The capture of Sabu was perhaps the most spectacular fall from grace this century—at least, in the security world. He went from being the most beloved figure in the hacktivist group, Anonymous, to being its most hated.
From 2011 to 2012, Sabu was the unofficial leader of the online activist group, Anonymous. “What? How can Anonymous have a leader?”, you are thinking to yourself, especially when the group’s emblem is the headless suit, representing a leaderless organization and anonymity. But Sabu really was a leader; he was the charismatic spokesperson for Anonymous where there hadn’t been one before—and hasn’t been one since.
During Sabu’s reign, Anonymous became adept at handling the media, making effective use of Twitter to claim victory (even if they were hollow victories at best). Take, for example, the first Operation Payback—Avenge Assange during the first real WikiLeaks affair, when Julian Assange was initially detained for alleged sexual assault in Europe.
Anonymous attacked the thinly defended corporate websites of MasterCard and Visa and forced them offline. However, none of the trading networks or credit card pipeline networks were affected which, of course, would have been the real high-value asset. But screenshots of “site down” pages were taken, tweeted, and trumpeted to the media, which eagerly wrote about the fearsome prowess of Anonymous. These were the “salad days” of Anonymous, when they seemed untouchable and everywhere.
To maximize the glory, Sabu collected a smaller cadre of hacktivists from Anonymous and named it LulzSec, which became famous very quickly for a series of high-profile hacks against Fox Broadcasting Company, the Public Broadcasting System (PBS), Nintendo, the CIA.gov website, and a contracting firm, HBGary Federal. Where many people passively supported the egalitarian goals of Anonymous, they were turned off by the actions of LulzSec, which were seen as causing a great deal of collateral damage to innocent citizens.
The LulzSec attack on Sony Pictures is an illustrative example. Sony Pictures was running several prize giveaways as part of a marketing campaign. LulzSec used a basic SQL injection[1] to breach the SonyPictures.com database and grabbed the usernames, passwords, and personal profiles of over one million registered users. They then dumped the data to Pastebin. LulzSec’s justification at the time was that Sony Pictures’ security was “… disgraceful and insecure: they were asking for it.” But the justification seemed little more than braggadocio to the community. When someone asked LulzSec why they would compromise the credentials of so many innocent television watchers, they replied “we do it for lulz” (the laughs).
Well, LulzSec wasn’t going to keep laughing for long.
By that time, Sabu had achieved an almost messianic following among Anonymous, and his Twitter account, @anonymouSabu, had hundreds of thousands of followers. He was number one on the FBI’s most wanted cybercriminal list.
If that weren’t enough heat, Sabu had also attracted the attention of his complete polar opposite: the famous pro-U.S., ex-Special Ops service member and hacker known as The Jester. The Jester, too, was known for distributed denial-of-service attacks and had been spending months attacking Jihadist websites in order to drive their users into more centralized, resilient networks where they could be monitored by the various agencies that track terrorist activity. The Jester had become notorious (or celebrated) enough that the SANS Institute devoted a whole white paper to him: The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare.[2]
An epic clash brewed between Sabu and The Jester.
As an ex-military operative, The Jester loathed Sabu. The two stood at opposite sides on nearly any given topic: WikiLeaks, Anonymous, the Occupy movement, the forum 4chan, the CIA, and the Palestinian/Israeli conflict, to name just a few. One notable exception was the Westboro Baptist Church (WBC), which is known for conducting anti-gay protests at military funerals. On this group alone, Sabu and The Jester agreed, and they both attacked the WBC repeatedly.
During the first half of 2011, Sabu and The Jester tried repeatedly to uncover each other’s identity. An alleged member of LulzSec, Nakomis, even went so far as to impersonate The Jester himself on Twitter. The Jester countered by impersonating a reporter in order to gain the trust of the fake Jester, and trick Nakomis into revealing his personal details.[3]
The conflict between Sabu and The Jester reached a fever pitch at DEF CON 19, the nineteenth annual security convention in Las Vegas. Both hackers claimed to be in attendance along with the 20,000 other hackers, researchers, and undercover FBI agents. The Jester taunted Sabu to come out and meet him face-to-face.[4] Sabu replied that of course he would not; The Jester was suspected to be in collusion with, or at least sanctioned by, the U.S. government. Sabu protested that if he were to expose his own identity, even privately, to The Jester, he would be immediately pounced upon by the authorities.
I happened to be at that conference and had been monitoring the taunts via my own Twitter feed until a break on the first day when I went down to the pool at the Rio to swim and get some sun. I saw a woman in the pool with striking pink hair, and (with her permission, of course) I took her picture.
When I got back to my room, I saw this tweet from The Jester. He was challenging Sabu to come to the east pool, where he was supposedly waiting.
And a few minutes later, this tweet, along with a picture taken at the pool:
I was stunned! I had just been at the pool and taken a picture of the woman with the pink hair. You can see the same woman in a close-up of The Jester’s picture.
I might have run into The Jester himself. I tried to remember who else had been there, but no one came to mind. If The Jester really did take the picture then, clearly, he was not in it himself, but who was he? Did I blithely walk past him on my way out of the pool?
Sabu did not come out to meet The Jester, and a few months later we found out why.
David Holmes is a researcher and evangelist for F5 Networks, with emphasis on cryptography, distributed denial-of-service attacks, and the Internet of Things. He has spoken at over 50 conferences such as RSA, RSA Europe, InfoSec and Gartner Data Center. Holmes researches and writes on global cryptography trends, DDoS, IoT and blockchain. He has also written for industry magazines such as SCMagazine and Network World. Holmes writes regularly about vulnerabilities, technical solutions and the security industry for SecurityWeek.com and F5 Labs.