budget so we could have a pizza party.

      Many of the “hacks” used were not 0-day, and in at least 1 case (Sony) were publicly posted and discussed.  There was clear evidence their system was not secure, but the cost to them was nothing for not doing anything about it.  It would be impossible at this point to figure out how many times the systems were looted, because it always falls on the person who had their CC “compromised” to figure out the archaic system that defaults to your at fault always.

  3. Do I understand this correctly: The FBI had this guy do things on their behalf that they’re now indicting other people for participating in?

    Directly facilitating criminal activity is a big step from sitting back and allowing criminal activity to happen in order to gather evidence or go after bigger fish.

    1. Pretty much.  It’s just like the ‘terrorists’ that have been caught over the past few years.  

    2. That’s pretty much what an informant does in any criminal situation – pose and participate in illegal activity while reporting the activities.

      1. Sorry, you replied while I was editing to add the second sentence. Poor form on my part. This is why edit buttons in discussion forums suck.

  4. Perhaps one lesson is to assume that secret groups who send out press releases are not likely to remain secret.

    Well, that, and the old cliche that the biggest loudmouth is usually the government plant.

  5. Boy is this confusingly written or what?

    “A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor…”

    “Provided?” I’m assuming he provided “other Lulsec members” with the FBI owned computer.  Is it so hard to say that? 

    “…and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous…”

    So, in addition to allowing a (fake?) conference call to be “leaked”, we’re  left to assume the FBI knew about this huge email leak and allowed it to happen (I guess) in order to link WikiLeaks with Anonymous. 

    Wonder what Stratfor’s clients think of this?

  6. That… hurts to hear.  Both for wikileaks and StratFor.  StratFor’s data was prostituted to get at wikileaks I guess.

  7. Just wondering… Isn’t LulzSec small fry? They’re obvious, and they’re mostly pranksters. They’re not very dangerous compared to attackers who would be extremely malicious and subtle (organized crime or another state). What is the FBI doing about THOSE people?

  8. One wonders if somewhere in the FBI someone is laughing, sending an email to someone at NSA telling them to suck it.

    To avoid some “issues” with the Government gathering intelligence themselves, they are often turning to outside contractors who do not have the same restrictions.

    So here you have Stratfor being taken down, exposed as just an expensive rss feed run through Google translate.
    You have someone from “LulzSec” running the show, in order to let them catch the hackers.
    So they take out some “intelligence” competition, bag some high profile “cyberterrorists” and guarentee their budget for the next year.

    If you were a luddite wouldn’t you think this means the FBI should run our CyberCommand Defense network?

  9. Brzezinski warned that WikiLeaks was being fed doctored leaks a while back.

    The FBI collusion would explain why the StratFor emails weren’t especially interesting, omitting as they did, StratFor’s persistent yearly claims that Iran is 1-2 years from having nukes.

    1. Once Monsegur is over at Homeland Cybersecurity protecting power grids, he’ll get a new identity and a town car with a 6’5″ driver.

  10. I do love how several Anonymous are now telling the SQL injectors (aka script kiddies) to stop boasting online about their activity. How about just not releasing personal data at all, you stupid cyber terrorists? Oh wait, that would require morals and sound judgement and empathy for your fellow human beings! Sorry.

    1.  While releasing the personal data isn’t very nice consider for a moment… without spilling the contents, the media would ignore it.  The hacked company would claim it was all just faked, to make them look bad.  Other hackers who do this professionally would keep accessing the systems and grabbing data here and there to use, and then someone would say it must be Anon’s using the data.
      The public release of the data means there is a point you can show your CC company that your number got out there through no fault of your own.  (Anyone wonder if Sony got blocked from accepting credit cards for not even being remotely PCI compliant?)
      It was a fun reminder that using your bestest favorite password on every site is bloody well stupid.

      Morals, Sound Judgement, Empathy for other human beings… those are lacking from the people in charge and the people being hacked.  If they cared, or faced any punishment for NOT protecting their customers, maybe they would show some.

      You call them cyber terrorists, I don’t see how that is the correct term.  I mean I guess maybe because corporations are people now they could be terrorizing them for not having any concern for other non-corporate people.  A majority of what they do, when not seen via the filter of Faux News, is cyber protesting.  But dissension and questioning authority now seems to be a crime.

        1. If you want to ignore the damage done previously by those who had been in and out of the systems gathering the information beforehand.  To assume that LulzSec was the first and only group to ever gain access to these systems is laughable.  Sites selling CC#’s don’t populate themselves.

          If you want to ignore that the most basic of protections would have made it nearly impossible for LulzSec to leak anything.

          LulzSec – Evil because they posted my email and password!!!!

          Corporation they got those details from – poor innocent victim, who didn’t give enough of a damn about their customers to even use the crappiest encryption.

          I see more anger at LulzSec than at the companies who failed to do anything.  Personally I was entertained to see all of the official government email addresses registered at that porn site they hacked.

          LulzSec was the messenger, why does everyone hate on the messenger?

        2. Well, with proper protection maybe it would have been impossible for Lulzsec to get their data. The only difference between Lulzsec and any other hackers is Lulzsec anounces their hacks, while other hackers would just shut up and exploit the CC infos etc. 
          From that point of view, Lulzsec is even the “friendlier” hacking collective because through publicizing their hacks they allow you to take countermeasures.
          It’s okay to be angry at Lulzsec too, if your data they leaked was then exploited. But you should also be angry about those you trusted with your data and which obviously neglected even basic security measures.

          It’s like giving a friend your wallet to look after while you go swimming, and then it gets stolen because your friend went to the tiki bar and left your wallet back at the beach, only tucked under his towel. 

  11.  P.S. Please don’t take my previous comment as an endorsement for so-called cyber crime bills. Those bills are just as bad for leaving personal data vulnerable, except it’s worse because the stupid cyber terrorist perpetrators are getting paid good old tax dollars to mess with your stuff.

Comments are closed.