Disillusioned ex-Anonymous first outed Sabu last year

Jennifer Emick, who picketed Scientology with the group, says it took her four hours to put a real name to the well-known hacker handle.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
5 min read

The trail to the New York apartment where a hacker named "Sabu" of LulzSec and Anonymous fame was arrested last June can be traced back to a former Anonymous participant who turned against the group over its WikiLeaks activities.

Sabu, whose name is Hector Xavier Monsegur, pleaded guilty to computer hacking charges in August and spent the last six months or so working as an informant for the FBI. The undercover operation led to hacking-related charges being filed against four alleged cohorts in the U.K., Ireland, and Chicago yesterday.

Sabu was the proverbial big fish who was admired among other hackers and hailed as an online freedom fighter. And unmasking him became a favorite hobby for rivals last year. But it was Jennifer Emick, after being harassed online for criticizing Anonymous' hacking activities, who was the first to match a face and real name with the well-known hacker handle.

"It took me four hours to find Sabu," Emick told CNET today.

It was February 2011 when she and her partners at Backtrace Security compiled a list of identities they believed were tied to the hacker handles associated with the HBGary Federal hack and others. Her break with discovering Sabu's identity came to her from a friend in the group in the form of log files from an Internet Relay Chat room in which Sabu and other LulzSec members discussed the HBGary Federal compromise, she said. One of the log files contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site. That led to a YouTube video that had information that allowed Emick to eventually find Monsegur's Facebook page using a Google search.

Shortly after Backtrace Security posted the list of alleged hacker identities on the Web in March 2011, it got a call from the FBI asking it to remove the list and pass the information on to the feds, Emick said.

Backtrace Security has been following Sabu's activities and communicating with the feds since then but was not involved in the investigation enough to know that Sabu had agreed to turn over his fellow hackers. But Emick said she suspected something was up when Sabu disappeared from IRC for more than a week in June and from Twitter for almost a month.

She speculated that the FBI maintained the undercover operation long enough for Sabu to re-establish trust after his disappearance and to allow them time to gather evidence that would be needed to prosecute his colleagues.

FBI officials did not return calls seeking comment for this story. The FBI was able to warn some of the hacking group's targets and alerted 300 government and private entities globally to potential holes in their computer systems, Fox News reported. Agents even ordered Sabu to call hackers off a planned attack on the CIA's public Web site, the report says. "You're knocking over a bee's nest," he warned them. "Stop."

But it's unclear what was going on with the compromise of global intelligence firm Stratfor in December. The hackers stole 860,000 e-mail addresses and 75,000 unencrypted credit card numbers in that attack and released them on the Web.

Asked why she thinks the feds didn't or weren't able to interfere with the Stratfor hack, Emick speculated that it could have been an elaborate sting to get the hackers to show their hand, or that Stratfor "fell on its sword on purpose" because the company seemed to know about the breach the day it happened.

Stratfor provided this comment when contacted by CNET: ""Stratfor applauds the hard work of the law enforcement organizations involved in the investigation. As the matter now moves through the judicial system, we will stay focused on working to recover from the episode."

Things started getting fishy again when he Sabu "took off" about five weeks ago, Emick said, declining to reveal more specifics. Then some Austrian and German hackers became suspicious about Sabu a couple of weeks ago and set up their own server despite his entreaties that they use his server because theirs was owned by the U.S. feds, according to Emick. Then on Monday night hackers started deleting their hard drives because they knew something was up with Sabu, she said.

Many Anonymous participants are shocked and angered by the news that Sabu had turned on his compatriots. And some are probably eating crow that Emick was right about Sabu's identity after all.

"The path to the data looks like Backtrace Security," said Gregg Housh, an Internet activist and former Anonymous supporter who still observes the group. "That bothers a lot of people because none of us like them."

But Housh reserved his harshest criticism for the FBI, which he accused of relying on "very old-school tactics" in their investigations. "They take down the most vocal guy and hope that gets everyone to stop," he said. "It won't. That's not how the Internet works."

Emick seems to think the strategy works and is doing her part to help. "I've recruited like nine active informants on my on, so who knows how many there are really," she said.

She used to be part of Anonymous herself, back in 2008 and 2009, specifically for the group's Church of Scientology protests. "We went to Scientology pickets," she said. "It was a part of the group that was funny and tongue-in-cheek. At the time there was not hacktivism...It was a generally law-abiding thing. You had to be because it was a religious cult that would take you to court."

But Emick, who was writing about religion for About.com at the time, got disillusioned with Anonymous when the group began aligning itself with WikiLeaks and hacking into networks. "I was being naive at the time," she said. "I was asking, 'why are people who built their reputations on credit card fraud hanging out?' At the time I thought script kiddies and hackers in the soup, and they have access to peoples' details! This is not good."

She says to expect more arrests.

"There's going to be more to the story," she said. "There's stuff I can't talk about right now. People come to me and probably some people came out on their own and they'll be OK. A lot of these people who got involved are kids who didn't know what they got into."

Updated 8:15 a.m. PT to include Stratfor comment