Three British members of the notorious LulzSec hacktivist crew and a hacker affiliate were sentenced today for a series of attacks against targets including Sony, News International, the CIA and the UK's Serious Organised Crime Agency. The youngest of the four accused avoided jail with a suspended sentence while the other three were jailed for terms ranging from 24 to 32 months.
Jake Davis, 19, of Lerwick, Shetland; Ryan Ackroyd, 26, of Mexborough, Doncaster; and Mustafa Al-Bassam, 18, from Peckham, south London all previously admitted involvement in computer hacking attacks. All three were core members of LulzSec while Ryan Cleary, 21, of Wickford, Essex, supplied a botnet of around 100,000 compromised computers that acted as a platform to blitz targeted websites with junk traffic, crashing many sites in the process.
The hackers ran distributed denial of service (DDoS) attacks against the Arizona State Police, 20th Century Fox, HBGary Federal, Bethesda, Eve Online, Nintendo, SOCA and others as part of operations run by various hacking groups including Anonymous and LulzSec.
Cleary (aka Viral) admitted hacking into systems at the Pentagon. He has been indicted in the US and faces possible extradition proceedings. Davis has also been indicted in the US.
Not all members of the group were involved in all the attacks, some of which went far beyond simple packet flooding. Judge Deborah Taylor sentenced the men after considering mitigating factors highlighted by their lawyers over the course of a two day hearing.
In sentencing, Judge Taylor said the group's offences were "planned and persistent".
"The losses were substantial even if your motivation was not financial," she said.
Ackroyd, a former soldier who adopted the online persona of a 16-year-old girl called Kayla to rub salt into the wounds of victims, admitted stealing data from Sony. He also confessed to playing a key role in a malicious prank back in July 2011 involving redirecting visitors to The Sun newspaper's website to a fictitious story about News Corp chairman Rupert Murdoch committing suicide.
Ackroyd taught himself computer programming as a means to gain an edge in the games he was playing online. Among his roles in LulzSec was to seek vulnerabilities on websites. He was jailed for 30 months.
Al-Bassam (aka T-Flow), who was still at school at the time of the attacks, also sought out vulnerable websites that the hacking crew could target. His barrister said that he wanted to go on to study computer science at university. Al-Bassam avoided jail with a 20 month sentence but will still be punished by having to complete a 300 hour community service order.
Davis (aka Topiary) acted as LulzSec's main publicist as well as playing a role in co-ordinating its activities. He was sentenced to 24 months in a prison for young offenders.
The court heard that Cleary made up to £2,500 a month selling access to his zombie computer network to hackers. The Asperger's Syndrome sufferer built up a botnet of 100,000 compromised PCs over a period of five years.
Cleary was jailed for 32 months for the computer hacking offences.
In some instances the group lifted sensitive personal data from compromised websites, London's Southwark Crown Court heard.
Data leaks, including personal details of 74,000 people who had registered to appear on X-Factor, were made available as torrents and publicised through file-sharing sites such as the Pirate Bay. The gang obtained the data after hacking into US network Fox in May 2011.
LulzSec stole 24.6 million customers' private records during an attack on Sony. The entertainment giant was forced to take its PlayStation Network offline for weeks in the wake of the mega-breach, which ultimately cost it an estimated $20 million.
"This is not about young immature men messing about," prosecutor Sandip Patel told the court at the start of the mens' sentencing hearing, Reuters reports. "They are at the cutting edge of a contemporary and emerging species of international criminal offending known as cyber crime."
"LulzSec saw themselves as latter-day pirates," Patel said, adding that the group were motivated by "anarchic self-amusement".
LulzSec – or the Lulz Security hacking collective – started off as an offshoot from the Anonymous hacking collective in 2011. It went on claim a large number of attacks during a 50 day hacking spree in the summer of 2011. Most of its targets were entertainment firms opposing file sharing and law enforcement or intelligence agencies. LulzSec ran a Twitter hashtag called "Fuck FBI Friday" that boasted of its latest assaults.
The alleged ringleader of LulzSec, Hector Xavier Monsegur - known online as "Sabu" - turned FBI snitch following his arrest in June 2011 and helped to identify other members of the group. Monsegur's sentencing hearing has repeatedly been delayed. ®