Topiary was anxious and confused. He was sure someone was lying. First Kayla had reported rumors on a public IRC network that Sabu had been raided. Then someone else had said his two daughters were sick and in the hospital. Then another person whom Topiary knew as a real-life friend of Sabu’s also claimed he had been raided. Then he heard the hospital story from yet another source. There was a fifty-fifty split on what had happened. Topiary wanted to believe the hospital story. Typically, in paranoid hacker circles or Anonymous, if someone disappeared from a public IRC for a while and without reason, people assumed the worst (an FBI raid). But if Sabu had suddenly wanted to go back underground, he would have told a few trusted people to say different things.
Topiary started calling Sabu’s Google Voice number every hour but got no answer. It was unusual for him not to be online for more than half a day. Topiary waited and hoped Sabu wasn’t in a cell being questioned or, worse, snitching. On IRC, Sabu was still logged on. Once his nickname had been idle for twenty-four hours, the team killed it, just in case Feds were watching.
“I’m quite worried,” Topiary said that morning.
Sabu had given him instructions the week before that if he was ever caught, Topiary should access his Twitter feed and tweet as normal while the team should keep announcing hacks. If the Feds did have Sabu, this could be his ticket to avoiding some charges. Topiary’s heart sank when he looked at Sabu’s Twitter account and was reminded of how much the hacker had motivated him. The short bio read: “To all Anons: you all are part of something amazing and powerful. Do not succumb to fear tactics that are so obvious and archaic. Stay free.” Sabu may have been hot-tempered, but he could also be inspiring.
Kayla was just as concerned. “I’m gonna turn the Internet upside down if I find out Sabu’s been hit,” she told Topiary.
Still, the team was in a catch-22. If Sabu had been caught and forced to divulge information, then there was a large chance the Feds could monitor what they were doing. If they did nothing or fled, that would immediately implicate Sabu.
As evening fell, Topiary rang Sabu’s number again. Suddenly, someone picked up the phone. There was no voice. “Uh, who’s this?” Topiary asked.
“David Davidson.”
It was Sabu. Topiary let out a sigh of relief. Sabu sounded like he had a cold or had been crying. Sabu explained that his grandmother had died and that he had had to help with funeral arrangements. He then asked if the rest of the team was around and if Topiary could inform them that he was back. Topiary at first didn’t care that Sabu might have been lying—he was just glad to speak to him again. Not long after, Sabu changed his story and said that it had actually been the anniversary of his grandmother’s death. When they had first spoken, Sabu had probably changed his voice deliberately to make his story sound more genuine. By then, the FBI was logging everything that Sabu said online to LulzSec’s members, as well as everything he said on the phone to Topiary.
Sabu would end up being offline more than usual for the next few days as he began collaborating with the FBI, even working out of their office on a daily basis. Sabu occasionally kept his group abreast of other developments, but the still oblivious Topiary took more responsibility for the team.
As a precaution, Topiary deleted more files, then he redid all his passwords and encryptions to make them ultra-protected. He kept all passwords in a file on an encrypted SD card, with one character in each swapped around. Only he knew which characters were swapped. Still, he couldn’t help constantly looking outside his window and jumping whenever a van drove past. For the first time, he started seriously wondering if a couple of men in police uniforms would splinter his door at dawn the next morning.
A few days earlier when he had been out to buy some food, one of the local druggies had approached Topiary on his way home. “Hey,” the man had said, waving as Topiary took out his earbuds.
“There were some police knocking on your door the other day,” the man said in a thick Scottish accent. Topiary’s heart had started to pound.
“Really. What did they do?”
“They drove by in their car. Then a couple of them came out and knocked on your door, but there was no answer,” he said, shrugging. Topiary played it cool. The druggie might have been lying, but the police might also have stopped by while he was at his thinking spot, looking over the sea. And it was just as likely that they were doing a drug sweep of the area. Still, he resolved to wipe every shred of Topiary and Anonymous from his laptop, encrypt whatever he kept, and send it to all to himself in an e-mail via Hushmail. Eventually he would wipe his laptop completely.
If the police came to his door, they’d find a clean house with one rarely used desktop computer and his innocuous-looking Dell laptop, a couple of extra monitors for watching films, and one phone line going over his living room with clips. None of the empty pizza boxes associated with basement-dwelling hackers. Any documents the police might find about Anonymous on either of his computers could be passed off as research Topiary was doing for a book. They’d find some pirated music and a handful of databases holding a few hundred thousand names and passwords he had acquired from acquaintances or from his own scanning for LulzSec. Topiary called it his personal collection. Sometimes he used it for his own attempts at doxing people, but for the most part it was just nice to have.
He tried not to think that his virtual private network provider, HideMyAss, would ever turn him in to the authorities. His logic was that if customers of HideMyAss ever found out the company had turned in one of its users, they’d leave in droves, and HideMyAss would go out of business. They would surely never give him up.
As Sabu remained offline on the pretext of dealing with family matters, a familiar face came back into the LulzSec fold: Ryan. It made little sense at first, considering Ryan’s temperamental behavior in the past and his cyber attacks on the LulzSec communication channels, but that was hacker life for you. Even the most explosive of disputes could be remedied when someone needed something. In this case Ryan needed some friends, and LulzSec could use Ryan’s mammoth botnet, which infected computers via a rogue Facebook app. Ryan was well connected in the underground hacker scene and served as an administrator of Pastebin, the text application tool that LulzSec used to publish all its leaks, and Encyclopedia Dramatica. Ryan was like the kid in school that people didn’t necessarily like but whom they were compelled to befriend because he had a brand-new Hummer and a house with a pool. Ryan wasn’t rich in real life, but online he seemed loaded; he had spent years building up an impressive array of assets, from servers to his botnet. His servers helped host Encyclopedia Dramatica, and after he had reconnected with a member of the LulzSec crew in the previous week, they also hosted LulzSec’s new IRC network, lulzco.org.
After Topiary first reconnected with Ryan on IRC, he wanted to hear what the new ally sounded like in voice to better suss him out, so the two became contacts on Skype. When Ryan’s voice came through, his English accent was so strong, he sounded almost Australian. Ryan spoke at a rapid-fire pace, openly bragging about his botnet, his hacking, and how he was making money on the underground; he littered his prose with swearwords then described at great length a farmhouse-bread ham sandwich his mother had once made him. Ryan seemed pretty unhinged and insecure, but Topiary’s opinion of him softened when he explained why he’d leaked hundreds of names from AnonOps months before. The network operators had been hassling him, and then someone else had gathered all the data and given it to him to leak. It was water under the bridge. Oh, he added, and that dox of his full name, address, and phone number that had been posted online? That was based on fake information he had created four years ago. Ryan assured Topiary that he had made the false documents and spread them everywhere so that his real information would remain hidden.
Topiary figured he could tell when someone was bullshitting, especially when it was in voice. Ryan, he believed, was genuine. In fact, Topiary started to feel sorry for the guy. People on AnonOps had accused Ryan of being a perpetually angry cretin who logged and attacked everything. But he wasn’t really angry; he was just passionate. Perhaps he came across as rude, but he worked hard and got into things, Topiary thought. With Sabu gone, Topiary missed having someone passionate and a little crazy to talk to, to counteract his laid back personality.
Ryan promised not to log any of the chats, and said he would give the LulzSec crew complete control over his logging ability. He also said the team could use his botnet any time they wanted. He had used it in the past to prank DDoS sites of the U.S. Air Force and then call them afterward to mock them. He could also make hundreds of dollars a day by subletting the botnet to others who wanted to use it for nefarious purposes like extortion and hacker skirmishes. But LulzSec could use it for free. This was like fresh meat to a ravenous dog: with Ryan’s botnet, LulzSec could bring down almost any website it wanted at the drop of a hat.
During one of Sabu’s occasional drop-ins on IRC, he mentioned to Topiary that he did not like having Ryan as a supporter. LulzSec was making too many contacts, he added. (It is unclear if this was the case, or why that might have concerned him now that he had started working as an FBI informant.) Topiary argued back that Sabu himself had been inviting his trusted associates into #pure-elite, including log leaker M_nerva. Topiary won the argument, and Ryan stayed. With Sabu mostly away now, Topiary was enjoying the funnier side of what LulzSec could do with its growing stable of Twitter followers. After he released the administrative passwords of fifty-five porn sites and twenty-six thousand porn passwords, he got replies from people on Twitter saying they had used the data dump to hack into other people’s e-mails or, in one case, find out a guy was “cheating on his girlfriend.”
Topiary realized he could start making things more interactive. He could send a hundred thousand people to a YouTube video and grant the account holder a huge increase in views, or he could send the horde to crash a small website or IRC network. LulzSec’s attacks would become a lot more fun. He and Ryan started talking and doing some prank calls on Skype with some of Ryan’s friends as an audience. Then Ryan set them up with a joint Skype Unlimited account so they could call anywhere in the world, dropping eighty dollars in credit without blinking an eye.
Topiary had an idea. Instead of making prank calls, what if they got LulzSec’s Twitter followers to call them? Topiary suggested setting up a Google Voice number so that anyone in the world could call LulzSec (or at least himself). He wanted the number to spell out the group’s name, as in 1-800-LULZSEC, but he couldn’t find an area code where the number would work. Eager to prove himself, Ryan spent hours going through every possible U.S. number till he found that 614, the area code for Columbus, Ohio, was available with the corresponding digits. They now had a telephone hotline: 1-614-LULZSEC.
It was a free Google number that directed to their new Skype Unlimited-World-Extra number that in turn could bypass to two other potential numbers registered to fake IP addresses. The pair created two voice-mail messages, using voice alteration and over-the-top French accents for the fictional names Pierre Dubois and Francois Deluxe, saying they couldn’t come to the phone because “We are busy raping your Internets.”
Once Topiary announced the hotline on LulzSec’s public chat room, they got several calls a minute; they answered a few and joked with their callers. Without giving any hints, Topiary stated there would be a $1,000 prize for anyone who called in with the magic word—lemonade—but nobody guessed correctly, and around forty people thought it was please. At the end of the day they’d received 450 calls.
In between fielding calls, Topiary wrote up an announcement of the group’s latest drop: a directory listing of every single file on the U.S. Senate’s web server, which had come to them thanks to another black hat. This was a serious attack that could earn someone five to twenty years in prison, but Topiary was mostly eager to get back to his LulzSec hotline.
“This is a small, just-for-kicks release of some internal data from Senate.gov,” Topiary had written. “Is this an act of war, gentlemen? Problem?”
Along with that release was a dump of the source code and database passwords of the gaming company Bethesda—a topic totally unrelated to the Senate, just one of the leaks they were sitting on. They also had a database of two hundred thousand users stored on the servers of gaming company Brink, but they wouldn’t release that because “We actually like this company and would like for them to speed up the production of Skyrim. You’re welcome!” At the top of each release was now a short list of contact and donation details for LulzSec, including the telephone hotline and the IRC chat room.
“It is unclear why LulzSec decided to attempt to embarrass yet another video game company other than to show off,” said Naked Security journalist Chester Wisniewski. “It is difficult to explain random acts of sabotage and defacement, so I am not going to attempt to get into the heads of those behind these attacks.” Yet this was not a matter of motivation, but of circumstance. Back when Kayla had used her botnet to scan the Web for vulnerabilities, hooking it up to an IRC channel and using basic chat commands to run it, she had stumbled on a vulnerability in the network of Bethesda that had given her access to its servers. Since the company was so big, the team chose not to root around for databases right away, using Bethesda’s bandwidth to help search for other sites to hack into and using it as a safe location to hide bots. The gaming company had no idea it was effectively being used to hack other sites. When the servers outlived their usefulness, it was time to dump the data stored on them.
Now the hacks were about to get even more arbitrary. Knowing that Ryan’s botnet could take out anything, Topiary announced the LulzSec hotline on Twitter and told the public: “Pick a target and we’ll obliterate it.” The hotline was suddenly inundated with calls, and the three people that initially got through all requested gaming companies: Eve, Minecraft, and League of Legends.
Within minutes, Ryan’s botnet had hit all three, as well as a site called FinFisher.com, “because apparently they sell monitoring software to the government or some shit like that.” DDoSing sites like this was nothing new, and neither was one or two hours of downtime, but it was the first time anyone had boasted about it to a hundred fifty thousand Twitter followers or referred to it as a DDoS party called Titanic Takeover Tuesday.
“If you’re mad about Minecraft, we’d love to laugh at you over the phone,” Topiary announced. “Call 614-LULZSEC for your chance to reach Pierre Dubois!”
When Topiary started thinking about the Internet meme phrase “How do magnets work?” made famous by the hip-hop duo Insane Clown Posse, he called up the offices at Magnets.com. He asked the woman who answered that question and got a bemused response, hung up, then redirected the LulzSec hotline to the main switchboard of Magnets.com.
“Everyone call 614-LULZSEC for a fun surprise,” he tweeted. About three minutes later he called the number again and heard dozens of phones going off at the same time with answers of “This is Magnets.com…Uh…” He asked to speak to a manager. When a man’s voice came on, Topiary explained the reason for the flood of strange calls. To his credit, the manager took it in good humor.
“How did you do it?” he asked.
“We’re testing out our new Lulz Phone Cannon,” Topiary said. “How are you feeling?”
“I’m a little out of breath.” Magnets.com had been getting more than two hundred calls a minute to their customer support center.
“Okay, I’ll get it to stop,” Topiary said.
“Good, because I feel like I’m about to pass out.”
With a few clicks he stopped the hotline from redirecting, and he heard all the phones in the background suddenly go silent. It was like a DDoS attack by telephone. It made sense to keep this going. Soon he was redirecting the LulzSec hotline to the World of Warcraft online game, then to the main switchboard for FBI Detroit, and then, naturally, to the offices of HBGary Inc.
“You take care of the horde while we’re gone, AaronBarr,” Topiary tweeted to its former executive. “Thanks mate. Bye for now.” In the next twenty-four hours, in between his talking with the other LulzSec hackers and manning a Twitter feed, Topiary’s busy switchboard had received 3,500 missed calls and 1,500 voice mails; the following day, 5,000 missed calls and 2,500 voice mails.
Soon, though, Ryan started to get restless. He wanted to do more than just play around with hotline callers; he wanted to go back to hitting websites, bigger ones. He had a rapt audience now, and a gang of people who were willing to go after the big names under this banner of LulzSec, or Antisec, or Anonymous. Whatever. On his own initiative, he hooked up his botnet, then called up most of his bots and aimed at the main website of America’s Central Intelligence Agency. Then he fired.
Within a few minutes, CIA.gov had gone down.
“CIA ovened,” Ryan said on Skype before beginning a monologue about how he disliked the United States. Topiary was stunned. He visited the CIA’s main site and saw it really was down. He couldn’t help feeling a little uncomfortable. This was big. But he couldn’t leave it unannounced. Through Twitter he said, almost quietly:
“Tango down—cia.gov—for the lulz.”
News outlets on television, print, and the Web instantly took notice and published screaming headlines that LulzSec had just hit the CIA. A few said, incorrectly, that the CIA had been “hacked.” LulzSec was clearly provoking the authorities now, almost inviting them to come and arrest the group.
At around the same time Aaron Barr came onto Twitter to send a new, public message to HBGary Inc.’s chief, Greg Hoglund. “Damn good to see you,” Barr said. “Let’s grab some popcorn. I feel a show coming.” Topiary saw the remark, and it seemed out of the blue.
“Hello Aaron,” Hoglund replied in his first-ever tweet, which he also directed to LulzSec. “I created my Twitter account because I wanted a ringside seat for what is about to go down.” Topiary’s gut feeling was to be skeptical of the veiled threat—he was getting them almost every day now—and he responded with sarcasm.
“What does kibafo33 mean?” he asked Barr on Twitter. “Is it a Turkish/Portuguese combination of ‘that’ and ‘breath?’ Are you a 33rd degree Freemason also?”
Besides, Topiary had other, bigger distractions. About three hundred miles away in London, WikiLeaks founder Julian Assange had heard about LulzSec’s takedown of the CIA website, and he was chuckling to himself.
For Assange, a simple DDoS attack on CIA.gov was some much-needed comic relief. Since Anonymous had leaped to his defense in December, he had spent the last few months fighting the threat of extradition to the United States and accusations of treason over WikiLeaks’s release of diplomatic cables. Swedish authorities had doubled his problems by seeking his extradition too, so they could question him over alleged sex offenses. In the meantime, he was staying in the countryside manor of an English journalist, wearing an electronic tag, and trying to keep up with developments in the world of cyber security. It had been hard not to notice LulzSec. On the one hand, the group looked like fearless comedians. On the other, it clearly had skilled hackers on the team.
Impressed and perhaps unable to help himself, Assange had opened the main WikiLeaks Twitter account and posted to its nearly one million followers: “WikiLeaks supporters, LulzSec, take down CIA…who has a task force into WikiLeaks,” adding: “CIA finally learns the real meaning of WTF.” Soon after a few news agencies and websites reported that WikiLeaks was supporting LulzSec, he deleted the first tweet. He didn’t want to be publicly associated with what were clearly black hat hackers. Instead, he decided it was time to quietly reach out to the audacious new group that was grabbing the spotlight. On June 16, the day after Ryan set his botnet on CIA.gov, an associate of WikiLeaks contacted Topiary.
“I’ve got a contact in WikiLeaks that wants to talk to you,” the person said, then directed him to a new IRC server that could serve as neutral ground for a private discussion. The network was irc.shakebaby.net and the channel was #wikilulz. Topiary was immediately skeptical and believed the contact was trolling him. When he finally spoke to a WikiLeaks staff member known as q, who was in the channel under the nickname Dancing_Balls, he asked for someone to post something from the WikiLeaks Twitter account. Assange, who allegedly had sole access, did so, putting out something about eBay, then deleting the post. Topiary did the same from the LulzSec Twitter feed. But he needed more proof, since the WikiLeaks feed could have been hacked. q said he could do that. Within five minutes, he pasted a link to YouTube into the IRC chat, and he said to look at it quickly.
Topiary opened it and saw video footage of a laptop screen and the same IRC chat they were having, with the text moving up in real time. The camera then panned up to show a snowy-haired Julian Assange sitting directly opposite and staring into a white laptop, chin resting thoughtfully in his hand. He wore a crisp white shirt and sunlight streamed through a window bordered with fancy curtains. q deleted the twenty-two-second video moments later. Also in the IRC channel with Topiary and q was Sabu, now likely with very interested FBI agents monitoring the discussion.
“Tell Assange I said ‘hello,’” Sabu told q.
“He says ‘hi’ back,” q said.
At first Topiary was nervous. Here was Julian Assange himself, the founder of WikiLeaks, reaching out to his team. He couldn’t think why he wanted to talk to them. Then he noticed what q and Assange were saying. They were praising LulzSec for its work, adding that they had laughed at the DDoS attack on the CIA. With all the flattery, it almost felt like they were nervous. For a split second, LulzSec seemed to be much bigger than Topiary had ever thought.
By now a few others from the core team knew about what was happening and had come into the chat room. Sabu had given them a quick rundown of what was going on, then said it could mean hitting bigger targets.
“My crew seems up for taking out traditional government sites,” he told Assange and q in the chat. “But seeing as that video was removed, some of them are skeptical.”
“Yes I removed the video since it was only for you, but I can record a new one if you want :),” q said.
“If we need additional trust (mainly my crew) then ok,” said Sabu. “But right now we seem good.”
Then q went on to explain why he and Assange had contacted LulzSec: they wanted help infiltrating several Icelandic corporate and government sites. They had many reasons for wanting retribution. A young WikiLeaks member had recently gone to Iceland and been arrested. WikiLeaks had also been bidding for access to a data center in an underground bunker but had lost out to another corporate bidder after the government denied them the space. Another journalist who supported WikiLeaks was being held by authorities. Assange and q appeared to want LulzSec to try to grab the e-mail service of government sites, then look for evidence of corruption or at least evidence that the government was unfairly targeting WikiLeaks. The picture they were trying to paint was of the Icelandic government trying to suppress WikiLeaks’s freedom to spread information. If they could leak such evidence, they explained, it could help instigate an uprising of sorts in Iceland and beyond.
The following day, q and Assange wanted to talk to LulzSec again. Perhaps sensing that Topiary was still skeptical, q insisted on uploading another video. It again showed his laptop screen and the IRC chat they were having being updated in real time, then a close-up of Assange himself, head in hand again, but this time blinking and moving the track pad on his laptop, then him talking to a woman next to him. The camera was then walked around Assange before the video ended. The video had been filmed and uploaded in less than five minutes. Topiary, who was experienced with Photoshop and image manipulation, calculated that doctoring the IRC chat and Assange in the same video image within such a short space of time would have been incredibly difficult, and he veered toward believing this was all real.
But q was not asking LulzSec to be hit men out of the goodness of their hearts. There was potential for mutual gain. q was offering to give the group a spreadsheet of classified government data, a file called RSA 128, which was carefully encrypted and needed cracking. q didn’t send it over, but he described the contents.
“That’s pretty heavy stuff to crack,” Sabu told q. “Have you guys tried simple bruteforce?” q explained they had had computers at MIT working on the file for two weeks with no success. Topiary wanted to ask if Assange was going to give the team other things to leak, but he decided not to. Part of him didn’t want to know the answer to that. It was already starting to look like LulzSec was on the road to becoming a black hat version of WikiLeaks. If WikiLeaks was sitting on a pile of classified data that was simply too risky to leak, then it now had a darker, edgier cousin to leak it through.
Topiary decided to mention that LulzSec had been the same team behind the HBGary attack. Assange said he had been impressed with the HBGary fallout but added, “You could have done it better. You could have gone through all the e-mails first.”
“We could have,” Topiary conceded, “but we’re not a leaks group. We just wanted to put it out as fast as possible.”
“Yes but you could have released it in a more structured way,” Assange said.
“We didn’t want to go through 75,000 e-mails looking for corruption,” Topiary countered again. He remembered how he had trawled through those e-mails looking not for scandal but for Penny Leavy’s love letter to Greg Hoglund and for Barr’s World of Warcraft character.
The team decided to invite Assange and q over to their IRC network on Sabu’s server. Topiary created a channel for them all to talk in and called it #IceLulz. q said he wished WikiLeaks could help the group more with things like servers or even advice, but they didn’t want to link the organization too obviously to LulzSec. In fact, when Topiary told q to go ahead and send the RSA 128 file over any time, q seemed to back off.
“Yeah, maybe in the future we’ll see how this goes,” q said. He never did send the file, at least not to Topiary.
Still, Sabu was “the most excited he had ever been,” Topiary later remembered, over the moon that WikiLeaks was asking for his help. It is unclear if Sabu was in reality haunted by the fact that he was now also helping to implicate Assange. Six months prior, he had believed so passionately in the WikiLeaks cause that he was willing to risk bringing his hacker name out into the public for the first time in nine years. Another possibility: the FBI was encouraging Sabu to reach out to Assange to help gather evidence on one of the most notorious offenders of classified government data in recent times. It seems probable that if Sabu had helped, for instance, extradite Assange to the United States, it would have improved his settlement dramatically.
“It’s our greatest moment,” Sabu told the crew. He and q started talking in more depth about various websites, and then Sabu sent links to two government websites and a company to the rest of the team, tasking them with finding a way to get into their networks and grab e-mails. Over the next few days, Topiary passed the job of staying in contact with WikiLeaks to Sabu, and for the next few weeks, Assange visited LulzSec’s chat network four or five more times.
Topiary left the #IceLulz IRC channel open on his laptop and kept it open. Pretty soon, though, it became just another one of the thirty other channels demanding his attention, another page of flashing red text.