LulzSec Hacks

Overview

Lulzsec Hacks refers to a series of high profile cyber-attacks carried out by the computer hacking group Lulzsec (Lulz Security) beginning in May 2011. Some of the most notable targeted websites include Sony Pictures' internal database, CIA website and FBI's contractor InfraGard among others. Although the group officially announced its retirement in June 2011 and suspect members of Lulzsec have been taken into police custody, numerous related attacks have been reported by its affiliated groups since then.

Background

The group periodically releases stolen information from websites. They post the stolen data on their website in .txt files^[9], on the web app pastebin or in torrents on their page on The Pirate Bay^[10]. Releases often are posted on Fridays and thus they made a hash tag called “#fuckfbifriday” that they use to tweet with. They have been known to use Distributed Denial of Service (DDOS) attacks and SQL injections to take down websites. The group appears to be mainly motivated by political causes related to economic and social justice, but also seem to appreciate hacking for pure entertainment. (See also: #OpSony)

Notable Developments

The group periodically releases stolen information from websites. They post the stolen data on their website in .txt files^[9], on the web app pastebin or in torrents on their page on The Pirate Bay^[10]. Releases often are posted on Fridays and thus they made a hash tag called "#fuckfbifriday" that they use to tweet with.

May 5th, 2011: FOX

The earliest known hack attributed to the group began on May 5th, 2011 against Fox Broadcasting Company, which resulted in the breach of TV talent show X Factor contestants database and 73,000 applicants' personal information. On May 10th, Fox.com sales database and users' personal information was released.

We're releasing the X-Factor contestants database publicly tonight. Stay tuned. Wink, wink, double wink!

— The Lulz Boat (@LulzSec) May 6, 2011

May 27th – June 6th: SONY

Between late May and early June 2011, international media company Sony's database was attacked by hackers who took thousands of users' personal data including "names, passworsd, e-mail addresses, home addresses dates of birth." Lulzsec claimed that it used a SQL injection attack and was motivated by Sony's legal action against the original iPhone jailbreak hacker George Hotz, who revealed similar information of Sony's PlayStation 3 console in December 2010.

Hey guys, we took a cruise! Who wants to play spot the SonyMusic SQLi? #fun #fun #FUN

— The Lulz Boat (@LulzSec) May 24, 2011

The breached databases include Sony Music Japan, Sony Pictures, SonyBMG Netherlands and SonyBMG Belgium. The group claimed to have compromised over 1,000,000 accounts, though Sony claims the real figure was around 37,500. Some of the compromised information has been reportedly used in scams.

May 29th: PBS

On May 29th, 2011, LulzSec managed to compromise several PBS web properties including their official website and Twitter account. The PBS homepage was defaced with an image of Nyan Cat and the words "all your base are belong to lulzsec" referecing All Your Base Are Belong To Us. They claimed it was in response to a biased documentary about Wikileaks that had aired on an episode of PBS Frontline. They also were responsible for an article which claimed that 2Pac, a rapper who died back in 1996^[7], was still alive and was found living in New Zealand with another famous dead rapper, Biggie Smalls^[8].

June 15th: CIA

LulzSec took responsibility for taking down the United States Central Intelligence Agency website in a tweet^[1] on June 15th, 2010. According to Gawker reporter Adrian Chen^[2], the attack was meant to impress Twitter user Quadrapocdacone:

This afternoon, Quadrapodacone and Lulzsec got into a Twitter flame war, after Quadrapodacone mocked Lulzsec for taking on only "soft targets" like video game companies and PBS. (Lulzsec has since deleted its side of the conversation.)

Tango down – cia.gov – for the lulz.

— The Lulz Boat (@LulzSec) June 15, 2011

June 15th: War With 4chan

An article was posted to the website VentureBeat claiming that LulzSec was starting to attack users of the website 4chan.org, and the nebulous group referred to as "Anonymous", on June 15th, 2011.

The sparring began when LulzSec initiated a “DDoS Party,” which was a set of large-scale distributed denial of service attacks on several gaming servers and websites that brought a lot of games offline. EVE Online, League of Legends and Minecraft all faced outages or significant latency problems. That was enough to get the attention of “/v/,” an internal image sharing board on 4chan.org that focuses on video games.^[3]

June 17th: SEGA Attack Denial

On June 17th, 2011, multinational videogame developer company SEGA issued an e-mail to its online network SEGA Pass subscribers revealing that the network was breached by a group of hackers and an unknown number of subscribers' personal information were stolen, such as e-mails and date of birth:

"Over the last 24 hours we have identified that unauthorised entry was gained to our Sega Pass database," the company said. "We immediately took the appropriate action to protect our consumers' data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems."

On the next day, Lulzsec responded to the news on Twitter by denying an involvement with the attack on Sega Pass. In a tweet expressing their fancy for the aging console Dreamcast, @Lulzsec announced that they will help the company to take down whoever launched this attack in retaliation:

<a href="https://twitter.com/Sega">Sega</a> - contact us. We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.</p>&mdash; The Lulz Boat (LulzSec) June 17, 2011

June 17th: War With Anonymous Denial

On June 17th, 2011, the @LulzSec Twitter account announced that they are not at war with Anonymous, and repeated the sentiment by retweeting @YourAnonNews:

Saying we're attacking Anonymous because we taunted /b/ is like saying we're going to war with America because we stomped on a cheeseburger.

— The Lulz Boat (@LulzSec) June 17, 2011

We are NOT at war with <a href="https://twitter.com/LulzSec">LulzSec</a> <a href="https://twitter.com/search/%2523MediaFags">#MediaFags</a></p>&mdash; Anonymous (YourAnonNews) June 17, 2011

June 19th: Operation Anti-Security (#AntiSec)

On June 19th, 2011, LulzSec posted a statement on pastebin^[5] announcing that they will be teaming up Anonymous to attack government agencies.

Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word "AntiSec" on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.

June 20th: SOCA

On June 20th, 2011, LulzSec managed to take down the United Kingdom's Serious Organized Crime Agency (SOCA) website with a DDoS attack as part of Operation Anti-Security.

June 21st: Brazilian Government Websites

On June 21st, a South American branch of Lulzsec group (@LulzSecBrazil) launched DDoS attacks against the portal of Brazilian government websites and the homepage of the President under the banner of Operation Anti-sec. The denial-of-service attacks came following the announcement on June 19th of a joint operation seeking to "steal and leak any classified government information, including email spools and documentation."

Since the beginning of Operation Anti-sec, LulzSec's support base has expanded from small unknown groups to an international network of Anonymous activists and regional Lulzsec chapters in Brazil and Colombia, as well as the Iranian Cyber Army.

June 23rd: Arizona Department of Public Safety

On June 23rd, Lulzsec also released a new set dubbed "Chinga La Migra," a Spanish phrase meaning "fuck the border patrol," which reveals hundreds of private intelligence bulletins, personal information of police officers and confidential documents including training manuals and personal email correspondence. In the press release, the group cited the legislation of SB1070 (Support Our Law Enforcement and Safe Neighborhoods Act), a controversial anti-immigration law that was passed in the state of Arizona in April 2011, as their primary motive behind targeting the Department of Public Safety.

The documents classified as "law enforcement sensitive", "not for public
distribution", and "for official use only" are primarily related to border
patrol and counter-terrorism operations and describe the use of informants to
infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest
movements.

Presenting Chinga La Migra: thepiratebay.org/torrent/649079… | lulzsecurity.com/releases/ching… #AntiSec

— The Lulz Boat (@LulzSec) June 23, 2011

June 25th: LulzSec Retires

On June 25th, 2011, LulzSec released a statement on pastebin^[11] saying that after 50 days of hacking, they will be going into retirement.

50 Days of Lulz statement: pastebin.com/1znEGmHa | Torrent: thepiratebay.org/torrent/649552… Thank you, gentlemen. #LulzSec

— The Lulz Boat (@LulzSec) June 25, 2011

We are Lulz Security, and this is our final release, as today marks something meaningful to us. 50 days ago, we set sail with our humble ship on an uneasy and brutal ocean: the Internet. The hate machine, the love machine, the machine powered by many machines. We are all part of it, helping it grow, and helping it grow on us.

They later tweeted that Operation Anti-Security would be passed on completely to Anonymous:

Finally, we encourage all future #AntiSec enthusiasts to join the AnonOps IRC here: bit.ly/kXnGnn and follow <a href="https://twitter.com/AnonymousIRC">AnonymousIRC</a> for glory!</p>&mdash; The Lulz Boat (LulzSec) June 25, 2011

The farewell statements were also accompanied with about 458 MB of data from AOL, AT&T, Navy.mil, pilimited.com, and many other websites that they uploaded from their Pirate Bay account^[10].

July 13th: LulzSec Announces a "Mystery Operation"

On July 13th, 2011, LulzSec announced that once @pastebin reched 75,000 users they would embark on a mystery operation that would "cause mayhem." After their announcement, @pastebin recived about 10k followers in 6 days.^[12]

July 19th: LulzSec Hacks The Sun

On July 18th, the retired hacker group resumed its activities when they reportedly hacked the homepage of News International-owned The Sun to display a fake story about NewsCorp's CEO Rupert Murdoch's death from a drug overdose:

Media moguls body discovered

Rupert Murdoch, the controversial media mogul, has reportedly been found dead in his garden, police announce. Murdoch, aged 80, has said to have ingested a large quantity of palladium before stumbling into his famous topiary garden late last night, passing out in the early hours of the morning.

“We found the chemicals sitting beside a kitchen table, recently cooked,” one officer states. “From what we can gather, Murdoch melted and consumed large quantities of it before exiting into his garden.”

Authorities would not comment on whether this was a planned suicide, though the general consensus among locals and unnamed sources is that this is the case.

One detective elaborates. “Officers on the scene report a broken glass, a box of vintage wine, and what seems to be a family album strewn across the floor, containing images from days gone by; some containing handpainted portraits of Murdoch in his early days, donning a top hat and monocle.”

Another officer reveals that Murdoch was found slumped over a particularly large garden hedge fashioned into a galloping horse. “His favourite”, a butler, Davidson, reports.

Butler Davidson has since been taken into custody for additional questioning.

As the volume of requests exploded on the news site, the group then redirected its homepage to their Twitter account^[13]. LulzSec also confirmed its responsibility for the hack and released a number of e-mails and passwords presumably associated with The Sun employees via Twitter. The tech blog Gizmodo^[14] also reported that one of the passwords tweeted out by "Anonymousabu" belongs to the recently arrested News International chief Rebekah Brooks:

TheSun.co.uk now redirects to our twitter feed. Hello, everyone that wanted to visit The Sun! How is your day? Good? Good!

— The Lulz Boat (@LulzSec) July 18, 2011

If you visited The Sun before we did this (may God have mercy on your soul) clear your cache so the redirect works. #MurdochMeltdownMonday

— The Lulz Boat (@LulzSec) July 18, 2011

September 23rd: Proxy Information Leak

The FBI was able to find Kretsinger through activity logs they obtained from the UK proxy service Hide My Ass.^[24] In IRC chat logs published by the Guardian^[28] in June 2011, Hide My Ass, or HMA, was referred to as the proxy they were using. On September 23rd, the day after the arrests, Hide My Ass published a blog post^[25] stating that their "VPN service and VPN services in general are not designed to be used to commit illegal activity," condemning the actions that were supposedly performed by LulzSec using their services.

Several other VPN providers, including AirVPN^[26], came out against Hide My Ass's actions. AirVPN specifically noted that their company does not keep logs of their users' actions and included instructions on how to use their services without providing any type of trail. Privacy International^[27] pointed out that Hide My Ass was closely involved with helping Egyptians get access to Twitter and other government-blocked sites during the Arab Spring protests.

December 2011 Attacks

On December 3rd, 2011, the Examiner^[30] reported that LulzSec had launched several DDoS attacks against the Bank of Portugal and a number of government sites in retaliation of police violence toward protesters during demonstrations on November 24th.

On Friday, LulzSec Portugal launched a DDoS attack against the website of Banco de Portugal (Bank of Portugal), making the site inaccessible. In addition to taking down the Bank of Portugal website, LulzSec Portugal has been credited with successful attacks on numerous state services. Earlier this week, LulzSec disabled the websites of the Portugal House of Parliament, several political parties, and the national police.

On December 12th, 2011, the Examiner^[29] published an article revealing that a conservative Christian group, the Florida Family Association, was being attacked by members of both LulzSec and Anonymous.

On Monday, a hacktivist identified as ih@zcAnNONz and working under the flag of Anonymous and LulzSec issued a Pastebin release with email and IP addresses of Florida Family Association members receiving newsletters, as well as a sample of members credit card information offered as proof of the hack.

In addition, the official Florida Family Association official website went down due to a DDoS attack on December 12th.

Anonymous posted an explanation for the attacks into a Pastebin^[32] on December 11th, which claimed the attacks were in retaliation for bigotry against various groups:

Florida Family Association…
Your hatred, bigotry and fear mongering towards Gays, Lesbians and most recently
Muslim Americans has not gone unnoticed!

February 3rd: FBI and Scotland Yard Conference Call Leak

On February 3rd, 2012, a recording of an FBI conference call with Scotland Yard was uploaded to YouTube by TheDigitalfolklore.^[33] The 17-minute call caught the law enforcement officers joking around with each other and discussing the court proceedings of members of LulzSec including Kayla.

The leak of this call, which took place on January 17th, 2012, was covered by BoingBoing^[34], Talking Points Memo^[35], the Guardian^[36], and the BBC.^[37] The same day the YouTube video was uploaded, the FBI confirmed that Anonymous members had obtained an email with the time, telephone number, and access code for the call^[38] and had not hacked into any FBI facilities.

March 6th: Sabu Revealed as Snitch

On March 6th, 2012, five members of LulzSec were charged by the U.S. Department of Justice^[39] with varying computer hacking offenses related to attacks on FOX, Sony, and PBS websites in 2011. The members arrested included Ryan Ackroyd (Kayla) and Jake Davis (Topiary) of England, Darren Martyn (Pwnsauce) and Donncha O'Cearrbhail (Palladium) of Ireland, and Jeremy Hammond (Anarchaos) of Chicago, Illinois.^[53][54]

Additionally, Hector Xavier Monsegur, better known as Sabu^[48], was revealed to have pled guilty to twelve counts^[43] of hacking conspiracies on August 15th, 2011, having worked with the FBI shortly after his arrest in June 2011.^[40] As part of his plea deal, Monsegur agreed to "actively cooperate with the government,"^[41] providing federal agents with details on other suspects involved in similar cases. This information came less than 24 hours after an anti-government tweet was made on Sabu's official Twitter account.^[61]

The federal government is run by a bunch of fucking cowards. Don't give in to these people. Fight back. Stay strong.

— The Real Sabu (@anonymouSabu) March 5, 2012

Sabu's cooperation with the FBI has been rumored on several occasions. On August 17th, 2011, Sabu disappeared from Twitter^[42] after Gawker published a leaked chat log revealing his detailed knowledge regarding the arrest of Topiary. Later that month, another hacker known as Virus told Gizmodo^[46] that he believed Sabu's disappearance meant he cut a deal with the FBI. That November, was once again rumored to be an informant^[44][45], due to the servers he was using to access the Anonops IRC channel as well as the email he used to register his IRC nickname: compromise@gmail.com.

The news story was picked up by the Huffington Post^[49], Reuters^[50], TIME^[51], Forbes^[52], the Guardian^[55], Fox News^[56], the New York Times^[57], CNN Money^[58], the Wall Street Journal^[59] and BBC News.^[60] Amidst the news coverage, it was revealed that Sabu was arrested by the New York Police Department on February 3rd, 2012 for posing as a federal agent^[47] and charged with second degree criminal impersonation.

March 17th: Lulzsec Announces Return

Over a week after the FBI arrests of five additional Lulzsec-related suspects, YouTube channel FawkesSecurity posted a video titled "LulzSec Returns," claiming the anti-government hacking movement will resume on April 1st, 2012 with attacks against various government and corporate agencies.

“Much to the dismay of corrupt governments and corporations across the planet, it’s ridiculous to believe that by arresting the supreme members of LulzSec that you have stopped us.”

The announcement was picked up by tech news sites like WebPro News^[62] and ZDnet^[63] with reserved skepticism towards its validity, speculating that FawkesSecurity could be a mere copycat group seeking to piggyback on the notoriety of Lulzsec. The doubts of ulterior motives were also driven by the revelation that the arrests in early March were directly linked to Lulzsec leader Sabu's cooperation with the federal investigators.

March 26th: Military Singles Dating Site Hack

In late March 2012, a group calling itself Lulzsec Reborn claimed it had hacked MilitarySingles.com, a U.S. military dating website, and released account information of over 170,937 subscribers via Pastebin.^[64] The unauthorized release of personal data, which ranges from e-mail addressees and names to locations and IP addresses, was also announced through its Twitter account @LulzsecReborn:

"The website http://www.militarysingles.com/ was recently closed day ago or so, so we dumped email db. There are emails such as @us.army.mil; @carney.navy.mil; @greatlakes.cnet.navy.mil; @microsoft.com; etc."

MilitarySingles.com, an online dating service website for single soldiers who want to meet peer members of the service or people with shared interests in military lifestyle, is run by a firm called eSingles Inc. According to various news reports, the group gained access to the internal database on March 25th and as a proof, it tweeted a link to a defaced webpage hosted under MilitarySingles.com, which credited the breach to an anonymous hacker known as "lalalalala." The company has yet to comment publicly on the breach.

June 3rd: Lulzsec Revenge Announced

On June 3rd, 2012, YouTube channel Cocksec uploaded a video communique titled "Lulzsec: ALL YOUR BASE ARE BELONG TO US," vowing to release 3 terabytes worth of sensitive information it allegedly obtained from various governmental servers. Created in the style of Star Wars opening parody, the video also provides a short list of targeted websites includes the U.S. State Department (state.gov), U.S. Immigration and Customs Enforcement (ic.fbi.gov) and Defense Intelligence Agency (dia.mil), as well as Syrian government servers and Colombian prison servers among others that were unmentioned.

This time you won't see us coming.You'll just eat cock. That's all you will get. We're the ghosts you've created.

The video announcement of Lulzsec's comeback was immediately met by skeptical comments questioning its authenticity, perhaps due to an unsuccessful attempt at reviving the campaign in March, but the video continued to gain attention after it was endorsed by prominent Anonymous affiliates like @AnonymousIRC, @SgtSecondary and @WikiLeaks, according to the Daily Dot.^[65] As of 2:35pm (ET) on June 5th, the video accrued more than 112,000 views on YouTube.

Trial

June 21st: First Arrest

On June 21st, 2011, 19-year-old Ryan Cleary was arrested by UK police for allegedly attempting to take down a police website. According to PCWorld^[6], his arrest was related to an investigation into LulzSec's attacks:

The Metropolitan Police Central e-Crime Unit (PCeU) said the teenager was detained following an investigation into network intrusions and distributed denial-of-service (DDOS) attacks against "a number of international business and intelligence agencies by what is believed to be the same hacking group."

LulzSec denied that Ryan was a part of the hacker group, and only had minor involvement hosting one of thier irc chatrooms on his server.

Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that's it. youtube.com/watch?v=Jf7iBS…

— The Lulz Boat (@LulzSec) June 21, 2011

July 26th: Lulzsec Spokesperson "Topiary" Arrested

On July 27th, the British Metropolitan Police arrested a 19-year-old Scottish resident in the Shelter Islands on charges related to cybercrime, hacking and network intrusions. Known by his online handle Topiary, the teenager is suspected to be the spokesperson of Lulzsec and account holder of the group's Twitter account. In addition, another teenage suspect was detained and questioned by the police in Lincolnshire, England, though no arrest has been made.

Since the arrest in the morning, there has been no Twitter update posted by @Lulzsec (as of 3pm EST) and all Topiary's personal tweets via @Atopiary have been removed, with the exception of one tweet originally posted on July 21st:

You cannot arrest an idea.

— Topiary (@atopiary) July 22, 2011

Topiary Unmasked

On Monday August 1st, 2011, it was revealed that the man accused of being LulzSec member Topiary was Jake Davis, an 18-year-old from the Shetland Islands. According to The Next Web^[16], a photo was taken of him outside of his first court apperance wearing a blue shirt and black sunglasses:

The suspected LulzSec member is accused of coordinating Anonymous and LulzSec attacks from his home in Yell, on the Shetland Islands. His laptop was examined and it reportedly showed that he wrote a fake article claiming that Rupert Murdoch was dead, and such an article appeared on the Sun’s website recently when its own website was hacked. The hearing today also revealed that Davis’ computer had 750,000 people’s personal details, including private log-in information.

September 2011 Arrests

Two men reportedly sharing the handle "Kayla" were arrested by Scotland Yard on September 2nd, 2011.^[17] The two men, ages 20 and 24, were accused of taking part in the HBGary Federal attack earlier this year. The attack was spurred after the CEO, Aaron Barr, bragged about infiltrating Anonymous via faux Facebook profiles.^[18] Anonymous retaliated by hacking into Barr's personal email as well as HBGary servers, leaking thousands of confidential emails.

On September 22nd, 2011, 23 year old Cody Kretsinger, a college student in Phoenix, was apprehended by the FBI for allegedly participating in the Sony hack.^[19][20] Known as "recursion," he was charged with conspiracy and the unauthorized impairment of a protected computer.^[21] On October 17, 2011, Kretsinger entered not guilty pleas on both counts and is facing 15 years in prison.^[23]

The same day, the FBI also arrested two men in California: Christopher Doyon, known as "PLF," "Commander Adama" or "Commander X," and Joshua Covelli, known as "Absolem" or "Toxic."^[22] They were charged with conspiracy to damage a protected computer and two counts of aiding and abetting that damage. The FBI also issued search warrants for suspected Anonymous members in New Jersey, Minnesota, and Montana.

August 28th: Lulzsec Member Arrested

On August 22nd, 2012, The FBI issued a federal grand jury indictment charging a 20-year-old Arizona resident Raynaldo Rivera on counts of conspiracy and unauthorized impairment of a protected computer, specifically in regard to the breach of Sony's internal database which took place between late May to early June 2011. Nearly a week later on August 28th, the FBI unsealed the indictment papers shortly after it was reported in the news media^[67][68] and the tech blogosphere^[66] that Rivera, also known by his online handles "neuron" and "royal," had turned himself into police custody.

According to the indictment, Rivera is accused of conspiring with another suspect Cody Kretsinger, whom he went to school with at the University of Advanced Technology, to breach and obtain confidential data from Sony Pictures' computers, as well as publishing the stolen personal information on the Lulzsec website and its Twitter account. In addition, Rivera is also accused of using a proxy server in an attempt to hide his IP address and avoid detection from the authorities. If convicted on all charges, Rivera faces a statutory maximum sentence of 15 years in prison.

April 19th: Recursion's Sentencing

On April 18th, 2013, the U.S. District Court in Los Angeles sentenced Cody Andrew Kretsinger (a.k.a Recursion) to one year in federal prison and another year of home detention after his release, in addition to restitution of $605,663 in damage and 1,000 hours of community service. In April 2012, Kretsinger pleaded guilty to charges of conspiracy and unauthorized impairment of a protected computer during Lulzsec's major cyberattack against numerous databases of Sony database between May and June 2011.

May 16th: Sentencing in the UK

On May 16th, 2013, Ryan Ackroyd, Jake Davis, Ryan Cleary and Mustafa Al-Bassam were all sentenced at the conclusion of a two-day hearing at the Southwark Crown Court in London. Ackroyd, Davis and Cleary were each given prison terms of 30 months, 24 months and 32 months respectively, each required to serve at least half of the given time.^[69] Al-Bassam was given 20 months of suspension and 300 hours of community service since he was only 16 when the hacking took place.^[70] Following the sentence, Davis told the BBC (shown below) that he regretted 95% of his internet experience.^[71] He said he learned that the internet had no empathy for others, causing him to become a very cynical person. As of May 16th, Raynaldo Rivera still had to be sentenced in the U.S. District Court in Los Angeles.

Search Interest

External References