Four British hackers were sentenced two weeks ago to between 20 and 32 months in jail for crimes committed during “Lulzsec’s 50 day hacking spree” in 2011. Prosecutors described the men as being at the “cutting edge of contemporary and emerging criminal offending known as cybercrime” and as “latter-day pirates.”
Four men were arrested following the Lulz Security hacking spree, and two weeks ago they were sentenced for the crimes committed. Al-Bassam, 18 years old, of Peckham, London, and Davis, 20 years old, of the Shetland Islands, entered guilty pleas to charges of conspiracy to commit DDoS attacks against targets including:
- Westboro Baptist Church,
They also pled guilty to conspiracy to hack targets including Nintendo, Sony (again), PBS, and HBGary.
For these crimes, al-Bassam was sentenced to 20 months, suspended for two years, and received 300 hours of community service.
Davis was instead sentenced to 24 months in a young offender’s institute, of which 12 months must be served. Time served on bail with an electronic tag counts towards this, leaving Davis with 38 days remaining on his sentence.
Ackroyd was sentenced to 30 months.
Cleary, 21 years old, of Wickford, Essex, pled guilty to both of these charges and to further charges for:
- constructing a massive botnet,
- making that botnet available to others,
- hacking into a Pentagon system, and
- performing DDoS attacks against DreamHost.
Cleary also entered a guilty plea to three counts of possession of indecent images of children.
Two further charges of conspiracy to commit fraud were brought against all four. The prosecution declined to present evidence for these charges, and accordingly verdicts of not guilty were entered.
Summing up, Judge Deborah Taylor said that the four “cared nothing about the privacy of others” even as they used various technical measures to protect their own identities. Though not motivated by financial gain, the four were aware that their behavior could, and did, lead to substantial or catastrophic losses for others.
The sentences were more severe than those given to hackers involved in DDoS attacks earlier this year due to the widespread dissemination of personal information that caused losses claimed to run into the tens of millions of dollars.
Historical Background of the “group”
Lulz Security, commonly abbreviated as LulzSec, was a computer hacker group that claimed responsibility for several high-profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline. One of the founders of LulzSec was a computer security specialist who used the online moniker Sabu.
The man accused of being Sabu has helped law enforcement track down other members of the organization as part of a plea deal. At least four associates of LulzSec were arrested in March 2012 as part of this investigation. British authorities had previously announced the arrests of two teenagers they allege are LulzSec members T-flow and Topiary.
Just after midnight on 26 June 2011, LulzSec released a “50 days of lulz” statement, which they claimed to be their final release, confirming that LulzSec consisted of seven members and that their website was to be shut down.
The breakup of the group was unexpected. The release included accounts and passwords from many different sources. Despite claims of retirement, the group committed another hack against newspapers owned by News Corporation on 18 July, defacing them with false reports regarding the death of Rupert Murdoch. The group helped launch Operation AntiSec, a joint effort involving LulzSec, Anonymous, and other hackers.
The prosecution also gave brief details of the four men’s arrests. Cleary was picked up first, arrested in his bedroom on the evening of June 20, 2011. At the time of his arrest his PC (running Windows) was up and running with no encryption and only a password for security. He immediately cooperated with officers, disclosing passwords and the necessary commands to tell the botnet to stop the DDoS attack on SOCA that was ongoing at the time.
It was during forensic examination of Cleary’s PC that the police found and subsequently recovered a number of deleted images of child pornography. Cleary was re-arrested on October 4 and admitted to having downloaded the images from a member-only child porn site.
Mustafa al-Bassam was second to be taken into custody. He was arrested on the afternoon of July 9, 2011—again in his bedroom. He provided police with passwords to his PC.
Next to fall was Jake Davis. The police arrested him on the afternoon of July 27. He told police about LulzSec’s organization and responsibilities: that Ryan Cleary was responsible for DDoS attacks, including the one on SOCA, and that Ryan Ackroyd and Hector Monsegur were responsible for the HBGary hacks.
Police found copies of many of the LulzSec data dumps on Davis’ computer along with credit card numbers, passwords, and other information. Davis used TrueCrypt to protect this information.
Ackroyd was the last to be brought in. He was arrested on September 1, 2011. His computer was turned on and opened to his Twitter account. Unlike the other three, however, Ackroyd was consistently uncooperative. He claimed that he knew nothing about computers, that it was his brother who was the computer expert, and that Kayla was his sister. He said he had never heard of LulzSec and had no knowledge of what IRC was. He even claimed that the Twitter account he had open at the time of his arrest was not his own. Ackroyd also took measures to protect his security, using software to delete incriminating log files each time his computer was booted.
While the other three entered guilty pleas at the earliest opportunity, in June 2012, Ackroyd insisted that he was not guilty right up until the day his trial was due to start. On April 9, 2013 he pled guilty to the hacking charge (but not the DDoS charge).