LulzSec case in U.K. brings sentences for 4 men

LONDON -- Four members of the LulzSec hacking group were sentenced in court Thursday after pleading guilty to various computer hacking-related charges.

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, were all sentenced together with Ryan Cleary, 21, over a two-day hearing at Southwark Crown Court, London.

Each member of the LulzSec hacktivist group admitted to various hacking charges, including taking down corporate and government Web sites between February and September 2011.

Presiding Judge Deborah Taylor sentenced Ackroyd to 30 months -- serving half -- and Davis 24 months in a Young Offenders institution, serving at least 12 months. Bassam received a suspended sentence of 20 months, and Cleary was ordered to serve half of a 32-month sentence.

Judge Taylor commented:

"You sought to amuse yourselves and wreaked destruction and havoc. You cared nothing about the privacy of others, but kept your own identities hidden." 

Former soldier Ackroyd, who had used the alias of a 16-year-old girl named "Kayla," admitted hacking into a number of Web sites in 2011, including those of Sony, Nintendo, News Corp. and the Arizona State Police. The 26-year-old sat across from his lawyer with a pensive, wide-eyed look, as he was branded the "most sophisticated" defendant, and responsible for researching vulnerabilities and exploits as well as executing hacks.

The prosecution said that Sony suffered $20 million in damages, and revenue loss due to the security breach is "incalculable." An estimated 24.6 million customer accounts were compromised.

Davis and Bassam pleaded guilty to counts of conspiring to access and impair a computer without authorization, including launching attacks against the CIA and the U.K.'s Serious Organized Crime Agency (SOCA).

Dressed in a sweatshirt and jeans, he could not be more of a contrast to Bassam; suited and booted with a serious but resigned look on his face. Davis, the last to arrive, chewed gum and appeared relatively unconcerned.

As the day wore on, however, the strain showed in the eyes of each member of the hacktivist group as they sat behind a glass wall and watched their fates being bargained for. 

According to the prosecution, Davis was responsible for releasing press statements, controlling the LulzSec Twitter feed and defacing Web site pages.

Bassam was said to have controlled the group's Web site, published stolen information to sites including Pastebin and helped with stolen data distribution -- including through the use of BitTorrent technology and mirror websites. In addition, the LulzSec member allegedly researched computer system vulnerabilities ripe for exploitation.

The case against Cleary
Cleary, otherwise known by his Internet alias "Viral," pleaded guilty to the same hacking charges, in addition to counts of supplying articles with intent to impair computer systems and breaking into U.S. Air Force systems. Cleary spent over five years building a sophisticated botnet -- with a minimum of 100,000 computers at its disposal at any one time -- which in turn was used for both Anonymous and LulzSec campaigns.

Aside from hacking charges, an additional indictment against Ryan Cleary was delayed due to a court miscommunication. After the seizure of Cleary's computer and and subsequent recovery of deleted files, the hacker was charged with downloading and possessing indecent images of children following a second arrest on October 4, 2012.

Under the U.K. COPINE scale -- a measure of the severity of images -- the images in question were classified as child "erotica" and deliberate sexual posing. 46 images showed children aged between six and 18 months, whereas others included children aged between ten and 15 years.

The defense team said that Cleary is not a "professional pervert" or sexually obsessed, but rather was obsessed with finding data and using his computer -- a reason laid at the door of his client's Asperger's syndrome. 

A lack of information in psychological reports and pre-hearing files meant that Cleary, who admitted to downloading the images, will not be sentenced this week. 

A number of Web site intrusions were based on vulnerabilities found within the Internet Explorer browser, and Web sites with high traffic levels were targeted. The 21-year-old maintained that his botnet was only "rented out" 10 or so times for monetary gain -- and raised only 2,000 pounds ($3,040 in total -- whereas the prosecution stated it did not believe this was truly the case.

In addition, Cleary's lawyers argued that although he gave botnet access to Anonymous, there is no evidence that he directed or controlled it -- therefore Cleary was guilty of supply rather than actual hacking.

Gideon Cammerman argued that using a botnet was "not brain surgery." Although the result was a sophisticated website take-down attack, the defense attorney wanted the judge to keep in mind that in the case of the SOCA Web site, there was no evidence to suggest the site was infiltrated -- it was only taken offline for a short time.

Outside of the courtroom, Cammerman called the LulzSec hackers "a group of talented young boys who hacked particular things for particular reasons."

In contrast, prosecutor Sandip Patel accused the LulzSec members of launching "sophisticated, orchestrated attacks," which caused firms and individuals "millions of pounds' worth" of damage, coupled with the "dire, personal consequences" suffered by individual victims.

Cammerman said the hacktivists were "politically motivated and morally complicated," which made for a complex case. In this manner, both prosecution and defense agreed, as Patel stated in the hearing: "This is not about young, immature men behaving badly."

U.S. extradition?
An indictment based on two counts of encouraging and assisting in an offense were "not in the public interest to pursue." However, as the U.S. has also issued the same indictment, prosecution had to confirm that currently there has been "no formal request for extradition." Davis' defense team said that "there is an appetite for this type of prosecution in the United States," and it is not a risk the 20-year-old should be exposed to.

As they were individually led away, Bassam looked relieved, whereas the members of the Anonymous splinter group had resigned expressions. 

Cammerman said outside of the courtroom that some of the victims were "thoroughly deserving" of what happened to them.

LulzSec exploded on the hacking scene in 2011 after targeting Sony Pictures Entertainment, which led to the taking down of the PlayStation network. LulzSec member Cody Kretsinger, 25, was arrested in relation to the initial cyberattack and was prosecuted in a Los Angeles court last month.

Kretsinger, also known as "Recursion," admitted to one count each of conspiracy and unauthorized impairment of a protected computer as part of a plea bargain, and was ordered to spend one year behind bars and to perform 1,000 hours of community service.

LulzSec was politically motivated in the beginning; launching the first "cyberwar" in tandem with Anonymous in retaliation to officials' attempts to shut down WikiLeaks. Target choices then began to move away from purely the political, and the Church of Scientology, Westboro Baptist Church, and banking systems found themselves under attack.

However, the "hacktivisit" group was compromised when de facto former leader Hector Monsegur -- otherwise known as "Sabu" -- turned mole after his own arrest and spent nine months passing information on to U.S. officials.

The hacker-turned-spy's information led to the arrests of alleged members of LulzSec and Anonymous in March 2012.

The ruling follows the arrest of the self-proclaimed "leader" of LulzSec in Australia. Matthew Flannery, 24, who allegedly used the name "Aush0k" in hacking activities, was charged for hacking into two computers after being apprehended in coastal town Point Clare.

During the first day of the hearing, Ackroyd wanted closure. His lawyer, John Cooper, counseled that the issue probably wouldn't be over that day; to which the 26-year-old replied, "They won't be done with me for a long time."

No matter the age, the U.K. justice system is unlikely to be "done" with cybercriminals anytime soon.