
Doxed: how Sabu was outed by former Anons long before his arrest


When the FBI arrested LulzSec leader Hector "Sabu" Monsegur, they did so in a hurry—hours before the arrest, Sabu was doxed, his identity posted to the Internet. With his name public, federal agents feared that he would start destroying evidence to protect himself, so they ended their covert surveillance and moved in, according to Fox News.

Efforts to name and shame the LulzSec crew during its 50-day rampage were common. Many of these doxings were inaccurate, a result of faulty inferences or deliberate attempts to mislead on the part of the LulzSec hackers.

But not all were wrong. In fact, the game of doxing Sabu was over before it had even started. He was correctly doxed more than two months before his arrest—in fact, more than a month before LulzSec had even started publicly operating.

This first doxing happened after a group of former Anonymous members, displeased at the moralizing direction that Anonymous had taken and at Sabu's leadership role, decided to take action. Speaking to Gawker almost one year ago, the dissident group calling itself Backtrace Security announced that it was going to post chat transcripts and information about the identities of Anonymous members.

Several days later, it followed through on its promise, releasing IRC logs called "consequences.pdf" (MD5 checksum: a4084efa1713447d295919b4670769da) and a file called "namshub.pdf" (MD5 checksum: 042a645a1bf4cdfb433887424455234e) that showed a spreadsheet of online names, real names, locations, and other evidence about Anonymous members. (The files have now been pulled, allegedly at the "request of the Federal Bureau of Investigation.")

While at least some of the information in namshub.pdf is incorrect—subsequent arrests have established the real identities of Topiary and Kayla, and they don't match Backtrace's claims—one name stands out. Sabu is identified as "Hector Xavier Montsegur." This is slightly misspelled, but it's the right name nonetheless. The document also claimed, correctly, that Sabu lives on New York City's Lower East Side.

The PDFs garnered some attention at the time—they even resulted in Backtrace Security being doxed—but apparently not enough attention to force the FBI's hand.

Backtrace then decided to out Sabu again. Early in the evening of June 7, the day of Sabu's arrest, the Twitter account belonging to Backtrace Security wrote: "Hector Xavier Montsegur -aka Xavier de Leon - aka (Sabu)." The same misspelling, but the same correct name.

Doxings continued even after Sabu's arrest and eventual co-operation with the FBI. These subsequent attempts retained the hit-and-miss pattern of Backtrace's "namshub" document. Sabu was variously claimed to be Hector Monsegur, Hector Montsegur, and "Hugo Carvalho."

The bad information in the doxings had many convinced, however. After Jake "Topiary" Davis was arrested in the UK, some outlets even claimed that the police had got it wrong and that the person arrested couldn't be Topiary, because the dox (from Backtrace and others) fingered him as a Swede.

As for how Sabu was identified? Fox reports that the FBI depended on a mistake by Sabu: he accidentally joined an Anonymous IRC server from his own IP address rather than connecting via anonymizing service Tor. Backtrace might have similarly depended on this mistake.

But some of the doxers went a different route. Sabu occasionally mentioned ownership of a domain called prvt.org in his chats, including those in Backtrace's "consequences" document. Every domain registration is associated with corresponding information in the WHOIS database. This information is supposed to include the name and address of the domain's owner.

Often this information is incorrect (most domain registrars do nothing to validate it) or anonymized (many firms offer "proxy" domain registration, so the WHOIS database contains the details of the proxy registrar, rather than the person using the domain). Monsegur appeared to use one of these anonymizing services, Go Daddy subsidiary Domains By Proxy, for registering the prvt.org domain.

The registration for the domain was due to expire on June 25, 2011, requiring Monsegur to renew it. But for some reason—error on Monsegur's part perhaps, or screw-up by the registrar—the renewal was processed not by Domains By Proxy but by its parent, Go Daddy. Unlike Domains By Proxy, Go Daddy uses real information when it updates the WHOIS database, so on June 24 (the day before it was due to expire), Monsegur's name, address, and telephone number were all publicly attached to his domain name.
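As an added illustration of the failure mode just described (not code from the article or from any registrar), here is a check a domain owner could run after a renewal to confirm that the privacy proxy is still in front of their registrant details. The two WHOIS records are constructed samples, and the list of proxy organisations is an assumption beyond the one service the article names.

```python
import re
from typing import Dict, List

# Registrant fields that identify a person when no privacy proxy is in place.
PII_FIELDS = ("Registrant Name", "Registrant Street", "Registrant Phone", "Registrant Email")

# Organisations whose presence in the registrant record marks a proxy registration.
# "Domains By Proxy" is the service named in the article; extend this list with
# whichever service you actually use (assumption, not an exhaustive list).
PROXY_ORGS = ("domains by proxy",)

def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Key: value' lines of a WHOIS response into a dict; empty values are dropped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def is_proxied(fields: Dict[str, str]) -> bool:
    """True when the registrant organisation is a known privacy-proxy service."""
    org = fields.get("Registrant Organization", "").lower()
    return any(p in org for p in PROXY_ORGS)

def pii_exposed(record: str) -> List[str]:
    """Return the identifying fields that are publicly visible in a non-proxied record."""
    fields = parse_whois(record)
    return [] if is_proxied(fields) else [k for k in PII_FIELDS if k in fields]

def privacy_regressed(before: str, after: str) -> bool:
    """True when a record that was proxied is no longer proxied, e.g. after a renewal."""
    return is_proxied(parse_whois(before)) and not is_proxied(parse_whois(after))

# Constructed sample records: a proxied registration and the same domain after a
# renewal that replaced the proxy's details with the owner's (placeholder values).
BEFORE = """Domain Name: EXAMPLE.ORG
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: [redacted for privacy]
Registrant Phone: +1.0000000000
Registrant Email: example.org@proxy.invalid
"""
AFTER = """Domain Name: EXAMPLE.ORG
Registrant Name: Jane Placeholder
Registrant Organization:
Registrant Street: 123 Example Street
Registrant Phone: +1.5550100
Registrant Email: jane@example.org
"""
```

Running `pii_exposed(AFTER)` lists all four identifying fields, while `privacy_regressed(BEFORE, AFTER)` flags the renewal as the point where the proxy was lost.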

Sabu's full name and address in the public WHOIS database. Whoops.

Monsegur quickly remedied the mistake, changing the WHOIS registration to use various other identities—first to that of Adrian Lamo (who reported Bradley Manning to authorities) and then to "Rafael Lima" and subsequently to "Christian Biermann". This attempt to mislead those relying on the WHOIS information successfully misled some would-be doxers. But not all: by August there were extensive dossiers on Sabu's true identity.

Ultimately, the doxers and Backtrace Security did more than just name Sabu; they also fingered him as co-operating with the FBI. Whether by luck or judgement, Sabu detractors regularly accused him of working for law enforcement. Turns out they were right about that, too.

What could he possibly have to tell people?

Listing image: illustration by Aurich Lawson
