LulzSec Leader's Digital Trail Led Rival Hackers and Possibly FBI to Him

The disclosure Tuesday by U.S. authorities that Sabu, the former leader of prominent hacker group LulzSec, is a 28-year-old man from New York City named Hector Xavier Monsegur, corresponds with much of the information released about him by rival hackers in the past.

Sabu had been secretly arrested by the FBI last year and has since allegedly acted as an informant for the authorities, according to court papers in the case. The whole law enforcement operation resulted in the arrest of five more alleged hackers linked to LulzSec and Anonymous.

Back in June 2011, a few weeks before LulzSec decided to disband, several rival hacker crews like TeaMp0isoN (Team Poison), lone hacktivists like th3j35t3r (The Jester) and other Internet users unhappy with the group's actions, launched a virtual war against its members.

LulzSec's enemies engaged in an activity known in the hacker community as doxing, which consists of gathering personal information about an online user and publishing it online with the goal of exposing his real identity.

One of the first information dumps targeting LulzSec members came from a group called the A-Team, and while much of that information later proved incomplete and bogus, the details about Sabu in particular appear spot on.

A-Team claimed that Sabu was a Puerto Rican man named Hector Xavier Monsegur who was living in New York. The group said that this information matched archived whois data for prvt.org, a domain name believed to be owned by Sabu whose registration record has since been anonymized.

According to the A-Team, some of the online aliases used by Sabu were 548U, hectic_les and leon, the last of which is mentioned by the authorities in Monsegur's unsealed indictment.

A separate Sabu dox report, posted by an anonymous user on Pastebin on June 21 last year, traces Monsegur's alleged online activity as far back as 2003. It claimed that he was involved in several software and security-related projects over the years under the aliases Xavier Kaotico and Xavier de Leon -- another fake identity mentioned in his indictment.

On August 17, around the time when Monsegur is said to have started working with the FBI as a cooperating witness, another Sabu doxing project was started on a blog. It listed the hacker's known email addresses, including many that contain Sabu, Xavier and Monsegur in their names.

The project concluded that Sabu lives in New York City and is a NY Giants fan, and it even included a picture of him grabbed from a MySpace profile.

Information gathered with the help of Google search and other freely available services suggests that the LulzSec leader may have been careless at the beginning of his hacking career and failed to switch to another identity when things started to get more serious.

LulzSec members left electronic fingerprints behind that made their arrest inevitable, said Rob Rachwald, director of security strategy at security firm Imperva. In one incident, a LulzSec member changed his online identity, but left clues about it on a public forum, he said.

There is very much a trail of history on hacker forums, just as there is on Facebook, and if you are loud enough through your actions, like LulzSec was, you will determine law enforcement to search for it, Rachwald said.

The security expert drew a parallel between Sabu's case and that of famous mobster John Gotti, whose similar defiance of law enforcement eventually led to his downfall.

It's somewhat curious that Sabu's accomplices didn't wonder why the hacker never got arrested despite so much information about him being exposed online, even if he did try to deny its accuracy.

It was in June of 2011, at about the same time as Sabu's arrest, that Eric Corley, publisher of quarterly hacker magazine 2600, told The Guardian that, in his opinion, one in four U.S. hackers had been turned into FBI informants. Hackers are susceptible to intimidation because of the harsh penalties involved and their inexperience with the law, he said at the time.
