As Anonymous turned its attention to the Middle East in early January of 2011, Topiary continued organizing and writing deface messages in #propaganda and talking to journalists in #reporter. #Command wasn’t much to look at anymore—too many operators and too much squabbling. There were about twenty Anons in each publicity channel, most of them talented writers who had written Anonymous press releases in the past. Once in a while, Topiary talked to Tflow, who would drop into #propaganda to pick up a deface message; soon Topiary would see his text on an official government website for Zimbabwe. With the help of a French Anon, a French version was also posted.

Topiary liked explaining Anonymous to reporters and writing deface messages that shocked a website’s visitors and owners. He also liked learning how to deal with the press, how to get them interested in a story by offering them exclusive information. He wondered if the writers and spokespeople like himself were among the more influential members of Anonymous in the world outside the collective. Soon people started inviting him into more channels that no one else talked about publicly. On January 2, he got an important tap on the shoulder, this time from Tflow.

Sabu, via a local volunteer, had been preparing to take control of the prime minister’s website, and he needed a good deface message, quickly.

“The government of Tunisia’s main sites are going to be hacked,” Tflow told Topiary. “Can you design the deface message?” Topiary felt an instant buzz. This was the first time anyone had trusted him with the knowledge that a hack was about to happen. Eager to help, he and Tflow discussed the timing of what they referred to as the deface, and then Topiary wrote his usual ominous message to the repressive Tunisian government.

As the hack was happening and the deface message being uploaded, Topiary and Tflow went into the main AnonOps chat rooms and gave a running commentary of the attack, to inspire the troops a little.

When it was all over, Tflow surprised Topiary again by inviting him into #InternetFeds. He was effectively trusting Topiary to collaborate and share ideas with some of the most highly skilled hackers working with Anonymous. Topiary had been a stranger to these people, but gradually he was getting their attention.

Over the next month, much of Sabu’s hacking and Topiary’s writing would be at the forefront of Anonymous cyber attacks on the governments of Libya, Egypt, Zimbabwe, Jordan, and Bahrain. Anonymous was not only defacing sites but releasing government e-mail addresses and passwords. Attacks also continued in other parts of the world in the name of Anonymous; two Irish hackers defaced the website of Ireland’s main opposition party, Fine Gael. It was a flurry of revolutionary activity that made Anonymous suddenly look less like a bunch of bored pranksters and more like real activists.

Then on February 5, Tflow sent Topiary another private message on AnonOps IRC, this time inviting him into an even more secret IRC channel that would include just a handful of core people from #InternetFeds. When Topiary entered the exclusive chat room, he forgot he had (as a joke) set a programming script to run on his IRC client that would kick anyone out of the room who didn’t use at least 80 percent capital letters. His first interaction with Sabu involved kicking him out of the chat room. Embarrassed, Topiary apologized and quickly turned off the script. But Sabu took it well, and the group of five—Topiary, Sabu, Kayla, Tflow, and Q—quickly got to talking. The topic was HBGary and Aaron Barr’s article in the Financial Times.

Topiary couldn’t get his head around who or what Kayla was. He vaguely remembered seeing the name Kayla on his old MSN chat list, a 2008 4chan flood, and articles about her on Encyclopedia Dramatica. In between lots of smiley faces and lols, she talked about hacking like it was an addiction. She couldn’t look at a website without checking to see if there were holes in the source code that she could exploit, perhaps allowing her to steal a database or two. She was a conundrum: She seemed to be the chattiest, most happy-go-lucky person in the group, but she was also paranoid and apparently dangerous. She had developed a cast-iron protection for her real identity, and the bold admission that she was sixteen, along with the overwhelming number of emoticons and hearts (<3), suggested she was trying too hard to come across as a girl.

Topiary knew that female hackers were extremely rare; a hacker who claimed to be female was more likely not in real life, though they were possibly transgender, gay, or at least thinking along those lines. An online friend of Topiary, nicknamed Johnny Anonymous, conducted his own ad hoc online poll in late 2010. He put a series of questions to a hundred and fifty users of the early AnonOps network. About sixty, or one-third, identified themselves as LGBT (lesbian, gay, bisexual, or transgender), while the rest said they were straight.

“We have jokes about transvestites because there are so many of them among us,” Johnny Anonymous said in an interview.

Kayla was obsessive about hiding her identity, which was why Topiary later called her the ninja. She rotated her passwords almost daily. She claimed to keep all her data on a tiny microSD card, and she kept her operating system on a single USB stick that she used to boot up her netbook. Like most hackers, she used a VM (virtual machine) to do all her Internet witchcraft; it acted as a buffer between her computer and her life online, so if anyone ever hacked her, he’d only get to the virtual machine. Unlike Topiary and many other Anons, she avoided using a virtual private network (VPN). She didn’t trust them, since a VPN provider could always give her details to the police. She kept a low-end cell phone with an unregistered SIM card, the most secure device she had, and she used it to note down all her passwords. She partitioned a small drive called sys on her phone that she used to store malicious code.

It sounded paranoid, but Kayla said later in an interview that she learned a terrifying lesson about the need to scrub the Web clean of her identity soon after she started attacking hacker forums. The story went that when Kayla was younger (she claimed fourteen) and trying to dox other hackers for fun, she had at one point picked the wrong target. It was a male hacker who managed to do some of his own digging, and he found one of her old e-mail addresses on another forum. He got her name, date of birth, town, and some information on her family. He called her house, and when she answered, he threatened angrily to call the police. In recounting the story, Kayla said that he refused to believe her age and that she broke down in tears. When he eventually calmed down, they arranged to meet in a nearby city. They picked a crowded mall and eventually the two found each other and sat down to talk. The man was interested in Kayla’s life and why she hacked. He revealed that he had found her details from old MSN profiles and hacker forum profiles, and for Kayla, the realization was like a slap in the face: her information was out there, just waiting to be discovered.

As soon as Kayla got home, she wiped everything from her accounts, deleting every e-mail, and read more about how to become completely invisible on the Internet. Within a year, she had her almost-militaristic regime in place and had become confident enough to start hacking bigger names. She couldn’t shake the lure of hacking—there was just something about having access to information that others didn’t have. Her online name, after all, meant “Keeper of keys” in old English. And the attack that would seal her place in the #InternetFeds chat room and in the minds of other hackers was her assault on the news site Gawker.

Gawker had once been in Anon’s good books. It had been the first news site to boldly publish the crazy Tom Cruise video that helped spark Chanology. But then the site’s famously snarky voice turned on Anonymous, reporting on major 4chan raids as examples of mass bullying. After Gawker’s Internet reporter Adrian Chen wrote several stories that poked fun at Anonymous, mocking its lack of real hacking skills and 4chan’s cat fights with Tumblr, regulars on /b/ tried to launch a DDoS attack on Gawker itself, but the attack failed. In response, Gawker writer Ryan Tate published a story on July 19, 2010, about the failed raid, adding that Gawker refused to be intimidated. If “sad 4chaners have a problem with that, you know how to reach me,” he added. Kayla, at the time, had bristled at the comment and felt her usual urge to punish anyone who underestimated her, and now Anonymous.

“We didn’t really care about it till they were like, ‘lol you can’t hack us no one can hack us,’” Kayla later said in an interview. Though Gawker had not said this literally, it was the message Kayla heard.

She decided to go after the site. Kayla and a group of what she later claimed was five other hackers met up in a chat channel called #Gnosis, on an IRC network she had set up herself called tr0ll. Anywhere from three to nine people would be on the network at any given time. Kayla actually had several IRC networks, though instead of hosting them herself she had other hackers host them on legitimate servers in countries that wouldn’t give two hoots about a U.S. court order. Kayla didn’t like to have her name or pseudonym on anything for too long.

People close to Kayla say she set up tr0ll and filled it with skilled hackers that she had either chosen or trained. Kayla was a quick learner and liked to teach other hackers tips and tricks. She was patient but pushy. One student remembered Kayla teaching SQL injection by first explaining the theory and then telling the hackers to do it over and over again using different approaches for two days straight.

“It was hell on your mind, but it worked,” the student said. Kayla understood the many complex layers to methods like SQL injection, a depth of knowledge that allowed her to exploit vulnerabilities that other hackers could not.

On tr0ll, Kayla and her friends discussed the intricacies of Gawker’s servers, trying to figure out a way to steal some source code for the site. Then in August, a few weeks after Gawker’s “sad 4chaners” story, they stumbled upon a vulnerability in the servers hosting Gawker.com. It led them to a database filled with the usernames, e-mail addresses, and hashed passwords of 1.3 million people who had registered with Gawker’s site so they could leave comments on articles. Kayla couldn’t believe her luck. Her group logged into Nick Denton’s private account on Campfire, a communication tool for Gawker’s journalists and admins, and spied on everything being said by Gawker’s staff. At one point, they saw the Gawker editors jokingly suggesting headlines to each other such as “Nick Denton [Gawker’s founder] Says Bring It On 4Chan, Right to My Home,” and a headline with a home address.

They lurked for two months, cracking the hashed passwords and seeing where else those passwords had been used, before a member of the group finally hacked into the Twitter account of tech blog Gizmodo, part of Gawker Media, and Kayla decided to publish the private account details of the 1.3 million Gawker users on a simple web page. One member of her team suggested selling the database, but Kayla wanted to make it public. This wasn’t about profit, but revenge.

On December 12, at around eleven in the morning eastern time, Kayla came onto #InternetFeds to let the others know about her side operation against Gawker, and that it was about to become public. The PayPal and MasterCard attacks had peaked by now, and Kayla had hardly been involved. This was how she often worked—striking out on her own with a few other hacker friends to take revenge on a target she felt personally affronted by.

“If you guys are online tomorrow, me and my friends are releasing everything we have onto 4chan /b/,” she said. The following day, she and the others graced the “sad 4chaners” themselves with millions of user accounts from Gawker so that people like William could have fun with its account holders.

Gawker posted an announcement of the security breach, saying, “We are deeply embarrassed by this breach. We should not be in a position of relying on the goodwill of hackers who identified the weaknesses in our systems.”

“Hahahahahahha,” said an Irish hacker in #InternetFeds called Pwnsauce. “Raeped [sic] much?” And that was hacker, “SINGULAR,” he added. “Our very own Kayla.” Kayla quickly added that the job had been done with four others, and when another hacker in #InternetFeds offered to write up an announcement on the drop for /b/, she thanked him and added, “Don’t mention my name.”

Gnosis, rather than Anonymous, took credit for the attack. Kayla said she had been part of Anonymous since 2008 and up to that point had rarely hacked for anything other than “spite or fun,” with Gawker being her biggest scalp. But after joining #InternetFeds, she started hacking more seriously into foreign government servers.

Kayla had not joined in the AnonOps DDoS attacks on PayPal and MasterCard because she didn’t care much for DDoSing. It was a waste of time, in her view. But she still wanted to help WikiLeaks and thought that hacking was a more effective means of doing so. Not long after announcing the Gawker attack, Kayla went onto the main IRC network associated with WikiLeaks and for several weeks lurked under a random anonymous nickname to see what people were saying in the main channels. She noticed an operator of that channel who seemed to be in charge. That person went by the nickname q (presented here as lowercase, so as not to be confused with the hacktivist Q in #InternetFeds). Supporters and administrators with WikiLeaks often used one-letter nicknames, such as Q and P, because it was impossible to search for them on Google. If anyone in the channel had a question about WikiLeaks as an organization, he or she was often referred to q, who was mostly quiet. So Kayla sent him a private message.

According to a source who was close to the situation, Kayla told q that she was a hacker and dropped hints about what she saw herself doing for WikiLeaks: hacking into government websites and finding data that WikiLeaks could then release. She was unsure of what to expect and mostly just wanted to help. Sure enough, q recruited her, along with a few other hackers Kayla was not aware of at the time. To these hackers and to q, WikiLeaks appeared to be not only an organization for whistle-blowers but one that solicited hackers for stolen information.

The administrator q wanted Kayla to scour the Web for vulnerabilities in government and military websites, known as .govs and .mils. Most hackers normally wouldn’t touch these exploits because doing so could lead to harsh jail sentences, but Kayla had no problem asking her hacker friends if they had any .mil vulnerabilities.

Kayla herself went into overdrive on her hacking sprees for q, one source said, mostly looking for vulnerabilities. “She’s always been blatant, out-in-your-face, I’m-going-to-hack-and-don’t-give-a-shit,” the source said. But Kayla did not always give everything to q. Around the same time that she started hacking for him, she got root access to a major web-hosting company—all of its VPSs (virtual private servers) and every normal server—and she started handing out the root exploits “like candy” to her friends, including people on the AnonOps chat network.

“She would just hack the biggest shit she could and give it away,” said the source, dropping a cache of stolen credit card numbers or root logins then disappearing for a day. “She was like the Santa Claus of hackers.”

“I don’t really hack for the sake of hacking to be honest,” Kayla later said in an interview. “If someone’s moaning about some site I just have a quick look and if I find a bug on it I’ll tell everyone in the channel. What happens from there is nothing to do with me. :P.” Kayla said she didn’t like being the one who defaced a site and preferred hiding silently in the background, “like a ninja.”

“Being able to come and go without leaving a trace is key,” she said. The longer she was in a network like Gawker’s, the more she could get in and take things like administrative or executive passwords. Kayla liked Anonymous and the people in it, but she ultimately saw herself as a free spirit, one who didn’t care to align herself with any particular group. Even when she was working with AnonOps or the people in #InternetFeds, Kayla didn’t see herself as having a role or area of expertise.

“I’ll go away and hack it, come back with access and let people go mad,” she said. Kayla couldn’t help herself most of the time anyway. If she was reading something online she would habitually start playing around with their parameters and login scripts. More often than not, she would find something wrong with them.

Still, working for q gave Kayla a bigger excuse to go after the .gov and .mil targets, and the equivalent sites of third-world countries in Africa or South America, which were easier to get access to than those in more developed countries. Every day was a search for new targets and a new hack. Kayla never found anything as big as, say, the HBGary e-mail hoard for q, but she did, for instance, find vulnerabilities in the main website for the United Nations. In April 2011, Kayla started putting together a list of United Nations “vulns.” This, for example:

http://www.un.org.al/subindex.php?faqe=details&id=57

was a United Nations server that was vulnerable to SQL injection. And this page at the time:

http://www.un.org.al/subindex.php?faqe=details&id=57%27

would throw an SQL error, meaning Kayla or anyone else could inject SQL statements and suck out the database. The original URL didn’t have %27 at the end, but Kayla’s simply adding that after testing the parameters of php/asp scripts helped her find the error messages.
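Why a trailing %27 produces that error, and what the fix looks like, shown as an added example that is not from the book or from the site described: it assumes a script that pastes the `id` parameter into its SQL text, models the database with an in-memory SQLite table, and uses a constructed host, table name and row.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed URLs using the page's query string on a placeholder host.
NORMAL = "http://site.example/subindex.php?faqe=details&id=57"
TAMPERED = "http://site.example/subindex.php?faqe=details&id=57%27"


def make_db():
    # Hypothetical stand-in for the site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE details (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO details VALUES (57, 'Sample entry')")
    return db


def get_id(url):
    # parse_qs percent-decodes, so %27 reaches the script as a single quote.
    return parse_qs(urlsplit(url).query)["id"][0]


def lookup_concatenated(db, raw_id):
    # Weak pattern: the parameter becomes part of the SQL text itself,
    # so a stray quote changes the statement's syntax.
    sql = "SELECT title FROM details WHERE id = " + raw_id
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing this to the visitor is the error page described above.
        return "SQL error: %s" % exc


def lookup_parameterized(db, raw_id):
    # Hardened pattern: reject anything that is not a short decimal id,
    # then bind the value so it is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # caller should answer with a generic 400/404
    return db.execute(
        "SELECT title FROM details WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for url in (NORMAL, TAMPERED):
        raw = get_id(url)
        print(repr(raw), "concatenated ->", lookup_concatenated(db, raw))
        print(repr(raw), "parameterized ->", lookup_parameterized(db, raw))
```

Binding the parameter removes the flaw; suppressing database error text in responses only removes the signal that made it easy to spot.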

Kayla eventually got access to hundreds of passwords for government contractors and lots of military e-mail addresses. The latter were worthless, since the military uses a token system for e-mail that is built into a computer chip on an individual’s ID card, and it requires a PIN and a certificate on the card before anyone is able to access anything.

It was boring and repetitive work, trawling through lists of e-mail addresses, looking for dumps from other hackers, and hunting for anything government or military related. But Kayla was said to be happy doing it. Every week or so, she would meet on IRC with q and pass over the collected info via encrypted e-mail, then await further instructions. If she asked what Julian Assange thought of what she was doing, q would say he approved of what was going on.

It turned out that q was good at lying.

Almost a year after Kayla started volunteering for WikiLeaks, other hackers who had been working with q found out he was a rogue operator who had recruited them without Assange’s knowledge. In late 2011, Assange asked q to leave the organization. Kayla was not the only volunteer looking for information for what she thought was WikiLeaks. The rogue operator had also gotten other hackers to work with him on false pretenses. And in addition, one source claims, q stole $60,000 from the WikiLeaks t-shirt shop and transferred the money into his personal account. WikiLeaks never found out what q was doing with the vulnerabilities that Kayla and other hackers found, though it is possible he sold them to others in the criminal underworld. It seemed, either way, like q did not really care about unearthing government corruption, and Kayla, a master at hiding her true identity from even her closest online friends, had been duped.

None of this mattered come February of 2011 when Kayla began talking with Tflow, Topiary, and Sabu in the exclusive new chat room that would bring them together for a landmark heist on Super Bowl Sunday: the attack on HBGary Federal. The bigger secret, which Kayla didn’t know then, was that Sabu would not only get her deeper into a world of hacking that would become front-page news, but watch as her details got passed on directly to the FBI.