It was September 2010, and for a couple of years now the Anonymous phenomenon had vanished from news headlines. Raids were small, petty assaults on other sites, mostly carried out by chans or /b/ itself. Very little was happening on IRC, either. The thousands who had piled into #xenu had moved on, put off by the internal discord, their interest lost in the novelty.
On September 8, an article about an Indian software company called Aiplex started getting passed around online. Girish Kumar, Aiplex’s CEO, had boasted to the press that his company was acting as a hit man for Bollywood, India’s booming film industry. Aiplex didn’t just sell software. It was working on behalf of movie studios to attack websites that allowed people to download pirated copies of their films.
Recently, for instance, it had launched DDoS attacks against several torrent sites, including the most famous of them all, The Pirate Bay. Founded in 2003, The Pirate Bay was the most popular and storied BitTorrent site on the net, a treasure trove from which anyone could illegally download movies, songs, porn, and computer programs. Aiplex had used a botnet to flood The Pirate Bay with traffic, overload its servers, and temporarily shut it down. Kumar had explained that when torrent sites didn’t respond to a notice from Aiplex, “we flood the website with requests, which results in database error, causing denial of service.”
Tech bloggers and journalists already suspected that antipiracy groups were DDoSing torrent sites like The Pirate Bay, but Kumar’s admission was the first proof. It was still a shocking admission; DDoSing was illegal in the United States, having sent Brian Mettenbrink to jail for a year. Now the Indian company was openly boasting of using the same method.
Soon enough, users on /b/ started discussing the news. It turned out that lots of people wanted to hit back at Aiplex. A few started pasting an everyone-get-in-here link to a channel on IRC for proper planning. This time, there weren’t thousands piling in like they had done with #xenu. Fighting copyright wasn’t as sexy as hitting a shady religious group that suppressed a video of Tom Cruise. But piracy was popular among /b/ users, and, soon enough, roughly 150 people had entered the new IRC channel, game for Anonymous to give Aiplex a taste of its own medicine.
Coordinating an attack would not be easy. By now, IRC network hosts had become more aware of Anonymous and would quickly shut down a chat room if they thought people were using it to discuss a DDoS attack. To deal with this, the Anons jumped from IRC network to IRC network, pasting links to the new rooms on 4chan and Twitter each time they moved so others could follow. No one was appointed to find the new locations; whenever the group had to move, someone would find a new network and make a channel. The channels were always innocuously named so as not to attract attention, but the regular channel for attacking Aiplex was called #savethepb, with “pb” abbreviating Pirate Bay.
After some planning, the group launched its first DDoS attack on Aiplex on September 17 at 9:00 p.m. eastern standard time. Just as they had hoped, the software company’s website went dark—and remained so for twenty-four hours. Feeling confident, the Anons quickly broadened their attack, posting digital flyers on /b/ so others could use LOIC against another organization trying to end piracy: the Recording Industry Association of America, or RIAA. The tech blog TorrentFreak.com posted a news article headlined “4chan to DDoS RIAA Next—Is This the Protest of the Future?” The group then hit another copyright organization, the Motion Picture Association of America (MPAA).
Two days later they began circulating a message to the media, saying that Anonymous was avenging The Pirate Bay by hitting copyright associations and “their hired gun,” Aiplex. They called the attacks “Operation: Payback Is A Bitch” and claimed to have taken down Aiplex thanks to a “SINGLE ANON” with a botnet.
“Anonymous is tired of corporate interests controlling the internet and silencing the people’s rights to spread information,” the letter said, adding, “Rejoice /b/brothers.”
In unashamedly romanticizing pirated movies and music, they were also positioning Aiplex’s attacks on The Pirate Bay as “censorship,” giving their fight-back broader appeal. For the first time in two years, it looked like Anonymous might be onto another major project after Chanology, and the spark had been that all-important provocation in hacker culture: you DDoS me, I DDoS you.
It was around this time that Tflow, the quiet hacker who would later bring together Sabu, Topiary, and Kayla, read the TorrentFreak article and jumped into his first Anonymous operation. It would later emerge that the person behind Tflow lived in London and was just sixteen years old. He never talked about his age or background when he was online.
“I thought it was a good and unique cause,” he later remembered. “Of course, DDoS attacks got boring after that.” What Tflow meant was that he was more interested in finding ways that Anons could disrupt antipiracy organizations other than knocking their sites offline. He hopped into #savethepb to observe what other supporters were saying and was pleasantly surprised. A few people appeared to have as much technical knowledge as he did. After Tflow approached a few privately and they met in a separate IRC channel, the smaller team started looking for vulnerabilities in antipiracy groups and found one in the website CopyrightAlliance.org.
About a week after the DDoS attack on Aiplex, the hackers in Tflow’s group carried out the first SQL injection attack in their campaign, possibly one of the first to be committed under the banner of Anonymous. They hacked into the CopyrightAlliance.org Web server and replaced the site with the same message used on September 19, “Payback Is A Bitch.” Defacing a site was harder to do than carrying out a DDoS attack—you had to get root access to a server—but it had a bigger impact. They then turned CopyrightAlliance.org into a repository for pirated movies, games, and songs, including, naturally, “Never Gonna Give You Up” by Rick Astley, and Classic Sudoku. They also stole 500 megabytes of e-mails from London copyright law firm ACS:Law and published them on the same defaced site.
Tflow and the others were all the while herding supporters from place to place. Between September and November 2010, he helped move roughly three hundred regular chat participants between ten different IRC networks so that they could keep collaborating.
“We chose whatever IRC we could go to really,” Tflow later recalled. “There weren’t that many options. Not many IRCs allow DDoS attacks.”
The group of organizers then created what would become a very important private channel, #command. Like #marblecake, it was a place to make plans without distraction. They started making digital flyers and inviting new people to join this new, broader battle against copyright, DDoSing legal firms, trade organizations, even the website of Kiss bassist Gene Simmons. Soon it looked like Anonymous was hitting benign targets—for instance, the U.S. Copyright Office—and the public support they’d been getting on blogs and Twitter was waning. By November 2010, the Anons themselves were losing interest, and only a few dozen were still talking in the Operation Payback chat room. The campaign had gone into hiatus.
With more time to focus, some of Operation Payback’s organizers started working on the first-ever communications infrastructure for Anonymous. Scattered between Britain, mainland Europe, and the United States, these mostly young men pooled their access to ten computer servers around the world. Some had rented the servers, some owned them, but with them they could make a chat network that Anonymous could finally call home. No more herding hundreds of people between different places before getting kicked off. That month they established what they called AnonOps, a new IRC network with dozens of chat rooms just for Anons, some public and some private. One of the first people to check it out was Topiary.
By now Topiary was almost eighteen and, in the offline world as Jake, had moved out of his mother’s home on the tiny island of Yell. He lived in a small, government-financed house in Lerwick, the capital of Shetland Mainland, and had been out of the education system for four years. Lerwick was more modern than Yell, but not by much. There were still no fast-food restaurants, no big department stores. It was a cold, windswept place with patches of green fields, craggy brown cliffs, and gray stone ruins dotting its rolling hills. Jake knew hardly anyone here, but he preferred to be on his own anyway.
His home was part of an assortment of chalet-style wooden houses on a hillside about a twenty-minute walk from the center of Lerwick, in an area known as Hoofields. Drug raids by the police were common on his street, some of his neighbors being avid heroin users. Jake’s house was small, yellow, and comprised one story, with a large living room and kitchen on one side and a bathroom and bedroom on the other. The front yard occasionally saw daisies in the spring, and in the back was a shed where he kept an old fridge—one that still smelled from when he accidentally left it filled with raw salmon, without power, for three weeks. He had bought all his furniture from local people, often benefiting from the good deals that could be found in a tight-knit island community. His cooker, for instance, had originally cost five hundred pounds (about eight hundred dollars), but he bought it off a family friend for twenty-five pounds (roughly forty dollars).
Jake had found a part-time job in an auto store and was just about getting by. He still looked forward to being online where most of his friends were and still got a small thrill from doing prank calls.
One evening while visiting his mother, Jake took a phone call from a man who claimed to be a friend of his father’s. This was a shock. Jake hadn’t spoken to his father for years. There had been occasional phone calls on his birthday, but even those had petered out after he turned thirteen. It was strange to suddenly be hearing about him. The man asked if he could take down Jake and his brother’s cell phone numbers, adding that his father wanted to get in touch with both of them. Apparently, he felt bad about something. His brother didn’t want to talk, but Jake gave the man his own number to see what would happen.
For several weeks, Jake kept his phone charged at all times and next to his bed when he slept, but there was no call. Then in mid-October, a week after his eighteenth birthday, a call came from his father’s friend again, this time with the weight of bad news in his voice. The man apologized for what he was about to say and then explained: Jake’s father was dead. He explained that in the preceding weeks, Jake’s father had sat at home for hours trying to make himself pick up the phone.
“But he didn’t have the confidence,” the man said, adding that, “instead,” he had killed himself. Jake wasn’t quite sure what to think. He felt numb at first. His father hadn’t been a member of the family, so in one way, Jake didn’t need to care or feel upset. When he asked how it had happened, the friend explained that his father had gassed himself, opening the double doors of a church garage late one night, driving inside, and turning the car on.
It was a surreal image. For the first two days after the phone call Jake felt angry. It seemed almost selfish of his father to ask for his number and suggest that he would call, almost as if he wanted Jake to pay attention to what was really about to happen. With more consideration, though, he realized he was probably wrong, and that his father may not have meant to hurt him.
Jake continued his online gaming and visits to 4chan, and a month later discovered the new chat network that had been set up for Anonymous: AnonOps IRC. Intrigued, he signed on, picking the name Topiary, and tried to get a better sense of how he could join in. He didn’t see himself as an activist, but Operation Payback sounded well organized and potentially influential. He had no idea that, even though the anticopyright battle was dying, Operation Payback was about to explode with support for a little organization called WikiLeaks.
Jake, now as Topiary, explored the AnonOps chat rooms while a former, widely revered hacker from Australia named Julian Assange was getting ready to drop a bombshell on the American government. Earlier in 2010, a U.S. army private named Bradley Manning had allegedly reached out to Assange and given his whistleblower site, WikiLeaks, 250,000 internal messages, known as cables, that had been sent between American embassies. These diplomatic cables revealed American political maneuverings and confidential diplomatic reports. In exposing the documents, Assange would hugely embarrass American foreign policy makers.
The WikiLeaks founder had struck deals with five major newspapers, including the New York Times and the U.K.’s Guardian, and on November 28, 2010, they started publishing the cables. Almost immediately, Assange became both a global pariah and a hero. Until then, WikiLeaks had been moderately well known for collecting leaked data pointing to things like government corruption in Kenya or the untimely deaths of Iraqi journalists. But exposing private data from the American government sparked a whole new level of controversy. U.S. news commentators were calling for Assange to be extradited, charged with treason, even assassinated. Former Alaskan governor Sarah Palin said the United States should pursue Assange with the same urgency as it did the Taliban, while Fox News commentator Bob Beckel, live on television, suggested someone “illegally shoot the son of a bitch.” Secretary of State Hillary Clinton said the leaks “threatened national security,” and U.S. State Department staff were barred from visiting the WikiLeaks website.
WikiLeaks.org quickly came under attack. An ex–military hacker nicknamed The Jester DDoS’d the site, taking it offline for more than twenty-four hours. Jester was a self-styled patriotic hacker who had been known for attacking Islamic jihadist websites; later he would become a sworn enemy of Anonymous. Now he claimed on Twitter that he was hitting WikiLeaks “for attempting to endanger the lives of our troops.”
To try to stay on the web, WikiLeaks moved its site to Amazon’s servers. It was booted offline again, with Amazon claiming it had violated its terms of service on copyright. The rebuffs kept coming: a hosting firm called EveryDNS yanked out its hosting services for WikiLeaks. On December 3, online payments giant PayPal announced it was cutting off donations to the site, saying on the official PayPal blog that it had “permanently restricted the account used by WikiLeaks due to a violation of the PayPal Acceptable Use Policy.” Soon MasterCard and Visa cut funding services.
It is doubtful that anyone from these companies had any idea that a brand of Internet users known for pranking restaurant managers, harassing pedophiles, and protesting the Church of Scientology would suddenly team together to attack their servers.
The people who had set up AnonOps were talking about the WikiLeaks controversy in their private #command channel. They were angry at PayPal, but, more than that, they saw an opportunity. With Anons no longer riled up about copyright, this could be the cause that brought them back in droves. The copyright companies had been bad, but PayPal snubbing WikiLeaks was even worse. That was an unholy infringement on free information in a world where, according to the slogan of technology activists, “information wants to be free” (even if it was secret diplomatic cables). The victimization of WikiLeaks, they figured, would strike a chord with Anonymous and bring hordes of users to their new network. It was great publicity.
Who were these people in #command? Known also as “operators” of the new chat network, they weren’t hackers per se but computer-savvy individuals who maintained the network and who would play a crucial role in organizing ad hoc groups of people, large and small, over the coming weeks. Many of them got a kick out of hosting hundreds of people on their servers. It was often argued that these operators, who had names like Nerdo, Owen, Token, Fennic, evilworks, and Jeroenz0r, were the true, secret leaders of Anonymous because of the power they could wield over communication. They avoided culpability for what Anonymous did, though, in the same way that Christopher “moot” Poole avoided litigation by claiming he was not responsible for what happened on 4chan.
Now, though, the operators were doing more than just maintaining the chat network. They were organizing an attack on the PayPal blog, where the company had made its announcement about WikiLeaks. On Saturday morning, December 4, the day after PayPal said it would cut funding, the AnonOps organizers DDoS’d thepaypalblog.com. The blog went down at 8:00 a.m. eastern standard time.
Soon after, the Twitter account @AnonyWatcher posted “TANGO DOWN—thepaypalblog.com,” adding: “Close your #Paypal accounts in light of the blatant misuse of power to partially disable #Wikileaks funding. Join in the #DDoS if you’d like.”
PayPal’s blog remained offline for the next eight hours. Anyone who visited it saw a white screen and the “error 403” message “Access forbidden!” in large type.
The next day, Sunday, someone posted an announcement on Anonops.net, the official website for AnonOps IRC, saying that Anonymous planned to attack “various targets related to censorship” and that Operation Payback had “come out in support of WikiLeaks.”
At around the same time, a digital flyer was being circulated on image boards and IRC networks, with the title Operation Avenge Assange and a long note that stated, “PayPal is the enemy. DDoS’es will be planned.” It was signed, “We are Anonymous, We do not forgive, We do not forget, Expect us.”
These flyers came from new channels on AnonOps called #opdesign and #philosoraptors, which later combined to make #propaganda. Here, anyone who wanted to help with publicity collaborated on writing press releases and designing digital flyers to advertise future attacks. Others would then post the flyers all over 4chan and Twitter. Another channel, #reporter, was where Anons could answer the questions of any bewildered journalists who had figured out how to access IRC. Topiary was jumping between the publicity channels, more interested in spreading the word than firing weapons.
At around 5:00 p.m. eastern standard time on Monday, December 6, the organizers from AnonOps started DDoSing PostFinance.ch, a Swiss e-payment site that had also blocked donations to WikiLeaks. The site would stay down for more than a day.
The attack was “getting in the way of customers doing business with the company,” Sean-Paul Correll, a researcher with Panda Security, said in a blog post that day. Correll, who was on the West Coast of the United States, stayed up into the early hours to monitor the attacks, which seemed to keep coming.
That day, nine hundred people suddenly jumped into #operationpayback, the main public chat room on AnonOps IRC, which had been quiet for months. About five hundred of these people had volunteered their computers to connect to the LOIC “hive.” By now LOIC had an automatic function; you only needed to set it to hive mode and someone in #command would set the target and time. They would type simple instructions into their configured IRC channel—“lazor start” and “lazor stop.” Normal users didn’t have to know who the target was or when you were supposed to fire. They could just run the program in the background.
At 2:00 p.m. eastern standard time on Tuesday, AnonOps started attacking the website of Swedish prosecutors against Assange, who was now looking at extradition to Sweden where he faced questioning for sexual misconduct against two women in that country. Many in Anonymous saw the case as a whitewash. Once again, some five hundred people were using LOIC, and now more than a thousand people were in the main chat channel. At 6:52 p.m., AnonOps announced a new target: EveryDNS.com, the server provider that had yanked the rug from under WikiLeaks.org. One minute later, that site was down. At 8:00 p.m. the target switched to the main site of Senator Joseph Lieberman, the chairman of the U.S. Senate Homeland Security and Governmental Affairs Committee, which had first pushed Amazon to stop hosting WikiLeaks. All of these sites were going down for minutes or sometimes hours at a time, one by one, like dominoes.
By the early hours of December 8 on the West Coast, Correll had tallied ninety-four hours of combined downtime for these sites since December 4. The worst-hit were PostFinance and the PayPal blog. But this was just the beginning.
Word was spreading that if you wanted to help WikiLeaks, all the action was happening on AnonOps IRC. Newcomers could get a quick overview of what was happening from different chat rooms: #target was for talking about future or current attacks and #lounge was a place to just shoot the breeze. In #setup, new recruits could find a link to download LOIC and get help using it from experienced users.
The room contained a link to a digital flyer with step-by-step instructions titled “HOW TO JOIN THE FUCKING HIVE—DDoS LIKE A PRO.”
(If your broadband kept cutting out, LOIC wouldn’t work properly.)
Things were moving quickly. Topiary had now gained higher “operator” status in the publicity channels, which gave him the ability to kick out participants and a generally louder voice in the room. His enthusiasm, ideas, and witty remarks caught the attention of one of the AnonOps operators in #command, and they sent Topiary a private message inviting him into a secret command channel, which Topiary had never heard of. Intrigued, he went in.
Here the operators were talking excitedly about all the new volunteers and media attention they were suddenly getting. They decided to pick a bigger target: the main PayPal website. They quickly chose dates and times and pasted the coordinates at the top of the main IRC channels, then tweeted them. Topiary and the others in #command expected that the call to arms would get stronger feedback than usual, but nothing prepared them for what happened next.
On December 8, just four days after AnonOps had first hit the PayPal blog, the number of visitors to AnonOps IRC had soared from three hundred to seventy-eight hundred. So many people were joining at once that Topiary’s IRC client kept freezing and had to be restarted. Lines of dialogue between people in the main channel, still named #operationpayback, were racing up the screen so quickly it was almost impossible to hold a conversation. “It was mind-blowing,” Topiary later remembered. “Insane.”
“Do you think this is the start of something big?” someone called MookyMoo asked amid the flurry in the main channel.
“Yes,” replied an operator named shitstorm.
Jokes were often being cracked about how the mainstream press had started reporting the attack. “They’re calling us hackers,” said one called AmeMira.
“Even though we don’t really hack,” another, called Lenin, replied.
The IRC network itself was seizing up because of the flood of users. “Are we being attacked or are there just too many people on this server?” one participant asked. Once the LOIC network itself was crashing, newcomers were told to set their “cannons” on manual mode, directly typing the target address and clicking “IMMA CHARGIN MAH LAZAR.”
At around the same time, Topiary watched two very important people enter the private #command room. Their nicknames were Civil, written as {Civil}, and Switch. These were botmasters. Each had control of his own botnet, Civil with fifty thousand infected bots and Switch with around seventy-five thousand. Anons who owned botnets could expect to be treated with unusual reverence in Anonymous—with only a few clicks they had the power to bring down a website, IRC network, whatever they wanted. Switch had the bigger ego and could be unbearable to talk to at times.
“I have the bots, so I make the shots,” he would say.
Everything was controlled on IRC. Civil and Switch even controlled their botnets from private chat rooms with names like #headquarters and #thedock. The latter was fitting, since bots were often referred to as “boats,” as in “How many boats are setting sail?” And in the public channel, the thousands of new visitors only had to type “!botnum” and press enter to see how many people were using LOIC. The day before, December 7, the number of people joining the hive option of LOIC had been 420. For the attack on PayPal on December 8, it was averaging about 4,500.
Topiary noticed that Civil and Switch had their botnets prepared to help the attack but that they were waiting for the hordes with LOIC to fire first. Launch time was 2:00 p.m. GMT, when most people in Europe were at their desks and America was just getting into the office. With minutes to go, supporters and IRC operators posted out a flurry of tweets, links to digital posters, and posts on 4chan reminding everyone: “FIRE AT 14:00 GMT.” When 2:00 p.m. finally came around, the IRC channels, Twitter, and 4chan exploded with *FIRE FIRE FIRE FIRE* and FIIIIIRE!!! Along with all the junk traffic, the LOIC hive configured a message to PayPal’s servers: “Good_night_Paypal_Sweet_dreams_from_AnonOps.”
There was a rush of excitement as thousands of copies of LOIC all over the world started shooting tens of thousands of junk packets at PayPal.com, putting its servers under sudden pressure that seemed to be coming out of nowhere.
“If you are firing manually, keep firing at ‘api.paypal.com:443,’” a user called Pedophelia kept saying over and over in the main channel. “Don’t switch targets, together we are strong!”
An IRC operator nicknamed BillOReilly was in a chat room called #loic. Here he could steer the hive of LOIC users from all over the world to attack whatever website was next on the hit list. Anyone who looked in the channel saw a long list of each person who was using LOIC in the attack. Each participant was identified by six random letters and the country his or her computer was in (though many had spoofed that with proxy servers, essentially an intermediary computer, to avoid detection). The countries with the greatest number of participating computers were Germany, the United States, and Britain.
A few minutes into the attack, the IRC operators checked PayPal.com and found that the site was now running slowly—but technically it was still up. There followed much confusion in the horde. Was something wrong with LOIC or AnonOps, or did PayPal have DDoS protection that was too strong?
“The attack is NOT working,” someone named ASPj wrote to Kayla—a name Topiary didn’t recognize yet—in the main chat room. “I repeat, PAYPAL IS NOT DOWN.”
No one outside of #command knew this, but they needed Civil and Switch.
“Let’s add on a few thousand bots,” someone in #command said. Civil knew what he had to do. He typed in commands for all of his bots to join up to his botnet. The operator evilworks messaged Topiary. “Check out these bots,” he said, inviting him into Civil’s botnet control room, eager to show it off.
In the botnet control room, which was like any other chat channel, Topiary could see a list of Civil’s bots suddenly running down the screen in alphabetical order as they started up around the world. There were a few hundred in the United States, a few hundred more in Germany; all were invisibly connected to this IRC channel. Each bot had a nickname like:
[USA | XP] 2025
[ITA | WN7] 1438
It was very similar to the list that BillOReilly was seeing in his room, except these were computers that were infected with a virus that had linked them to Civil’s botnet. These were not voluntary participants. None of the computers in this room belonged to people who wanted to be part of the attack. They were, as the phrase went, zombie computers.
If one of the bots suddenly turned off, it was probably because a random person in Nebraska or Berlin had switched off his or her computer for the day, and the list would go down by one. Civil thus didn’t like using all fifty thousand of his bots at once; instead, he switched between a few thousand every fifteen minutes to let the other ones “rest.” Once the botnet was firing, the people behind each infected computer would notice that their Internet connection had become sluggish. Thinking there was a router problem, they’d usually start fiddling with their connection or switching off altogether. Constantly refreshing the bots ensured their owners didn’t switch off or, worse, call the IT guys. (Incidentally, some believed that the best people to infect with viruses so they could join into botnets were those on /b/—they left their computers on all day.)
Civil gave the command to fire. It looked something like this:
!fire 30000 SYN 50 296.2.2.8
A SYN was a type of packet, and this meant flooding PayPal.com with thirty thousand bots at fifty packets each for thirty seconds. The type of packet was important because simply flooding a server with traffic wasn’t always enough to take it offline. If you think of a server like a call center manned by hundreds of people, sending “ping” packets was like calling them all and simply saying “Hello” before hanging up. But sending “SYN” packets was like calling all the workers and staying on the line saying nothing, leaving the other end repeatedly saying “Hello?” The process sent thousands of requests, which the server could not ignore, then left it hanging.
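The call-center analogy above, seen from the server's side: an added example, not part of the original text, that models a listener's queue of half-open connections and the completion-rate check a defender would run on it. The `Listener` class, the backlog of 8, the 30-second timeout and the trace are all constructed for illustration, and nothing is sent on a network.

```python
from collections import OrderedDict


class Listener:
    """Toy model of a TCP server's half-open (SYN) queue. No network I/O."""

    def __init__(self, backlog=8, syn_timeout=30.0, syn_cookies=False):
        self.backlog = backlog            # max half-open connections held
        self.syn_timeout = syn_timeout    # seconds before a half-open entry is dropped
        self.syn_cookies = syn_cookies    # answer statelessly when the queue is full
        self.half_open = OrderedDict()    # peer -> time its SYN arrived
        self.stats = dict(pings=0, syns=0, established=0, refused=0, expired=0)

    def _expire(self, now):
        for peer, seen in list(self.half_open.items()):
            if now - seen >= self.syn_timeout:
                del self.half_open[peer]
                self.stats["expired"] += 1

    def on_ping(self, now, peer):
        # Echo request: answered at once, nothing is remembered afterwards.
        self.stats["pings"] += 1

    def on_syn(self, now, peer):
        """Return True if the server answers with a SYN-ACK."""
        self._expire(now)
        self.stats["syns"] += 1
        if len(self.half_open) < self.backlog:
            self.half_open[peer] = now    # hold a slot while waiting for the ACK
            return True
        if self.syn_cookies:
            return True                   # SYN-ACK sent, no slot consumed
        self.stats["refused"] += 1        # queue full: the caller gets no answer
        return False

    def on_ack(self, now, peer):
        """Final ACK of the handshake; True if the connection is established."""
        self._expire(now)
        known = self.half_open.pop(peer, None) is not None
        # Assumption: with cookies on, the ACK carries a cookie that validates.
        if known or self.syn_cookies:
            self.stats["established"] += 1
            return True
        return False


def replay(events, rtt=0.1, **listener_options):
    """Feed (time, kind, peer) events to a fresh Listener and return its stats."""
    srv = Listener(**listener_options)
    for now, kind, peer in events:
        if kind == "PING":
            srv.on_ping(now, peer)
        elif kind == "SYN":               # sender never answers the SYN-ACK
            srv.on_syn(now, peer)
        elif kind == "CONNECT":           # real client: completes if answered
            if srv.on_syn(now, peer):
                srv.on_ack(now + rtt, peer)
    srv._expire(float("inf"))             # count whatever is still half-open
    return srv.stats


def looks_like_syn_flood(stats, min_syns=10, max_completion=0.5):
    """Flag a window in which most SYNs never became connections."""
    if stats["syns"] < min_syns:
        return False
    return stats["established"] / stats["syns"] < max_completion


def sample_trace(noise_kind):
    """Constructed trace: 20 noise packets in two seconds, then two real clients."""
    trace = [(i * 0.1, noise_kind, ("198.51.100.%d" % (i + 1), 40000 + i))
             for i in range(20)]
    trace.append((5.0, "CONNECT", ("192.0.2.10", 51000)))
    trace.append((40.0, "CONNECT", ("192.0.2.11", 51001)))
    return trace


if __name__ == "__main__":
    for label, kind, opts in [("pings", "PING", {}),
                              ("SYNs", "SYN", {}),
                              ("SYNs + cookies", "SYN", {"syn_cookies": True})]:
        stats = replay(sample_trace(kind), **opts)
        print(label, stats, "flood?", looks_like_syn_flood(stats))
```

In the plain SYN run the client arriving at five seconds is refused because every slot is held by a caller who never speaks; with `syn_cookies=True` the same client connects, since the server keeps no state until the final ACK returns.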
Within a few seconds the PayPal site had gone down completely. It would stay down for a full hour. The thousands of Anons in #OpPayBack cheered at having taken down the world’s biggest e-payment website. Mainstream news sites, from the BBC to the New York Times to the Guardian, reported that the “global hacking group” Anonymous had brought down PayPal.
Panda Security’s Correll hopped on IRC using the nickname muihtil (lithium spelled backward) and sent a message to Switch himself, asking about the size of his botnet and clarifying that he was a security researcher. Switch was surprisingly happy to answer that his friend (presumed to be Civil) had helped in the attack by offering thirty thousand bots, while there had been five hundred in the LOIC hive, and that Switch himself had attacked with thirteen hundred bots.
What this confirmed was that around 90 percent of all the firepower from the attack on PayPal.com had come not from Anonymous volunteers but from zombie computers.
Topiary quietly started thinking about the true power of the hive. When he had joined the #command channel two days earlier, he had thought that the Anonymous DDoS attacks were primarily caused by thousands of people with LOIC, with backup support from the mysterious botnets. Now he realized it was the other way around. When it came to hitting major websites like PayPal.com, the real damage came from one or two large botnets. Thousands of LOIC users could have taken down a smaller site like Scientology.org, but not the planet’s biggest e-payment provider. In practice, finding someone willing to share his botnet was more useful than getting thousands of people to fire LOIC at the same time.
Correll’s observations were reported by Computerworld.com but largely ignored by the mainstream media. Someone nicknamed skiz pasted a link to the story in the AnonOps main chat room, saying skeptically, “They claim Anonymous used a 30,000 person botnet. :D.” Most of these eager volunteers did not want to believe that botnets had more firepower than their collective efforts.
The operators in #command did not like to advertise it, either. Not only could that information put off others from joining, but it could bring unwanted attention to their channel, both from other hackers and from the police. But Civil and Switch continued bragging about how large and powerful their botnets were. Spurred on by the media reports and their audience in #command, they were eager to show off again. The operators agreed that since they had the power to launch another attack, they should. They duly planned a second attack on PayPal for December 9. Once again they chose the morning—eastern standard time—to get the attention of American Internet users and the media.
This time, though, there was less enthusiasm and coordination. Only a day had passed since seventy-eight hundred people had been in the main AnonOps chat room, but the numbers using LOIC had started tapering off. Then, when it came time to fire on PayPal a second time, volunteers in the chat room, #operationpayback, were told to wait. They were not told why. Topiary was also in #command waiting for the attack to happen so he could write his first press release. The problem was that in some unknown part of the world Civil was still sleeping.
“Do we have anything to write about?” asked Topiary. “Because nothing’s happened.”
“No, we have to wait for Civil to come online,” was the reply.
An hour later, Civil finally signed into #command and made a few grumpy remarks. As the operators told the hive to fire their (largely ineffective) cannons, Civil turned on his botnet and took down PayPal.com. He then signed off and went to have his breakfast.
As Topiary watched, the secret power of botnets was reconfirmed. The botnets had boosted the first PayPal attack, since the hive was so big, but the second time around just one botnet had done all the work. The second attack also wouldn’t have happened if Civil had not been bragging. But the operators still wanted Anonymous and the media to think that thousands of people had been responsible. Ignoring these uncomfortable truths, Topiary wrote up a press release about the “hive” striking back.
After the second PayPal attack, there was more bragging from Civil and Switch and the AnonOps operators told them they could hit MasterCard.com on December 12. They broadcast the date and time of the attack across the Internet, knowing that, with the botnets doing most of the work, it would be fun but not crucial to get another horde of people firing. This time around, only about nine hundred people had hooked up their LOICs to the AnonOps chat network and fired on MasterCard.com. It didn’t matter. Thanks to Civil and Switch, the website for one of the world’s biggest financial companies went down for twelve hours, and right on schedule.
Over time, a handful of other people with botnets would help AnonOps. One of them was a young hacker named Ryan. His real name was Ryan Cleary, and he was nineteen and living with his parents in Essex, England. In the offline world, Ryan, who would later be diagnosed with Asperger syndrome, rarely left his room, taking dinner from a plate that his mother would leave outside his bedroom door. But his dedication to becoming powerful online had paid off; over the years he amassed servers and what he claimed was a 1.3 million-computer monster botnet. Other online sources put the number at a still-enormous one hundred thousand computers. Though he rented the botnet, he also sublet it for extra cash.
Like Civil and Switch, Ryan was happy to brag about his botnet to operators and hackers and keep its true power a secret from new volunteers. Later in February, for instance, when about fifty people on AnonOps announced they were attacking small government websites in Italy, Ryan quietly used his botnet for them. As the attacks were happening, whenever anyone typed “!botnum” to learn the number of people using LOIC, it would say 550.
“Did you just add 500 computers to your botnet?” Topiary would privately ask Ryan.
“No,” Ryan would reply. “I just changed the LOIC commands to make it look like 512 people were using it.” What this meant was that Ryan not only wielded the real firepower, he was deliberately manipulating other Anons so that they would think they were causing the damage instead. It was not hard to do this. If you were controlling the network of LOIC users, you could spoof the number of people using the tool by typing +500 or even +1000 into the corresponding IRC channel. This ability to fake numbers was an open secret in #command, but people brushed the topic aside whenever it came up. Anonymous was “Legion,” after all.
“It didn’t seem sketchy at all,” said one source who knew about the botnets being used to support AnonOps in December 2010 and January 2011. “More fun trickery I guess.” The upper tier of operators and botnet masters also did not see themselves as being manipulative. This is partly because they did not distinguish the hive of real people using LOIC from the hive of infected computers in a botnet. In the end they were all just numbers to them, the source added. If there weren’t enough computers overall, the organizers just added more, and it didn’t matter if they were zombie computers or real volunteers.
Botnets, not masses of volunteers, were the real reason Anonymous could successfully take down the website of PayPal twice, then MasterCard.com for twelve hours on December 8 and Visa.com for more than twelve hours on the same day. According to one source, there were at most two botnets used to support AnonOps before November 30, rising to a peak of roughly five botnets until February, before the number of botnets went down to one or two again. Only a handful of people could call the shots with bots. For the most part, they were not lending their firepower for money. “People offered things because they believed in the same idea,” claimed the source. More than that, they liked showing off how much power they had.
Naturally, with ego such a big driver of the early December attacks, discussions in #command soon broke down. After Civil, Switch, and the nine hundred people fruitlessly using LOIC hit MasterCard.com, the small group in #command decided, on a hubristic whim, to attack Amazon.com the next day, December 9, at 10:00 a.m. eastern standard time. That’s when the operators realized that Civil and Switch had disappeared.
The operators pushed the attack time to December 9 at 2:00 p.m., hoping the botmasters would return. At 1:30 p.m., the entire AnonOps IRC network went down. It turned out that Civil and Switch had been squabbling with some of the operators in #command and were now using their botnets to attack AnonOps in retribution. When the IRC network came back online about an hour later with a few hundred participants, nobody wanted to attack Amazon anymore. There weren’t enough bots and there didn’t seem to be a point.
Topiary estimated that LOIC users represented on average 5 percent to 10 percent of the damage done against sites like PayPal, MasterCard, and Visa in early December 2010, and in the months that followed less than 1 percent, as fewer people stayed involved. Another source close to the operators at the time estimated more graciously that the LOIC tool contributed about 20 percent of DDoS power during AnonOps attacks in December and January. The truth became especially hard to accept when, seven months later, the FBI arrested fourteen people who had taken part in the PayPal attacks by downloading and using LOIC. These users included college students and a middle-aged woman.
“People who fought for what they believe in shouldn’t be told what they did was in vain,” the source close to the operators said. In a small way, LOIC did help. It made people feel they were contributing to something, which encouraged more to join. Plus, Civil, Switch, and other botmasters might not have helped if they hadn’t seen the groundswell of support.
Regardless, Topiary decided to stick to the party line on December 10 when he was contacted by a reporter from state-backed TV network Russia Today and invited to give his first ever live television interview, an audio discussion over Skype. He was nervous in the moments leading up to the interview, but when it came to it, he proclaimed as confidently as he could that the hive had hit back at PayPal and others.
“We lied a bit to the press,” he said, many months later, “to give it that sense of abundance.” The press liked reporting on this new powerful phenomenon of a hive that nobody seemed able to quantify. “They liked the idea and amplified the attention.”
“Lying to the press” was common in Anonymous, for understandable reasons. Here was a network of people born out of a culture of messing with others, a paranoid world whose inhabitants never asked each other personal questions and habitually lied about their real lives to protect themselves. It was also part of Anonymous culture to make up random, outrageous statements. If, for instance, someone was about to leave his or her computer for a few minutes to get coffee, he or she might say, “Brb, FBI at the door.” Not only was there a sense of a higher purpose to Anonymous that made it seem okay to inflate figures and lie to the media; Anons were also part of a secret institution that no one in the real world understood anyway.
Anons particularly disliked journalists who would come into the #reporter channel asking, “So who are you attacking next?” or pushing for a quick quote. A few would first exaggerate, saying that there were tens of thousands of people attacking a site. At one point an Anon told a magazine reporter that Anonymous had “colonies” all over the world, a physical headquarters, and that its name was based on a real man named Anonymous.
“So who is Anonymous?” a reporter asked about the supposed man.
“He’s this guy,” the Anonymous supporter said. “He lives in our headquarters in West Philadelphia.” That was actually an Internet meme: tell an elaborate story, then catch the person out by quoting the introductory rap to the sitcom The Fresh Prince of Bel Air.
Later in February 2011, Topiary would create an IRC channel called #over9000 (a reference to another famous meme), in which a few core Anons discussed a bogus hacking operation to mess with a journalist from the Guardian. The reporter had asked for access to “secret” inner channels.
“We need to troll her hard,” Topiary had told the others.
The group went on to spam the room with cryptic messages like: “Charlie is c85 on excess, rootlog the daisy chain and fuzz out dawn mode.”
Lying was so common in Anonymous that people were rarely surprised to hear different versions of events, or to find out that the nickname they thought they were talking to was being hijacked by someone else. There was a constant suspension of disbelief and skepticism about almost everything. Even when people professed genuine admiration for someone or for the ops that were taking place on PayPal and MasterCard, their opinions could change just days later. It wasn’t that people in Anonymous were shallow or that there was little value to their experiences—it was just that events and relationships on the Internet moved far more quickly and dramatically than in real life. The data input for Anons could be overwhelming, and often the result was detachment—from emotions, from morals, and from awareness of what was really going on. But there was one truth in particular that at least a dozen Anons would later regret ignoring. It was about LOIC. Not only was their all-important weapon useless against big targets like PayPal, it could lead the police straight to their doors.