Begin ReadingTable of ContentsCopyright Page

In accordance with the U.S. Copyright Act of 1976,the scanning, uploading, and electronic sharing of any

part of this book without the permission of thepublisher constitute unlawful piracy and theft of the

author’s intellectual property. If you would like to usematerial from the book (other than for review

purposes), prior written permission must be obtained by

contacting the publisher at permissions@hbgusa.com.Thank you for your support of the author’s rights.

For Avó

Before you read thisbook

Names

Most of the real names and onlinenicknames used in this book are real, buta few are not. All fabricated names inthis book relate to “William,” a youngman living in the UK whose nightlyattempts to prank and harass people giveus a peek into the world of 4chan’s mostpopular discussion board, /b/. His name

and the names of his victims have beenchanged.

Sourcing

Most of the information and anecdotes inthis book are sourced directly frominterviews with those who played keyroles in the story, such as Hector “Sabu”Monsegur and Jake “Topiary” Davis.However, hackers are known tooccasionally share nicknames to helpobfuscate their identities or even flat-outlie. As such I have attempted tocorroborate people’s stories as much astime has allowed. When it comes topersonal anecdotes—Sabu’s stop-and-

search experience with the NYPD, forexample—I have indicated that this isthe hacker’s own testimony. In my yearof gathering research for this book,certain hackers have proved themselvesmore trustworthy than others, and I havealso leaned toward the testimony ofsources I deem most reliable. Notes onthe sourcing of key pieces ofinformation, media reports, and statisticsare found at the back of this book.

Spelling

To help maintain story momentum, I

have cleaned up spelling and somegrammar for quotes that were sourced

from chat logs and have been used fordialogue between characters. In caseswhere I have interviewed people onInternet Relay Chat, I have also cleanedup spelling; however, if a sourceskipped a word or two, I have framedbrackets [ ] around the implied words.

People

A few of the people featured in this bookare figureheads in Anonymous, but theyare not representative of Anonymous asa whole. It is worth saying that again:they are not representative ofAnonymous as a whole. Some keycharacters, like William or Sabu, have

volatile personalities, and in hearingtheir extraordinary stories, you, thereader, will come to learn about socialengineering, hacking, account cracking,and the rise of the online disruptorperhaps more engagingly than if you readabout these techniques alone. There aremany people in Anonymous who are notthe subject of police investigations likethe ones featured in this book, and theyalso seek to uphold genuine standards oflegality and political activism. For otherperspectives on Anonymous, keep an eyeout for work by Gabriella Coleman, anacademic who has been followingAnonymous for several years, and abook on Anonymous by Gregg Houshand Barrett Brown, due out in 2012. The

documentary We Are Legion by BrianKnappenberger also gives more focus tothe political activism of Anonymous.

Part 1

We Are Anonymous

Chapter 1

The Raid

Across America on February 6, 2011,millions of people were settling intotheir couches, splitting open bags ofnachos, and spilling beer into plasticcups in preparation for the year’s biggestsporting event. On that Super BowlSunday, during which the Green BayPackers conquered the PittsburghSteelers, a digital security executivenamed Aaron Barr watched helplesslyas seven people whom he’d never metturned his world upside down. SuperBowl Sunday was the day he came face-to-face with Anonymous.

By the end of that weekend, the wordAnonymous had new ownership.Augmenting the dictionary definition ofbeing something with no identifiablename, it seemed to be a nebulous,sinister group of hackers hell-bent onattacking enemies of free information,including individuals like Barr, ahusband and a father of twins who hadmade the mistake of trying to figure outwho Anonymous really was.

The real turning point was lunchtime,with six hours to go until the Super Bowlkickoff. As Barr sat on the living roomcouch in his home in the suburbs ofWashington, D.C., dressed comfortablyfor the day in a t-shirt and jeans, henoticed that his iPhone hadn’t buzzed in

his pocket for the last half hour.Normally it alerted him to an e-mailevery fifteen minutes. When he fished thephone out of his pocket and pressed abutton to refresh his mail, a dark bluewindow popped up. It showed threewords that would change his life: CannotGet Mail. The e-mail client then askedhim to verify the right password for hise-mail. Barr went into the phone’saccount settings and carefully typed it in:“kibafo33.” It didn’t work. His e-mailsweren’t coming through.

He looked down at the small screenblankly. Slowly, a tickling anxietycrawled up his back as he realized whatthis meant. Since chatting with a hackerfrom Anonymous called Topiary a few

hours ago, he had thought he was in theclear. Now he knew that someone hadhacked his HBGary Federal account,possibly accessing tens of thousands ofinternal e-mails, then locked him out.This meant that someone, somewhere,had seen nondisclosure agreements andsensitive documents that could implicatea multinational bank, a respected U.S.government agency, and his owncompany.

One by one, memories of specificclassified documents and messagessurfaced in his mind, each heralding anew wave of sickening dread. Barrdashed up the stairs to his home officeand sat down in front of his laptop. Hetried logging on to his Facebook account

to speak to a hacker he knew, someonewho might be able to help him. But thatnetwork, with his few hundred friends,was blocked. He tried his Twitteraccount, which had a few hundredfollowers. Nothing. Then Yahoo. Thesame. He’d been locked out of almostevery one of his Web accounts, even theonline role-playing game World ofWarcraft. Barr silently kicked himselffor using the same password on everyaccount. He glanced over at his WiFirouter and saw frantic flashing lights.Now people were trying to overload itwith traffic, trying to jam their wayfurther into his home network.

He reached over and unplugged it.The flashing lights went dead.

Aaron Barr was a military man. Broadshouldered, with jet-black hair andheavy eyebrows that suggested distantMediterranean ancestors, he had signedup for the U.S. Navy after taking twosemesters of college and realizing itwasn’t for him. He soon became aSIGINT, or signals intelligence, officer,specializing in a rare assignment,analytics. Barr was sent abroad asneeded: four years in Japan, three inSpain, and secondments all over Europe,from Ukraine to Portugal to Italy. Hewas stationed on amphibious warshipsand got shot at on land in Kosovo. Theexperience made him resent the way wardesensitized soldiers to human life.

After twelve years in the navy hepicked up a job at defense contractorNorthrop Grumann and settled down tostart a family, covering over his navytattoos and becoming a company man.He got a break in November 2009 whena security consultant named GregHoglund asked Barr if he wanted to helphim start a new company. Hoglund wasalready running a digital securitycompany called HBGary Inc., and,knowing Barr’s military background andexpertise in cryptography, he wantedhim to start a sister company that wouldspecialize in selling services to theUnited States government. It would becalled HBGary Federal, and HBGaryInc. would own 10 percent. Barr jumped

at the chance to be his own boss and seemore of his wife and two young childrenby working from home.

He relished the job at first. InDecember 2009, he couldn’t sleep forthree nights in a row because his mindwas racing with ideas about newcontracts. He’d get on his computer at1:30 a.m. and e-mail Hoglund with someof his thoughts. Less than a year later,though, none of Barr’s ideas wasbringing in any money. Barr wasdesperate for contracts, and he waskeeping the tiny company of threeemployees afloat by running “socialmedia training” for executives, bringingin twenty-five thousand dollars at a time.These were not lessons in how to

maintain friendships on Facebook but inhow to use social networking sites likeFacebook, LinkedIn, and Twitter togather information on people—as spyingtools.

In October 2010, salvation finallycame. Barr started talking to Hunton &Williams, a law firm whose clients—among them the U.S. Chamber ofCommerce and Bank of America—needed help dealing with opponents.WikiLeaks, for example, had recentlyhinted at a trove of confidential data itwas holding from Bank of America. Barrand two other security firms madePowerPoint presentations that proposed,among other things, disinformationcampaigns to discredit WikiLeaks-

supporting journalists and cyber attackson the WikiLeaks website. He dug outhis fake Facebook profiles and showedhow he might spy on the opponents,“friending” Hunton & Williams’s ownstaff and gathering intelligence on theirpersonal lives. The law firm appearedinterested, but there were still nocontracts come January 2011, andHBGary Federal needed money.

Then Barr had an idea. A conferencein San Francisco for securityprofessionals called B-Sides wascoming up. If he gave a speech revealinghow his social media snooping haduncovered information on a mysterioussubject, he’d get newfound credibilityand maybe even those contracts.

Barr decided that there was no bettertarget than Anonymous. About a monthprior, in December 2010, the newsmedia exploded with reports that a largeand mysterious group of hackers hadstarted attacking the websites ofMasterCard, PayPal, and Visa inretaliation for their having cut funding toWikiLeaks. WikiLeaks had just releaseda cache of thousands of secretdiplomatic cables, and its founder andeditor in chief, Julian Assange, had beenarrested in the U.K., ostensibly forsexual misconduct.

Hackers was a famously impreciseword. It could mean enthusiasticprogrammer, it could mean cybercriminal. But people in Anonymous, or

Anons, were often dubbed hacktivists—hackers with an activist message. Fromwhat anyone could tell, they believed allinformation should be free, and theymight just hit your website if youdisagreed. They claimed to have nostructure or leaders. They claimed theyweren’t a group but “everything andnothing.” The closest descriptionseemed to be “brand” or “collective.”Their few rules were reminiscent of themovi e Fight Club: don’t talk aboutAnonymous, never reveal your trueidentity, and don’t attack the media,since they could be purveyors of amessage. Naturally, anonymity made iteasier to do the odd illegal thing, breakinto servers, steal a company’s customer

data, or take a website offline and thendeface it. Stuff that could saddle youwith a ten-year prison term. But theAnons didn’t seem to care. There wasstrength and protection in numbers afterall, and they posted their ominous taglineon blogs, hacked websites, or whereverthey could:

We are AnonymousWe are LegionWe do not forgiveWe do not forgetExpect us.

Their digital flyers and messagesfeatured a logo of a headless, suited mansurrounded by U.N.-style peacebranches, supposedly based on the

surrealist painting of a man with abowler hat and apple by René Magritte.Often it included the leering mask of GuyFawkes, the London revolutionaryembellished in the movie V for Vendettaand now the symbol of a faceless rebelhorde. Anonymous was impossible toquantify, but this wasn’t just dozens oreven hundreds of people. Thousandsfrom all over the world had visited itsmain chat rooms in December 2010 totake part in its attacks on PayPal, andthousands regularly visited Anonymous-related blogs and new sites likeAnonNews.org. Everyone in the cybersecurity field was talking aboutAnonymous, but no one seemed to knowwho these people were.

Barr was intrigued. He had watchedthe world’s attention to this mysteriousgroup grow and seen reports of dozensof raids and arrests in the United Statesand Europe. Yet no one had beenconvicted, and the group’s leaders hadnot been tracked down. Barr believed hecould do better than the Federal Bureauof Investigation—maybe help the FBI,too—with his social media snoopingexpertise. Going after Anonymous wasrisky, but he figured if the collectiveturned on him, the worst they could dowas take down the website of HBGaryFederal for a few hours—a couple ofdays, tops.

He had started by lurking in the onlinechat rooms where Anonymous

supporters congregated and creating anickname for himself, first AnonCog,then CogAnon. He blended in, using thegroup’s lingo and pretending to be ayoung new recruit eager to bring down acompany or two. On the side, he’dquietly note the nicknames of others inthe chat room. There were hundreds, buthe paid attention to the frequent visitorsand those who got the most attention.When these people left the chat room,he’d note the time, too. Then he’d switchto Facebook. Barr had created severalfake Facebook personas by now and had“friended” dozens of real-world peoplewho openly claimed to supportAnonymous. If one of those friendssuddenly became active on Facebook

soon after a nickname had exited theAnonymous chat room, Barr figured hehad a match.

By late January, he was putting thefinishing touches on a twenty-pagedocument of names, descriptions, andcontact information for suspectedAnonymous supporters and leaders. OnJanuary 22, 2011, Barr sent an e-mail toHoglund and HBGary Inc. co-presidentPenny Leavy (who was also Hoglund’swife) and Barr’s second in command,Ted Vera, about his now forthcomingtalk at B-Sides on Anonymous. The bigbenefit of the talk would be the pressattention. He would also tell a fewpeople in Anonymous, under a falsepersona, about the research of a “so-

called cyber security expert” namedAaron Barr..

“This will generate a big discussionin Anonymous chat channels, which areattended by the press,” Barr toldHoglund and Leavy. Ergo, more pressabout the talk. “But,” he added, “it willalso make us a target. Thoughts?”

Hoglund’s reply was brief: “Well, Idon’t really want to get DDoS’d, soassuming we do get DDoS’d then what?How do we make lemonade from that?”Hoglund was refering to a distributeddenial of service attack, whichdescribed what happened when amultitude of computers werecoordinated to overwhelm a site with somuch data that it was temporarily

knocked offline. It was Anonymous’smost popular form of attack. It was likepunching someone in the eye. It lookedbad and it hurt, but it didn’t kill you.

Barr decided the best thing to do wasreach out directly to the press before histalk. He contacted Joseph Menn, a SanFrancisco–based reporter for theFinancial Times, offering an interviewabout how his data could lead to morearrests of “major players” inAnonymous. He gave Menn a taste of hisfindings: of the several hundredparticipants in Anonymous cyber attacks,only about thirty were steadily active,and just ten senior people managed mostof the decisions. Barr’s comments andthe story of his investigation suggested

for the first time that Anonymous was ahierarchy and not as “anonymous” as itthought. The paper ran the story onFriday, February 4, with the headline“Cyberactivists Warned of Arrest,” andquoted Barr.

Barr got a small thrill from seeing thepublished article and e-mailed Hoglundand Leavy with the subject line, “Storyis really taking shape.”

“We should post this on the frontpage, throw out some tweets,” Hoglundreplied. “‘HBGary Federal sets a newbar as private intelligence agency.’ Thepun on bar is intended lol.”

By the end of Friday, detectives fromthe FBI’s e-crime division had read thearticle and contacted Barr asking if he

wouldn’t mind sharing his information.He agreed to meet them Monday, the dayafter the Super Bowl. At around thesame time, a small group of hackers withAnonymous had read the story, too.

They were three people, in threedifferent parts of the world, and they hadbeen invited into an online chat room.Their online nicknames were Topiary,Sabu, and Kayla, and at least two ofthem, Sabu and Topiary, were meetingfor the first time. The person who hadinvited them went by the nicknameTflow, and he was also in the room. Noone here knew anyone else’s real name,age, sex, or location. Two of them,Topiary and Sabu, had only been using

their nicknames on public chat rooms forthe last month or two. They knewsnippets of gossip about one another,and that each believed in Anonymous.That was the gist of it.

The chat room was locked, meaningno one could enter unless invited.Conversation was stilted at first, butwithin a few minutes everyone wastalking. Personalities started to emerge.Sabu was assertive and brash, and heused slang like yo and my brother. Noneof the others in the room knew this, buthe was a born-and-bred New Yorker ofPuerto Rican descent. He had learned tohack computers as a teenager, subvertinghis family’s dial-up connection so theycould get Internet access for free, then

learning more tricks on hacker forums inthe late 1990s. Around 2001, thenickname Sabu had gone underground;now, almost a decade later, it was back.Sabu was the heavyweight veteran of thegroup.

Kayla was childlike and friendly butfiercely smart. She claimed to be femaleand, if asked, sixteen years old. Manyassumed this was a lie. While therewere plenty of young hackers inAnonymous, and plenty of femalesupporters of Anonymous, there werevery few young hackers who werefemale. Still, if it was a lie, it waselaborate. She was chatty and gave awayplenty of colorful information about herpersonal life: she had a job in her salon,

babysat for extra money, and tookvacations in Spain. She even claimedKayla was her real name, kept as a “fuckyou” to anyone who dared try to identifyher. Paradoxically, she was obsessiveabout her computer’s privacy. She nevertyped her real name into her netbook incase it got key-logged, had no physicalhard drive, and would boot up from atiny microSD card that she could quicklyswallow if the police ever came to herdoor. Rumor even had it that she’dstabbed her webcam with a knife oneday, just in case someone took over herPC and filmed her unaware.

Topiary was the least skilled of thegroup when it came to hacking, but hehad another talent to make up for it: his

wit. Cocksure and often brimming withideas, Topiary used his silver tongueand an unusual knack for publicpromotion to slowly make his way upthe ladder of secret planning rooms inthe Anonymous chat networks. Whileothers strained to listen at the door,Topiary got invited right in. He hadbecome so trusted that the networkoperators asked him to write the officialAnonymous statements for each attack onPayPal and MasterCard. He had pickedhis nickname on a whim. The low-budget time travel film Primer had beena favorite, and when he found out itsdirector was working on a new filmcalled A Topiary , he decided he likedthe word, oblivious to its definition of

clipped ornamental shrubs.Tflow, the guy who’d brought

everyone here, was a skilledprogrammer and mostly quiet, a personwho strictly followed the Anonymouscustom of never talking about himself.He had been with Anonymous for atleast four months, a good amount of timeto understand its culture and key figureswithin it. He knew the communicationschannels and supporting cast of hackersbetter than most. Fittingly, he got downto business. Someone had to dosomething about this Aaron Barr and his“research.” Barr had claimed there wereleaders in Anonymous, which wasn’ttrue. That meant his research wasprobably wrong. Then there was that

quote from the Financial Times storysaying Barr had “collected informationon the core leaders, including many oftheir real names, and that they could bearrested if law enforcement had the samedata.”

This now posed another problem: ifBarr’s data was actually right, Anonscould be in trouble. The group startedmaking plans. First, they had to scan theserver that ran the HBGary Federalwebsite for any source codevulnerabilities. If they got lucky, theymight find a hole they could enter, thentake control and replace Barr’s homepage with a giant logo of Anonymousand a written warning not to mess withtheir collective.

That afternoon, someone looked up“Aaron Barr” on Google and came upwith his official company portrait:swept-back hair, suit, and a keen stare atthe camera. The group laughed whenthey saw the photo. He looked so…earnest, and increasingly like fresh meat.Then Sabu started scanningHBGaryFederal.com for a hole. It turnedout Barr’s site ran on a publishingsystem created by a third-partydeveloper, which had a major bug.Jackpot.

Though its job was to help othercompanies protect themselves fromcyber attacks, HBGary Federal itselfwas vulnerable to a simple attackmethod called SQL injection, which

targeted databases. Databases were oneof the many key technologies poweringthe Internet. They stored passwords,corporate e-mails, and a wide variety ofother types of data. The use of StructuredQuery Language (SQL, commonlymispronounced “sequel”) was a popularway to retrieve and manipulate theinformation in databases. SQL injectionworked by “injecting” SQL commandsinto the server that hosted the site toretrieve information that should behidden, essentially using the languageagainst itself. As a result, the serverwould not recognize the typed charactersas text, but as commands that should beexecuted. Sometimes this could becarried out by simply typing out

commands in the search bar of a homepage. The key was to find the search baror text box that represented a weak entrypoint.

This could be devastating to acompany. If DDoSing meant a suckerpunch, SQL injection was secretlyremoving someone’s vital organs whilethey slept. The language it required, aseries of symbols and key words like“SELECT,” “NULL,” and “UNION,”were gibberish to people like Topiary,but for Sabu and Kayla they rolled offthe tongue.

Now that they were in, the hackershad to root around for the names andpasswords of people like Barr andHoglund, who had control of the site’s

servers. Jackpot again. They found a listof usernames and passwords forHBGary employees. But here was astumbling block. The passwords wereencrypted, or “hashed,” using a standardtechnique called MD5. If all theadministrative passwords were lengthyand complicated, it might be impossibleto crack them, and the hackers’ funwould have come to an end.

Sabu picked out three hashes, longstrings of random numberscorresponding to the passwords ofAaron Barr, Ted Vera, and anotherexecutive named Phil Wallisch. Heexpected them to be exceptionally toughto unlock, and when he passed them tothe others on the team, he wasn’t

surprised to find that no one could crackthem. In a last-ditch attempt, he uploadedthem to a Web forum for passwordcracking that was popular amonghackers—Hashkiller.com. Within acouple of hours all three hashes hadbeen cracked by random anonymousvolunteers. The result for one of themlooked exactly like this:

4036d5fe575fb46f48ffcd5d7aeeb5af:kibafo33 Right there at the end of the string ofletters and numbers was Aaron Barr’spassword. When they tried usingkibafo33 to access his HBGary Federale-mails hosted by Google Apps, they gotin. The group couldn’t believe their luck.By Friday night they were watching an

oblivious Barr exchange happy e-mailswith his colleagues about the FinancialTimes article.

On a whim, one of them decided tocheck to see if kibafo33 workedanywhere else besides Barr’s e-mailaccount. It was worth a try.Unbelievably for a cyber securityspecialist investigating the highlyvolatile Anonymous, Barr had used thesame easy-to-crack password on almostall his Web accounts, including Twitter,Yahoo!, Flickr, Facebook, even Worldof Warcraft. This meant there was nowthe opportunity for pure, unadulterated“lulz.”

Lulz was a variation of the termlol—“laugh out loud”—which had for

years been tagged onto the end oflighthearted statements such as “The punon bar is intended lol.” A more recentaddition to Web parlance, lulz took thatsentiment further and essentially meantentertainment at someone else’s expense.Prank-calling the FBI was lol. Prank-calling the FBI and successfully sendinga SWAT team to Aaron Barr’s housewas lulz.

The group decided that they would notswoop on Barr that day or even the next.They would take the weekend to spy onhim and download every e-mail he’dever sent or received during his timewith HBGary Federal. But there was asense of urgency. As they startedbrowsing, the team realized Barr was

planning to meet with the FBI thefollowing Monday. Once they had takenwhat they could, it was decided all hellwould break loose at kickoff on SuperBowl Sunday. There were sixty hours togo.

Saturday started off as any other forBarr. Relaxing and spending time withhis family, sending and receiving a fewe-mails from his iPhone over breakfast,he had no idea that an Anonymous teamof seven was busy delving into his e-mails, or how excited they were withwhat they had stumbled upon. Theirlatest find: Barr’s own research onAnonymous. It was a PDF document thatstarted with a decent, short explanation

of what Anonymous was. It listedwebsites, a timeline of recent cyberattacks, and lots of nicknames next toreal-life names and addresses. Thenames Sabu, Topiary, and Kayla werenowhere to be seen. At the end werehasty notes like “Mmxanon—states…ghetto.” It looked unfinished. As theygradually realized how Barr had beenusing Facebook to try to identify realpeople, it looked like he had no ideawhat he was doing. It looked like Barrmight actually point the finger at someinnocent people.

In the meantime, Tflow haddownloaded Barr’s e-mails onto hisserver, then waited about fifteen hoursfor them to compile into a torrent, a tiny

file that linked to a larger file on a hostcomputer somewhere else, in this caseHBGary’s. It was a process that millionsof people across the world used everyday to download pirated software,music, or movies, and Tflow planned toput his torrent file on the most populartorrenting site around: The Pirate Bay.This meant that soon, anyone coulddownload and read more than fortythousand of Aaron Barr’s e-mails.

That morning, with about thirty hoursuntil kickoff, Barr ran some checks onHBGaryFederal.com and, just as he hadexpected, saw it was getting more trafficthan usual. That didn’t mean morelegitimate visitors, but the beginnings ofa DDoS attack from Anonymous. It

wasn’t the end of the world, but helogged into Facebook under the fakeprofile Julian Goodspeak to talk to oneof his Anon contacts, an apparentlysenior figure who went by the nicknameCommanderX. Barr’s research anddiscussions with CommanderX had ledhim to believe his real name was“Benjamin Spock de Vries,” though thiswas not accurate. CommanderX, whohad no idea that a small group of hackerswas already in Barr’s e-mails,responded to Barr’s instant message.Barr was asking politely ifCommanderX could do something aboutthe extra traffic he was getting.

“I am done with my research. I am notout to get you guys,” Barr explained.

“My focus is on social mediavulnerabilities.” Barr meant that hisresearch was merely trying to show howorganizations could be infiltrated bysnooping on the Facebook, Twitter, andLinkedIn profiles of their members.

“Not my doing,” CommanderX saidhonestly. He had taken a look at theHBGary Federal website and pointedout to Barr that, in any case, it lookedvulnerable. “I hope you are being paidwell.”

Sunday morning, with eleven hours tillkickoff, Tflow was done collating all ofBarr’s e-mails and those of the two otherexecutives, Vera and Wallisch. Thetorrent file was ready to publish. Now

came the pleasure of telling Barr whatthey had just done. Of course, to playthis right, the hackers wouldn’t tell himeverything immediately. Better lulzwould come from toying with him first.By now they had figured out that Barrwas using the nickname CogAnon to talkto people in Anonymous chat rooms, andthat he lived in Washington, D.C.

“We have everything from his SocialSecurity number, to his career in themilitary, to his clearances,” Sabu toldthe others, “to how many shits a day hetakes.”

At around 8:00 a.m. eastern standardtime on Sunday morning, they decided tomake him a little paranoid before thestrike. When Barr entered the AnonOps

chat network as CogAnon, Topiary senthim a private message.

“Hello,” said Topiary.“Hi,” CogAnon replied.In another chat window Topiary was

giving a running commentary to otherAnons who were laughing at hisexploits. “Tell him you’re recruiting fora new mission,” Sabu said.

“Be careful,” said another. “He mayget suspicious quickly.”

Topiary went back into hisconversation with the security specialist,still pretending to believe CogAnon wasa real Anonymous supporter. “We’rerecruiting for a new operation in theWashington area. Interested?”

Barr paused for twenty seconds.

“Potentially. Depends on what it is,” hesaid.

Topiary pasted the response in theother chat room.

“Hahahahhaa,” said Sabu.“Look at that faggot trying to psyops

me out of info,” Topiary said, referringto the tactics of psychological warfare.The word faggot was a word soliberally used in Anonymous that itwasn’t even considered a real insult.

“I take it from your host that you’renear where our target is,” Topiary toldBarr.

Back in Washington, D.C., Barr heldhis breath. “Is it physical or virtual?” hetyped back, knowing full well it wasvirtual but at a loss for what else to say.

“Ah yeah…I am close…” How exactlycould they have figured out he lived inD.C.?

“Virtual,” Topiary replied.“Everything is in place.”

Topiary relayed this again to theAnons. “I’d laugh so hard if he sends ane-mail about this,” he told them.

They couldn’t believe what they werereading. “THIS GUY IS A FUCKINGDICK,” Sabu exclaimed.

“I want to rape his anus,” Topiaryreplied. “Raping” servers was typicallya way to describe a hack into itsnetwork. Tflow made a new chat roomin the Anonymous chat network called#ophbgary and invited Topiary to join it.

“Guys,” a hacker named Avunit piped

up. “Is this really happening? Becausethis shit is awesome.”

Back in the conversation, Barr tried tosound helpful. “I can be in the citywithin a few hours…depending ontraffic lol.”

Topiary decided to give him anotherfright: “Our target is a securitycompany,” he said. Barr’s stomachturned. Okay, so this meant Anonymouswas definitely targeting HBGaryFederal. He opened up his e-mail clientand quickly typed out an e-mail to otherHBGary managers, including Hoglundand Penny Leavy.

“Now we are being directlythreatened,” he wrote. “I will bring thisup with the FBI when I meet them

tomorrow.” Sabu and the others quietlywatched him send it.

He clicked back into the chat withTopiary. “Ok well just let me know,” hewrote. “Not sure how I can still helpthough?”

“That depends,” Topiary said. “Whatskills do you have? We need helpgathering info on Ligatt.com securitycompany.”

Barr let out a long breath of relief.Ligatt was in the same line of work asHBGary Federal, so it looked (for nowat least) like his company was not thetarget after all.

“Ahhhh ok let me check them out,”Barr replied almost gratefully. “It’s beena while since I have looked at them.

Anything specific?” At this point heseemed happy to do anything that wouldkeep HBGary from being a target, evenif he was just playing along.

There was no reply.He typed, “I didn’t realize they were

local to D.C.”A minute later he added, “Man I am

racking my brain and I can’t rememberwhy they were so popular a while back.I remember their [sic] being a lot ofaggression towards them.”

Nothing.“You still there?” Barr asked.Topiary had gone back to planning

with the others. There wasn’t much timeleft and he had to write the officialAnonymous message that would replace

the home page of HBGaryFederal.com.About forty-five minutes later,

Topiary finally replied. “Sorry aboutthat—stay tuned.”

“Ok,” Barr wrote.A few hours later and it was

lunchtime, about six hours until theSuper Bowl kickoff, with Barr sitting inhis living room and staring in dreadfulfascination at his phone after realizinghe’d just been locked out of his e-mails.When he ran upstairs to try talking toCommanderX again on Facebook, he’dbeen locked out of that, too. When hesaw that his Twitter account was undersomeone else’s control, it hit him howserious this was, and how potentiallyvery embarrassing.

He picked up the phone and calledGreg Hoglund and Penny Leavy to letthem know what was going on. Then hecalled his IT administrators, who saidthey would contact Google to try toregain control of HBGaryFederal.com.But there was nothing they could doabout the stolen e-mails.

At 2.45 p.m., Barr got anothermessage from Topiary: “Right,something will be happening tonight.How available are you throughout theevening?” There were just a few morehours to go, and he wanted Barr to havea front-row seat to the end of his career.

As Sunday evening drew near on theeastern seaboard, the Anons, in their

own homes and time zones around theworld, got ready to pounce. CowboysStadium in Arlington, Texas, startedfilling up. There were a few songs fromthe Black Eyed Peas, and ChristinaAguilera muddling the words to thenational anthem. Finally, the coin toss. Aplayer from the Green Bay Packers drewback his foot and kicked the pigskinacross the field.

On the other side of the Atlantic,Topiary watched on his laptop as thefootball flew through the sky. Sitting inhis black leather gaming chair, a giantpair of headphones resting on his hair,he swiftly opened up another windowand logged into Barr’s Twitter account.He had locked Barr out six hours ago

with the kibafo33 password and with theSuper Bowl finally underway he startedposting from it. He felt no inhibition, nosense of holding back from this man. Hewould let Barr have it: “Okay my fellowAnonymous faggots,” he wrote fromBarr’s Twitter account, “we’re workingon bringing you the finest lulz as wespeak. Stay tuned!”

Then: “Sup motherfuckers, I’m CEOof a shitty company and I’m a giantmedia-whoring cunt. LOL check out mynigga Greg’s site: rootkit.com.” Thesewere statements that Topiary wouldnever have said out loud, or face-to-facewith Barr. In real life he was quiet,polite, and rarely swore.

Rootkit.com was Hoglund’s website

specializing in the latest research onprogramming tools that gave root accessto a computer network. Ironically, Sabuand Kayla now had system administratoraccess, or “root” on rootkit.com, too.This was because Barr had been anadministrator of the company’s e-mailsystem, meaning “kibafo33” let themreset the passwords of other in-boxes,including Hoglund’s.

Once he got into Hoglund’s in-box,Sabu had sent out an e-mail as Hoglundto one of HBGary’s IT administrators, aFinnish security specialist named JussiJaakonaho. Sabu was looking for rootaccess to rootkit.com.

“im in europe and need to ssh into theserver,” Sabu wrote in the e-mail to

Jaakonaho, using lowercase letters tosuggest he was in a rush. SSH stood for“secure shell” and referred to a way oflogging into a server from a remotelocation. When Jaakonaho asked ifHoglund (Sabu) was on a publiccomputer, Hoglund (Sabu) said, “no Idont have the public ip with me at themoment because im ready for a smallmeeting and im in a rush. if anything justreset my password to changeme123 andgive me public IP and ill ssh in and resetmy pw [password].”

“Ok,” Jaakonaho replied. “Yourpassword is changeme123.” He added,with a smiley face, “In Europe but not inFinland?”

Sabu played along. “if I can squeeze

out the time maybe we can catch up…illbe in germany for a little bit. thanks.”The password didn’t even work rightaway, and Sabu had to e-mail Jaakonahoa few more times with questions,including whether his own usernamewas “greg or?” before Jaakonahoexplained it was “hoglund.” Sabu got in.This was a prime example of socialengineering, the art of manipulatingsomeone into divulging secretinformation or doing something theynormally wouldn’t.

Now Sabu and Kayla had completecontrol of rootkit.com. First they took theusernames and passwords of anyonewho had ever registered on the site, thendeleted its entire contents. Now it was

just a blank page reading “Greg Hoglund= Owned.” Sabu found he enjoyedworking with Kayla. She was friendly,and she had extraordinary technicalskills. Sabu later told others that she hadsocially engineered Jussi Jaakonaho,partly because the idea of being“owned” by a sixteen-year-old girlwould only embarrass HBGary further.

Sabu and Kayla then got busy onHBGaryFederal.com, removing thehome page and replacing it with theAnonymous logo of the headless suitedman. In place of its head was a questionmark. At the bottom was a link that said“Download HBGary e-mails”—Tflow’storrent file. Now anyone could read allof Barr’s confidential e-mails to his

clients as easily as they might grab asong on iTunes, but for free. The newhome page also had a message writtenby Topiary:

This domain has been seized byAnonymous under section #14 ofthe Rules of the Internet. GreetingsHBGary (a computer “security”company). Your recent claims of“infiltrating” Anonymous amuse us,and so do your attempts at usingAnonymous as a means to garnerpress attention for yourself. How’sthis for attention? You’ve tried tobite at the Anonymous hand, andnow the Anonymous hand is bitch-slapping you in the face.

By 6:45 eastern standard time, twenty-four minutes into the Super Bowl, mostof the “hacking” was over. There wereno distant cheers and whoops for thefootball game from Barr’s neighbors,who were mostly young families. Theworld around him seemed strangelyquiet. With some trepidation, he loggedback into the Anonymous chat rooms toconfront his attackers. They were readyand waiting. Barr saw a message flashup, an invite to a new chat room called#ophbgary. He immediately saw a groupof several nicknames. Some herecognized from his research and othershe didn’t: along with Topiary, Sabu,Kayla, there were others: Q, Heyguise,

BarrettBrown, and c0s. The lastnickname was Gregg Housh, a longtimeAnon in his midthirties who had helpedcoordinate the first wave of major DDoSattacks by Anonymous in 2008, againstthe Church of Scientology (COS).

Topiary got things going. “Nowthey’re threatening us directly,” he toldBarr, quoting the earlier e-mail.“Amirite?”

Barr said nothing.“Enjoying the Super Bowl, I hope?” Q

said.“Hello Mr. Barr,” Tflow said. “I

apologize for what’s about to happen toyou and your company.”

Finally, Barr spoke up. “I figuredsomething like this would happen,” he

typed.“Nah, you won’t like what’s coming

next,” Topiary said.Barr tried persuading the group that

he’d had their best interests at heart.“Dude…you just don’t get it,” heprotested. “It was research on socialmedia vulnerabilities. I was never goingto release the names.”

“LIAR.” This was Sabu. “Don’t youhave a meeting with the FBI Mondaymorning?”

“Sabu, he totally does,” said Topiary.“Ok…Yep,” Barr conceded. “They

called me.”“Oh guys. What’s coming next is the

delicious cake,” Topiary said.It was up to Tflow to finally drop the

bombshell. “I have Barr’s, Ted’s andPhil’s e-mails,” he said. All 68,000.

“Those e-mails are going to bepretty,” said Housh.

“Lol,” Barr replied inexplicably. Heseemed to want to keep proceedingslight, or to convince himself this wasn’tas bad as he thought. “Ok guys,” headded, “well you got me right :).”

Indeed they had. Topiary made hisparting shot. “Well Aaron, thanks fortaking part in this little mini social test tosee if you’d run to your company with‘news’ about Anon. You did, weleeched it, we laughed.” He paused.“Die in a fire. You’re done.”

It was now well into the early hours of

Monday morning. Barr was sitting in hishome office in front of the laptop, hishopes of a turnaround having dwindledto nothing. On the wall in front of himwas a photo he’d bought in New York inOctober 2011. The 9/11 attacks werestill raw, and after visiting Ground Zerohe’d popped into a small gallery sellingamateur photographs taken during theattacks. One stood out. In the backgroundwas the chaos of the fallen towers:papers and bricks strewn everywhere,dazed commuters covered in dust, whilein the foreground was John SewardJohnson’s Double Check, the famousbronze statue of a suited businessman ona park bench, looking into his openbriefcase. Something about its

incongruence made him like it instantly.Now Barr was that man, so caught up inhis ambitions that he’d becomeoblivious to the chaos going on aroundhim.

His public Twitter feed, an importantreputational tool with the public, hisclients, and the press, was now anobscene mess. Topiary had posteddozens of tweets filled with swearwords and racist commentary. His bionow read, “CEO HBGary Federal.Cybersecurity and InformationOperations specialist and RAGINGHOMOGAY.” His photo had the wordNIGGER defaced across it in bold redlettering. Topiary did not considerhimself racist—no one in his group did.

But the graffiti was perfectly in tune withthe underground culture of crude humorand cyber bullying that ran throughAnonymous.

Topiary felt a thrill as he then postedBarr’s home address. Then he tweetedBarr’s social security number, then hiscell phone number. Anyone with anInternet connection could read this. “Higuys, leave me voice mails!” Then thenumber. Then “#callme.”

Soon, hundreds and then thousands ofpeople who perused Anonymous chatrooms, blogs, and Twitter feeds hadheard about what was happening toAaron Barr. They clicked on links toBarr’s website, now a white screen withthe Anonymous logo and message. They

watched the Twitter feed and called hisnumber. Quite a few started taking hisearnest corporate photo and defacing it,cutting out his head and sticking it on amovie poster for James Bond to mockhis spying methods. Another bloated hischin to make him look like the grotesquecartoon from a well-known Internetcomic, or “rage comic,” called ForeverAlone.

Barr had been unable to tear himselfaway from the Anonymous chat rooms,mesmerized as people joked about the“faggot” Barr and egged each other on tocall his cell phone. His phone rangthrough the night. He answered it once tohear a woman’s voice say somethinginaudible and then hang up. There were

a few silent voice mails and one personsinging what sounded like “Never GonnaGive You Up,” the 1987 song by RickAstley, homage to a popular prank inAnonymous to “rickroll” someone.

Barr had called in reinforcements.Penny Leavy went online to try her luckat sweet-talking the attackers. They werefriendly and polite to her at first, but herrequests were met with cold answers.

“Please do not release the HBGary e-mails,” she had pleaded. “There isprivate information there of clients.”

“Shouldn’t be sending e-mails youdon’t want your mother reading,”Heyguise had said. And the e-mails, inany case, had already been published asa torrent on The Pirate Bay.

“Dozens of innocent people couldhave gone to jail,” Sabu said angrily.Before their attack, his newly formedsmall clique of Anons, who’d foundeach other amid hundreds of others in theAnonymous chat networks, had no ideathat Barr’s research had been so flawed,or that his e-mails would be so easy tohack into. In fact, they still didn’t knowthat Barr had been proposing a dirty-tricks campaign against trade unions andWikiLeaks to a government agency and amajor bank. They had been motivated byrevenge and a desire, intensified bygroup psychology, to bully someone whoseemed to deserve it. Once enoughpeople trawled through Barr’s e-mailsand found out what he had done to

Hunton & Williams, the attack wouldsuddenly look more than justified, tothem almost necessary. Within theAnonymous community, Sabu, Kayla,Topiary, and the others would becomeheroic purveyors of vigilante justice.Barr had been fair game. He’d provokeda world where taunting, lying, andstealing was how everybody got by. Aworld that brought euphoric highs, fun,and fulfillment, with hardly any real-world consequences.

As Barr spent the next day fieldingphone calls from journalists and trying,desperately, to pick up the pieces,Topiary, Sabu, Kayla, and Tflow met upagain in their secret chat room. Theycelebrated their accomplishments,

relived what had happened, laughed, andfelt invincible. They had “owned” asecurity company. In the back of theirminds they knew that agents from theFederal Bureau of Investigation wouldstart trying to find them. But over time,members of the small team wouldconclude that they had worked togetherso well on Barr, they had to do it allover again on other targets, for lulz, forAnonymous, and for any other cause thatcame up along the way. No quarrywould be too big: a storied mediainstitution, an entertainment giant, eventhe FBI itself.

Chapter 2

William and theRoots of Anonymous

Aaron Barr would never have comeface-to-virtual-face with Anonymous ifit hadn’t been for a skinny blond kidfrom New York City named ChristopherPoole and the extraordinary contributionhe made to the Internet. Seven yearsearlier, in the summer of 2003, fourteen-year-old Poole was surfing the Web inhis bedroom, looking for information onJapanese anime. Like thousands of otherAmerican teens, he was a big fan.Eventually, he found a peach-colored

Japanese image board dedicated toanime called 2channel, or 2chan. Poolehad never seen anything like it. Foundedin 1999 by a college student namedHiroyuki Nishimura (age thirty-five in2012), it featured anime discussionthreads that moved at lightning speed.Poole would wait thirty seconds, hit F5to refresh the page, and it wouldsuddenly refill with a stream of newposts, numbering up to a thousand.Almost every poster was anonymous.Unlike English-language Web forums,2chan didn’t require you to register in aname field, and hardly anyone did.

In Japan that same summer, the newsmedia had noticed that 2chan wasbecoming a rather embarrassing window

to the country’s underbelly. Discussionsof anime had spilled over into talk ofkids murdering their teachers, attackingtheir bosses, or blowing up a localkindergarten. And it was becoming oneof the country’s most popular websites.

Poole wanted a place to talk to peoplein English about anime, and 2chan hadstarted blocking English posters. So hedecided to clone 2chan by copying itspublicly available HTML code,translating it to English, and buildingfrom there. He put the whole thingtogether on his bedroom computer andcalled it 4chan. When an online friendasked Poole, who went by the nicknamemoot, what the difference between 4chanand 2chan would be, he replied with

some chutzpah, “It’s TWO TIMES THECHAN MOTHERFUCK.” OnSeptember 29, 2003, Poole registeredthe domain 4chan.net and announced iton Something Awful, a Web forumwhere he was already a regular. Heentitled the thread: “4chan.net—English2chan.net!”

4chan had almost the exact samelayout as 2chan: the simple peachbackground, the dark red text, the shadedboxes for discussion threads. Both 4chanand 2chan have barely changed theirdesigns to this day, apart from adding afew color schemes. After opening 4chanto the public, an English-speaking animehub called Raspberry Heaven startedlinking to it, as did Something Awful.

The first few hundred visitors took to itright away. Discussion boards werelisted alphabetically across the top ofthe site: /a/ was for anime, /p/ was forphotography, and so on. Poole had setups /b/, the “random” board that wouldbecome 4chan’s most important feature,within the first two months. In onediscussion with early users, moot saidthat /b/ was “the beating heart of thissite,” but he added that it was “a retardbin.” The random board was a free-for-all.

Poole at first configured 4chan so thatanyone who posted a comment could doso under a nickname. This continueduntil early 2004, when a 4chan user andPHP programmer who went by the

nickname Shii became irritated with theenforced nicknames. That year, Shiipublished an essay about the value ofanonymity on image boards, pointing toJapan’s 2chan as a place whereanonymity could counter vanity and stopusers from developing cliques and elitestatus. When a site forced people toregister with a nickname, that also keptout interesting people with busy lives,instead attracting those who had toomuch time on their hands and whotended to make nasty or senselesscomments. “On an anonymous forum,” hewrote, logic will overrule vanity.

Poole saw the post, liked it, andappointed Shii as a moderator andadministrator on 4chan’s boards. He

asked another admin to implement a newfeature called “Forced_Anon” ondifferent parts of the site. Many userswere deeply upset when Forced_Anonwas implemented on a few of theseboards, and some typed in “tripcodes”so they could override the forcedanonymity and use a nickname. Others,who embraced the anonymity feature,mocked the signers and christened them“tripfags.”

Perhaps as an omen of what was tocome, conflict ensued. Supporters ofanonymity and tripcodes started creatingseparate threads, calling on anyone whosupported their own view to post amessage and demonstrate support, orstarting “tripcode vs. anon” threads. The

tripfags began mocking the anonymoususers as a single person named“Anonymous,” or jokingly referring tothem as a hive mind. Over the next fewyears, however, the joke would wearthin and the idea of Anonymous as asingle entity would grow beyond a fewdiscussion threads. Poole would fadeinto the background as Anonymous tookon a life of its own. Over the years, /b/in particular would take on a dedicatedbase of users whose lives revolvedaround the opportunities the boardafforded them for fun and learning.These users were mostly in the English-speaking world, aged between eighteenand thirty-five, and male. One of themwas named William.

William cracked open an eye and staredahead. It was a cold afternoon inFebruary 2011, and the hard-core user of4chan considered getting out of bed. Inanother part of the world, Aaron Barrwas trying to repair the damage causedby a group of hackers with Anonymous.William was part of Anonymous, too,and sometimes he liked to attack people.He didn’t have the technical skills ofSabu and Kayla, but his methods couldstill have an impact.

A sheet hung from the wall of hisbedroom, draped from the ceiling to thefloor, tacked up with nails. More hadbeen suspended around the room. At theend of his bed was a set of low shelves,

with a pile of clutter to the left and awindow on the right, hidden behind ablackout blind. The room was hiscocoon in the winter, his bed a safetynet. At twenty-one, he had been on 4chanmost days since leaving school six yearsearlier, sometimes for many hours at astretch. For various reasons, he hadnever held a full-time job for longer thana few months. He wanted to. ButWilliam was deeply conflicted. In thereal world he was kind to his family andloyal to his friends. As an anonymoususer on 4chan’s /b/, he becamesomething more dark, even venomous.

4chan was more than just a drop-insite for random kicks that millions ofpeople visited every day. For William

and a dedicated core, it was a lifechoice. Beyond the porn, jokes, andshocking images, it offered targets to toywith. On 4chan, toying with or seriouslyharassing someone was called a “liferuin.” Using many of the same Internetsleuthing tactics as Aaron Barr, Williamwould find people on 4chan discussionforums who were being ridiculed ordeserved ridicule. Then he would “dox”them, or find their true identities, sendthem threats on Facebook, or find theirfamily members and harass them, too.The jackpot was nude photos, whichcould be sent to family, friends, and co-workers for pure embarrassment or evenextortion.

Ruining people’s lives gave William

a thrill, and a sense of power unlikeanything he had felt in the outside world.The only other time he felt anythingsimilar was when he would quietly slipoutside his house in the dead of night,meet up with a few old friends, andspray colorful graffiti on the local wallsor trains. Graffiti was his mistress onsummer nights. In the winter, it was4chan and now, sometimes, the wideractivities of Anonymous.

4chan offered some tame content andmature discussion, and plenty more porn,gore, and constant insults between usersthat created a throbbing mass ofnegativity. It sometimes got Williamthinking scary thoughts about suicide.But 4chan also kept him alive.

Sometimes he felt depression coming onand would stay up all night on the site,then remain awake for the rest of the nextday. When thoughts of killing himselfcame, he could hide in sleep, tuckedsafely under his blanket, against the wallthat he’d covered with a sheet.

William was brought up in low-income British housing. His parents hadmet at the YMCA after his mother, animmigrant from Southeast Asia, escapedan unhappy marriage and becametemporarily homeless. The couple splitwhen William was seven and he choseto live with his father. He went on tomisbehave at school, statistically one ofthe worst in his country. He wouldswear at teachers or just walk out of

class. It became an endless stream ofdetentions. He wasn’t a social outcast;William just couldn’t see the point of hiseducation. After getting expelled atfourteen he was allowed to return, but bythe following year, in October 2004, hedecided to leave entirely.

By this time, William had alreadycreated a new life online. It started whenhe and some friends began visitingwebsites frequented by pedophiles, andsigning up with usernames like“sexy_baby_girl” to get attention.They’d ask the men to go on webcam,and if they came on naked, as they oftendid, the boys would burst out laughing.To raise the stakes, they’d paste anofficial warning from Child Protective

Services in MSN Messenger,Microsoft’s popular chat client, addingthat they had the man’s IP address, aseries of numbers that corresponded tohis computer, which they’d make up. Theman would usually just sign off, but theygot a buzz knowing he was probablyterrified, and that he probably deservedit.

William was always the one whowould push his friends to take the jokefurther or get the male target moresexually excited. Eventually, he startedcontinuing the pranks at home oniSketch.com, TeenChat.net, and otherhotbeds of sexual deviants at that time.None of the images shocked William anymore. He had first seen porn when he

was eleven.He was soon spending many hours

every day immersed in the so-calledDeep Web, the more than one trillionpages of the Internet that cannot beindexed by search engines like Google.As well as dynamic Web forums, muchof it is illegal content. William trappedhimself in a daily digest of images ofgore, horrific traffic accidents, andhomemade porn, all on the familycomputer. When some of the moredepraved images would flash up on thescreen, William would panic andquickly close the browser window.Somehow, though, he’d stumble uponthem again that night. And then again thefollowing night. At around fifteen, he

finally found 4chan, the website thatwould become his world for the nextfew years.

Many people who involve themselves inAnonymous claim to have first found itthrough 4chan. This was the case forWilliam and Topiary, who bothdiscovered the site at the same time, in2005. Already that year, the tagline “Weare Legion” was appearing around theInternet. Tripcode users on 4chan wererare. A year after Shii wrote his essay,forced anonymity had become widelyaccepted on the image board. Anyonedeemed a tripfag was quickly shot downand mocked.

4chan was booming, a teeming pit of

depraved images and nasty jokes, yet atthe same time a source of extraordinary,unhindered creativity. People begancreating Internet memes—images,videos, or phrases that became insidejokes to thousands of online users afterthey got passed around to enough friendsand image boards. Often they werehilarious.

Alongside gore and videos of abuse,pictures of naked women and men, andanime characters, there were endlessphotos of people’s cats. In 2005, userson /b/ had started encouraging each otherto put funny captions under cute catphotos on Saturdays (or what becameknown as Caturday). These so-calledimage macros, photographs with bold

white lettering at the top and a punchline at the bottom, eventually led to theLOLcats meme. It was the first of manymemes to find mainstream popularityoutside of 4chan, ultimately spawningother websites and even books.

Thousands of image macros weremade and then posted to 4chan and otherimage boards every day. A few wentviral, turning into phrases repeated bymillions of others for years afterward.One person who made an image macrothat turned into a well-known meme wasAndrew “weev” Auernheimer. A formerhacker and Internet troll, he had found astock photo of a man raising his fist invictory in front of a computer. He typedthe words “Internet is serious business”

over the photo. The meme is now evenpast the point of cliché as an onlinecatchphrase.

Weev claims to have been in the sameonline discussion in which the word lulzwas born. In 2003, a forum moderator onanother site was commenting onsomething funny when he suddenly typed“lulz!” Others in the chat room startedrepeating it, and it spread from there. “Itwas far superior to lol,” Weev laterremembered. Eventually, “I did it for thelulz” or just “for the lulz” would becomea symbol of Internet culture andAnonymous itself, as well as an ever-popular catchphrase on 4chan.

Though the site often seemedsuperficial and crass, 4chan started

developing a dedicated following ofpassionate users. It became the biggestof the Web’s English-speaking imageboards, and its users accepted oneanother not despite their offensivedesires and humor but because of them.One attraction of /b/ was that, like somesecret club, it wasn’t advertisedanywhere. People came via word ofmouth or links from similar sites, andthey were urged not to invite those whowouldn’t fit in with the culture. Thesepeople were called “newfag cancer.”This was why numbers 1 and 2 of the so-called 47 Rules of the Internet, thought tohave originated from discussions in2006 on /b/ and real-time chat networks,were “Don’t talk about /b/,” and “Don’t

talk about /b/.”4chan’s constituents soon developed

their own language, with phrases like“an hero,” which meant to commitsuicide. This phrase came into use whensome MySpace users set up a tributepage for a friend who had committedsuicide. One of them, probably meaningto type the phrase “he was truly a hero,”instead wrote, “he was truly an hero.” Itsoon became a trend on 4chan todescribe someone as “an hero”—beforeit morphed into the verb form: “I’mgoing to an hero.” There was also “ujelly?,” a way of asking if someone wasjealous, and “cheese pizza,” or “CP,”slang for child porn. More shrewd 4chanusers would start discussion threads

about literal cheese pizza, includingphotos of pizzas, and add hidden links toa child porn archive within the imagecode—accessed by opening the pizzaimages in a text program instead of animage viewer.

The /r/ board stood for requests, foranything from pictures to advice on whatto do about being dumped. Pr0nz, n00dz,and rule 34 meant porn. Rule 34 wasanother one of the 47 Rules of theInternet, which simply stated: “If itexists, there is porn of it.” So /r/ing rule34 on a female celebrity meantrequesting porn, perhaps digitallyaltered, of a singer or actress. “Moar!”meant more, and “lulz” of course meantfun at someone else’s expense, typically

through embarrassment.The original posters, or OPs, to each

thread were the sole semblance ofhierarchy in an otherwise anarchiccommunity. Still, they could only everexpect irreverent responses to theirposts and, more often than not, insults.“OP is a faggot” was a generic response,and there were no exceptions. Racistcomments, homophobia, and jokes aboutdisabled people were the norm. It wascustomary for users to call one another“nigger,” “faggot,” or just “fag.” New4chan users were newfags, old onesoldfags, and Brits were britfags,homosexuals were fagfags or gayfags. Itwas a gritty world yet strangelyaccepting. It became taboo to identify

one’s sex, race, or age. Stripping 4chanusers of their identifying features madeeveryone feel more like part of acollective, and this is what kept manycoming back.

A source of the most unpalatablestories and images users could find, /b/was called “the asshole of the internet”by Encyclopedia Dramatica (ED), asatirical online repository of Internetmemes that had the look and feel ofWikipedia, but was far ruder. Like theusers’ anonymity, /b/ was a blank slatewith no label—the users had completefreedom to decide the content anddirection it took. Over time, regulars,who called themselves /b/rothers or/b/tards, created their own world. One

of the more common threads peoplestarted posting on /b/ (besides pr0nz)was titled “bawww.” Here usersappealed to the sympathetic side of4chan, with titles such as “gf justdumped me, bawww thread please?”posted with the photo of a sad face. Thiswas the rare instance where /b/ userswould offer sincere advice, comfort, orfunny pictures to cheer up the OP. Therewas no way to tell for sure, but the typesof people who were hanging out on4chan appeared to be tech-savvy, bored,and often emotionally awkward. By thetime Anonymous started grabbing theworld’s attention in 2008, most peoplewho supported Anonymous had spentsome time on 4chan, and it is said that

around 30 percent of 4chan users wereregularly visiting /b/.

When William first came across4chan, he had already seen much worseat sites like myg0t, Rotten, and the YNC.But he lingered on /b/ because it was sounpredictable, so dynamic. Years later,he would marvel at how he could still besurprised each day when he opened up/b/, now his home page. Browsing waslike a lottery—you never knew whensomething salacious, seedy, or funnywould pop up. There was somethingunifying about its utter nihilism. As themedia and other outsiders startedcriticizing what /b/ users got up to, manyfelt a sense of righteousness too.

There were still two big no-no’s on

/b/. One was child porn (though this isdisputed by some hardcore users wholike the way it puts off the newfags) andthe other was moralfags. Callingsomeone a “moralfag” on 4chan was theworst possible insult. These werevisitors to /b/ who took issue with itsdepravity and tried to change it or,worse, tried to get /b/ to act on someother kind of wrongdoing. They knewthat hundreds of users on /b/ would oftenagree en masse about an issue on adiscussion thread. And sometimes theywould not just agree on an idea, theywould agree on an action. Though /b/was completely unpredictable,sometimes its users seemed to becontributing to a kind of collective

consciousness. They created jokestogether, hit out at OPs they didn’t liketogether. Like it or not, moralfags wouldeventually take advantage of this abilityto act in sync by persuading /b/ to joinprotests.

What /b/ eventually became mostfamous for was how a poster couldinspire others on the board to gathertogether for a mass prank or “raid.”Someone would typically start a threadsuggesting an issue that /b/ should dosomething about. The refined way tocoordinate a raid was never to suggestone directly but rather to imply that araid was already about to happen. “Heyguys should we do this?” was almostalways met with “GTFO” [get the fuck

out]. Whereas “This is happening now.Join in” would appeal to the crowd. If aposter had prepared an image withinstructions, like a digital image withinstructions on how to join in, it wasmore likely to have staying powerbecause it could be posted over andover.

There was no exaggerating the speedof /b/. The best time of day to getattention, when the United States waswaking up, was also the worst, since thiswas when your post could get lost in thedeluge of other popular posts. Youwould start a thread with one post at thetop, then refresh the page after tenseconds to find it had been pushed fromthe home page to page 2. The threads

were constantly swapping places—oncesomeone contributed a comment to athread, it would come back to the homepage. The more comments, the morelikely it would stay on the home pageand attract more comments, and so on. Araid was more likely to happen if lots ofpeople agreed to take part. But it couldbe manipulated if a small group of fouror five people suggested a raid andrepeatedly commented on it to make itlook like the hive mind was latching on.Sometimes this worked, sometimes itdidn’t. It was a game where secondscounted—if the original poster couldn’tpost for two minutes, the chance couldbe lost and the hive mind would loseinterest.

Another reason to stick around: /b/was an endless source of learning,whether it was how to prank pedos orunearth someone’s private data. Soonenough, the /r/ requests for porn weren’tjust for celebrities but for the n00dz ofreal-life girls, exes, or enemies of/b/tards. As they took up the challenge tosniff out homemade porn, /b/ users taughtone another best practices—for instance,how to find a unique string of numbersfrom each Facebook photo URL, orwebsite address, and use that to accesssomeone’s profile and their information.The methods were simple and crude.The kind of skilled hacking used bycyber criminals or the folks whoattacked HBGary Federal was often not

needed.From age eighteen onward, William

began filling a collection of secretfolders on his family computer withhomemade porn and information aboutpeople, including suspected pedophilesand women he’d met online. Soon hewas encouraging other newfags to “lurkmoar,” or learn more on 4chan. Hecreated another hidden folder called“info,” where he would save any newtechniques or methods for his snooping,often as screencaps, for anything fromhacking vending machines and gettingfree Coke—posted in “Real LifeHacking” threads—to bringing down awebsite. The /rs/ (rapid share) board,which compiled links to popular file-

sharing sites, became a source ofhelpful, free programs like Auto-Clicker, which could help swing anonline poll or spam a site. Lurk longenough, he figured, and you could getaccess to almost anything you wanted.

William was primarily attracted towomen. But lurking on 4chan he noticedother users saying they were swayinginto bisexuality or even homosexuality.A recurring thread ran along the lines of“How gay have you become sincebrowsing /b/?” Many male heterosexualswho visited /b/ found their reaction togay porn went from negative toindifferent to positive. William didn’tfeel himself becoming gay or even bi,but he’d come across so much male porn

over the years that it was no longer aturnoff. You could almost call it penisfatigue.

William’s morals were also becomingincreasingly ambiguous as he constantlywatched and laughed at gore, rape,racism, and abuse. Everything was“cash” or “win” (good and acceptable)./b/tards knew the difference betweenright and wrong—they just chose not torecognize either designation on 4chan.Everyone accepted they were there forlulz, and that the act of attaining lulzoften meant hurting someone. It was nowonder that a future tagline forAnonymous would be, “None of us areas cruel as all of us.” William’sincreasing ambivalence over sex and

morality was being multiplied on a massscale for others on 4chan and wouldbecome a basis for the cultlike identityof Anonymous.

William’s online vigilantismmeanwhile became his full-time job. Itwas fulfilling and effective. He didn’tneed to hack people’s computers to gettheir private data—he just needed to talkto them, then employ the subtle art of“social engineering,” that fancy way todescribe lying.

Once William had peeled himself out ofbed on that chilly February afternoon, hehad something to eat and found his wayback to the family computer. As usual,he opened up his Internet browser, and

4chan’s /b/ popped up as the home page.He clicked through a few threads andafter a few hours stumbled upon thephoto of a girl. Black hair partly hid hergreen eyes and a bewitching half smile.The photo had been taken from above,the customary self-portrait for teenagegirls. The original poster wanted /b/ toembarrass the girl by cracking into herPhotobucket account, finding severalnude photos, and sending them to herfriends and family. Clearly there wassome sort of grudge. “She’s a bitch,anyway,” he said, adding a link to herFacebook profile. This was the sort ofthing William would do to someone allthe time, but the OP had vastlymisunderstood /b/.

/b/ users, for a start, wanted more fortheir time than just n00dz, which werealready the biggest commodity on 4chan.More importantly, an OP must neverbelieve he had /b/ at his mercy. Withinminutes, his post had accumulated morethan a hundred comments—almost allsaying “NYPA” (not your personalarmy)—along with a few other insults.

William said the same, but he wasalso intrigued. He clicked on the girl’sphoto again and decided he had nothingto lose by pursuing a night of fun andjustice. It was now 1:00 a.m. on aSaturday. Neighbors strolled home fromlocal bars outside as William sat, legssplayed in front of the old computer inhis family’s kitchen, occasionally

running a hand through his ragged hair.He clicked on the Facebook link and

saw another photo of the girl; in this oneshe was sitting on a brick wall incolorful dancer’s leg warmers, scowlingat the camera. Her name was Jen, andshe lived in Tennessee.

William signed into Facebook withone of his stock of twenty fake profiles.Almost all were fake women. It wasmuch easier to collect friends onFacebook if you were female, andhaving friends was crucial for a profileto look real. His main fake Facebookaccount had around 130 friends whowere real people. To collect them, hewould pick a location like Chicago, thenadd local guys. If they asked who “she”

was, William would claim to have justmoved there. Most of the other fakeaccounts were throwaways, in the sensethat most of the friends were other fakeprofiles of /b/ users. He would collectthe friends on /b/ itself, via theoccasional thread titled “Add eachothers’ troll accounts here!” The fakeusers would connect on Facebook andwrite on each others’ walls to make theirprofiles look more realistic. Williamwould add profile pictures and faked“vacation photos” by downloadingwhole folders of photos of a singlefemale from online photo repositories or4chan itself, or by coercing a girl intogiving him her photos. Facebook wouldsometimes delete “troll” accounts like

these, especially if they had inane nameslike I. P. Daily. (William lost about twoaccounts a month this way.) But real-looking accounts could last for years.This time around, to speak to Jen, hewas using a key account populated byreal people, under the name KaylieHarmon.

He took a screenshot of the 4chan postwith the girl’s photo. Then under theguise of Kaylie, he typed out a privatemessage on Facebook to Jen. Anyone onFacebook can send a private message toanother user, even if they aren’tconnected as friends. “Look whatsomeone’s trying to do to you,” he said,attaching the screenshot from 4chan. Hesigned it “Anonymous,” as he often did

to frighten his targets.Jen’s reply was almost instant.

“OMG. Who is this? How did you getmy Facebook??” she wrote back.

“I’m a hacker,” William replied,lying. “I’m going to hack your Facebookand pictures on Photobucket. No matterhow many pictures you’ve got online I’llmake them all public.” He kept hisanswers short and ominous.

“What do I have to do to stop this?”she asked, apparently desperate not tohave her photos published. Williamsmiled to himself. Years of raiding girls’Web accounts had taught him this meantshe definitely had nude photos she waswilling to bargain with.

“Give me the nude photos of yourself

and I’ll stop everyone else hacking you,”he said. “There’s dozens of other peopletrying to hack you as we speak.”

Having no reason to believe he waslying, Jen consented and sent him therelevant login details. “Take what youwant,” she said.

There were maybe three hundredphotos in Jen’s Photobucket account,mostly of her with friends and family,holiday snapshots on the beach, a groupof family members giving the thumbs-upat a Ruby Tuesday restaurant. And aboutseventy nude photos. One by one,William started downloading each oneto his personal collection of homemadeporn.

“Done,” William told Jen on

Facebook’s chat feature. “Glad you wentalong with this. It could have been a lotworse.” He advised her to tighten herprivacy settings on Facebook and get ridof her security question. The securityquestion, which websites will use tohelp you recall a lost password, will bealong the lines of “What was your firstpet’s name?” William would have onlyneeded to engage her in small talk to findout the answer, then retrieve herpassword if he wanted—but this time hewas warning her of the ruse.

Within an hour, Jen had forgivenWilliam for his strange actions. She wasmore intrigued with getting to know the“hacker” who had saved her from anembarrassing fate. The two began

chatting about small things likeFacebook and friends. Then Williamproposed an idea. “If you want, I couldfind out the name of the guy that postedyour photo on 4chan,” he said.

Jen agreed. “Find the guy, and I cansend you over some more pics,especially for you.”

“Who’s on your blocked list, onFacebook?” William asked.

“Six people, I think.”William studied each of their profiles.

By now, it was 6:00 a.m. Eventually, hiseyes fell on the Facebook profile photoof Joshua Dean Scott, a sneering,unshaven man in a ripped denim shirtand with piercings in his eyebrow. Heinstantly knew this had to be the OP from

4chan.. He looked like someonethoroughly distasteful. A smiling womanwith punk-shaved hair in several photosappeared to be Josh’s fiancée.

Still in his fake Kaylie account,complete with a smiling profile photo ofa woman and 130 real friends, Williamtyped Josh a message. “Hello, OP.” Heclicked send.

William then sent messages to six ofJosh’s Facebook friends, chosen atrandom, asking if anyone with an axe togrind would help him punish Josh. Aclose friend of Josh’s named Anthonyreplied. William explained what hadhappened on 4chan—that Josh had triedto take revenge on a girl by turning /b/into his personal army. It turned out

Anthony was a longtime 4chan userhimself and was instantly appalled atJosh’s lack of etiquette on the imageboard.

“I’ll help you out,” Anthony said. “Heshouldn’t have done that.” Anthony gaveWilliam Josh’s full name, cell phonenumber, and area of residence.Sometimes in social engineering, all youneeded was to ask for something nicely.

William sent a few more messages toJosh, the first one posting his homeaddress, the next his cell phone. He wassigning the messages “Anon” so thatJosh would think there was a group ofpeople behind this. Soon Josh wroteback, begging for mercy.

“Please don’t hack me,” he wrote.

William replied with instructions. Joshwas to send a photo of himself holding apaper sign saying, “Jen owns my ass.”With his other hand, he was to hold ashoe over his head. The shoe-on-headpose was hugely symbolic on 4chan andwas the ultimate admission of defeat inany kind of online argument or attack.(Do a Google Image search on “shoe onhead” and see for yourself. Oddly, manypeople smile for the camera.) For goodmeasure, William told Josh to send aphoto of his fiancée, without clothes,holding up a sign that simply said /b/. Infull belief that William, a youngunemployed guy in his family homewho’d been up all night, was actually agroup of skilled hackers, Josh did just as

he was asked. William forwarded bothphotos to Jen. By now it was 7:00 a.m.and the rest of his neighborhood wasgetting ready to go to work. Williamheaded back up to bed.

Not everybody on /b/ did whatWilliam did, but he and plenty of otherson 4chan lived for this sort of nightlyexperience. Despite being a young manwho struggled to hold down jobs formore than a few months at a time,William, sometimes within the space ofan hour, could frighten and coercesomeone on the other side of the worldinto doing something most of us wouldnever dream of: take off their clothes,snap a photo, and send it to a completestranger. /b/ offered a unique sense of

power and unpredictability that drewmany more like him into Anonymous,and it kept them hooked. Over time,people found their own roles in the ever-shifting crowd. For the smart-mouthedAnon known as Topiary, that role was toperform.

Chapter 3

Everybody Get InHere

The raid on Aaron Barr in February2011 would be a landmark attack forAnonymous for several reasons: Itshowed the collective could make abigger impact by stealing data, not justby knocking a website offline. OnceBarr’s e-mails were put online, theywould have major repercussions for hisreputation and that of his associates. Italso showed how much more powerfulan attack could be with Twitter. Theprocess of signing into Barr’s Twitter

account had been easy.Topiary had simply tested the

“kibafo33” password he’d been shownand it logged him right in. But hijackingthe account and tweeting a stream ofribald humor would end up becoming ahighlight of the raid for other Anons andfor the press. These tweets weresuddenly giving a new voice toAnonymous, showing this was not just asinister network of hackers who wantedto attack things. They wanted to havefun, too.

Topiary had always enjoyedimmersing himself in thrilling newexperiences like the HBGary raid. Hisclosely guarded real name was JakeDavis. From a young age, he had

regarded the world with intensecuriosity, preferring the British TV mathgame Countdown to cartoons. He likednumbers so much that when he turnedtwo his mother got him a calculator,letting him gleefully punch the keys withhis small fingers while she wheeled himaround the grocery store. The boydeveloped into one of those rareindividuals who was both creative andanalytical, right-brained and left-brained. He loved numbers but adoredmusic and would later be drawn toavant-garde bands and musicians,listening to them at precisely the sametime as other online friends forsomething akin to a religious experience.Jake assigned colors to numbers: seven

was orange, and six was yellow, forinstance. It wasn’t a vision of color, justthe sense of it, and the condition helpedhim plow through math as a child—remembering the color yellow as 42made it easier to answer themultiplication sum of 6 x 7; 81 was ablue number because 9 was blue, and soon. He was certain everyone else thoughtthis way until he realized he had a“condition” called sound-to-colorsynesthesia.

Born in Canterbury, England, at six hemoved, with his mother, to a remotegroup of islands above Scotland knownas the Shetlands. The move wasoccasioned by his grandfather SamDavis’s impulsive purchase of a

dilapidated hotel for sale on one of theislands. Someone had told the older manabout the building, and he had jumped ona plane to take a look, moving with hiswife, Dot, just one week later. SamDavis was a tough, spontaneous man anda risk taker. Jake’s mother, JenniferDavis, had lost contact with her parentsfor years, but when she found out bychance where they were, she decided tofollow. Till then she had been shuttlingher two sons between boarding housesand looking for a permanent home insouthern England. Jennifer and herpartner, Jake’s father, had been on andoff for around six years. He wasincreasingly feckless and had losthimself in alcohol, rambling about

finding religion and chasing otherwomen. One day she gave both her smallsons a backpack, stuffed what she couldinto a couple of suitcases, and took themon an eighteen-hour bus journey toAberdeen, Scotland (the train was tooexpensive), before getting on a ferry tothe Shetland Islands.

They lived on an island called Yell. Itwas the second largest of the Shetlandsbut still tiny, with a population of aboutnine hundred. It was bleak and, by someaccounts, about twenty years behind therest of the country. There waselectricity, but there were no chainstores, fast-food joints, or nicerestaurants. Local teenagers dabbled indrugs as a recreation of last resort. It

was cold, gray, and windswept, withhardly a tree in sight. Narrow, single-lane roads sprawled across the land andtiny stone houses were sprinkledbetween acres of farmland.

People here were isolated. Their thickdialect was hard for newcomers tounderstand. Most had lived here all theirlives, never venturing off the island orreading anything besides the localnewspaper. Despite the farms, the islandrelied on crates of food and fuel ferriedin once a day. When storms brewed overthe horizon, residents raided the localgrocery store in fear they might gohungry. Islanders didn’t associatethemselves with the two countries oneither side of them, Norway and the

United Kingdom. Being close-knit hadits advantages: people looked out foreach other. The local farmers andfishermen often gave away theiroversupply of meat and fish toneighbors. After a few years, Jake’sfamily had three refrigerators burstingwith fresh lamb and huge chunks of freshsalmon so thick your fork, when pokedin, wouldn’t reach the plate. But localswere mistrustful of outsiders, and schoolwould become unbearable for Jake.

While Jake’s grandparents lookedafter him and his brother after school,his mother worked several jobs to helppay the bills. Eventually she found a newpartner, Alexander “Allie” Spence. Sheand her boys moved into Spence’s

house, and Jake started referring to Allieas his stepfather. At school, Jake wasgetting bullied. Although he was fiercelywitty, he also had amblyopia, acondition known as lazy eye that affectedhis left pupil. Socializing at school wasa struggle, and he decided early on that itwas just easier to not try to makefriends. He was quiet and kept adistance from most other kids. If anyonetaunted him, he’d respond with awithering putdown, and if other kidslaughed, he joined in the banter. For themost part, the resulting lack of schoolfriends did not bother him.

More frustrating was the shortfall inlearning. Jake sensed his tiny school of ahundred students was teaching little

about the world outside their island,with classes instead focusing on theparticulars of sheep farming: how to tagthem and how to dip them in liquidinsecticide. There were compulsoryknitting classes twice a week, whereJake was made to churn out colorful toysin the shapes of ghosts and dinosaurs, orhats. One of his dinosaurs won a prize ata local knitting competition, judged bythe “world’s fastest knitter” who was alocal hero. The feeling was bittersweet;he didn’t want to know how to knit, hewanted to learn something that couldchallenge him.

School and the regimen of classesstarted to seem increasingly pointless.When he started going to Mid Yell

Junior High School, he became insolent,openly questioning the logic of teachers,only trying in classes when a teachersaid he couldn’t do the work properly.He made things tolerable by doingpranks. One day he set off the school firealarm, then heaved large pieces offurniture with a few classmates to blockthe entranceway for students andteachers into the main assembly hall. Hedidn’t want to impress the other kids. Hejust liked causing a stir and longed to dothings no one else had done before. Bythe time he entered his teenage years,teachers were telling his mother that heneeded to interact with a wider circle offriends. Jake to them was emotionless,cold, and sassy.

In February 2004, tragedy struck whenhis stepfather, Allie, was driving downone of the island’s narrow lanes, got intoa car accident, and died. Jake wasthirteen. To make matters worse, he andhis family were told that they could notcontinue living in his stepfather’s home.Spence’s ex-wife still had the rights tothe house and asked them to leave.Jennifer Davis and her two sonseventually were able to findgovernment-assisted living—a smallbrown house with vertical wooden slatsin the middle of Yell.

The experience was too much forJake, who decided he did not want to goback to school. The best place to be wasat home, by himself. He became a

recluse. Amid her own grief, his motherwas livid, telling her son that he couldn’tthrow his education away. But he didn’twant to be restricted by schedules, acurriculum, or his own mother.

After leaving school, Jake was mostlyplaying video games or learning with apart-time tutor. By now, his mother hadset up a dial-up Internet connection forthe home so she could send and receivee-mails. Jake had convinced her toupgrade that to faster broadband, andsince the age of eleven he had beengoing online almost every day, exploringan entirely new world of learning,socializing, then learning by socializing.When he started playing online role-playing games like RuneScape, other

players would teach him tricks forgetting around the Web, hiding hiscomputer’s IP address by chattingthrough instant messages, and basicprogramming. Making online friendswas easy. No one could see hisamblyopia, and people valued his witand creativity far more. He becamebolder and funnier. There was anequality he had never experiencedbefore, an ease of conversation and asense of shared identity. When theInternet telephone service Skype camealong, he used it to talk to his newfriends by voice for the first time.

One day on Skype, someone suggesteddoing a prank call and letting everyoneelse listen in. Jake jumped at the

opportunity. He found the number for arandom Walmart outlet in the UnitedStates, then told the woman whoanswered that he was looking for a“fish-shaped RC helicopter.” As hebegged the woman to help him find one,Jake was keenly aware that his friends(on mute) were dying of laughter. Thenext day he prank-called an Applebee’srestaurant in San Antonio, Texas. Themanager became so incensed that hedecided to prank them again, calling foran ambulance in a falsetto voice andclaiming to be giving birth in therestaurant’s basement. When therestaurant threatened to called a localdetective of the San Antonio PoliceDepartment, Jake and his friend called

the same detective and claimed theApplebee’s manager was a terrorist.Jake’s friends couldn’t get enough of hisprank calls. They were entranced by theunpredictability and the cockinesscoming from his now-baritone voice.They would never have known that just ayear before he was the quiet, scrawnykid getting bullied in a village school.

Soon he was doing prank calls for hisfriends almost every day. He found oneor two other good prank callers tocollaborate with, including a guy inLondon with whom he’d pretend to be afather and daughter arguing on an adviceline. Everything was improvised, andsometimes he would think up an idea justas the phone was ringing. He pushed for

ever more daring ways to upset, scare,or confuse his targets. It was likeproducing a television show, keeping hisaudience happy with new ideas andgimmicks. Eventually they moved to awebsite called Tiny Chat, where dozensof users could listen in on Jake’s Skypepranks.

By this time he was an occasionalvisitor to 4chan and /b/, attracted mainlyby the pranks and raids. He noticed hecould grab more listeners if headvertised through 4chan. He wouldstart a thread on /b/ and paste in links tothe chat room where he wasbroadcasting his prank call, encouragingmore people to join in and listen tosomething funny. Soon enough he was

carrying out live prank calls to 250listeners at a time. The San AntonioApplebee’s became his favorite victim.Throughout the course of a year heordered them rounds of twenty pizzas ata time and thousands of free boxes fromUPS. On another occasion he got a tip-off (through 4chan) from a disgruntledemployee at a home furnishings store inthe United States. The employee hadslipped him the phone-in code to accessthe store’s speaker system. When hecalled it, he put on an authoritativeAmerican accent and told the customersthat all items were free for the nexttwenty minutes. When he called back afew minutes later, the sound comingfrom the background could only be

described as chaos.Two years in and fourteen-year-old

Jake was flitting between hisbroadcasted prank calls and raids by4chan’s /b/tards. Successful raids couldtarget just about anything online, but theytended to have one thing in common,something that has barely changed to thisday: a surge. Whether it was the massspamming of shock-photos on someone’sforum, or overwhelming a website withtraffic, or warping the votes for Timemagazine’s Person of the Year or awebsite’s favorite video game character,raids by /b/ involved pooling togetherand flooding something else to the pointof embarrassment. It was strength innumbers. The more people there were,

the bigger the deluge.4chan’s first landmark raid is widely

considered to have been against HabboHotel on July 12, 2006. Habbo was apopular game and real-time chatting sitedesigned as a virtual hangout for teens.Once logged into the site, you could geta bird’s-eye view of various rooms inthe hotel, and in the form of a characteryou had created, you could explore andchat with other people’s avatars.

One day, someone on 4chan suggesteddisrupting the virtual environment byjoining en masse and flooding it with thesame character, a black man in a graysuit and Afro hairstyle. The men with theAfro then had to block the entrance to thepool and tell other avatars it was

“closed due to fail and AIDS.” Whenregular Habbo users logged in, theysuddenly found the area heaving withwhat looked like sharply dressed discodancers. /b/ reveled in the Great HabboRaid of ’06, and the “pool’s closed”meme was born. For the next few yearson July 12, groups of 4chan usersreturned to the Habbo Hotel with theirAfro-wearing avatars, sometimesmoving their characters to createswastikalike formations in the hotel.

By the time he was sixteen and hadbeen out of school for three years, Jakewasn’t just taking part in 4chan raids, hewas organizing them. In 2008 he helpedinstigate Operation Basement Dad.News had broken that spring that

Austrian engineer Josef Fritzl had rapedand imprisoned his forty-five-year-olddaughter for the last twenty-four years,fathering seven of her children. Detailsof Fritzl’s monstrous crimes shocked theworld, and his trial was in the news forweeks. Naturally, 4chan saw the funnyside. Jake and several other 4chan usersmet in a separate chat room and decidedto create a fake Twitter feed for Fritzl.Their goal was for @basementdad tobecome the first Twitter account to reachone million followers, a race then beingfought between actor Ashton Kutcherand CNN. Less than twenty-four hoursafter they had set up the account andannounced it on 4chan, media-sharingsite eBaum’s World, and other sites, the

account had nearly three hundredthousand followers. Nearly half amillion ended up following@basementdad before Twitter shut itdown; according to Jake’s calculations,it was on track to win the race.

Pranks like this couldn’t be organizedeasily on 4chan. There were nowmillions of people using its forums, andup to two hundred thousand posts goingup each day on /b/. The discussionthreads changed so quickly it wasimpossible to have a cogent discussion.Eventually, people realized that toorganize a good raid they neededInternet Relay Chat (IRC).

IRC was a simple, real-time chatsystem created in 1988 by a programmer

named Jarkko “WiZ” Oikarinen. (Henow works for Google in Sweden.) By2008, a few million people were using it—you didn’t need an account, as youmight with MSN or AOL InstantMessenger. You just needed a program,or IRC “client,” that could point you tothe wide variety of networks on offer.There are hundreds of IRC networks outthere today, some aligned with variousorganizations like WikiLeaks. EFnet isone of the oldest, and beloved byveteran hackers like Sabu. Once youwere on a network there could bedozens, even hundreds of chat rooms ormore to visit, known as “channels.”Some channels had one person, somehad thousands. Most had between five

and twenty-five people. You wouldsimply enter and start meeting people.

When someone like Jake first startedusing IRC, it was more than just a casualchat room. IRC was geared towardtechnically minded people, thanks to itslong list of special commands that letyou navigate channels, even manipulatethe network. The command /whois, forinstance, showed you what channelsanother person was in and an IP address.Starting a private chat would look likethis: “msg topiary Hey, how are you?”Depending upon which client you wereusing, each channel would have a list onone side showing the room’sparticipants, ranked by those who had“operator” status, or the power to kick

people out if they were talking IN ALLCAPS or generally being annoying. IRClingo was littered with abbreviationslike rofl (rolling on the floor laughing),lol (laugh out loud), and ttyl (talk to youlater). Like 4chan, it graduallydeveloped its own culture and language.

Once you were on a network, anyonecould create a new IRC channel. Yousimply typed /join #channelname, and itwould appear. If Jake wanted toorganize a new raid like OperationBasement Dad, he would create a room—for example, #opbasementdad—andinvite a chosen few to enter. That way,anyone interested could contribute ideasand help plan the raid or stunt.

Once the planners had figured out

what to do, they would go back to 4chan.This time, though, they would use /b/ asa recruiting tool, creating a new threadand spamming it with this message:“EVERYONE GET IN HERE.” They’dalso paste a link next to the message thattook other /b/ users into their new IRCchannel. Soon there could be scores,even a few hundred people joining thechat room and listening to instructions orthrowing out ideas. Anonymous had firstemerged on image boards like 4chan, butit was evolving through Internet RelayChat networks. It was becoming moreorganized. Although people could usenicknames on IRC, by and large theywere maintaining the anonymityencouraged on the image boards.

Individual personalities could emerge,but people still had no real-worldidentities.

IRC networks were helpingAnonymous turn from an unpredictable,volatile mass of image board users intowell-organized, sometimes-threateninggroups. If the raid was interestingenough, or well-publicized enough, morepeople would join. Things went upanother notch once hackers started tojump in. The more people joined an IRCchannel, the higher the likelihood thatamong them would be individuals withparticularly strong technical talents:programmers and hackers who couldbreach a network or write a script tohelp automate an attack. One of those

hackers was Kayla.

Chapter 4

Kayla and the Riseof Anonymous

While Topiary was making the /b/tardslaugh on 4chan, the Internet entity knownas Kayla was teaching herself to ripholes in cyberspace. Her journey into theworld of Anonymous, as she told it, hadstarted off with isolation, the discoveryof hackers on the Internet, and thenfinding her place in the rise ofhacktivism. But there was one thingmany people came to learn about Kayla.She lied.

It was not done in a malicious way.

Kayla lied partly to protect herself,partly to stay friendly. Being evasiveabout information, like the hacker knownas Tflow, could be off-putting evenwhen people knew that this wasAnonymous etiquette. Instead of refusingto answer a personal question or join inconversations, Kayla freely providedpersonal details about her life to heronline friends, humdrum accounts ofstubbing her toe on the door on the waydownstairs to get some food or going tothe beach with her real-life friends. Sheshared unusually stark details about herchildhood and parents and about otherhacks that she had carried out in the past.Whether she was lying about some,none, or all of it, the person behind

Kayla seemed to have a deep need to tellstories to prove her value to others.

After the February 2011 attack onHBGary Federal, for instance, Kaylacorroborated the story Sabu had told,that a sixteen-year-old girl had hackedinto Greg Hoglund’s website,rootkit.com. “After resetting Greg’saccount, I used it to social-engineerJussi for access to rootkit.com,” Kaylasaid in an interview in March 2011. “Itwas the icing on the cake.” In truth, Sabuhad been the hacker to social-engineerthe admin and hack the site.

When she was asked to recount thestory a few months later, her versionchanged: “The thing is, the way it allhappened…Sabu set the ball rolling with

the social engineering, then I finished itoff by nuking rootkit.com’s server.”Kayla did not have to lie about herexploits. She was a skilled hacker andmost people who knew her acceptedthat. But she also didn’t want to corruptSabu’s lie and make things difficult forher friend. That was Kayla—lying sothat she didn’t have to upset people.

Kayla claimed that, along with being asixteen-year-old girl, her parents hadsplit when she was eleven. The storywent that her father had been the morestable parent and taken custody, thenmoved with her to a remote town wherethere were few kids Kayla’s age nearby.With little else to do, she started chattingwith her old friends on MSN Messenger,

logging in with her real name (which shesaid was also “Kayla”) and othercredentials. Her father, she said, was asoftware engineer who worked fromhome, and the house was littered withbooks on computer programming, LinuxKernel, Intel, and networking. Shestarted reading his books and asking himquestions about what he did. Encouragedby her enthusiasm, he sat with her infront of a computer and showed her howto find bugs in C source code and exploitthem, then how to bypass them. Soon shewas immersing herself in scriptinglanguages like Perl, Python, and PHP,learning how to attack Web databaseswith the SQL injection method. It wasmostly harmless, but by the time she was

fourteen, Kayla claimed she was writingscripts that could automate cyber attacks.

It had all been harmless, “until I wentlooking for so-called hacking forums,”Kayla said. “I registered at some of themand they were all, ‘Go away little girlthis isn’t for you.’ Fair enough I wasonly 14 but it made me so angry!”

Using some of the skills she hadpicked up from her dad and onlineresearch, she claimed she hacked intoone forum site and deleted much of itscontents using SQL injection. It was anattack unlike any the regulars had seenbefore.

“Wow you’re only 14 and you can dothis?” Kayla recalled one of the hackersthere saying. He invited Kayla into the

more exclusive chat channels on EFnet,one of the oldest Internet Relay Chatnetworks. The forum user saw potentialin Kayla, gave her tips, and pushed herto read more books on programming soshe could learn more.

“It got kinda weird because I startedmeeting some shady people,” she said,referring to purely online meetings. “Oneguy was much older than me, like a lotolder and had a weird crush on me. Iguess a girl hacker is every guy hacker’sdream? Maybe? The only thing was hewas 27 and I was only 14, so yeah,weird! I’m so sick of people thinkingonly old people are smart, and justbecause I’m young anything I say doesn’tcount?”

Though Kayla insisted that online lifewas hard because she was female, theopposite was more likely true. The realperson behind her nickname wasguaranteed to get more attention andmore opportunities to hack others bybeing a friendly and mysterious girl.Females were a rare sight on imageboards and hacking forums; hence theonline catchphrase “There are no girlson the Internet,” and why posing as a girlhas been a popular tactic for Internettrolls for years. But this didn’t spell anupper hand for genuine females. If theyrevealed their sex on an image boardlike /b/ they were often met withmisogynistic comments like “Tits orGTFO”—that is, “Show your tits or get

the fuck out.” Many girls on imageboards would often appease these callsby going down the route of becoming“camwhores,” stripping or performingsexual acts on webcam for attention andacceptance. The other option was tosimply hide their sex and be male online.With so much ego and reputation atstake, identifying someone’s gender on aboard like /b/ could be almostimpossible, but it made sense to besuspicious of those claiming outright tobe young women. This was why number29 of the Rules of the Internet said thaton the Internet “all girls are men and allkids are undercover FBI agents.” Kaylaprobably wasn’t an FBI agent, butcertainly someone with an elaborate

backstory, and one that perhaps hinted atwho she really was in real life.

Kayla claimed that, growing up, otherkids her age would hang out on streetcorners while she stayed at homememorizing Windows opcodes, auditingsource code, and accepting invitationsinto private IRC channels where shecould learn more from other hackers.She liked using her skills to play trickson others. A common prank was to“dump” or publish a person’s MySQLdatabase, essentially a map for otherhackers to try to steal their e-mails ordocuments. The ultimate goal was to doxsomeone, discovering and then postinghis or her real-life personal detailsonline.

Trolling and Internet vigilantism hadbeen around for some time already, butthey were becoming increasinglypopular in 2008, and it’s no coincidencethat at around the same time,anonymizing technologies like VirtualPrivate Networks (VPNs) and Tor werealso becoming popular. These allowedhackers and regular 4chan users likeWilliam to hide their IP addresses, theunique number, typically long withseveral decimals, assigned to everycomputer connected to the Internet. Partof the address could correspond to thenetwork the device was part of, and therest to the individual. If you could figureout someone’s real IP address, youcould usually get his or her real name

and real address. But if that person wasusing a VPN, then people (like thepolice, or rival hackers) trying to “gettheir dox” would find a fake IP address,sometimes pointing to another computerin another country.

Trolling was like pranking, butultimately it meant causing some sort ofemotional distress to someone else,often through embarrassment or fear. Forsome people who couldn’t be acceptedin the real world, trolling was an easyroute to power and one-upmanship.After displaying her skills to the hackerforum she disrupted, Kayla startedregularly trolling people for kicks. Sheangered at the smallest hint of doubt ather skills and was obsessed with

proving herself. She took her aggressionout on other hackers, “furfags” (peoplewith a penchant for bestiality), andonline pedophiles. Each time she andother hackers would find their personaldetails, she’d aim to scare them withtheir information, then post it online orthreaten to send it to the police. Around2008, someone invited Kayla toPartyvan, a sprawling network of chatrooms created by a few people whowanted to unite other IRC networks thatwere linked to image boards like 4chan.The idea was to better collaborate onraids and create a home for the onlinephenomenon that people wereincreasingly referring to as Anonymous.

Raids, like that on Habbo Hotel, were astep up from trolling because theyinvolved multiple people workingtogether to cause mischief. Eventually, itwas the raids that got Anonymous itsfirst real airing in the mainstream pressas a single entity—perhaps notsurprisingly by a Fox TV News affiliatein Los Angeles. The segment, aired inJuly 2007, was given the usualsensationalist treatment: whooshingsound effects and flashes of white light.“They call themselves Anonymous theyare hackers on steroids,” the anchor saidwithout pausing, “treating the web like areal-life video game.”

The camera cut to silhouetted handstyping on a keyboard. “Destroy. Die.

Attack,” another disembodied voiceintoned. “Threats from a gang ofcomputer hackers calling themselvesAnonymous.” The segment featured aninterview with a MySpace user named“David,” who said tormentors fromAnonymous had cracked seven of hispasswords.

“They plastered his profile with gaysex pictures,” the narrator remarked.“His girlfriend left him…. They attackinnocent people, like an Internet hatemachine.” The words “Internet hatemachine” zoomed up onto the screen asthe narrator added that Anonymous hadissued death threats and threatened tobomb sports stadiums, actual pranks thathad indeed been carried out by visitors

to /b/.“I believe they’re domestic

terrorists,” a silhouetted woman saidbefore cutting to a clip of an explodingyellow van. “Their name comes fromtheir secret website,” the reportercontinued, as foreboding music beganplaying in the background. “It requireseveryone posting on the site to remainanonymous.”

“They enjoy doing this,” a silhouettedman said in a deep, distorted voice. Foxdescribed him as a former hacker whohad fallen out with Anonymous. “Theyget what they call ‘lulz.’”

“Lulz,” the reporter explained, as theword appeared in a large font on thescreen and horns played in the

background, “Is a corruption of L.O.L.,which stands for laugh out loud…. Theirpranks are often anti-Semitic or racist.”

The report foreshadowed how themedia would continue to overdramatizethe exploits of bored and mischievousteenagers, a nebulous crowd of mostlyyoung males who could spontaneouslypool together against a target. If therewas a “hate machine” as Fox describedit, its cogs and wheels were IRCnetworks and image boards. And whileit was nowhere near as organized as Fox(and future news reports) suggested, theAnons were happy to play up to thatportrayal.

There was no single leader pulling thelevers, but a few organizational minds

that sometimes pooled together to startplanning a stunt. This was what wouldhappen next for Anonymous, on agrander scale. 4chan had spawned lotsof raids on small websites andindividual people. Soon the mob wouldpick a target so controversial that itsattacks would gain a measure of popularsupport and require an impressive act ofplanning. The following year, 2008, waswhen one of /b/’s raids turned into afull-blown insurgency against the Churchof Scientology.

Chapter 5

Chanology

Before Topiary, Sabu, and Kaylacould find each other, attack HBGary,and have the conviction to hit a stream ofother targets as LulzSec, Anonymous hadto grow into something larger than just amass of young people on image boardsor individuals like Topiary makingprank calls. In other words, more thanjust a nuisance. That changed because ofthe actor Tom Cruise and a video thatthe Church of Scientology didn’t wantanyone to see.

Cruise had been involved withScientology since 1990, quickly

becoming its most famous celebrityadvocate. In 2004 he sat down for aninterview with Scientology filmmakersthat would be included in a video shownexclusively to church members. Thevideo had all the trimmings ofpropaganda: an image of Earth in space,flashes of light and the sound of slicingblades as the symbol of Scientologyzoomed into view. Then, as an electricguitar urgently began plucking the themetune to Mission: Impossible, Cruiseappeared, dressed in a black turtleneckand wearing a stern expression.

“I think it’s a privilege to callyourself a Scientologist,” he said. As theMission: Impossible theme continuedplaying in the background, the video

showed segments of Cruise’s strangemonologue, which became increasinglyincoherent.

“Now is the time, okay?” Cruisecontinued. “People are turning to you soyou better know it. You better know it.And if you don’t?” He smiled. “Go andlearn it, you know? But don’t pretendyou know it or whatever, you knowwe’re here to help.” Another segmentstarted by showing Cruise, grinning,with his eyes closed, before suddenlyconvulsing with laughter. “And theysaid, so, so you have you met an SP[Scientology acronym for SuppressivePerson]? Ha ha ha ha! And I looked atthem. Ha ha! You know, and what abeautiful thing because maybe one day

it’ll be like that. Wow.” Though some ofwhat Cruise was saying made sense,most did not. The church was not exactlykeen for the video to get out. In 2007, anunnamed church member decided to leakthe video, mailing it on a DVD to ananti-Scientology campaigner namedPatty Pieniadz.

A former high-ranking Scientolgist,Pieniadz held on to the video for about ayear, waiting for the right moment torelease it. When she heard that a newbiography of Cruise would be releasedon January 15, 2008, she decided thatwas her moment. She offered the videoto TV network NBC to showexclusively, but to her surprise, it balkedat the last minute on copyright concerns.

With only a few days to go, Pieniadz hadjust one other option: the Internet. Shehad no idea how to upload the video tothe Web, so she mailed the DVD toseveral other people in the hope itwould eventually wind up on YouTube.One of those people was Mark Ebner, aninvestigative journalist in Los Angeles.At 2:00 a.m. West Coast time on January15, Ebner sent a message to the founderof the media news website Gawker,Nick Denton, asking if Gawker wantedto host what would later be called “thecrazy Tom Cruise video.” Denton was“giddy” with excitement, according toEbner.

At around the same time, other copiesof the video were being uploaded onto

YouTube and promptly being takendown on apparent copyright violations.The Church of Scientology wasnotoriously litigious, and it is likely thatYouTube’s parent company, Google,which had been sued for $1 billion indamages by Viacom in a copyrightlawsuit the previous year, did not wantto take any chances.

This did not put off Gawker. On thefifteenth, founder and editor Dentonpublished the video in a blog post titled“The Cruise Indoctrination VideoScientology Tried to Suppress.” In theaccompanying article, he wrote,“Gawker is now hosting a copy of thevideo; it’s newsworthy; and we will notbe removing it.” The video went viral

almost instantly. To date, Denton’s blogpost has received more than 3.2 millionviews, while a copy of the video thateventually stayed up on YouTube hasreceived more than 7.5 million.

But things were about to get evenmore embarrassing for the Church ofScientology, thanks to 4chan and /b/.

Later that day, at 7:37 p.m. easternstandard time, a /b/ user who had seenGawker’s story and who, it is claimed,was female, started a discussion threadon the board. The title was simply,“Scientology raid?” Every Original Poston /b/ had to include an image, and shehad picked the church’s gold-and-whitelogo. Her accompanying text was heavywith platitudes and appealed to the

regular users of /b/ to galvanizethemselves:

I think it’s time for /b/ to dosomething big. People need tounderstand not to fuck with /b/…

I’m talking about “hacking” or“taking down” the officialScientology website.

It’s time to use our resources todo something we believe is right.

It’s time to do something bigagain, /b/.

Talk amongst one another, find abetter place to plan it, and thencarry out what can and must bedone.

It’s time, /b/.

Fellow /b/ posters were immediatelydubious. “Yeah, good luck with thisfail,” said one of the first to reply.

“A random image board cannot takedown a pseudo-religion with the backingof wealthy people and an army oflawyers,” said another. “Even if everyperson who has ever browsed /b/ ONCEjoined in on a mass invasion it wouldstill amount to nothing. Plus…theywould have 500 lawyers up their assbefore they could say ‘litigation.’”

“4chan vs. scientology = M-M-MONSTER FAIL.”

“Can we take Mormonism next? ThenChristianity?” another Anonymousposter asked sarcastically. “Then, if we

really got balls, Islam?” A few /b/ userswho had a background in Scientologyalso defended the religious group:“Scientology isn’t fundamentally wrongor harmful as a belief system,” one said.

The discussion continued, but soon theoriginal, skeptical comments weredrowned out by the comments of peoplewho supported the OP. It was as if themore /b/ thought about hittingScientology in a big way, the more itsusers liked the idea. “You don’t get it doyou,” said one. “We are the anti-hero,we will do good, and fuck anyone, goodor bad, who happens to be in the way.”

“This is the first step in somethinglarger, something epic,” another agreed.

“We can do this,” said another. “We

are Anon, and we are interwebssuperheroes.”

Suddenly, the thread’s opinion wasrushing toward all-out agreement on araid. The initial skepticism andobjections that /b/ was “not yourpersonal army” were forgotten by thenow-zealous throng:

“We are thousands strong, they can’tsue all of us!”

“I say it’s time to stop talking aboutshitting dick nipples and do somethingeven half-worth while, even if it IS justpissing off a bunch of scam artists.”

“Future generations of /b/tards willlook back to this as the day we fuckedwith batshit insane scientologists.”

“Let’s do it, /b/.”

“I have three computers. How can Ihelp?” someone asked.

“Jesus will someone write thenewfags some explanations on how to doa DDoS? And then we can get this shitunderway.”

Before Anonymous emerged, DDoSattacks had been mostly confined to useby cyber criminals against financialwebsites or companies from which theycould extort money. But by 2008, it wasalready becoming one of the mostpopular forms of Anonymous attacks.Two years earlier, /b/ users had beenDDoSing the site of white nationalistradio host Hal Turner, temporarilyknocking it offline. He later tried suing4chan, another image board called

7chan, and eBaum’s World, claimingthousands of dollars in bandwidth costs,with no success.

You could take part in a DDoS attacksimply by downloading one of at least adozen free software tools available on4chan’s /rs/ board. When enough peopledid so and flooded a target with junktraffic, the effect was like fifteen fat mentrying to get through a revolving door atthe same time, according to an analogyby security writer Graham Cluley.Nothing could move. The result:legitimate visitors got an error pagewhen they visited the site, or theirbrowser just kept loading. Thedowntime was always temporary—similar to when an online retailer holds

a 75 percent off sale and can’t handle theflood of visitors. This may seem trivial,since anyone who surfs the net hasexperienced a bad connection and errorpages. But downtime that lasts for hoursor days can cost companies thousands inlost revenue or extra bandwidth cost.Participating in a DDoS attack is alsoillegal, breaking the Computer Fraud andAbuse Act in the United States as wellas the 2006 Police and Justice Act in theUnited Kingdom; in both countries,perpetrators face a maximum penalty often years in prison.

This, of course, rarely deterred /b/and made raids seem more like a high-stakes game. With Scientology,participants agreed it was worth getting

the newfags on board to create an armyand spread the word to the other Internetimage boards, also known as “chans.”These included 7chan, a popular imageboard for ex-/b/ users; GUROchan, animage board whose posts mainlyconsisted of gore; and Renchan, a now-defunct site whose content bordered onpedophilia. 4chan needed to gather atleast a thousand people, said one /b/user on the still-developing Scientologythread that day, and who knew, theycould probably find at least fivethousand willing to fight for the cause.

People quickly got down to business.One /b/tard suggested “Phase one”:prank-calling the Dianetics hotline and

rickrolling them, or asking the callcenter “why there’s a volcano on thecover of Dianetics…generally bug thehell out of them.”

Another /b/tard instructed everyone toDDoS a list of Scientology sites. Youcould do this by simply visitingGigaloader.com and inputting a list ofURLs that pointed to eight images onScientology.org. The Gigaloader site(now defunct) was originally meant tostress-test a server, but from as early as2007 people figured out they couldexploit it for DDoS-style attacks. Youcould enter several Web addresses forimages on a website, and Gigaloaderwould constantly reload the images inyour browser—that would burden the

image server and eat up the site’sbandwidth, an effect multiplied by thenumber of people participating.

The best part was /b/ could include amessage in the traffic that was beingsent. In a separate incident, a webmasterwhose website was being hit byGigaloader in 2007 said the traffic hewas getting looked like this:

75.185.163.131 - -[27/Sep/2007:05:10:16 -0400] “GET/styles/xanime/top.jpg?2346141190864713656_ANON_DOES_NOT_FORGIVEHTTP/1.1” 200 95852“http://www.gigaloader.com/user-message/ANON_DOES_NOT_FORGIVE”“Mozilla/5.0 (Windows; U;Windows NT 5.1; en-US;rv:1.8.1.7) Gecko/20070914

Firefox/2.0.0.7” In the case of Scientology.org, 4chanwas sending the message “DDOS BYEBAUMSWORLD” to the church’sservers, part of a running gag to blame4chan’s antics on the rival, slightlytamer site. Once the thread’s participantsstarted hitting Scientology.org withGigaloader, another poster described“Phase 2”: /b/ would create a shell siteand upload to it a video that repeatedlyflashed “facts of Scientology and itsinner workings.” /b/ users would thensuggest links to content-sharing site Diggand upload the video to YouTube andYouPorn. Phase 3 would be whenmainstream news outlets like Fox andCNN picked up on the video, and an e-

mail address on the shell site got a ceaseand desist order from the Scientologylawyers, which would include thelawyers’ names, phone numbers, officeaddresses, and fax numbers. /b/ shouldthen harass the lawyers, prank-call them,fax them pictures of shock site Goatse,and “complain to her/his boss that she/heis a crack whore/rapist/niggerwhatever.”

As the /b/ thread on Scientologycontinued, its contributors becamephilosophical. This raid was about self-preservation, said one. /b/ was dying.The board had become elitist, sniping atparticipants who appeared too nerdy anddiscussing increasingly tame subjects.“The gaiafags, furfags, all the fags that

you pushed out, we need to amass anumber in the thousands and then strike,”they said. “The 3-phase program thatanon posted a bit up [sic] is foolproof,as long as we work together.” Longtimeusers who had become disenchantedwith the site knew it had potential to bemore than just an image board, and tolive up to the immortal Fox11 line“Internet hate machine.”

“We used to be something powerful,”another old hand said wistully. /b/ wasnow filled with “newfags” who would“bitch and moan” whenever a new raidwas proposed. “Long ago, people wouldjump on the chance to cause massivelulz, annoy the hell out of people, andpossibly do some good for the world. I

found an army that did not belong to oneperson, but belonged to each other.”

Now an Anon had posted Phase 4,which was getting into Scientology’scomputer network. “This is the climax ofeverything,” the person said. “Whoeverwill complete this will be a god in theeyes of Anonymous.” Someone had toget into an actual Scientology church,preferably a small one in a small townsomewhere. They had to bring a USBdrive with a keylogger program,software that could log everything typedinto a computer. “You must do whateveris possible to get behind the front desk,”they explained. “While they are busy,sneak to the tower of the computer underthe desk, load the keylogger, and let it

sit. Walk out, and come back in a day ortwo.”

About an hour and ten minutes afterthat first call-to-arms post, someonenoticed the spontaneous DDoS attackthey’d been hoping for was working.Gigaloader.com was working. “Thescientology site’s running slow as shit,”they said. It was taking two minutes toload a page that had previously beeninstantaneous.

“COME ON GUYS,” shouted oneAnon. “KEEP GIGALOADING!” Sofrenzied was the atmosphere that onlyfour posts out of hundreds mentionedusing a VPN or other anonymizing toolsso that people taking part could hidetheir IP addresses.

By 9:30 p.m., the raid had moved intoeveryone-get-in-here mode. Someonehad posted an IRC network and channelfor people to hop in and discuss whatwould happen next in more detail. Thechannel was called #raids, andeventually the original poster who hadstarted the thread created a new IRCchannel called #xenu. In the Scientologybelief system, Xenu was the dictator ofthe Galactic Confederacy who firstbrought humans to Earth around seventy-five million years ago, then placed themaround various volcanoes and killedthem with hydrogen bombs.

By now, hundreds of people werepiling into #xenu, and then #target,where self-appointed planners could

specify targets with a topic title at thetop. Everyone was talking at once in the#xenu channel about what to do next.

“HEY /B/,” someone wrote at 9:45p.m. back on 4chan. The Anon claimedto have found “a bunch of” XSSvulnerabilities on Scientology.org. XSS,or cross-site scripting, was said to bethe second most common hackingtechnique after SQL injection. “I’LLTRY TO MAKE AN EXPLOIT OUTOF IT.” The address of the IRC channelkept being spammed. There was a sensethe thread was coming to an end, so afew people posted one key takeawayfrom the discussions on IRC: rememberthe date January 20. “Shit will godown.”

The entire thread had amassed 514posts in about three hours. Spirits werehigh. The third to last poster estimatedthat around two hundred people hadbeen involved in the discussion. Bynow, Scientology centers around theworld were already getting a trickle ofprank calls playing the music of RickAstley, faxes of black paper that woulddrain their printer cartridges, unwantedpizza deliveries, and unwanted taxis.Their main website was also loadingslowly.

The following day, January 16,someone using the nicknameWeatherman started a page onEncyclopedia Dramatica, the onlinerepository whose slogan was “In lulz we

trust.” That page included a declarationof war on Scientology. Then, at 5:47p.m. eastern standard time, the originalposter who had first suggested a chanraid on Scientology congratulated thegalvanized troops on /b/ and gearedthem up for more dramatic action.

“On 15/1/08 [sic] war was beginning.Scientology’s site is already underheavy bombardment,” the OP said. “Thisis just the tip of the iceberg, the firstassault in many to follow. But withoutthe support of the chans, Scientologywill brush off this attack. 4chan, answerthe call!…We must destroy this evil andreplace it with a greater one—Chanology!”

The portmanteau of “chan” and

“Scientology” signified an event thatwould unite the different image boards,turning their individual battles againstpedophiles, MySpace users, and eachother into a larger battle against a largerorganization. Scientology may haveseemed like an odd choice for a target—until then, most visitors to chansprobably only knew it as a kookyreligion with a few celebrity followers.Suddenly it was becoming the biggesttarget Anonymous had ever attacked(there were thought to be around twenty-five thousand Scientologists in theUnited States in 2008) with what seemedlike the biggest wave of interest. No one,not even the original poster, knew wherethis was going, if this would be a single

incident or a step forward from thecreative anarchy of the Internet.

But why Scientology? A bizarreperformance by a celebrity and theunusual belief system of Scientologyinitially appealed to people whobrowsed image boards and eBaum’sWorld looking for the strange, new, andtitillating. Then Scientology’s attemptsto suppress the Cruise video invited avigilante-style attack to right theirwrong. Another factor wasScientology’s almost neuroticdefensiveness. The church was wellknown by this time to have usedintimidation tactics against its criticsboth in real life and on the Web, whichmade it perfect “troll bait” for the likes

of 4chan and the increasingly organizedAnons on Partyvan. Scientology’sprevious scuffles with online dissenterswere already so well known thatCanada’s Globe and Mail dubbed itsattempts to remove the Cruise videofrom YouTube “Scientology vs. TheInternet, part XVII.” The church hadbeen fighting a war with onlinedissenters for fifteen years, all the wayback to the old days of Usenetnewsgroups like alt.religion.scientologyin 1994, when ex-members infuriated thechurch by leaking secret documents.

One other reason, which often appliedto the seemingly random thingsAnonymous did, was because theycould. Technology was developing to

the point where anyone with an Internetconnection could access free web toolslike Gigaloader and help take down awebsite. The Tom Cruise video and theoriginal poster on /b/ had come in at justthe right moment. As the attackdeveloped, so did the opportunity to takepart. The “firing” on Scientology.orgdidn’t let up; if one person stopped usingGigaloader, two or three others weregetting involved.

This was the beginning of a newchapter of Anonymous. The OP hadcontinued on her second post: “If we candestroy Scientology, we can destroywhatever we like!” She reminded 4chanthat its users had to “do the right thing”as the largest of the chans, holding the

manpower that the “legion” needed. Thenew thread was as popular as theprevious day’s, getting 587 responses,including the repeated instructions forusing Gigaloader and comments like“I’M IN.”

Soon the Anons were DDoSing otherwebsites affiliated with Scientology:rtc.org, img2.scientology.org, andvolunteerministers.org. As a result,Scientology.org shut down for twenty-four hours before the church moved itsservers to an outside company called800hosting. There were about tendifferent software tools that Anons couldchoose from to help take down theScientology sites, but the most popularwas Gigaloader.

By now, #xenu was teeming with somany people it was becomingimpossible to organize anything. Thenalmost out of nowhere on the secondday, a male Anon who was also anadministrator on EncyclopediaDramatica yelled, ALL CAPS: “YOUGUYS NEED TO TALK TO THEPRESS. PUT A PRESS RELEASETOGETHER. THIS IS BIG.” No one sofar had organized a group of people todeal with publicity, and hardly anyone inthe channel wanted to step up. But a fewdid. With a few clicks, one personcreated a channel called #press,announced to the #xenu channel that itwas there, and five people joined it. Atthe top of the channel they had set a

topic: “Here’s where we’re going to talkto the press.”

One of the people joining the #presschannel was a round-faced man inglasses sitting in his bedroom in Boston.The room doubled as a home office forhis freelance software work. GreggHoush would become instrumental inhelping organize the Anons over the nextfew months, though like others inAnonymous, he would eventually fadeinto the background as a new generationof figureheads like Sabu and Topiarylater emerged. Originally from Dallas,Texas, Housh loved trolling andorganizing pranks and was a regular onthe Partyvan IRC network. He had acommanding, talkative personality that

belied any outward appearance of beinga computer geek. He’d done some jailtime for his part in coordinating illegalfile sharing in his late teens, his termhelpfully cut short after he agreed tocooperate with the FBI, according tocourt documents, and the judgeconsidered his tough upbringing.Housh’s father had left when he wasfour, and his mother was a housecleanerwho also cared for a grown daughterwith cerebral palsy. Having now beenout of jail for a while, Housh waslooking to stay out of trouble, since healso had a young daughter. But hecouldn’t help feeling intrigued by whatwas happening to Scientology. Hejumped into #press and, together with a

few others in the chat room, wrote apress release called the “Internet GroupAnonymous Declares War OnScientology,” listing the tongue-in-cheeksource as “ChanEnterprises.” Theypublished it.

When the #press channel’sparticipants read over the press release,it sounded so dramatic and ominous thatthey decided something similar shouldbe narrated in a video, too. A member ofthe group, whose nickname was VSR,created a YouTube account calledChurch0fScientology, and the groupspent the next several hours findinguncopyrighted footage and music, thenwriting a video script that could benarrated by an automated voice. The

speech recognition technology was sobad they had to go back and misspellmost of the words—destroyed became“dee stroid,” for instance—to make itsound natural. The final script ended uplooking like nonsense but sounding likenormal prose.

When they finally put it together, aStephen Hawking–style robotic voicesaid over an image of dark clouds,“Hello, leaders of Scientology, we areAnonymous.” It climbed to new heightsof hyperbole, vowing to “systematicallydismantle the Church of Scientology inits current form.…For the good of yourfollowers, for the good of mankind—forthe laughs—we shall expel you from theInternet.” Housh and the group of

publicity reps weren’t taking any of thisseriously. But as they were puttingfinishing touches on the video and jokingabout how this “war” would be one ofthe funniest trolling events of all time,lasting a few days at most, a French PhDstudent in the group suddenly got seriouswith them.

“Guys, what we are doing today isgoing to change the world,” he said.

The others in the group stopped for amoment and then laughed, Housh laterrecalled.

“Gtfo,” wrote one. “Quit your jibberjabber.” But the French Anon wasunrelenting. Tens of thousands of peoplewere going to watch the video they weremaking. This was the start of something

major, “and we just don’t know what itis yet.”

Housh and the others shrugged andcarried on, according to Housh. Theycalled the video Message toScientology, published it on January 21,and posted links all over the chans andDigg. Having worked on the videothrough the night, most of them went tosleep.

The next morning, Housh’s girlfriendat the time nudged him awake. “Youneed to get back onto your computer,”she said. “Stuff is blowing up.”

Housh fell out of bed, fumbled for hisglasses, and stared at his screen. ThePartyvan IRC network was crashing asthousands of new people tried piling into

#xenu.“We had DDoS’d ourselves,” he later

recalled in an interview. The video hadbeen picked up by Gawker and anothertech site called The Register, andthousands had seen it. Later that day,around ten thousand people were tryingto get into #xenu, and the IRC networkhosts on Partyvan kicked everyone offthe network. Housh and the others triedto get everyone to move to another IRCnetwork, which immediately went down.Fortunately, the Partyvan admins cameback, saying they had added five moreservers so that the horde could return.Most communication for Anonymouswas now taking place on Partyvan IRCservers.

It was a whirlwind for Housh and theothers. Waking up and realizing thatthousands of people wanted to take partin this prank, they suddenly had it dawnon them that people were payingattention and they couldn’t just dosomething silly.

Over the next forty-eight hours, #pressbegan filling up with a few more peoplewho liked setting agendas. Realizing thatthe chat room was starting to turn into anorganizational hub, the group, whohadn’t known one another before theselast few days, changed the channel’sname to #marblecake. By picking arandom name, their room was morelikely to remain private, allowing themto avoid the distraction of visitors and

focus on organizing. For the first coupleof days they were stumped on what to donext and argued about how the massesshould proceed.

“We had no clue what we weredoing,” Housh remembered. Should theyhit Scientology with more DDoSattacks? Prank them in some other way?They decided the first port of call was tostop #xenu from collapsing. They askedthe IRC operators to limit the channel toa hundred people so that any more thanthat would be automatically kicked out.They then directed people to joinchannels based on the city nearest tothem, such as #London, #LA, #Paris, or#NY. Over the next six hours, the legionself-segregated.

The first DDoS attacks on Scientologyhad been carried out using simple Webtools like Gigaloader and JMeter.Within a few days, though, they wereusurped by what would become the twomost popular weapons in the Anonymousarsenal: botnets and the Low-Orbit IonCannon (LOIC).

Botnets would not be usedsignificantly by Anonymous for a fewmore years, but they were easily themore powerful of two key weapons.These were large networks of “zombie”computers usually controlled by a singleperson who gave them commands from aprivate IRC channel. It’s rumored thatbotnets were used just once or twiceduring the first Anonymous attacks on

Chanology, though few details areknown. Often botnets are made up ofbetween ten thousand and one hundredthousand computers around the world.The biggest botnets, ones that have thepower to take out the servers of smallgovernments, have upward of a millioncomputers. The computers belong toaverage people like you and me,oblivious to what is going on—oftenwe’ll have joined a botnet byaccidentally downloading infectedsoftware or visiting a compromisedwebsite. Perhaps someone sent us aspam e-mail with a link promising freephoto prints or a cash prize, or weclicked on an interesting video thatdisguised malicious code.

Nothing appears to be amiss aftersuch software downloads. It installsitself quickly and quietly and for themost part remains dormant. When thebotnet controller issues commands to anetwork of “bots,” a signal is sent to theinfected computer, and the smallprogram that was downloaded starts upin the background without the owner’srealizing it. (Who knows—yourcomputer could be taking part in a DDoSattack right now.) The network ofthousands of computers will act together,as if they were one single computer.Typically, botnets will use their bots tosend spam, find security vulnerabilitiesin other websites, or launch a DDoSattack on a corporate website while the

controller demands a ransom to stop. Inunderground hacker culture, largerbotnets translate to greater street credfor the controllers, or botmasters.

It’s unclear how many computers inthe world have been assimilated intobotnets, but the number is at least in thetens of millions, with the greatestnumber of bot-infested computers in theUnited States and China. In 2009 theShadowserver Foundation reported thatthere were thirty-five hundred identifiedbotnets in the world, more than doublethe number in 2007. In March 2010Spanish police arrested three menbehind a botnet called Mariposa,Spanish for “butterfly.” Discovered bywhite-hat hackers (cyber security

specialists) and law enforcement agentsin 2008, the monster botnet was made upof as many as twelve million zombiecomputers and had been used to launchDDoS attacks, send out e-mail spam, andsteal personal details. The ringleadersmade money on the side by renting it out.

Renting a botnet was far less riskythan making one yourself, and with theright skill set and contacts, they weresurprisingly easy to come by. A 2010study by Web infrastructure companyVeriSign showed the average rate forrenting a botnet from an undergroundmarketplace was $67 for twenty-fourhours and just $9 for one hour. Renting abotnet that could take out the servers of asmall government might cost around

$200 an hour. Botnets used byAnonymous in both the Chanologyattacks of 2008 and Op Payback in2010–11 were both rented and self-created, and sources say there was alsoa range of botnet sizes. But it was thesuper botnets, controlled by a smallhandful of people, that could do the mostdamage.

The second weapon in the Anonymousarsenal was the Low Orbit Ion Cannon,whose acronym is pronounced “lo-ick.”In terms of power, it was piddlingagainst a botnet—like the differencebetween a long-range missile and ahandgun—but the software was free andeasy for anyone with a computer toaccess. From the start of Chanology

onward, LOIC started replacingGigaloader in popularity. The origins ofthe software program are a little unclear,but it is widely thought to have first beendeveloped by a programmer nicknamedPraetox, who was eighteen at the time,lived in Oslo, Norway, and enjoyedprogramming and “running in thewoods,” according to his website.

Praetox made all sorts of things on hiscomputer, including cheats for the onlinerole-playing game Tibia and a programthat would make windows on a computerdesktop look transparent. He was alsoversed in chan culture and used thecartoon image of a “Pool’s closed” signfor his YouTube account. The nameLOIC itself comes from a weapon in the

Command & Conquer video gameseries, and of all his creations it wouldbe Praetox’s legacy.

Praetox appears to have originallycreated LOIC as an open source project,which meant anyone could improve it.Eventually, a programmer nicknamedNewEraCracker made some tweaks thatallowed LOIC to send out uselessrequests or “packets” to a server,making it what it is today. At the time,packets were part of everything one didon the Internet. Visiting a web pageinvolved receiving a series of packets,as did sending an e-mail, with a typicalpacket containing 1–1,500 bytes. Theycan be compared to addressedenvelopes in the postal service. “Packet

sniffing” meant trying to figure out whatwas inside a piece of mail by looking atwhat was on the envelope. The datainside a file could be encrypted, but thepacket itself would always identify thesender and receiver.

A DDoS attack was, in one way, likeoverwhelming someone with thousandsof pieces of junk mail that they had nochoice but to open. One defense was to“filter the packets,” which would be likeasking a doorman to not allow any mailfrom a certain sender. But DDoSprotection costs money, and it wasdifficult to filter the junk packets fromLOIC, since they were coming frommany different users. Ultimately, ifenough people used the program and

“aimed” it at the same site at the sametime, they could overload it with enoughjunk traffic to take it offline. The effectwas similar to a botnet’s, except insteadof having infected computers, theparticipants were voluntarily joining thenetwork. A key difference waseffectiveness. The effect of LOIC wasfar more unpredictable than that oftraditional botnets, since popularity andhuman error came into play. You mightneed four thousand people to take thewebsite of a major corporation down, inthe same way you’d need four thousandpeople wielding handguns to destroy asmall building. You’d need just a fewhundred people to take down a tinyhomemade website belonging to an

individual. The upside was thatdownloading LOIC was free and easy—you could get it from a torrent site or4chan’s /rs/ board.

One of the hundreds of people whodownloaded LOIC and took part in someof the first impromptu Scientologyattacks was a college student namedBrian Mettenbrink. An Iowa StateUniversity student with a mop of brownhair and a beard, Mettenbrink, eighteen,was sitting in front of his desktopcomputer in a dorm room, browsingthrough his favorite website, 7chan,when he first saw posts about aScientology raid in January 2008. Hedid not care about Scientology, but he

was interested in exploring the world ofIT security and reasoned that taking partin an attack like this was a good way tolearn about the other side of the industry.Besides, with so many other peoplecontributing to the attack, he wouldn’tget caught.

Mettenbrink, who had been regularlyvisiting 4chan since he was fifteen, wentto the site’s /rs/ board and downloadedLOIC. The download took a fewseconds, and it included a “readme” fileto explain how to use it. The programgave the impression that it wasconnecting users to an army of rebelfighters. When Mettenbrink first openedLOIC, the main window that popped uphad a Star Wars–themed design: dark

and light green text boxes, and aPhotoshopped mock-up of the Anti-Orbital Ion Cannon used in Star Wars:The Clone Wars, blasting a thick greenlaser beam toward a planet.

There were options to “Select atarget,” by adding in a URL, and a buttonsaying “Lock on.” Once you had alocked target, a large box in the middlewould show its server’s IP address asthe program geared up for an attack.Next came another big button labeled“IMMA CHARGIN MAH LAZER,”followed by options to configure theattack. During the first DDoS attacks onScientology, the LOIC was always in“manual mode,” which meant userswould decide where and when to fire

and what type of junk packets to sendout.

Once an attack was under way, astatus bar at the very bottom would showthe program as being Idle, Connecting,Requesting, Downloading, or Failed. If“Requesting,” a number would startrising rapidly. Once it froze, that meantthe LOIC was stuck or the target wasdown. You could check by visiting thetarget website—if you got a “NetworkTimeout” error message, it meantmission accomplished.

There was no buzz or rush of feelingwhen Mettenbrink first fired LOIC atScientology.org, especially since theprogram froze as soon as it started. Hechecked his configurations, and when the

program got going again, he minimizedthe window and went back to wastingtime on 7chan. Unlike Gregg Housh,Mettenbrink was a casual participant inChanology. He did not bother joining anIRC channel like #xenu or finding outwhat Anonymous might do next. Instead,he kept LOIC running for several daysand nights in the background of hiscomputer, eventually forgetting he wasrunning it at all. Only when he noticedthat the program was starting to slowdown his Internet connection did heswitch it off—about three days afterstarting it.

“I am not responsible for how you usethis tool,” LOIC programmerNewEraCracker had written as a

disclaimer for the program when heuploaded his tweaked version to theWeb. “You cannot blame me if you getcaught for attacking servers you don’town.” It was crucial for people whowere using LOIC to run it through ananonymizing network like Tor to hidetheir IP addresses from the target orpolice. But there were plenty ofoblivious supporters, like Mettenbrink,who ran LOIC straight off their owncomputer with no special software. Thiswas often because they did not knowhow, or they didn’t realize that usingLOIC was illegal.

On top of that, more Anons werecommunicating on IRC networks, whichmeant they had nicknames and

reputations to uphold. Now there wasn’tjust the attraction of being part of a mob—there was a sense of obligation toreturn and join in with future attacks.Some participants in a Chanology IRCchannel knew, for instance, that returningto an IRC channel the following day alsomeant reacquainting themselves with anew stable of online friends, who mightthink less of them if they didn’t turn up.This wasn’t like /b/, where you couldsuddenly disappear and no one wouldnotice.

Chanology was turning into a newcommunity of hundreds of people, and itbrought the collective to a point wherecommunication was gradually splittingbetween image boards and IRC

networks. Image boards like 4chan hadbeen using LOIC for a couple of years;the /b/tards were forever declaring waron other sites that they claimed werestealing credit for their memes andcontent, such as eBaum’s World or theblogging site Tumblr. But now moreAnons were starting to use IRC networksto coordinate and follow instructions forDDoS attacks. Beginning in January2008, organizers had also startedpublishing announcements on Chanologyand how-to guides on the Partyvannetwork so that the sudden influx ofthousands of “newfags” from all over theworld to these new online protests couldlearn about LOIC and IRC channelswithout having to ask.

The DDoS attacks on Scientologyreached a pinnacle on January 19, whenthe church’s main website was hit by488 attacks from different computers.Several media outlets, among them Foxand Sky News, reported that the onlinedisruptions were being caused by a“small clique of super hackers.” Thiswas a terrible misconception. Only afew Anonymous supporters were skilledhackers. Many more were simply youngInternet users who felt like doingsomething other than wasting time on4chan or 7chan.

When someone posted anannouncement on Partyvan that therewould be a third, bigger DDoS attack onJanuary 24, about five hundred people

are rumored to have taken part. But bythen, Scientology had called in ProlexicTechnologies, a specialist in DDoSprotection based in Hollywood, Florida,to help shield their servers. Soon theLOIC-based attacks stopped having aneffect and the Scientology sites were upand running as normal.

Scientology then hit back through themedia, telling Newsweek in earlyFebruary that Anonymous was “a groupof cyber-terrorists…perpetratingreligious hate crimes against Churchesof Scientology.” The strong wordingdidn’t help Scientology’s cause, bearingin mind a famous phrase on the Internet:“Don’t feed the troll.” By appearingdefensive, Scientology was

inadvertently provoking more Anons totake part in the attacks. And becausejoining Anonymous was so easy—atminimum you had to enter an IRCchannel, or /b/, and join in theconversation—hundreds of new peoplestarted looking in.

Then Anonymous found another wayto cause a stir. Back in #marblecake,Housh had noticed one team memberwho had been quiet for the past fourdays. He asked him to figure out howmany cities and countries were beingrepresented on the chat network. Whenthe scout came back, he reported thatthere were 140 to 145 differentChanology channels and participants inforty-two countries in total.

“What do we do with all thesepeople?” one of the team asked. Theystarted searching the Internet to see whatopponents of Scientology had done in thepast and stumbled across a video of anti-Scientology campaigner Tory “Magoo”Christmam, who was dancing andshouting in front of a Scientology center.

“This is hilarious,” a team membersaid. “We should totally make theInternet go outside.”

“We have to put them in the streets,”the French member who’d been studyingfor a PhD said. Housh didn’t agree, andhe argued with the Frenchman for thenext three hours. Eventually, Houshrelented, deciding that a real-worldconfrontation between Anons and the

public could be rather amusing.“We honestly thought the funniest

thing we could do to Scientology wasget in front of their buildings,” Houshlater said.

The group started working on theirnext video, their “call to arms,” and thena code of conduct after a Greenpeaceactivist came on IRC and said theyneeded to make sure protesters didn’tthrow things at buildings or punch cops.Housh started taking an increasinglyorganizational role, dishing outresponsibilities and bringing discussionsback on topic when they veered off intojokes of firebombing or Xbox games.

On January 26, someone callinghimself “Anon Ymous” sent an e-mail to

Gawker’s “tips” address, about aforthcoming protest outside the Churchof Scientology in Harlem. “Wear a maskof your choosing,” it said. “Bring aboombox. Rickroll them intosubmission. We will make headlinezLOL.” There was also a tagline at thebottom, which was appearing onYouTube, blogs, and forum posts:

We are AnonymousWe are LegionWe do not forgiveWe do not forgetExpect us.

This now infamous closing signature,reminiscent of Star Trek bad guys theBorg, comes from the 47 Rules of the

Internet. After rules 1 and 2, which wereto never talk about /b/, came:

Rule 3. We are Anonymous.Rule 4. Anonymous is legion.Rule 5. Anonymous never forgives.

Some say the twisting of rule 4 into“we” are legion comes from the Biblepassage of Mark 5:9, wherein Jesusapproaches a man possessed by demons.“And He [Jesus] asked the man, ‘What isthy name?’ And he answered saying,‘My name is Legion: for we are many.’”The Message to Scientology YouTubevideo said: “If you want another namefor your opponent, then call us Legion,for we are many.”

Over the next few months, morepeople from 4chan, 711chan, and IRCwere taking part in real-world protests.On February 2, 2008, about 150 peoplegathered for the first time outside aChurch of Scientology center in Orlando,Florida. A week later, the Tampa BayTribune reported that seven thousandpeople had protested against churchcenters in seventy-three citiesworldwide. Often the protesters werepeople in their teens and early twenties,standing in groups or sitting around inlawn chairs, holding signs with Internetmemes and yelling at passersby. Some ofthe participants saw the demonstrationsas being tongue-in-cheek, an elaborateprank by the Internet itself on an

established organization. Many otherstook the protests seriously and held upsigns with messages like “$cientologyKills.” One YouTube accountassociating itself with Anonymous ran aregular news program on YouTubecalled AnonyNews. It featured an anchorreporting on the real-life protests aroundthe world. He wore a dark suit and a redtie, slicked-back hair, and the samegrinning white mask worn by theprotagonist V in the 2006 dystopianmovie V for Vendetta that was fastbecoming a symbol for Anonymous. Thiswas thanks to a key scene in the film,which showed thousands of peoplewearing V’s mask in solidarity with themain character, loosely based on British

revolutionary Guy Fawkes.That V mask was everywhere at

Anonymous’s demonstrations, hidingprotesters’ faces so that in at least someform they could still be anonymous in thereal world. Over time, the mask wouldcome to represent the one-half ofAnonymous who took the idea ofrevolution and protest seriously. Peoplelike William, who thought Anonymousshould be about fun and pranks,abhorred it. (Time Warner profited fromthe sale of more than one hundredthousand V masks every year by 2011,while other masks associated with itsfilms sold barely half that figure.)

When passersby approached thedemonstrators to ask who had organized

the protests, DDoS attacks, pranks, andcyber attacks, no one knew an officialanswer. Most regular volunteers did notsee the small groups of self-appointedorganizers in the background who werepulling various strings.

But the physical protests wereworking, and when they first got underway, Housh remembered the scout whohad counted all the different country andcity chans and, assuming that he likedgrunt work, asked him to go into thechannels for each major city and look forone person who appeared to be givingorders and generally takingresponsibility. “Look for them in Paris,London, New York,” Housh said.

The scout spent the next three days

dropping in on an array of city-basedchat rooms and looking out for theorganizational minds, anyone whoseemed especially keen on the cause. Hethen started a private chat with each,asking if they had seen the first Messageto Scientology video. “One of the guyswho made that wants to talk to you,” hewould tell them. Intrigued, and probablya little nervous, they would then be ledinto #marblecake and told not to tellanyone about the channel.

“We’re not trying to controleveryone,” Housh would explain tothem. “But bringing lists of suggestionsand hoping people go with it.” Over thenext two weeks #marblecake grew toabout twenty-five talented members,

including Web designers who couldthrow together a website in a day andorganizational types who knew to callthe police about obtaining protestpermits.

By the end of March, a few peoplehad also set up new websites forChanology, which included discussionforums. These were places for the newChanology community to hang out, andtwo popular sites wereEnturbulation.org andWhyWeProtest.net. Chanology was nowno longer being discussed on 4chan—ithad permanently moved to these sitesand IRC channels. For the next fewmonths, Anonymous continued holdingmostly small, physical protests around

the world, while Housh was helpingmaintain regular meetings every threedays in #marblecake to discuss attackstrategies against Scientology.

The meetings would last anywherefrom three to six hours, Houshremembered. He would post an agendaof points, hear reports of what peoplehad done, and delegate responsibilities,from making a website, to designing aflyer that advertised the next raid, tofinding background music for the nextYouTube video. The group tried to planAnonymous events over the followingmonth. Before then, no one had actuallybeen scheduling Anonymous raids orpranks in advance.

Here’s an example of what the

#marblecake channel had as a “topic,”based on a chat log from Friday, June 6:

03[19:44] * Topic is ‘pressreleases, videos, ideas,collaboration, basically thingswe need done. || Meetingthursday nights at 9pm EST ||/msg srsbsns for cosnews.netwritefagaccounts || youshould think of things youhate about the present stateof chanology and wantchanged._’03[19:44] * Set by gregg on FriJun 06 19:27:08

“I started running it with an iron fist,” hesaid. “Very few [meetings] weremissed.” If someone couldn’t make it to

a meeting, there was a Google doc theycould read to catch up.

By June, motivations were fizzling outand people in #marblecake werereminiscing about when Chanology firstkicked off in January.

“I loved the old days,” said one usercalled 007, in a June meeting. “No oneknew what was gonna happen IRL [inreal life]. Everyone was totally into it. Iwish we could get the same amount ofparticipation as before.”

By the summer of 2008, ProjectChanology was also suffering frominfighting among organizers, and thenumber of participants in physicaldemonstrations, which had been

occurring monthly in major cities, wastapering off. Housh claimed that a blowto the fledgling movement came thatsummer when a couple of Anonsnicknamed King Nerd andMegaphonebitch outed #marblecake andthe people in it, labeling them“leaderfags” and prompting most of thepeople who started the organizationalhub to leave. In the coming months,Chanology wouldn’t so much wrap up asunceremoniously fade away. ManyAnons were simply bored with ProjectChanology, by any measurement thelongest and biggest series of attacks thatAnonymous had ever initiated against asingle target.

The Federal Bureau of Investigation,

meanwhile, was just getting started.Also by the summer of 2008, the FBI, or“feds” as Anons referred to them, hadmanaged to track down and apprehendtwo out of the hundreds of people whoparticipated in the DDoS attacks onScientology. They would be the unluckysacrificial lambs and the first of scoresmore arrests over the next few years.Anons had always thought till now thatthey were immune to arrest, or wellhidden from the authorities. One of thefirst to learn the hard truth was BrianMettenbrink, the bored college studentwho in January 2008 had left LOICrunning in the background of hiscomputer for a little too long.

“Brian.”“Yeah?” Brian Mettenbrink was

asleep on his couch in the basementwhen he heard the voice of hishousemate calling his name. It was acool morning in mid-July 2008, sixmonths since he had downloaded LOICand taken part in the very first DDoSattacks by Anonymous againstScientology. He barely remembered thatweekend spent mostly in his dorm room.Since then, he had dropped out of hisaerospace engineering classes at IowaState, moved into a large, pea-greenhouse with a few friends in Omaha,Nebraska, and started looking for a jobto help pay the rent.

“There’s some men here to see you.”

He sat up. Bleary-eyed, Mettenbrinkpadded up the stairs and went to thedoor, wearing the plain t-shirt and shortshe’d been sleeping in. Two men in suitswere standing on the doorstep. Theyeach took out a badge and identifiedthemselves as FBI agents. They askedMettenbrink if he had time for “afriendly conversation.” Mettenbrinkanswered yes and invited them in. Hestill had no idea that this had anything todo with DDoS attacks.

The agents walked through the archedentranceway of Mettenbrink’s house,their shoes clicking on the ceramic tilefloor as they entered the dining room,and sat at a wooden table. Mettenbrinkadjusted the wire-rim glasses on his

nose. He was more oblivious thannervous at this point. The agents beganasking him questions about the attackslast January and about Anonymous itself.

“What does Anonymous think ofScientology?” one of them asked.“What’s its stance?”

“I know Anonymous doesn’t likeScientology,” Mettenbrink said, tellingthem about the flurry of excited postsabout a Scientology raid on 4chan and7chan. “They were saying we shouldattack their websites.” Mettenbrink hadbeen reading up on Scientology after theattacks and added that the religion’sbeliefs were “weird,” and that it chargedpeople hundreds of dollars to bemembers.

“Were you involved in the DDoSattacks?” one of the men asked.Mettenbrink shifted in his seat.

“I was involved for a little bit,” hesaid. The computer he had used to runLOIC was now sitting downstairs in thebasement.

“Did you…enjoy taking part in theattacks?”

“Yeah,” said Mettenbrink, thinkingback to how dull he had found college.“It was fun. It was something new andinteresting to do.”

“Did you know that your actions werea criminal violation?” one of the menasked.

“Sure,” Mettenbrink said, “I justdidn’t think the FBI would be showing

up at my door.” He stared at the twomen. Mettenbrink had known all alongthat using LOIC was illegal, but he hadno idea it was a serious criminaloffense. He believed the crime was asbad as running a red light, thepunishment akin to a speeding ticket orhundred-dollar fine. Later he wouldregret being so open with the agents.

The two men then told Mettenbrinkthat an FBI investigation had shown thatan IP address used in the attacks tracedback to Mettenbrink’s computer. “Doyou understand that?” they asked.

“Yes,” he said.“Do you know anyone from the group

in real life?” one of the agents asked.“No,” said Mettebrink.

The “friendly conversation” lastedabout an hour, giving the FBI and, later,prosecuting attorneys representing theChurch of Scientology evidence to useagainst the hapless Mettenbrink. Later,the FBI would contact his old college toaccess his Internet records. Mettenbrinkdidn’t hear from the FBI again formonths, and it was a year before he trulyrealized, during a conversation with hislawyer, the seriousness of his offense.“Do you have any idea how muchmonetary damage the Church ofScientology is saying you caused?” thelawyer had asked during one of hismeetings with Mettenbrink.

The young man thought for a moment.“I can’t imagine there was any monetary

damage,” he said. All he’d done washelp send a bunch of spoof traffic to awebsite and slow it down for a coupledays.

“They’re claiming one hundredthousand dollars,” the lawyer replied.Mettenbrink was stunned. He hadattacked Scientology.org on a whim, hisweapon a tiny, freely available programhe’d run in the background for three dayswhile he browsed an image board. Howcould that have cost someone a hundredthousand dollars?

Eventually, Scientology lowered itsestimate for damages to twenty thousanddollars. Mettenbrink would have to payit all back, but at least it wasn’t ahundred thousand. Prosecutors

representing the Church of Scientologyin Los Angeles also called for a twelve-month jail sentence, adding that aprobationary sentence, or one thatavoided jail time, “might emboldenothers to use the Internet to engage inhate crimes.”

According to his sentencing memo,Mettenbrink had been given “everyadvantage in life,” coming from a close,“supportive” family in Nebraska andparents who helped pay his way throughcollege. He was also said to have“special skills” with computers andhardware. In court, a lawyerrepresenting Scientology used wordsl i k e Nazis and terrorism when hedescribed Anonymous.

On January 25, 2010, almost twoyears to the day he downloaded theLOIC tool, Mettenbrink pleaded guilty ina federal court to accessing a protectedcomputer, having agreed to serve a yearin prison. He would be only the secondperson to be sent to jail for joining in anAnonymous DDoS attack. In November2009, nineteen-year-old Dmitriy Guznerof Verona, New Jersey, had beensentenced to a year and a day in federalprison.

In the meantime, IT security expertswere scratching their heads about thisnew breed of hacktivists who seemed tohave come out of nowhere. Prolexic, thesecurity company that had gained someexperience protecting Scientology from

the DDoS attacks, had some advice forfuture targets of Anonymous.

“Let sleeping dogs lie,” the companysaid, adding that, once a DDoS attackfinished, stop talking about it. “Don’tissue warnings or threats to the attackersvia the media; this will only keep theissue alive, raise tempers and greatlyenhance the possibility of anotherassault. Most DDoS attackers seekpublicity, so don’t hand it to them on asilver platter.” Scientology, of course,had done just that.

What few realized was that asAnonymous had responded toScientology’s provocations, itsparticipants also split into two camps.People had already seen it in the

demonstrations, with the differencesbetween the signs scrawled withlighthearted jokes and those with seriousremonstrations against Scientology. Thiswas the evolution of a fundamentaldivide between those who believed inAnonymous’s roots in fun and lulz, andthe new, activist direction it was taking.In the coming years, this split inmotivations would make it harder todefine what Anonymous was trying tobe. It would even drive a wedgebetween Topiary and Sabu, and asChanology started to fizzle out, one ofSabu’s biggest future adversaries wouldtake to the stage.

Chapter 6

Civil War

While most of the participants inAnonymous were young single men,women joined in, too, some of themmarried and with children. When newsof Chanology reached California, amarried mother of four named JenniferEmick decided to investigate. At thirty-six with black hair and Celtic jewelry,Emick was intrigued by the snippets ofinformation she had heard aboutChanology. When she was younger, amember of her family had becomeinvolved with Scientology and had had aharrowing experience, convincing Emick

that the church was evil. Emick ended upbecoming a writer who specialized innew religious movements and religioussymbolism. By the time Chanology camealong she was writing off and on aboutreligion and esoteric issues forAbout.com, an informational websiteaffiliated with the New York Times.

Armed with a notebook, she wentalong to the first Anonymous protests infront of a Scientology center in SanFrancisco on February 10, 2008, towrite a report. There were between twohundred and three hundred people at theevent, including ex-Scientologistcelebrities and the son of founder L. RonHubbard. On the same day, about eighthundred Anonymous supporters attended

protests in front of Scientology centersin Australia, and more in London, Paris,Berlin, New York, Los Angeles,Chicago, Toronto, and Dublin. Betweenseven thousand and eight thousandpeople took part, in ninety-three citiesworldwide, according to local newsreports. But Emick saw past theprotesters’ playful attitude. She wasenthralled by how momentous these newdemonstrations seemed to be. Emickdecided to return for another protest thefollowing month, this time as aparticipant.

She liked the way demonstrators werewell behaved toward police officers.The protesters were equally impressedby Emick’s forceful personality and

ability to throw watertight arguments atScientology representatives. Theydesignated her a resident expert onScientology. Emick explained that thechurch’s intimidation tactics wereperfectly normal. Scientology reps hadbeen following demonstrators home,accusing them of “perpetrating religioushate crimes.” At the Los Angeles eventin March, a man thought by someprotesters to be aligned with Scientologyflashed a gun to the crowd. A protesterbegan following him around with aplacard saying, “This guy has a gun.”Emick noticed that the more Scientologyoverreacted, the more enthusiastic theprotesters became. The organization’sprickly defensiveness made it the perfect

troll bait.As more Anonymous supporters

published research on Scientologyonline, they discovered new reasons tokeep up the fight. “People were thinking,‘Holy cow, they’re not justentertainingly crazy, they’ve hurtpeople,’” Emick remembered a fewyears later. When one researcher gothold of what was alleged to be a list ofmurdered Scientology defectors, themood toward the church darkenedconsiderably. Scientology had gone frombeing a kooky plaything to an evilorganization that the protesters feltdeserved punishment and exposure.Emick threw herself into the cause. Thiswas now full-blown activism.

Of course, not everyone liked wherethis was going. Activism was not whatAnonymous was about, some argued,and betrayed its origins in fun and lulz.Many of the original /b/tards who hadpushed for a Scientology raid were nowcriticizing the continuing campaign asbeing hijacked by “moralfags.”

One of those critics was WesleyBailey. Tall, thin, with a military buzzcut, Bailey was twenty-seven and anetwork administrator for the army,working on a Fort Hood military base industy Killeen, Texas. He had been asoldier for nine years, enlisting when hewas eighteen. In the summer of 2008, hewas married and had two small children,a boy and a girl. His was an

unconventional family life: Bailey andhis wife were swingers, and he lovedspending hours surfing the net andchatting with people online. When hefirst stumbled on 4chan, he was confusedby forced anonymity and disturbed bythe wild creativity and shocking images.It took him months to get used to thephrases and weird porn, but slowly hegot hooked. He realized that this was aunique place in which people could saywhatever they wanted, no matter howdark or improper. He also liked thevigilante justice, watching someone on/b/ post the photo of a known pedophileand getting scores of others to help himfind out his name and address. Hestarted seeing “Anonymous” referred to

as an entity and realized it had power.When he saw a series of 4chan posts onProject Chanology, including longarticles about Scientology that werebeing farmed to other websites likeEnturbulation.com, he realized this wasa new level of collective pranks andonline harassment.

Like Emick, Bailey went to one of thesimultaneous worldwide protests onFebruary 10, in Houston, Texas. LikeEmick, he was also enthralled by thedemonstrators, but not because of thegood behavior or collaboration. Messingwith Scientologists was entertaining. Hesaw one woman draw occult symbols onthe sidewalk in front of the Scientologycenter, then sprinkle foot powder around

the symbols and add flickering blackcandles. The idea was to spookScientologists who were deeplysuspicious of black magic and the occult.He joined other Anons in offeringScientologists cake if they would comejoin the protest. This was a nod to the“delicious cake” meme. They alsoplayed an audio version of OT3,confidential documents that are believedby Scientologists to lead them to aspiritual state known as OperatingThetan. Adherents are not supposed tolisten to or read them until they areready. Bailey found it hilarious.

“But then,” he remembered a fewyears later, “they stopped coming out toplay.” By the end of 2008, Scientology

stopped responding, and thedemonstrations and cyber attacksstopped altogether. Bailey and Emickwound up in the middle of the infightingthat followed.

There were dramatic rows betweenthe IRC network operators and adminson Partyvan, between the people whoran Anonymous forums, and betweenprotest organizers. There was discordamong the original anti-Scientologistcampaigners who had been there longbefore the Anonymous flood came along.Emick recalled a spat between twoorganizers, with one supporter accusinganother of cheating with her husband,then “freezing out” mutual acquaintancesto create a rift. The war of words

escalated to lofty heights of machismo—this was the Internet, after all.

“You have no idea who you’refucking with,” Emick remembered oneperson saying. “Just wait and see what’scoming.”

If 2008 was the year Anonymous burstinto the real world with well-organizeddemonstrations, 2009 was when itstarted unraveling into the chaos of e-drama. The biggest rift was over whatAnonymous was about. Activism? Orlulz? And it was to be fought betweenmoralfags like Emick and trolls likeBailey.

In late 2008, just before beingdeployed with the army to South Korea

for a year, Bailey had set up a newwebsite calledScientologyExposed.com. The protestswere dying down, but Anons were stillcommunicating online, albeit morechaotically. His idea was to create analternative to Gregg Housh’s morepopular Enturbulation.com (whichturned into the slick-lookingWhyWeProtest.net). Housh had by nowgiven many interviews to newspapersand television reporters aboutAnonymous after being outed by name,and Enturbulation was his baby. He toldjournalists that he was absolutely not anAnonymous “spokesman,” since no onecould speak for the collective, but moreof an observer. By then, he’d gotten

burned in the courts. The Church ofScientology had sued Housh fortrespassing, criminal harassment,disturbing an assembly of worship, anddisturbing the peace. When the protestswere at their peak, a Scientologyspokesman told CNN that the church was“dealing with six death threats, bombthreats, acts of violence,” and vandalismfrom Anonymous. Housh didn’t exactlyfit the stereotype of an activist, butBailey didn’t like him or his site.

Bailey believed the peoplesurrounding Enterbulation were tooearnest, too “moralfaggy” to beeffective. Housh’s site had become thede facto meeting ground, and thereneeded to be an alternative. Bailey

designed his site to encourage pranksand trolling over peaceful activismagainst the church. The site containedhidden forums, a section of “fun stuff”like WiFi-router passwords used byScientology organizations, and tips forpranks. One was to send an official-looking letter of warning to each of thehighest-ranking leaders of Scientology tofreak them out.

Bailey was dedicated to maintaininghis site even while stationed in SouthKorea, working on it for four to sixhours in the evening and on weekends. Itwas a tough schedule. He would workon the site until 1:00 or 2:00 in themorning, then get up at 5:00 a.m. to doan hour of jogging and physical training

with the other soldiers while it was stilldark outside. Bailey hated all the runningand developed shin splints, but helooked forward every evening to gettingback on his laptop in his dorm. He hadfully embraced the goal of destroyingScientology and made new friends alongthe way. One of them was JenniferEmick.

Bailey and Emick first began talkingon an online forum. Bailey likedEmick’s chutzpah and invited her to bean administrator on his site. Over time,though, he realized the two had starklydifferent views about Anonymous.Emick didn’t understand the darker sideof chan culture and seemed to thinkAnonymous should focus on peaceful

protest. The two hard-talking individualsbegan to have blazing public arguments.The final straw came one day when thepair was fighting on the site’sanonymous forum, and Emick suddenlysaid, “I know it’s you, Raziel.” Byouting Bailey’s regular online nickname,Raziel, Emick had betrayed an importantcustom on forums like this: that hidingyour online identity, or nickname, couldbe just as important as hiding your real-world identity. Enraged, Bailey removedEmick’s administrative access and thetwo stopped talking.

Looking back, Bailey said Emick hadrealized that Anonymous was not apeaceful protest group but “full ofhackers and people on the net who don’t

do nice things for fun.…It broke her,”Bailey added. “She had invested somuch personal pride in it.”

Years later Emick also found it hardto talk about why she broke away fromAnonymous. “The group itself waslosing sight of…I don’t want to pinpointexactly,” she said. “In 2008 and 2009there was a group ethos. You weren’tconfrontational with the community, youdidn’t yell at cops, you were a goodexample. You fight an evil cult you can’tbe evil yourself. Then at some point theysaid, ‘Well, why not?’”

Emick seemed to revel in the dramaand gossip, but she hated the threats andreal-life mischief. What had happened tothe well-behaved ethos at those first

protests? Anonymous was becomingincreasingly vindictive not only towardScientology but to other Anons whodidn’t agree with its methods. Thisnastiness was nothing new for peoplelike Bailey, who had found Anonymousvia the netherworld of 4chan, but forEmick it was a crushing betrayal.

“We tried to tell her Anonymous isn’tnice and it isn’t your friend,” Baileysaid. “We tried to tell her these aren’tgood people. They are doing fucked-upthings because it’s funny.” Eventually,Emick became a target herself. The moreshe tried telling other Anons that theywere being irresponsible bullies, themore they threw insults and threats backat her. People found out her real name

and address and posted it online, alongwith her husband’s details. People fromvarious schisms in Anonymous beganharassing her stepdaughter. There wastalk of SWATing her house—calling upthe FBI to send a SWAT team, asurprisingly easy prank to carry out.Soon Emick got her family to move toMichigan and started going online from afake server that hid her true IP address.Though she was breaking away, Emickwould come back more than a year later,having honed her skills in socialengineering and “doxing,” helping tonearly rip Anonymous apart.

Military man Bailey had meanwhilebecome fascinated by a subset of

Anonymous that everyone wanted to joinbut few could understand: the hackers.He had noticed that a small contingent ofskilled hackers had checked outChanology early on in the project buthad left. As Anonymous descended intoa chaotic civil war between moralfagsand trolls, Bailey set out to find thehackers. He wanted to be able to dowhat they could do: track down anenemy, steal someone’s botnet, or hacktheir servers. It bothered Bailey that hedidn’t have these skills already. First,however, he had to make a drasticchange to his personal life, after leavingthe army in 2009.

Since childhood, Bailey had harboreddeep, secret feelings that he was really

female. Even as he and his wife pursueda polyamorous relationship and went toswinging parties, he had kept thoseparticular feelings repressed. Soon afterleaving the army, though, Bailey becamefriends online with a transgender womanand felt an instant attraction. She wasbeautiful and confident, and Baileystarted to believe it might be possiblefor him to look and feel the same. OnMay 26, 2009, he bought a case ofhormone replacement therapy (HRT)pills online and started secretly takingthem. He was excited but decided to seehow he felt before telling his familyabout his decision. The pills ended uptaking effect more quickly than he hadexpected; within a month he had

developed B-cup breasts.He asked his mother and brother to

come over and sat them down in theliving room with his wife and twochildren, ages three and two at the time.It took him an hour of stalling to finallyget to the point, but eventually he toldthem why they were there. He wanted toundergo a sex change and become awoman. They were stunned into silence.Eventually one of them asked if Baileywas sure he wanted to do it. He toldthem flat-out that he had already beguntaking estrogen supplements. He knewthat they would try to talk him out of it,so he had resolved to be firm.

He gave them two choices: accept thathe was becoming a woman or stay out of

his life. Not long after that meeting, heand his wife filed for divorce, agreeingto share custody of their two children.Bailey’s mother and brother wereaccepting. Bailey went by the nameLaurelai, the name his mother had pickedin case he’d been born a girl.

Laurelai had an educational mountainahead of her. Learning how to be femalewas like going through puberty all overagain. It was tough, but she felt that shewas becoming the person she was meantto be. Soon her soldier’s buzz cut hadgrown long and she was walking aroundthe house in pink tank tops. In themornings she would sit down in front ofher computer and take a few hormonepills with a swig from a bottle of Coke.

As she left her old sexuality behind, shealso wanted to change what she wasonline, from a simple websiteadministrator to a full-fledged hacker.She started exploring the darker arts ofthe Web while maintaining her website,ScientologyExposed. It was now late2009, and as the site got fewer visitors,Laurelai realized the goal of “destroyingScientology” was probably too grand.

One day, someone started attackingher site. Laurelai checked the site’sconfigurations and saw it was gettingflooded with so much junk traffic that itwas now offline—a classic DDoSattack. She hopped onto an IRC network,and, as she was discussing the problemwith a few of her site’s moderators, a

new person came into the chat room toclaim responsibility. The moderatorssuspected that this was just a troll, butwhen Laurelai exchanged privatemessages, the person explained thatsomeone was using a botnet to hit hersite. To Laurelai’s surprise, the strangerinvited her into the botnet’s commandchannel to speak to the person causingthe damage. Laurelai agreed and wentinto a new channel on another IRCnetwork. There, controlling the botnetthat had shut down her website, wasKayla. Laurelai had never heard of herbefore.

“Who the fuck is this?” Kayla asked.A little taken aback, Laurelai

explained that she was the owner of the

website ScientologyExposed, the onethat Kayla happened to be attacking.Kayla seemed surprised. She explainedthat she hadn’t meant to hitScientologyExposed but ratherEnturbulation.org. Laurelai knew it asGregg Housh’s site. Thanks to sometechnical complications from a previoustime when they had briefly workedtogether, she and Housh shared the sameserver. By hitting Enturbulation, Kaylahad caused collateral damage toLaurelai’s site. Laurelai explained thather site was an alternative to Housh’s,concentrating more on trolling. Kayla’smood suddenly lightened.

“Oh, sorry,” she said. “Why are youon the same server as those moralfags

anyway?” Laurelai realized that Kaylahated moralfags; it was why she washitting Enturbulation in the first place.Kayla explained that she disliked theway the Chanology organizers had put astop to black hat hacking. She believedthat hitting Scientology with hard andfast attacks was more effective than along, drawn-out protest. Laurelai felt aninstant meeting of minds and wasespecially intrigued when Kaylamentioned black hat hackers. Theadversaries of white hats, black hatswere people who used their computerprograming skills to break into computernetworks for their own, sometimesmalicious, means. The two talked forabout an hour, after which Kayla said

she would put the brakes on for a fewhours to give Laurelai some time tomove her site to a different server.Kayla then resumed her DDoS attack.

Later Laurelai asked some black hathackers she had recently met if they’dheard the name Kayla. She learned thather new acquaintance had the reputationof someone not to be crossed. “A lot ofpeople were afraid of her,” Laurelailater remembered. Some were surprisedthat Kayla would even talk to Laurelai—who at the time was just somebody witha website.

Regardless, the two kept in touch. Afew days later, Kayla found Laurelai onIRC and invited her to the public chatnetwork where she normally hung out.

The two got to know each other a littlebetter. At one point, Laurelai askedKayla her age. Kayla replied that shewas fourteen. When she asked her sex inreal life, Kayla said she was female.Kayla asked the same, and whenLaurelai replied that she wastransgender, Kayla launched into topicslike hormone supplements. To Laurelai’ssurprise, Kayla seemed to know thedetails about hormone dosages and theirside effects better than she did. Kaylaeven used the nickname for the little bluepills sold as Estrofem: titty skittles.

Laurelai wondered if she wasspeaking to a transgender hacker.

There was not much research onhackers who were trans but plenty of

anecdotal evidence suggesting thenumber of transgender people regularlyvisiting 4chan or taking part in hackercommunities was disproportionally high.One reason may have been that aspeople spent more time in thesecommunities and experimented with“gender bending” online, they couldmore easily consider changing who theywere in the real world. Lines betweenthe offline and online selves couldbecome blurred, and some people inthese communities were known to talkabout gender as just another thing to“hack on,” according to ChristinaDunbar-Hester, a professor at RutgersUniversity who studied genderdifferences in hardware and software

hacking. If people were already used tocustomizing a machine or code, theymight have come to see their own bodiesas the next appealing challenge,especially if they already feltuncomfortable with the gender they wereborn with. Still, according to Dunbar-Hester, plenty of people immersedthemselves in another gender online, butdidn’t replicate that in real life. In otherwords, Kayla could have been a manwho enjoyed being female online, andnothing more.

“Are you trans?” Laurelai ventured.“No,” said Kayla. “I just know

someone trans. :)” Kayla had answeredthis quickly, and it strengthenedLaurelai’s suspicions.

“Well it doesn’t matter if you’re transor not,” Laurelai replied, adding that ifKayla wanted to be called “she” online,then Laurelai would refer to her as “she”out of respect for her wishes. The twotalked more about hacking, trolling, andsocial engineering, Laurelai as studentand Kayla as teacher. In the comingyears, Kayla would introduce Laurelaito her secretive world, whileAnonymous would fall back into theshadows. All that was needed was for anew cause to come along, and in late2010 one finally did, pushingAnonymous into the internationalspotlight.

Chapter 7

FIRE FIRE FIRE FIRE

It was September 2010, and for acouple of years now the Anonymousphenomenon had vanished from newsheadlines. Raids were small, pettyassaults on other sites, mostly carriedout by chans or /b/ itself. Very little washappening on IRC, either. The thousandswho had piled into #xenu had moved on,put off by the internal discord, theirinterest lost in the novelty.

On September 8, an article about anIndian software company called Aiplexstarted getting passed around online.Girish Kumar, Aiplex’s CEO, had

boasted to the press that his companywas acting as a hit man for Bollywood,India’s booming film industry. Aiplexdidn’t just sell software. It was workingon behalf of movie studios to attackwebsites that allowed people todownload pirated copies of their films.

Recently, for instance, it had launchedDDoS attacks against several torrentsites, including the most famous of themall, The Pirate Bay. Founded in 2003,The Pirate Bay was the most popularand storied BitTorrent site on the net, atreasure trove from which anyone couldillegally download movies, songs, porn,and computer programs. Aiplex had useda botnet to flood The Pirate Bay withtraffic, overload its servers, and

temporarily shut it down. Kumar hadexplained that when torrent sites didn’trespond to a notice from Aiplex, “weflood the website with requests, whichresults in database error, causing denialof service.”

Tech bloggers and journalists alreadysuspected that antipiracy groups wereDDoSing torrent sites like The PirateBay, but Kumar’s admission was thefirst proof. It was still a shockingadmission; DDoS-ing was illegal in theUnited States, having sent BrianMettenbrink to jail for a year. Now theIndian company was openly boasting ofusing the same method.

Soon enough, users on /b/ starteddiscussing the news. It turned out that

lots of people wanted to hit back atAiplex. A few started pasting aneveryone-get-in-here link to a channel onIRC for proper planning. This time, thereweren’t thousands piling in like they haddone with #xenu. Fighting copyrightwasn’t as sexy as hitting a shadyreligious group that suppressed a videoof Tom Cruise. But piracy was popularamong /b/ users, and, soon enough,roughly 150 people had entered the newIRC channel, game for Anonymous togive Aiplex a taste of its own medicine.

Coordinating an attack would not beeasy. By now, IRC network hosts hadbecome more aware of Anonymous andwould quickly shut down a chat room ifthey thought people were using it to

discuss a DDoS attack. To deal withthis, the Anons jumped from IRCnetwork to IRC network, pasting links tothe new rooms on 4chan and Twittereach time they moved so others couldfollow. No one was appointed to findthe new locations; whenever the grouphad to move, someone would find a newnetwork and make a channel. Thechannels were always innocuouslynamed so as not to attract attention, butthe regular channel name for attackingAiplex was called #savethepb,abbreviating Pirate Bay.

After some planning, the grouplaunched its first DDoS attack on Aiplexon September 17 at 9:00 p.m. easternstandard time. Just as they had hoped,

the software company’s website wentdark—and remained so for twenty-fourhours. Feeling confident, the Anonsquickly broadened their attack, postingdigital flyers on /b/ so others could useLOIC against another organization tryingto end piracy: the Recording IndustryAssociation of America, or RIAA. Thetech blog TorrentFreak.com posted anews article headlined “4chan to DDoSRIAA Next—Is This the Protest of theFuture?” The group then hit anothercopyright organization, the MotionPicture Association of America(MPAA).

Two days later they began circulatinga message to the media, saying thatAnonymous was avenging The Pirate

Bay by hitting copyright associations and“their hired gun,” Aiplex. They calledthe attacks “Operation: Payback Is ABitch” and claimed to have taken downAiplex thanks to a “SINGLE ANON”with a botnet.

“Anonymous is tired of corporateinterests controlling the internet andsilencing the people’s rights to spreadinformation,” the letter said, adding,“Rejoice /b/brothers.”

In unashamedly romanticizing piratedmovies and music, they were alsopositioning Aiplex’s attacks on ThePirate Bay as “censorship,” giving theirfight-back broader appeal. For the firsttime in two years, it looked likeAnonymous might be onto another major

project after Chanology, and the sparkhad been that all-important provocationin hacker culture: you DDoS me, I DDoSyou.

It was around this time that Tflow, thequiet hacker who would later bringtogether Sabu, Topiary, and Kayla, readthe TorrentFreak article and jumped intohis first Anonymous operation. It wouldlater emerge that the person behindTflow lived in London and was justsixteen years old. He never talked abouthis age or background when he wasonline.

“I thought it was a good and uniquecause,” he later remembered. “Ofcourse, DDoS attacks got boring afterthat.” What Tflow meant was that he was

more interested in finding ways thatAnons could disrupt antipiracyorganizations other than knocking theirsites offline. He hopped into #savethepbto observe what other supporters weresaying and was pleasantly surprised. Afew people appeared to have as muchtechnical knowledge as he did. AfterTflow approached a few privately andthey met in a separate IRC channel, thesmaller team started looking forvulnerabilities in antipiracy groups andfound one in the websiteCopyrightAlliance.org.

About a week after the DDoS attackon Aiplex, the hackers in Tflow’s groupcarried out the first SQL injection attackin their campaign, possibly one of the

first to be committed under the banner ofAnonymous. They hacked into theCopyrightAlliance.org Web server andreplaced the site with the same messageused on September 19, “Payback Is ABitch.” Defacing a site was harder to dothan carrying out a DDoS attack—youhad to get root access to a server—but ithad a bigger impact. They then turnedCopyrightAlliance.org into a repositoryfor pirated movies, games, and songs,including, naturally, “Never Gonna GiveYou Up” by Rick Astley, and ClassicSudoku. They also stole 500 megabytesof e-mails from London copyright lawfirm ACS:Law and published them onthe same defaced site.

Tflow and the others were all the

while herding supporters from place toplace. Between September andNovember 2010, he helped moveroughly three hundred regular chatparticipants between ten different IRCnetworks so that they could keepcollaborating.

“We chose whatever IRC we could goto really,” Tflow later recalled. “Thereweren’t that many options. Not manyIRCs allow DDoS attacks.”

The group of organizers then createdwhat would become a very importantprivate channel, #command. Like#marblecake, it was a place to makeplans without distraction. They startedmaking digital flyers and inviting newpeople to join this new, broader battle

against copyright, DDoSing legal firms,trade organizations, even the website ofKiss bassist Gene Simmons. Soon itlooked like Anonymous was hittingbenign targets—for instance, the U.S.Copyright Office—and the publicsupport they’d been getting on blogs andTwitter was waning. By November2010, the Anons themselves were losinginterest, and only a few dozen were stilltalking in the Operation Payback chatroom. The campaign had gone intohiatus.

With more time to focus, some ofOperation Payback’s organizers startedworking on the first-evercommunications infrastructure forAnonymous. Scattered between Britain,

mainland Europe, and the United States,these mostly young men pooled theiraccess to ten computer servers aroundthe world. Some had rented the servers,some owned them, but with them theycould make a chat network thatAnonymous could finally call home. Nomore herding hundreds of peoplebetween different places before gettingkicked off. That month they establishedwhat they called AnonOps, a new IRCnetwork with dozens of chat rooms justfor Anons, some public and someprivate. One of the first people to checkit out was Topiary.

By now Topiary was almost eighteenand, in the offline world as Jake, had

moved out of his mother’s home on thetiny island of Yell. He lived in a small,government-financed house in Lerwick,the capital of Shetland Mainland, andhad been out of the education system forfour years. Lerwick was more modernthan Yell, but not by much. There werestill no fast-food restaurants, no bigdepartment stores. It was a cold,windswept place with patches of greenfields, craggy brown cliffs, and graystone ruins dotting its rolling hills. Jakeknew hardly anyone here, but hepreferred to be on his own anyway.

His home was part of an assortment ofchalet-style wooden houses on a hillsideabout a twenty-minute walk from thecenter of Lerwick, in an area known as

Hoofields. Drug raids by the policewere common on his street, some of hisneighbors being avid heroin users.Jake’s house was small, yellow, andcomprised one story, with a large livingroom and kitchen on one side and abathroom and bedroom on the other. Thefront yard occasionally saw daisies inthe spring, and in the back was a shedwhere he kept an old fridge—one thatstill smelled from when he accidentallyleft it filled with raw salmon, withoutpower, for three weeks. He had boughtall his furniture from local people, oftenbenefiting from the good deals that couldbe found in a tight-knit islandcommunity. His cooker, for instance, hadoriginally cost five hundred pounds

(about eight hundred dollars), but hebought it off a family friend for twenty-five pounds (roughly forty dollars).

Jake had found a part-time job in anauto store and was just about getting by.He still looked forward to being onlinewhere most of his friends were and stillgot a small thrill from doing prank calls.

One evening while visiting hismother, Jake took a phone call from aman who claimed to be a friend of hisfather’s. This was a shock. Jake hadn’tspoken to his father for years. There hadbeen occasional phone calls on hisbirthday, but even those had petered outafter he turned thirteen. It was strange tosuddenly be hearing about him. The manasked if he could take down Jake and his

brother’s cell phone numbers, addingthat his father wanted to get in touch withboth of them. Apparently, he felt badabout something. His brother didn’t wantto talk, but Jake gave the man his ownnumber to see what would happen.

For several weeks, Jake kept hisphone charged at all times and next tohis bed when he slept, but there was nocall. Then in mid-October, a week afterhis eighteenth birthday, a call came fromhis father’s friend again, this time withthe weight of bad news in his voice. Theman apologized for what he was about tosay and then explained: Jake’s fatherwas dead. He explained that in thepreceding weeks, Jake’s father had sat athome for hours trying to make himself

pick up the phone.“But he didn’t have the confidence,”

the man said, adding that, “instead,” hehad killed himself. Jake wasn’t quitesure what to think. He felt numb at first.His father hadn’t been a member of thefamily, so in one way, Jake didn’t needto care or feel upset. When he askedhow it had happened, the friendexplained that his father had gassedhimself, opening the double doors of achurch garage late one night, drivinginside, and turning the car on.

It was a surreal image. For the firsttwo days after the phone call Jake feltangry. It seemed almost selfish of hisfather to ask for his number and suggestthat he would call, almost as if he

wanted Jake to pay attention to what wasreally about to happen. With moreconsideration, though, he realized hewas probably wrong, and that his fathermay not have meant to hurt him.

Jake continued his online gaming andvisits to 4chan, and a month laterdiscovered the new chat network thathad been set up for Anonymous:AnonOps IRC. Intrigued, he signed on,picking the name Topiary, and tried toget a better sense of how he could joinin. He didn’t see himself as an activist,but Operation Payback sounded wellorganized and potentially influential. Hehad no idea that, even though theanticopyright battle was dying,Operation Payback was about to explode

with support for a little organizationcalled WikiLeaks.

Jake, now as Topiary, explored theAnonOps chat rooms while a former,widely-revered hacker from Australianamed Julian Assange was getting readyto drop a bombshell on the Americangovernment. Earlier in 2010, a U.S.army private named Bradley Manninghad allegedly reached out to Assangeand given his whistleblower site,WikiLeaks, 250,000 internal messages,known as cables, that had been sentbetween American embassies. Thesediplomatic cables revealed Americanpolitical maneuverings and confidentialdiplomatic reports. In exposing the

documents, Assange would hugelyembarrass American foreign policymakers.

The WikiLeaks founder had struckdeals with five major newspapers,including the New York Times and theU.K.’s Guardian, and on November 28,2010, they started publishing the cables.Almost immediately, Assange becameboth a global pariah and a hero. Untilthen, WikiLeaks had been moderatelywell known for collecting leaked datapointing to things like governmentcorruption in Kenya or the untimelydeaths of Iraqi journalists. But exposingprivate data from the Americangovernment sparked a whole new levelof controversy. U.S. news commentators

were calling for Assange to beextradited, charged with treason, evenassassinated. Former Alaskan governorSarah Palin said the United States shouldpursue Assange with the same urgencyas it did the Taliban, while Fox Newscommentator Bob Beckel, live ontelevision, suggested someone “illegallyshoot the son of a bitch.” Secretary ofState Hillary Clinton said the leaks“threatened national security,” and U.S.State Department staff were barred fromvisiting the WikiLeaks website.

WikiLeaks.org quickly came underattack. An ex–military hacker nicknamedThe Jester DDoS’d the site, taking itoffline for more than twenty-four hours.Jester was a self-styled patriotic hacker

who had been known for attackingIslamic jihadist websites; later he wouldbecome a sworn enemy of Anonymous.Now he claimed on Twitter that he washitting WikiLeaks “for attempting toendanger the lives of our troops.”

To try to stay on the web, WikiLeaksmoved its site to Amazon’s servers. Itwas booted offline again, with Amazonclaiming it had violated its terms ofservice on copyright. The rebuffs keptcoming: a hosting firm called EveryDNSyanked out its hosting services forWikiLeaks. On December 3, onlinepayments giant PayPal announced it wascutting off donations to the site, sayingon the official PayPal blog that it had“permanently restricted the account used

by WikiLeaks due to a violation of thePayPal Acceptable Use Policy.” SoonMasterCard and Visa cut fundingservices.

It is doubtful that anyone from thesecompanies had any idea that a brand ofInternet users known for prankingrestaurant managers, harassingpedophiles, and protesting the Church ofScientology would suddenly teamtogether to attack their servers.

The people who had set up AnonOpswere talking about the WikiLeakscontroversy in their private #commandchannel. They were angry at PayPal, but,more than that, they saw an opportunity.With Anons no longer riled up aboutcopyright, this could be the cause that

brought them back in droves. Thecopyright companies had been bad, butPayPal snubbing WikiLeaks was evenworse. That was an unholy infringementon free information in a world where,according to the slogan of technologyactivists, “information wants to be free”(even if it was secret diplomatic cables).The victimization of WikiLeaks, theyfigured, would strike a chord withAnonymous and brings hordes of usersto their new network. It was greatpublicity.

Who were these people in#command? Known also as “operators”of the new chat network, they weren’thackers per se but computer-savvyindividuals who maintained the network

and who would play a crucial role inorganizing ad hoc groups of people,large and small, over the coming weeks.Many of them got a kick out of hostinghundreds of people on their servers. Itwas often argued that these operators,who had names like Nerdo, Owen,Token, Fennic, evilworks, andJeroenz0r, were the true, secret leadersof Anonymous because of the power theycould wield over communication. Theyavoided culpability for what Anonymousdid, though, in the same way thatChristopher “moot” Poole avoidedlitigation by claiming he was notresponsible for what happened on 4chan.

Now, though, the operators weredoing more than just maintaining the chat

network. They were organizing an attackon the PayPal blog, where the companyhad made its announcement aboutWikiLeaks. On Saturday morning,December 4, the day after PayPal said itwould cut funding, the AnonOpsorganizers DDoS’d thepaypalblog.com.The blog went down at 8:00 a.m. easternstandard time.

Soon after, the Twitter account@AnonyWatcher posted “TANGODOWN—the paypalblog.com,” adding:“Close your #Paypal accounts in light ofthe blatant misuse of power to partiallydisable #Wikileaks funding. Join in the#DDoS if you’d like.”

PayPal’s blog remained offline for thenext eight hours. Anyone who visited it

saw a white screen and the “error 403”message “Access forbidden!” in largetype.

The next day, Sunday, someone postedan announcement on Anonops.net, theofficial website for AnonOps IRC,saying that Anonymous planned to attack“various targets related to censorship”and that Operation Payback had “comeout in support of WikiLeaks.”

At around the same time, a digitalflyer was being circulated on imageboards and IRC networks, with the titleOperation Avenge Assange and a longnote that stated, “PayPal is the enemy.DDoS’es will be planned.” It wassigned, “We are Anonymous, We do notforgive, We do not forget, Expect us.”

These flyers came from new channelson AnonOps called #opdesign and#philosoraptors, which later combinedto make #propaganda. Here, anyone whowanted to help with publicitycollaborated on writing press releasesand designing digital flyers to advertisefuture attacks. Others would then postthe flyers all over 4chan and Twitter.Another channel, #reporter, was whereAnons could answer the questions of anybewildered journalists who had figuredout how to access IRC. Topiary wasjumping between the publicity channels,more interested in spreading the wordthan firing weapons.

At around 5:00 p.m. eastern standardtime on Monday, December 6, the

organizers from AnonOps startedDDoSing PostFinance.ch, a Swiss e-payment site that had also blockeddonations to WikiLeaks. The site wouldstay down for more than a day.

The attack was “getting in the way ofcustomers doing business with thecompany,” Sean-Paul Correll, aresearcher with Panda Security, said in ablog post that day. Correll, who was onthe West Coast of the United States,stayed up into the early hours to monitorthe attacks, which seemed to keepcoming.

That day, nine hundred peoplesuddenly jumped into#operationpayback, the main public chatroom on AnonOps IRC, which had been

quiet for months. About five hundred ofthese people had volunteered theircomputers to connect to the LOIC“hive.” By now LOIC had an automaticfunction; you only needed to set it to hivemode and someone in #command wouldset the target and time. They would typesimple instructions into their configuredIRC channel—“lazor start” and “lazorstop.” Normal users didn’t have to knowwho the target was or when you weresupposed to fire. They could just run theprogram in the background.

At 2:00 p.m. eastern standard time onTuesday, AnonOps started attacking thewebsite of Swedish prosecutors againstAssange, who was now looking atextradition to Sweden where he faced

questioning for sexual misconductagainst two women in that country. Manyin Anonymous saw the case as awhitewash. Once again, some fivehundred people were using LOIC, andnow more than a thousand people werein the main chat channel. At 6:52 p.m.,AnonOps announced a new target:EveryDNS.com, the server provider thathad yanked the rug from underWikiLeaks.org. One minute later, thatsite was down. At 8:00 p.m. the targetswitched to the main site of SenatorJoseph Lieberman, the chairman of theU.S. Senate Homeland Security andGovernmental Affairs Committee, whichhad first pushed Amazon to stop hostingWikiLeaks. All of these sites were going

down for minutes or sometimes hours ata time, one by one, like dominoes.

By the early hours of December 8 onthe West Coast, Correll had talliedninety-four hours of combined downtimefor these sites since December 4. Theworst-hit were PostFinance and thePayPal blog. But this was just thebeginning.

Word was spreading that if youwanted to help WikiLeaks, all the actionwas happening on AnonOps IRC.Newcomers could get a quick overviewof what was happening from differentchat rooms: #target was for talking aboutfuture or current attacks and #lounge wasa place to just shoot the breeze. In#setup, new recruits could find a link to

download LOIC and get help using itfrom experienced users.

The room contained a link to a digitalflyer with step-by-step instructions titled“HOW TO JOIN THE FUCKING HIVE—DDoS LIKE A PRO.”

1. Get the latest LOIC fromgithub.com/NewEraCracker

2. FIX YOUR GODDAMNINTERNET. THIS IS VERYFUCKING IMPORTANT

(If your broadband kept cutting out,LOIC wouldn’t work properly.)

Things were moving quickly. Topiaryhad now gained higher “operator” statusin the publicity channels, which gavehim the ability to kick out participants

and a generally louder voice in theroom. His enthusiasm, ideas, and wittyremarks caught the attention of one of theAnonOps operators in #command, andthey sent Topiary a private messageinviting him into a secret commandchannel, which Topiary had never heardof. Intrigued, he went in.

Here the operators were talkingexcitedly about all the new volunteersand media attention they were suddenlygetting. They decided to pick a biggertarget: the main PayPal website. Theyquickly chose dates and times and pastedthe coordinates at the top of the mainIRC channels, then tweeted them.Topiary and the others in #commandexpected that the call to arms would get

stronger feedback than usual, but nothingprepared them for what happened next.

On December 8, just four days afterAnonOps had first hit the PayPal blog,the number of visitors to AnonOps IRChad soared from three hundred toseventy-eight hundred. So many peoplewere joining at once that Topiary’s IRCclient kept freezing and had to berestarted. Lines of dialogue betweenpeople in the main channel, still named#operationpayback, were racing up thescreen so quickly it was almostimpossible to hold a conversation. “Itwas mind-blowing,” Topiary laterremembered. “Insane.”

“Do you think this is the start ofsomething big?” someone called

MookyMoo asked amid the flurry in themain channel.

“Yes,” replied an operator namedshitstorm.

Jokes were often being cracked abouthow the mainstream press had startedreporting the attack. “They’re calling ushackers,” said one called AmeMira.

“Even though we don’t really hack,”another, called Lenin, replied.

The IRC network itself was seizing upbecause of the flood of users. “Are webeing attacked or are there just too manypeople on this server?” one participantasked. Once the LOIC network itselfwas crashing, newcomers were told toset their “cannons” on manual mode,directly typing the target address and

clicking “IMMA CHARGIN MAHLAZAR.”

At around the same time, Topiarywatched two very important peopleenter the private #command room. Theirnicknames were Civil, written as{Civil} and Switch. These werebotmasters. Each had control of his ownbotnet, Civil with fifty thousand infectedbots and Switch with around seventy-five thousand. Anons who owned botnetscould expect to be treated with unusualreverence in Anonymous—with only afew clicks they had the power to bringdown a website, IRC network, whateverthey wanted. Switch had the bigger egoand could be unbearable to talk to attimes.

“I have the bots, so I make the shots,”he would say.

Everything was controlled on IRC.Civil and Switch even controlled theirbotnets from private chat rooms withnames like #headquarters and #thedock.The latter was fitting, since bots wereoften referred to as “boats,” as in “Howmany boats are setting sail?” And in thepublic channel, the thousands of newvisitors only had to type “!botnum” andpress enter to see how many peoplewere using LOIC. The day before,December 7, the number of peoplejoining the hive option of LOIC had been420. For the attack on PayPal onDecember 8, it was averaging about4,500.

Topiary noticed that Civil and Switchhad their botnets prepared to help theattack but that they were waiting for thehordes with LOIC to fire first. Launchtime was 2:00 p.m. GMT, when mostpeople in Europe were at their desks andAmerica was just getting into the office.With minutes to go, supporters and IRCoperators posted out a flurry of tweets,links to digital posters, and posts on4chan reminding everyone: “FIRE AT14:00 GMT.” When 2:00 p.m. finallycame around, the IRC channels, Twitter,and 4chan exploded with *FIRE FIREFIRE FIRE* and FIIIIIRE!!! Along withall the junk traffic, the LOIC hiveconfigured a message to PayPal’sservers: “Good_night_Paypal_

Sweet_dreams_from_AnonOps.”There was a rush of excitement as

thousands of copies of LOIC all over theworld started shooting tens of thousandsof junk packets at PayPal.com, putting itsservers under sudden pressure thatseemed to be coming out of nowhere.

“If you are firing manually, keep firingat ‘api.paypal.com:443,’” a user calledPedophelia kept saying over and over inthe main channel. “Don’t switch targets,together we are strong!”

An IRC operator nicknamedBillOReilly was in a chat room called#loic. Here he could steer the hive ofLOIC users from all over the world toattack whatever website was next on thehit list. Anyone who looked in the

channel saw a long list of each personwho was using LOIC in the attack. Eachparticipant was identified by six randomletters and the country his or hercomputer was in (though many hadspoofed that with proxy servers to avoiddetection). The countries with thegreatest number of participatingcomputers were Germany, the UnitedStates, and Britain.

A few minutes into the attack, the IRCoperators checked PayPal.com andfound that the site was now runningslowly—but technically it was still up.There followed much confusion in thehorde. Was something wrong with LOICor AnonOps, or did PayPal have DDoSprotection that was too strong?

“The attack is NOT working,”someone named ASPj wrote to Kayla—a name Topiary didn’t recognize yet—inthe main chat room. “I repeat, PAYPALIS NOT DOWN.”

No one outside of #command knewthis, but they needed Civil and Switch.

“Let’s add on a few thousand bots,”someone in #command said. Civil knewwhat he had to do. He typed incommands for all of his bots to join upto his botnet. The operator evilworksmessaged Topiary. “Check out thesebots,” he said, inviting him into Civil’sbotnet control room, eager to show it off.

In the botnet control room, which waslike any other chat channel, Topiarycould see a list of Civil’s bots suddenly

running down the screen in alphabeticalorder as they started up around theworld. There were a few hundred in theUnited States, a few hundred more inGermany; all were invisibly connectedto this IRC channel. Each bot hadnicknames like:

[USA | XP] 2025[ITA | WN7] 1438

It was very similar to the list thatBillOReilly was seeing in his room,except these were computers that wereinfected with a virus that had linkedthem to Civil’s botnet. These were notvoluntary participants. None of thecomputers in this room belonged topeople who wanted to be part of the

attack. They were, as the phrase went,zombie computers.

If one of the bots suddenly turned off,it was probably because a randomperson in Nebraska or Berlin hadswitched off his or her computer for theday, and the list would go down by one.Civil thus didn’t like using all fiftythousand of his bots at once; instead, heswitched between a few thousand everyfifteen minutes to let the other ones“rest.” Once the botnet was firing, thepeople behind each infected computerwould notice that their Internetconnection had become sluggish.Thinking there was a router problem,they’d usually start fiddling with theirconnection or switching off all together.

Constantly refreshing the bots ensuredtheir owners didn’t switch off or, worse,call the IT guys. (Incidentally, somebelieved that the best people to infectwith viruses so they could join intobotnets were those on /b/—they left theircomputers on all day.)

Civil gave the command to fire. Itlooked something like this:

!fire 30000 SYN 50 296.2.2.8 A SYN was a type of packet, and thismeant flooding PayPal.com with thirtythousand bots at fifty packets each forthirty seconds. The type of packet wasimportant because simply flooding aserver with traffic wasn’t always enoughto take it offline. If you think of a server

like a call center manned by hundreds ofpeople, sending “ping” packets was likecalling them all and simply saying“Hello” before hanging up. But sending“SYN” packets was like calling all theworkers and staying on the line sayingnothing, leaving the other end repeatedlysaying “Hello?” The process sentthousands of requests, which the servercould not ignore, then left it hanging.

Within a few seconds the PalPal sitehad gone down completely. It would staydown for a full hour. The thousands ofAnons in #OpPayBack cheered at havingtaken down the world’s biggest e-payment website. Mainstream newssites, from the BBC to the New YorkTimes to the Guardian, reported that the

“global hacking group” Anonymous hadbrought down PayPal.

Panda Security’s Correll hopped onIRC using the nickname muihtil (lithiumspelled backward) and sent a message toSwitch himself, asking about the size ofhis botnet and clarifying that he was asecurity researcher. Switch wassurprisingly happy to answer that hisfriend (presumed to be Civil) had helpedin the attack by offering thirty thousandbots, while there had been five hundredin the LOIC hive, and that Switchhimself had attacked with thirteenhundred bots.

What this confirmed was that around90 percent of all the firepower from theattack on PayPal.com had come not from

Anonymous volunteers but from zombiecomputers.

Topiary quietly started thinking aboutthe true power of the hive. When he hadjoined the #command channel two daysearlier, he had thought that theAnonymous DDoS attacks wereprimarily caused by thousands of peoplewith LOIC, with backup support fromthe mysterious botnets. Now he realizedit was the other way around. When itcame to hitting major websites likePayPal.com, the real damage came fromone or two large botnets. Thousands ofLOIC users could have taken down asmaller site like Scientology.org, but notthe planet’s biggest e-payment provider.In practice, finding someone willing to

share his botnet was more useful thangetting thousands of people to fire LOICat the same time.

Correll’s observations were reportedby Computerworld.com but largelyignored by the mainstream media.Someone nicknamed skiz pasted a link tothe story in the AnonOps main chatroom, saying skeptically, “They claimAnonymous used a 30,000 person botnet.:D.” Most of these eager volunteers didnot want to believe that botnets had morefirepower than their collective efforts.

The operators in #command did notlike to advertise it, either. Not onlycould that information put off othersfrom joining, but it could bring unwantedattention to their channel, both from

other hackers and from the police. ButCivil and Switch continued braggingabout how large and powerful theirbotnets were. Spurred on by the mediareports and their audience in #command,they were eager to show off again. Theoperators agreed that since they had thepower to launch another attack, theyshould. They duly planned a secondattack on PayPal for December 9. Onceagain they chose the morning—easternstandard time—to get the attention ofAmerican Internet users and the media.

This time, though, there was lessenthusiasm and coordination. Only a dayhad passed since seventy-eight hundredpeople had been in the main AnonOpschat room, but the numbers using LOIC

had started tapering off. Then, when itcame time to fire on PayPal a secondtime, volunteers in the chat room,#operationpayback, were told to wait.They were not told why. Topiary wasalso in #command waiting for the attackto happen so he could write his firstpress release. The problem was that insome unknown part of the world Civilwas still sleeping.

“Do we have anything to writeabout?” asked Topiary. “Becausenothing’s happened.”

“No, we have to wait for Civil tocome online,” was the reply.

An hour later, Civil finally signed into#command and made a few grumpyremarks. As the operators told the hive

to fire their (largely ineffective)cannons, Civil turned on his botnet andtook down PayPal.com. He then signedoff and went to have his breakfast.

As Topiary watched, the secret powerof botnets was reconfirmed. The botnetshad boosted the first PayPal attack, sincethe hive was so big, but the second timearound just one botnet had done all thework. The second attack also wouldn’thave happened if Civil had not beenbragging. But the operators still wantedAnonymous and the media to think thatthousands of people had beenresponsible. Ignoring theseuncomfortable truths, Topiary wrote up apress release about the “hive” strikingback.

After the second PayPal attack, therewas more bragging from Civil andSwitch and the AnonOps operators toldthem they could hit MasterCard.com onDecember 12. They broadcast the dateand time of the attack across the Internet,knowing that, with the botnets doingmost of the work, it would be fun but notcrucial to get another horde of peoplefiring. This time around, only about ninehundred people had hooked up theirLOICs to the AnonOps chat network andfired on MasterCard.com. It didn’tmatter. Thanks to Civil and Switch, thewebsite for one of the world’s biggestfinancial companies went down fortwelve hours, and right on schedule.

Over time, a handful of other peoplewith botnets would help AnonOps. Oneof them was a young hacker named Ryan.Aged nineteen and living with hisparents in Essex, England, Ryan’s realname was Ryan Cleary. In the offlineworld, Ryan, who would later bediagnosed with Asperger syndrome,rarely left his room, taking dinner from aplate that his mother would leaveoutside his bedroom door. But hisdedication to becoming powerful onlinehad paid off; over the years he amassedservers and what he claimed was a 1.3million-computer monster botnet. Otheronline sources put the number at a still-enormous one hundred thousandcomputers. Though he rented the botnet,

he also sublet it for extra cash.Like Civil and Switch, Ryan was

happy to brag about his botnet tooperators and hackers and keep its truepower a secret from new volunteers.Later in February, for instance, whenabout fifty people on AnonOpsannounced they were attacking smallgovernment websites in Italy, Ryanquietly used his botnet for them. As theattacks were happening, wheneveranyone typed “!botnum” to learn thenumber of people using LOIC, it wouldsay 550.

“Did you just add 500 computers toyour botnet?” Topiary would privatelyask Ryan.

“No,” Ryan would reply. “I just

changed the LOIC commands to make itlook like 512 people were using it.”What this meant was that Ryan not onlywielded the real firepower, he wasdeliberately manipulating other Anonsso that they would think they werecausing the damage instead. It was nothard to do this. If you were controllingthe network of LOIC users, you couldspoof the number of people using thetool by typing +500 or even +1000 intothe corresponding IRC channel. Thisability to fake numbers was an opensecret in #command, but people brushedthe topic aside whenever it came up.Anonymous was “Legion,” after all.

“It didn’t seem sketchy at all,” saidone source who knew about the botnets

being used to support AnonOps inDecember 2010 and January 2011.“More fun trickery I guess.” The uppertier of operators and botnet masters alsodid not see themselves as beingmanipulative. This is partly because theydid not distinguish the hive of realpeople using LOIC from the hive ofinfected computers in a botnet. In the endthey were all just numbers to them, thesource added. If there weren’t enoughcomputers overall, the organizers justadded more, and it didn’t matter if theywere zombie computers or realvolunteers.

Botnets, not masses of volunteers,were the real reason Anonymous couldsuccessfully take down the website of

PayPal twice, then MasterCard.com fortwelve hours on December 8 andVisa.com for more than twelve hours onthe same day. According to one source,there were at most two botnets used tosupport AnonOps before November 30,rising to a peak of roughly five botnetsuntil February, before the number ofbotnets went down to one or two again.Only a handful of people could call theshots with bots. For the most part, theywere not lending their firepower formoney. “People offered things becausethey believed in the same idea,” claimedthe source. More than that, they likedshowing off how much power they had.

Naturally, with ego such a big driverof the early December attacks,

discussions in #command soon brokedown. After Civil, Switch, and the ninehundred people fruitlessly using LOIChit Mastercard.com, the small group in#command decided, on a hubristicwhim, to attack Amazon.com the nextday, December 9, at 10:00 a.m. easternstandard time. That’s when the operatorsrealized that Civil and Switch haddisappeared.

The operators pushed the attack timeto December 9 at 2:00 p.m., hoping thebotmasters would return. At 1:30 p.m.,the entire AnonOps IRC network wentdown. It turned out that Civil and Switchhad been squabbling with some of theoperators in #command and were nowusing their botnets to attack AnonOps in

retribution. When the IRC network cameback online about an hour later with afew hundred participants, nobodywanted to attack Amazon anymore.There weren’t enough bots and theredidn’t seem to be a point.

Topiary estimated that LOIC usersrepresented on average 5 percent to 10percent of the damage done against siteslike PayPal, MasterCard, and Visa inearly December 2010, and in the monthsthat followed less than 1 percent, asfewer people stayed involved. Anothersource close to the operators at the timeestimated more graciously that the LOICtool contributed about 20 percent ofDDoS power during AnonOps attacks inDecember and January. The truth

became especially hard to accept when,seven months later, the FBI arrestedfourteen people who had taken part inthe PayPal attacks by downloading andusing LOIC. These users includedcollege students and a middle-agedwoman.

“People who fought for what theybelieve in shouldn’t be told what theydid was in vain,” the source close to theoperators said. In a small way, LOIC didhelp. It made people feel they werecontributing to something, whichencouraged more to join. Plus, Civil,Switch, and other botmasters might nothave helped if they hadn’t seen thegroundswell of support.

Regardless, Topiary decided to stick

to the party line on December 10 whenhe was contacted by a reporter fromstate-backed TV network Russia Todayand invited to give his first ever livetelevision interview, an audiodiscussion over Skype. He was nervousin the moments leading up to theinterview, but when it came to it, heproclaimed as confidently as he couldthat the hive had hit back at PayPal andothers.

“We lied a bit to the press,” he said,many months later, “to give it that senseof abundance.” The press liked reportingon this new powerful phenomenon of ahive that nobody seemed able toquantify. “They liked the idea andamplified the attention.”

“Lying to the press” was common inAnonymous, for understandable reasons.Here was a network of people borne outof a culture of messing with others, aparanoid world whose inhabitants neverasked each other personal questions andhabitually lied about their real lives toprotect themselves. It was also part ofAnonymous culture to make up random,outrageous statements. If, for instance,someone was about to leave his or hercomputer for a few minutes to get coffee,he or she might say, “Brb, FBI at thedoor.” Not only was there a sense of ahigher purpose to Anonymous that madeit seem okay to inflate figures and lie tothe media; Anons were also part of asecret institution that no one in the real

world understood anyway.Anons particularly disliked

journalists who would come into the#reporter channel asking, “So who areyou attacking next?” or pushing for aquick quote. A few would firstexaggerate, saying that there were tens ofthousands of people attacking a site. Atone point an Anon told a magazinereporter that Anonymous had “colonies”all over the world, a physicalheadquarters, and that its name wasbased on a real man named Anonymous.

“So who is Anonymous?” a reporterasked about the supposed man.

“He’s this guy,” the Anonymoussupporter said. “He lives in ourheadquarters in West Philadelphia.”

That was actually an Internet meme: tellan elaborate story, then catch the personout by quoting the introductory rap to thesitcom The Fresh Prince of Bel Air.

Later in February 2011, Topiarywould create an IRC channel called#over9000—in reference to anotherfamous meme, which involved a fewcore Anons discussing a bogus hackingoperation to mess with a journalist fromthe Guardian. The reporter had askedfor access to “secret” inner channels.

“We need to troll her hard,” Topiaryhad told the others.

The group went on to spam the roomwith cryptic messages like: “Charlie isc85 on excess, rootlog the daisy chainand fuzz out dawn mode.”

Lying was so common in Anonymousthat people were rarely surprised to heardifferent versions of events, or to findout that the nickname they thought theywere talking to was being hijacked bysomeone else. There was a constantsuspension of disbelief and skepticismabout almost everything. Even whenpeople professed genuine admiration forsomeone or for the ops that were takingplace on PayPal and MasterCard, theiropinions could change just days later. Itwasn’t that people in Anonymous wereshallow or that there was little value totheir experiences—it was just thatevents and relationships on the Internetmoved far more quickly anddramatically than in real life. The data

input for Anons could be overwhelming,and often the result was detachment—from emotions, from morals, and fromawareness of what was really going on.But there was one truth in particular thatat least a dozen Anons would later regretignoring. It was about LOIC. Not onlywas their all-important weapon uselessagainst big targets like PayPal, it couldlead the police straight to their doors.

Chapter 8

Weapons thatBackfired

When nearly eight thousand peoplehad rushed into the main AnonOps IRCchannel on December 8, eager to avengeWikiLeaks, the dozen or so operators in#command were stunned and thenoverwhelmed. Hundreds had beenclamoring for direction, and the obviousone was to download and use LOIC. Theoperators made sure that at the top of themain chat channels there was a link todownloading the program, along with adocument explaining how to use it.

But no one knew for sure if LOIC wassafe. There were rumors that LOIC wastracking its users, that the feds weremonitoring it, or that it carried a virus.More confusingly, the LOIC that Anonswere downloading in droves duringOperation Chanology three years agowas very different from the LOIC thatthey were downloading now forOperation Payback. In the fast-movingworld of open source software,developers were tweaking things all thetime, and there was no one deciding ifthey should be helping or hinderingAnonymous. One person who took acloser look at LOIC realized it wasdoing the latter.

Around the same time that the PayPal

attacks were getting under way, a highlyskilled software developer hopped ontoAnonOps IRC for the first time. Theprogrammer, who did not want to revealhis nickname or real name, had workedwith WikiLeaks in the past and was keento help attack its detractors. When hedownloaded LOIC from the link at thetop of the main chat channels, he thoughtto look at the program’s source code.

“I took it apart,” he said, “and itlooked like shit.”

The big problem was that theapplication was sending junk trafficdirectly from users’ IP addresses. It didnothing to hide their computer in thenetwork. This meant the people whoused LOIC without also using

anonymizing software or a proxy serverwere just asking to get arrested.

The programmer quickly sent privatemessages to a few of the operators andlet them know his concerns, asking themto remove the LOIC link at the top of thechannel. About half of them agreed—butthe other half refused. According to theprogrammer, the operators who refuseddidn’t understand the technology behindLOIC. Making things more complicatedwas the range of operators, all offeringdifferent interpretations of LOIC on thechat network. AnonOps had differentlevels of operators—network operatorsat the top, and channel operators belowthem. The channel operators were likemiddle managers, with the ability to kick

people out of channels with a fewsimple commands. One young femalestudent who went by the nickname Nomanaged to work her way up to channeloperator by the time of the PayPalattacks, and she became known forbanning people from the main#operationpayback channel if they triedto tell others not to use LOIC.(Ironically, police ended up trackingdown No and arresting her a few monthslater because she had used LOIC.)

New volunteers and operators alikealso assumed there was safety innumbers. Anonymous, as the sayingwent, was everyone and no one.

“Can I get arrested for doing this?” aperson called funoob asked in the #setup

channel on December 8.“Nah, they won’t arrest you,”

answered someone called Arayerv.“Too many people. You can say youhave spyware. They can’t charge you.”

Another called whocares concurred:“If you get arrested just say you don’tknow but it’s probably a virus.”

“I hope in a way to get arrested,” onecalled isuse joked. “The trial would behilarious.” (Those who did go to trialfor using LOIC later on most likely don’tagree.)

“They honestly believed that becauseof the amount of people it would beimpossible to prosecute any singleindividual,” the programmer laterremembered. “No one talked about

prosecutions. They didn’t want to hearabout your IP being exposed or anythinglike that.” And the overwhelming senseof camaraderie and accomplishmentdominated reasonable argument. Theworld’s media were paying attention toAnonymous and its extraordinary hivemind; the last thing they needed was tostart fiddling with the technology theywere relying on and slowing thingsdown.

Even when Dutch police swiftlyarrested sixteen-year-old AnonOps IRCoperator Jeroenz0r and nineteen-year-old Martijn “Awinee” Gonlag onDecember 8 and 11, 2010, people onAnonOps initially didn’t believe it.

“BS, no one is getting arrested,” said

a user called Blue when links to thearrest stories started getting passedaround. Then, when more articles aboutthe arrests started appearing online, aflood of new Dutch supporters pouredinto AnonOps. There were so many thata new channel was started to host themall, called #dutch.

Around December 13, a rare digitalflyer was released warning anyone whohad recently used LOIC that they were at“high risk” of arrest and needed todelete all chat logs. The organizershitstorm said: “Ridiculous. This is anobvious ploy to try and scare peopleaway.”

“It’s a troll,” another organizer toldPanda Security’s Correll.

The operators, including one whowent by the name Wolfy, continued toencourage people to use LOIC even asCorrell reported on the Panda Securityblog around December 9 that LOICdidn’t mask a user’s IP address.

“People were so excited,” theprogrammer recalled. “They were in theChristmas spirit and were going crazy.”

The programmer wasn’t giving up. Hedecided to help build a new tool toreplace LOIC. He started asking aroundon AnonOps for any interestedvolunteers who could prove they weredevelopers. After gathering a team ofeight from all over the world, they meton a separate IRC server and spent thenext three weeks doing nothing but

rewriting LOIC from scratch. It was thefastest program making he had everexperienced, fueled by a sense of justiceagainst corporations and thegovernments and the idea of contributingto the wider collective. The programmerwas at his computer all day includingduring work at his day job, skippingmeals and drinking alcohol at the sametime as his new colleagues in other partsof the world.

The team added new features to theprogram, which was like LOIC but letusers fire junk packets at a target throughTor, the popular anonymizing network.The tool was not only safer than LOICbut more powerful and far-reaching, too.The programmer claimed it got two

hundred thousand downloads onAnonOps IRC when it was finallycompleted on December 23. When itwas posted on a popular blog run by anAnonOps IRC operator named Joepie91,it was downloaded another 150,000times. Still, many newbie Anonscontinued to download LOIC because itwas so well known. The link to LOICdownload was still everywhere onAnonOps IRC. And the programmer’snew tool was more complicated to setup. LOIC may have even acquired aveneer of legitimacy from frequentmentions in the mainstream press—fromthe New York Times to BBC News.

Later, in March 2011, the programmerand his crew disassembled LOIC again

and found it had indeed been trojaned, orinfected with a malicious program. “Ithad a code that would record what yousent and when you sent it, then send it toa server,” he said, adding it waspossible that users’ IP addresses werebeing sent to the FBI.

As it happened, the FBI had beeninvestigating Anonymous since theattacks on copyright companies inOctober and November 2011, and hadalso been working closely with PayPalsince early December. Two days afterthe December 4 DDoS attack on thePayPal blog, FBI agents spoke on thephone to PayPal cyber security managerDave Weisman. As the attacksintensified, the two parties kept in touch

while a security engineer at PayPal’sparent company, eBay, took LOIC apartand analyzed its source code.

On December 15, a member ofPayPal’s cyber security team gave asmall USB thumb drive to the FBI. Itwas the mother lode. The thumb drivecontained a thousand IP addresses ofpeople who had used LOIC to attackPayPal, the ones who had sent the largestnumber of junk packets. Once theChristmas holidays were over, the FBIwould start serving subpoenas tobroadband providers like AT&T InternetServices to unmask the subscribersbehind some of those IP addresses. Thenthey would start making arrests.

“Switch is basically under a shoot onsight watch list,” the operator Owen toldother operators on December 20. Thebotmaster who had helped make thePayPal attacks happen in earlyDecember had gone AWOL after makingtrouble on the network and gettingbanned from a few of the main chatrooms, including #command. He hadbecome aggrieved that his contributionto the attacks hadn’t led to more power.

Civil was said to be similarly bitter.After the Visa and MasterCard attacks,he told AnonOps operators like Owenthat he was being used, and that theywere pretending to like him for his bots.Though it wasn’t the case for all botnetmasters who supported AnonOps, Civil

and Switch were largely uninterested inthe activism that Anonymous waspublicly fronting, according to Topiary,and more keen to parade their power tothe Anon operators, getting the wowfactor with their ability to take down amajor website on a whim.

Meanwhile, as their former alliesstarted attacking the AnonOps networkfrom December 13, its operators foundthemselves overwhelmed with extramaintenance work. With folks like Civil,Switch, The Jester, and God knows whoelse attacking the network, there was notime to dictate a central strategy from#command.

The result was that the masses oforiginal participants started splintering

off and starting their own operations.Often they were legal and coherent. Oneformer operator called SnowyCloudhelped start Operation Leakspin, aninvestigative op calling on people totrawl through the WikiLeaks cables andthen post short summaries of them onYouTube videos that could be searchedwith misleading tags like Tea Party andBieber. There was also OperationLeakflood, where Anons posted a digitalflyer with the headquarters fax numbersof Amazon, Mastercard, PayPal, andothers with directions to fax “randomWikiLeaks cables, letters fromAnonymous…” People were creating theflyers in #Propaganda, where Topiarywas still spending much of his time.

From #Propaganda a few spearheadedOperation Paperstorm, calling on Anonto take to the “real life” streets—not inprotest this time, but to plaster them withprinted logos of Anonymous onSaturday, December 18. Another channelcalled #BlackFax listed the fax numbersof several corporate headquarters andencouraged Anons to send them ink-draining black faxes.

Soon, AnonOps was splintering intoall sorts of side operations, often underagendas completely different fromWikiLeaks, but always as “Anonymous.”In mid-December, a few Anons hit SarahPalin’s official website andConservatives4Palin with a DDoSattack, and a group of about twenty-five

attacked a Venezuelan government site toprotest Internet censorship. Anotheroperation called Operation OverLoadsaw Irish hackers team together to maptheir government’s entire network in aneffort to deface every .gov and .edu sitethey could.

Each time someone would produce apress release announcing an attack byAnonymous, the media would suggest itwas coming from the same “group ofhackers” that hit PayPal andMasterCard. Not only were these peoplenot all from the same group, more oftenthan not they weren’t even hackers anddidn’t know the first thing about SQLinjection. They were armed mostly withan ability to coordinate others and with

access to free software tools they couldget on 4chan’s /rs/ board.

Topiary had been dipping into someof the different operations that hadbriefly taken off after the PayPal andMasterCard attacks. In late December,while he was lurking in#operationpayback, he noticed a numberof people talking to a participant called'k. “So you’re THE Kayla?” someoneasked. They asked about an incident on4chan—someone had taken full controlof the /b/ board and spammed it withrepeated loops of “Kayla <3” in 2008. 'ksaid yes and added a smiley face.Another name, Sabu, was lurking amongthe participants, not saying anything, justlistening.

Soon Sabu and Kayla had moved intoanother secret channel that was slowlyreplacing #command as a tactical hubfor Anonymous: #InternetFeds. Thischannel was so highly classified that itwasn’t even on the AnonOps networkbut allegedly on the server of a hardcorehacktivist with Anonymous. About thirtypeople had found their way in, mainlyvia invitation. They included Sabu,Kayla, and Tflow, some of the originalAnonOps operators, and a botmaster ortwo. Most were skilled hackers.

Here they could share flaws they hadfound in servers hosting everything fromthe official U.S. Green Party to HarvardUniversity to the CERN laboratory inSwitzerland. Sabu even pasted a list of

exploits—a series of commands thattook advantage of a security glitch—toseveral iPhones that anyone could snoopon. They threw around ideas for futuretargets: Adrian Lamo, the hacker that hadturned in WikiLeaks’s military moleBradley Manning, or defected botmasterSwitch.

“If someone has his dox,” said Kayla,“I can pull his social security numberand we can make his life hell.” To thosewho didn’t know her, Kayla came acrossas someone who was especially keen todish out vigilante justice.

As the InternetFeds participants got toknow each other more, they also sawthat Sabu was the one with the loudestvoice, the biggest opinions, and the

strongest desire to coordinate others intoaction. Sabu, who was well connected tothe underground hacker scene, wanted torelive the days of the so-calledAntisecurity movement and wouldeventually realize he could do so with anelite group of Anons like Kayla,Topiary, and Tflow. What’sextraordinary is that, while his actionsgradually betrayed the rhetoric, Sabuwas gradually positioning himself asAnonymous’s most spectacularrevolutionary hero.

Chapter 9

The Revolutionary

Sabu’s dramatic involvement inAnonymous might never have happenedif it weren’t for an importantintroduction: around mid-December2011, Tflow invited Sabu, who in reallife was a twenty-eight-year-old NewYorker with a string of criminalmisdemeanors behind him, into the#InternetFeds chat room. It was in thischat room that Sabu first met Kayla andother hackers who would help him attackmyriad other targets with the mission ofrevolution in his mind. Until now,Anonymous raids had reacted to

circumstance: Chanology because ofTom Cruise; Operation Payback becausea few companies snubbed WikiLeaks.But Sabu wanted Anonymous to be morethan just kids playing hacker. He wantedAnonymous to change the world.

Sabu was an old-time cyber punk. Hedid not use words like moralfag andlulz, and he did not go on 4chan. Heconquered networks, then basked in hisachievement. He was more interested inthe cachet of taking over entire Internetservice providers (ISPs) than prankingScientologists. While 4chan trolls likeWilliam were looking for random fun,Sabu wanted to be a hero by takingfigures of authority down a notch or two.He did not shy away from big targets or

big talk. In his decade underground heclaimed to have taken control of thedomain-name systems of thegovernments of Saudi Arabia, PuertoRico, the Bahamas, and Indonesia.

Sabu was known to exaggerate, andother hackers who dealt with himlistened to his claims with someskepticism. Though he was highlyskilled, Sabu would often lie about hislife, telling people things he perhapswished were true—that he came fromPuerto Rico; that his real mother hadbeen an upstanding member of the localpolitical community; that in real life, hewas married and “highly successful inhis field.” The truth was that he wasjobless, insecure, and struggling to

support his family.Sabu’s real name was Hector Xavier

Monsegur. He lived in a low-incomehousing project on New York’s LowerEast Side, and with help fromgovernment welfare, he supported hisfive brothers, a sister, two femalecousins for whom he was legal guardian,and a white pit bull named China.Monsegur would refer to the two girls,who were seven and twelve,respectively, in 2012, as his daughters.He was of Puerto Rican descent and astickler for left-wing activism. As achild, he listened to tales of the El Gritode Lares revolt and told his family thatone day, he would launch his ownrevolution.

Born in New York City in 1983,Monsegur grew up in relative poverty.His father, also named Hector, and hisaunt Iris sold heroin on the streets. WhenMonsegur was fourteen, they were botharrested for drug dealing and sentencedto seven years in prison. Monsegur wentto live with his grandmother Irma in asixth-floor apartment in the Jacob Riishousing project on New York’s LowerEast Side.

As he settled into his new home, hediscovered The Anarchist Cookbook,the notorious book originally publishedin 1971 that led him to tips for hackingphone lines to make free calls as well asdirections for making napalm bombs outof soap. His grandmother could not

afford a fast Internet connection, so theyoung Monsegur followed instructions toget the family computer hooked up to theInternet service EarthLink for free. As heexplored the Web, he also found his wayonto EFnet, a storied Internet relay chatnetwork popular with hackers that Kaylawould join years later. Monsegureventually came across an online essayfrom a notorious 1980s hackernicknamed the Mentor. It was called“The Hacker’s Manifesto” and spoke toMonsegur more than anything else he hadread online. The Mentor, whose realname was Lloyd Blankenship, hadwritten the short essay on a whim onJanuary 8, 1986, a couple of hoursbefore police arrested him for computer

hacking.“Did you, in your three-piece

psychology and 1950’s technobrain,ever take a look behind the eyes of thehacker? I am a hacker, enter my world.…”

“Oh man,” Monsegur said, recallingthe event years later in an interview.“That right there is what made me who Iam today.” The last line of the manifestowas especially resonant for him: “Mycrime is that of outsmarting you,something that you will never forgive mefor.”

The idea that figures of authority, fromteachers to the media, misunderstood thetrue talents of hackers was somethingMonsegur understood all too well. As a

young Latino living in the projects wherehis own family dealt drugs, he did not fitthe description of nerdy computerhacker. More than likely he wasconfronted by people who doubted hisabilities. But he was eager to learn.After successfully hooking his family upwith free Internet, Monsegur wanted tofind the next challenge to conquer.

He read more online, experimented,and took a few pointers from people onIRC networks like EFnet. Still at justfourteen, Monsegur taught himselfsoftware programming in Linux, Unix,and open-source networking.

Outside of school, Monsegur wasshowing off his talents: he joined a localtraining scheme for talented young

programmers called the NPowerNYTechnology Service Corps, then gotwork experience researching networksecurity at the Welfare Law Center. Ateighteen he had joined mentoringprogram iMentor as a technology intern.

By now he had grown into a tall,broad-shouldered young man, but he hada tenuous relationship with authority.According to an essay the teenagedMonsegur wrote in August 2001, itboiled down to an incident at hisWashington Irving High School inManhattan. He had been working for theschool during class hours, installingWindows on what he called their“obsolete” computers, when one daywhile Hector was walking through the

school’s metal detector, its chief ofsecurity stopped him to ask about thescrewdriver he was carrying.

“I am the geek that fixes your systemwhen you forget not to execute weird.exes,” he recalled saying.

“Hey, don’t give me an attitude, boy,”the head of security replied, staring athim. Monsegur explained it again. Hewas a student who worked on the “non-functioning computers during my schooltime.” The security head took thescrewdriver.

“Thanks,” he said. “I’m keeping this.”Embarrassed and angry, Monsegur wrotea complaint and gave it the school’sauthorities, accusing the security head of“corporal punishment” and “disrespect.”

When the complaint was ignored, hedistributed a “controversial piece ofwriting” to his teachers. During class,the school’s principal paid him a visit,asking if he would step aside so theycould talk. He and other school officialsfound Monsegur’s writing threatening, hesaid.

“The guy stares me down,” Monsegurwrote in his essay. “Disrespects mephysically in front of tens of students.What happened to my complaint? Whereis the justice I seek?” Monsegur feltjilted. Weeks later he got a call from histeacher, who he described as saying hewas “temporarily expelled from theschool.”

Monsegur replied, “Very well then, it

is such a shame that one such as myselfwould have to be deprived of myeducation because of my writing.” Justas the teacher was about to reply,Monsegur hung up. New York’sAdministration for Children’s Servicesthen requested he meet with apsychologist for a mental evaluation.Monsegur claimed that he passed. But healso left high school without finishingthe ninth grade.

Online, he could live out hisambitions and avoid the “disrespect” hefelt from figures of authority. By now hewas learning how to break into the webservers of big organizations, fromJapanese universities to third-worldgovernments. Monsegur liked the buzz of

subjugating a computer system, and soonhe was veering from protecting them onhis internships, to breaking into them inhis spare time.

He had meanwhile discoveredhacktivism. When he was sixteen andwatching TV one day, Monsegur saw anews broadcast about protests inVieques, an island off the coast of PuertoRico. The U.S. Navy had been using thesurrounding waters as a test-bombingrange, and a year earlier, in 1999, astray bomb had killed a local civilianguard. The guard’s funeral receivedglobal press attention and sparked awave of protests against the bombings.In the TV broadcasts, soldiers pushedagainst protesters, including the

Reverend Al Sharpton, a communityleader in New York that Monsegur hadbecome aware of through his growinginterest in left-wing activism. Somethingsnapped inside him.

He went to his computer and drew upa network map of the entire IP space forPuerto Rico, and he found that acompany called EduPro was running thegovernment sites. He hacked into theservers, discovered the root password,and got administrative access. In the heatof the moment, he also typed up an angrymissive in Microsoft Word, ignoring hisown typos: “Give us the Respect that wedeserve,” he wrote. “Or shall we take itby force? Cabron.” He brought down thePuerto Rican government’s websites and

replaced them all with his message,which stayed up for several days.Smiling at his work, Monsegurconsidered this his first act ofhacktivism. When the U.S. military gavecontrol of the Vieques base back to thelocals two weeks later, he felt it waspartly thanks to him.

Monsegur wanted to keep going. Hethrew himself into hacking, joining thefirst stirrings of a cyber war betweenAmerican and Chinese hackers, whichmostly involved young men from eachside trash-talking and defacing websitesin the other side’s country. OperationChina took place in 2001, the same yearthat Monsegur appears to have droppedout of high school. Beijing at that time

had refused to give President Clintonaccess to a U.S. spy plane that hadcollided with a Chinese fighter jet andcrash-landed on Hainan island. Thesurviving U.S. crew were held foreleven days, and in that time a few gung-ho American computer hackers likeMonsegur broke into hundreds ofChinese websites and defaced them withmessages like “We will hate Chinaforever.” The Chinese hackers hit backwith the likes of “Beat downImperialism of America.” By this point,Monsegur was regularly using thenickname Sabu, borrowed from theprofessional wrestler who was popularin the 1990s for his extreme style, andwho played up his minority status by

claiming to be from Saudi Arabia, whenhe was actually from Detroit and ofLebanese descent. Sabu, similarly,claimed online to be born and bred inPuerto Rico.

Monsegur’s group was calledHackweiser; it was founded in 1999 bya talented Canadian hacker nicknamedP4ntera. It counted between ten andfifteen hackers as members whenMonsegur joined. His role in the groupwas one that would remain the same adecade later: he hacked into, or rooted,as many servers as he could. Later in2001, after Sabu had spent severalmonths learning the ropes withHackweiser, P4ntera suddenly wentmissing. Monsegur realized that if the

group’s charismatic leader could getarrested, the same could happen to him.He wrestled with his ego. He lovedseeing “Sabu” gain notoriety for theaudacious hacks he was carrying out, buthe did not want to go to jail.

“We humans suffer from egos,” Sabulater remembered. “We have a need tohave our work appreciated.” ButMonsegur decided to play it safe, and hestopped all public use of the name Sabuand went underground for the next nineyears. If “Sabu” ever appeared online, itwas only in private chat rooms. He alsotried using his programming skills forlegitimate means. In 2002 he started agroup for local programmers in Python,a popular programming language.

Introducing himself as Xavier Monsegur,he invited others to “integrate theirknowledge into one big mass of hairyinformation” and said that the site he hadmade was “nere [sic] its final layoutstate…It’ll be all about us, ourknowledge, our ideas, just ‘us’ having afun time and enjoying what we have andcan do.”

The sociable programmer went on tofreelance for a Swedish IT securitycompany called Tiger Team, then foundwork with the peer-to-peer file-sharingcompany LimeWire. He continued livingwith his grandmother and used hiscomputer-hacking skills to helpneighbors in the apartment blockfraudulently raise their credit ratings.

Money thus came sporadically from bothlegal and illegal sources: sometimes itwas from Monsegur’s legitimate work;other times it was from selling marijuanaon the streets, or hacking into a computernetwork to steal credit card numbers.

But problems came all at once in2010, when he was twenty-six.Monsegur’s father and aunt had beenreleased from prison, but his aunt Irishad resumed selling heroin and that yearwas arrested again. She left her twodaughters in Monsegur’s care, and he gotlegal custody. At around the same time,he lost his job at LimeWire after therecording-industry group RIAA hit thecompany with a $105 million lawsuitand it was forced to lay off workers.

Worse, Monsegur’s grandmother withwhom he had lived since the age offourteen died.

“That messed him up,” a familymember later told the New York Times,referring to his grandmother’s death.Monsegur became more disruptive,hacking into auto companies andordering car engines and disturbing hisneighbors by playing loud music, oftenuntil 4:00 a.m. in the home where hisgrandmother no longer lived. Monsegurwas unemployed and drifting.

Then in early December, out ofnowhere, Anonymous burst onto thescene with WikiLeaks, offering a causethat Monsegur could be passionateabout. He watched the first attack on

PayPal unfold and saw echoes of hiswork with Hackweiser and his protestattack for the island of Vieques, but on amuch grander scale. He would later saythat Anonymous was the movement hehad been waiting for all those years“underground.”

On December 8, when AnonOps hadits highest surge of visitors for the initialbig attack on PayPal, Monsegur signedinto the public chat room, using thenickname Sabu for the first time inalmost a decade. It was chaos onAnonOps IRC, with hundreds of trollsand script kiddies (wannabe hackers) alltalking over one another.

“We need the name of the wiredemployee who just spoke on cnn,” he

said, referring to Wired magazine’s NewYork City bureau chief, John Abell.“john swell? john awell? pm me thename please.!!!” As Sabu, he repeatedthe request three times. Eventually hezeroed in on Tflow, who was droppingadvanced programming terms. AfterSabu and Tflow talked via privatemessages, neither of them revealing histrue location or any other identifyinginformation, Tflow showed Sabu into thesecret channel for hackers,#InternetFeds.

#InternetFeds was secure and quiet. Inthe open AnonOps chat rooms, hundredsclamored for large, impossible targetslike Microsoft and Facebook. There waslittle point trying to reason with the

horde and explain why those targetswouldn’t work, that you needed to find aserver vulnerability first. It was liketrying to explain the history of baseballto a noisy stadium full of people itchingto see a home run. It had been the samein Chanology, when the #xenu channelwas backed by the quiet planning in#marblecake. Discord grew in#operationpayback over who should feelthe wrath of Anonymous next; theWikiLeaks controversy was recedingfrom the headlines, and the hackers hadgrown bored with trying to attackAssange’s critics. Sabu, Kayla, and theothers in #InternetFeds increasinglytalked about focusing their efforts onanother growing news story: revolution

in the Middle East.Sabu was already interested in the

region, having attended a protest marchor two for Palestine when he wasyounger. Now he and the others wereseeing articles about demonstrations inTunisia that had been sparked bydocuments that WikiLeaks had released.Tunisia’s government was known foraggressively censoring its citizens’ useof the Internet. Websites that werecritical of the government were hacked,their contents deleted and their serversshut down. Locals who visitedprodemocracy e-newsletters and blogswould often be met with error messages.

In early January of 2011, thegovernment censorship appeared to get

worse. Al Jazeera reported that theTunisian government had startedhijacking its citizens’ Facebook loginsand password details in a processknown as phishing. Normally this was atactic of cyber criminals; here, agovernment was using it to spy on whatits citizens were saying on socialnetworks and mail services like Gmailand Yahoo. If officials sniffeddissenters, they sometimes arrestedthem. Locals needed to keep changingtheir Facebook passwords to keep thegovernment out. At a time when thecountry of more than ten million peoplewas on the edge of a politicalrevolution, protesters and regularcitizens alike were struggling to avoid

government spies.The hackers in #InternetFeds came up

with an idea, partly thanks to Tflow. Theyoung programmer wrote a web scriptthat Tunisians could install on their webbrowsers and that would allow them toavoid the government’s prying eyes. Thescript was about the length of two sidesof paper, and Tflow tested it withanother Anon in Tunisia, nicknamedYaz, then pasted it onto a website calleduserscripts.org. He and a few others thenadvertised the link in the #OpTunisiachat room on AnonOps, on Twitter, andin digital flyers. It got picked up by afew news outlets. The hacktivist Q wasone of the #InternetFeds members andalso one of the dozen channel operators

in the #OpTunisia channel. He begantalking with Tunisians on AnonOps—theones who were web-savvy enough toaccess it via proxy servers—andencouraged them to spread news of thescript through their social networks.

“OpTunisia fascinated me,” Q latersaid in an interview. “Because weactually did make an impact by pointingWestern media to the things happeningthere.” Within a few days, news of thescript had been picked up by technologynews site ArsTechnica and it had beendownloaded more than three thousandtimes by Tunisian Internet users.

Sabu was impressed, but he wanted tomake a different kind of impact—alouder one. Thinking back to how he had

defaced the Puerto Rican governmentwebsites, he decided he would supportthe Tunisian revolution by embarrassingits government. It helped that Arabgovernment websites were relativelyeasy to hack and deface.

Sabu and a few others from#InternetFeds discovered there were justtwo name servers hosting Tunisia’sgovernment websites. This was unusual—most governments and largecompanies with Web presences ran onseveral name servers, so a hacker takingdown a few usually didn’t do muchdamage. In Tunisia’s case, however,shutting down just two name serverswould take the government completelyoffline.

“It was a very vulnerable set-up,” onehacker that was in #InternetFedsrecalled. “It was easy to shut them off.”

To take the Tunisian servers offline,Sabu did not use a botnet. Instead, helater claimed, he hijacked servers from aweb-hosting company in London thatallowed him to throw ten gigabytesworth of data per second at the Tunisianservers. These were broadcast servers,which could amplify many times theamount of data spam of a basic server; itwas like using a magnifying glass toenhance the sun’s rays and destroy agroup of ants. Sabu single-handedly keptthe Tunisian servers down for fivehours. Soon, though, authorities on theother side were filtering his spoofed

packets, like the owner of a mansiontelling his butler not to bring in mailfrom a particular person. The traffic hewas sending was losing its effect.Undeterred, Sabu called an old friendfor help, someone he knew from his daysof dabbling in cyber crime. While Sabuhit the first name server, the other tookdown the second.

Tunisia was where Sabu really gotinvolved in Anonymous for the firsttime. He not only took down thegovernment’s online presence; he and afew others also trudged through dozensof government employee e-mails.

But the government fought back again.It blocked all Internet requests fromoutside Tunisia, shutting itself off from

foreign Internet users like Sabu. Sabuwanted to deface the site of Tunisianprime minister Mohamed Ghannouchi,but he would have to do that from insidethe country, and he wasn’t about to geton a plane. So on January 2, he signedinto the #OpTunisia chat room with itsdozen channel operators and severalhundred other Anons from around theworld, including Tunisia. There was talkof using proxies and potential DDoSattacks; questions about what was goingon. Then Sabu hit the caps lock key andmade his grand entrance.

“IF YOU ARE IN TUNISIA ANDARE WILLING TO BE MY PROXYINTO YOUR INTERNET PLEASEMSG ME.” The room went almost

silent. After a few minutes, Sabu got aprivate reply from someone with anautomated username like Anon8935—ifyou didn’t choose a unique nickname onAnonOps, the network would give youone similar to this—a man who claimedto be in Tunisia. Sabu didn’t know theman’s real name and didn’t ask. Hedidn’t know if Anon8935 was sitting inthe sweltering heat of a city or tuckedaway in a quiet suburb. The man saidonly that he’d been a street protester andnow wanted to try something different,something with the Internet. Troublewas, Anon8935 didn’t know a thingabout hacking. Sabu gave him somesimple instructions, then said, “Mybrother. Are you ready?”

“Yes,” the other replied.“You realize I’m going to use your

computer to hack pm.gov.tn?”“OK,” the main replied. “Tell me

what to do.”Sabu sent over some brief instructions

for downloading and installing aprogram that would let Sabu take controlof the man’s computer. Soon he wasoperating on an antiquated version ofWindows and an achingly slow Internetconnection.

“See me?” Sabu asked, moving themouse cursor.

“OK!” the man typed back.Sabu set to work while the Tunisian

man sat and watched. Sabu opened upthe command prompt and began typing

programming code that his new friendhad never seen before, a lengtheningcolumn of white text against a blackbackground representing the back roadsof the Web. About forty minutes later,Sabu brought up the official website ofTunisia’s president. Sabu imagined theman’s eyes growing wider at this point.Within minutes, the president’s officialwebsite was gone, replaced by a simplewhite page with black lettering. At thetop, in large Times New Roman font, itread “Payback is a bitch, isn’t it?”Underneath was the giant blacksilhouette of a pirate ship and the nameOperation Payback. The word operationreinforced the idea that this wasn’t just aprotest or anarchy; it was a mission.

In the meantime, Tflow had toldTopiary that a hack on Tunisia wasunder way, and he asked if he couldcreate an official deface statement.Topiary wrote it up and passed thestatement to Tflow, who sent it to Sabu,who used it to replace the official site ofTunisian prime minister Ghannouchi.“Greetings from Anonymous,” the homepage of pm.gov.tn now read. “We havebeen watching your treatment of yourown citizens, and we are both greatlysaddened and enraged by yourbehavior.” It carried on dramaticallybefore ending with the tagline: “We areAnonymous, We are legion…Expect us.”

Sabu stared at the new page and thensat back and smiled.

“You don’t know the feeling of usingthis guy’s Internet to hack the president’swebsite,” he later remembered. “It wasfucking amazing.” The Tunisiangovernment had set up a firewall to stopforeign hackers from attacking itsservers; it had never expected attackersto come from within its own borders.

“Thanks, brother,” Sabu said. “Makesure to delete everything youdownloaded for this and reset yourconnection.” After a few minutes, theman went offline, and some days later,Sabu hung a Tunisian flag in his house.Sabu then heard that the man had beenarrested. While he felt bad for hisvolunteer, Sabu did not feel guilty. Ahigher cause had been served.

“Operation Tunisia,” Sabu laterrecalled, “was the beginning of a serioustechnical advancement for Anonymous.”

On January 14, Tunisian presidentBen Ali stepped down. It was alandmark moment, following a month ofdemonstrations by thousands ofTunisians over unemployment and Ali’soverarching power and culminating in anew form of online protest, an allianceof people on the other side of the worldworking with local citizens.

Ali fled Tunisia and took a plane toSaudi Arabia, and Sabu ended hisweeks-long attack on Tunisiangovernment servers. By February,Ghannouchi would resign too, and overthe coming months, Internet censorship

in the country would fall dramatically. Inthe meantime, Sabu, the hackers in#InternetFeds, and the Anons onAnonOps turned their attention to othercountries in the Middle East. Sabuworked with hackers to take governmentwebsites in Algeria offline, thenaccessed government e-mails inZimbabwe, seeking evidence ofcorruption. Sabu and Kayla continueddoing the rooting; Tflow did thecoordinating; and Topiary wrote thedeface messages. Anonymous’s newMiddle East campaign was moving atlight speed, with teams of volunteershitting a different Arab website almostevery day. They were spurred on by thevulnerabilities they discovered, the

newfound camaraderie—and theresulting media attention.

Kayla in particular was on a roll, butnot just because she wanted to supportthe revolution. The hacker had struck asecret deal with someone who claimedto be with WikiLeaks.

Chapter 10

Meeting the Ninja

As Anonymous turned its attention tothe Middle East in early January of2011, Topiary continued organizing andwriting deface messages in #propagandaand talking to journalists in #reporter.#Command wasn’t much to look atanymore—too many operators and toomuch squabbling. There were abouttwenty Anons in each publicity channel,most of them talented writers who hadwritten Anonymous press releases in thepast. Once in a while, Topiary talked toTflow, who would drop into#propaganda to pick up a deface

message; soon Topiary would see histext on an official government websitefor Zimbabwe. With the help of a FrenchAnon, a French version was also posted.

Topiary liked explaining Anonymousto reporters and writing deface messagesthat shocked a website’s visitors andowners. He also liked learning how todeal with the press, how to get theminterested in a story by offering themexclusive information. He wondered ifthe writers and spokespeople likehimself were among the more influentialmembers of Anonymous in the worldoutside the collective. Soon peoplestarted inviting him into more channelsthat no one else talked about publicly.On January 2, he got an important tap on

the shoulder, this time from Tflow.Sabu, via a local volunteer, had been

preparing to take control of the primeminister’s website, and he needed agood deface message, quickly.

“The government of Tunisia’s mainsites are going to be hacked,” Tflow toldTopiary. “Can you design the defacemessage?” Topiary felt an instant buzz.This was the first time anyone hadtrusted him with the knowledge that ahack was about to happen. Eager to help,he and Tflow discussed the timing ofwhat they referred to as the deface, andthen Topiary wrote his usual ominousmessage to the repressive Tunisiangovernment.

As the hack was happening and the

deface message being uploaded, Topiaryand Tflow went into the main AnonOpschat rooms and gave a runningcommentary of the attack, to inspire thetroops a little.

When it was all over, Tflow surprisedTopiary again by inviting him into#InternetFeds. He was effectivelytrusting Topiary to collaborate and shareideas with some of the most highlyskilled hackers working withAnonymous. Topiary had been a strangerto these people, but gradually he wasgetting their attention.

Over the next month, much of Sabu’shacking and Topiary’s writing would beat the forefront of Anonymous cyberattacks on the governments of Libya,

Egypt, Zimbabwe, Jordan, and Bahrain.Anonymous was not only defacing sitesbut releasing government e-mailaddresses and passwords. Attacks alsocontinued in other parts of the world inthe name of Anonymous; two Irishhackers defaced the website of Ireland’smain opposition party, Fine Gael. It wasa flurry of revolutionary activity thatmade Anonymous suddenly look lesslike a bunch of bored pranksters andmore like real activists.

Then on February 5, Tflow sentTopiary another private message onAnonOps IRC, this time inviting him intoan even more secret IRC channel thatwould include just a handful of corepeople from #InternetFeds. When

Topiary entered the exclusive chat room,he forgot he had (as a joke) set aprogramming script to run on his IRCclient that would kick anyone out of theroom who didn’t use at least 80 percentcapital letters. His first interaction withSabu involved kicking him out of thechat room. Embarrassed, Topiaryapologized and quickly turned off thescript. But Sabu took it well, and thegroup of five—Topiary, Sabu, Kayla,Tflow, and Q—quickly got to talking.The topic was HBGary and AaronBarr’s article in the Financial Times.

Topiary couldn’t get his head aroundwho or what Kayla was. He vaguelyremembered seeing the name Kayla onhis old MSN chat list, a 2008 4chan

flood, and articles about her onEncyclopedia Dramatica. In betweenlots of smiley faces and lols, she talkedabout hacking like it was an addiction.She couldn’t look at a website withoutchecking to see if there were holes in thesource code that she could exploit,perhaps allowing her to steal a databaseor two. She was a conundrum: Sheseemed to be the chattiest, most happy-go-lucky person in the group, but shewas also paranoid and apparentlydangerous. She had developed a cast-iron protection for her real identity, andthe bold admission that she was sixteen,along with the overwhelming number ofemoticons and hearts (<3), suggested shewas trying too hard to come across as a

girl.Topiary knew that female hackers

were extremely rare; a hacker whoclaimed to be female was more likelynot in real life, though they werepossibly transgender, gay, or at leastthinking along those lines. An onlinefriend of Topiary, nicknamed JohnnyAnonymous, conducted his own ad hoconline poll in late 2010. He put a seriesof questions to a hundred and fifty usersof the early AnonOps network. Aboutsixty, or one-third, identified themselvesas LGBT (lesbian, gay, bisexual, ortransgender), while the rest said theywere straight.

“We have jokes about transvestitesbecause there are so many of them

among us,” Johnny Anonymous said inan interview.

Kayla was obsessive about hiding heridentity, which was why Topiary latercalled her the ninja. She rotated herpasswords almost daily. She claimed tokeep all her data on a tiny microSDcard, and she kept her operating systemon a single USB stick that she used toboot up her netbook. Like most hackers,she used a VM (virtual machine) to doall her Internet witchcraft; it acted as abuffer between her computer and her lifeonline, so if anyone ever hacked her,he’d only get to the virtual machine.Unlike Topiary and many other Anons,she avoided using a virtual privatenetwork (VPN). She didn’t trust them,

since a VPN provider could always giveher details to the police. She kept a low-end cell phone with an unregistered SIMcard, the most secure device she had,and she used it to note down all herpasswords. She partitioned a smalldrive called sys on her phone that sheused to store malicious code.

It sounded paranoid, but Kayla saidlater in an interview that she learned aterrifying lesson about the need to scrubthe Web clean of her identity soon aftershe started attacking hacker forums. Thestory went that when Kayla was younger(she claimed fourteen) and trying to doxother hackers for fun, she had at onepoint picked the wrong target. It was amale hacker who managed to do some of

his own digging, and he found one of herold e-mail addresses on another forum.He got her name, date of birth, town, andsome information on her family. Hecalled her house, and when sheanswered, he threatened angrily to callthe police. In recounting the story, Kaylasaid that he refused to believe her ageand that she broke down in tears. Whenhe eventually calmed down, theyarranged to meet in a nearby city. Theypicked a crowded mall and eventuallythe two found each other and sat down totalk. The man was interested in Kayla’slife and why she hacked. He revealedthat he had found her details from oldMSN profiles and hacker forum profiles,and for Kayla, the realization was like a

slap in the face: her information was outthere, just waiting to be discovered.

As soon as Kayla got home, shewiped everything from her accounts,deleting every e-mail, and read moreabout how to become completelyinvisible on the Internet. Within a year,she had her almost-militaristic regime inplace and had become confident enoughto start hacking bigger names. Shecouldn’t shake the lure of hacking—therewas just something about having accessto information that others didn’t have.Her online name, after all, meant“Keeper of keys” in old English. And theattack that would seal her place in the#InternetFeds chat room and in the mindsof other hackers was her assault on the

news site Gawker.Gawker had once been in Anon’s

good books. It had been the first newssite to boldly publish the crazy TomCruise video that helped sparkChanology. But then the site’s famouslysnarky voice turned on Anonymous,reporting on major 4chan raids asexamples of mass bullying. AfterGawker’s Internet reporter Adrian Chenwrote several stories that poked fun atAnonymous, mocking its lack of realhacking skills and 4chan’s cat fights withTumblr, regulars on /b/ tried to launch aDDoS attack on Gawker itself, but theattack failed. In response, Gawkerwriter Ryan Tate published a story onJuly 19, 2010, about the failed raid,

adding that Gawker refused to beintimidated. If “sad 4chaners have aproblem with that, you know how toreach me,” he added. Kayla, at the time,had bristled at the comment and felt herusual urge to punish anyone whounderestimated her, and nowAnonymous.

“We didn’t really care about it tillthey were like, ‘lol you can’t hack us noone can hack us,’” Kayla later said in aninterview. Though Gawker had not saidthis literally, it was the message Kaylaheard.

She decided to go after the site. Kaylaand a group of what she later claimedwas five other hackers met up in a chatchannel called #Gnosis, on an IRC

network she had set up herself calledtr0lll. Anywhere from three to ninepeople would be on the network at anygiven time. Kayla actually had severalIRC networks, though instead of hostingthem herself she had other hackers hostthem on legitimate servers in countriesthat wouldn’t give two hoots about aU.S. court order. Kayla didn’t like tohave her name or pseudonym on anythingfor too long.

People close to Kayla say she set uptr0ll and filled it with skilled hackersthat she had either chosen or trained.Kayla was a quick learner and liked toteach other hackers tips and tricks. Shewas patient but pushy. One studentremembered Kayla teaching SQL

injection by first explaining the theoryand then telling the hackers to do it overand over again using differentapproaches for two days straight.

“It was hell on your mind, but itworked,” the student said. Kaylaunderstood the many complex layers tomethods like SQL injection, a depth ofknowledge that allowed her to exploitvulnerabilities that other hackers couldnot.

On tr0lll, Kayla and her friendsdiscussed the intricacies of Gawker’sservers, trying to figure out a way tosteal some source code for the site. Thenin August, a few weeks after Gawker’s“sad 4chaners” story, they stumbledupon a vulnerability in the servers

hosting Gawker.com. It led them to adatabase filled with the usernames, e-mail addresses, and hashes (encryptedpasswords) of 1.3 million people whohad registered with Gawker’s site sothey could leave comments on articles.Kayla couldn’t believe her luck. Hergroup logged into Nick Denton’s privateaccount on Campfire, a communicationtool for Gawker’s journalists andadmins, and spied on everything beingsaid by Gawker’s staff. At one point,they saw the Gawker editors jokinglysuggesting headlines to each other suchas “Nick Denton [Gawker’s founder]Says Bring It On 4Chan, Right to MyHome,” and a headline with a homeaddress.

They lurked for two months before amember of the group finally hacked intothe Twitter account of tech blogGizmodo, part of Gawker Media, andKayla decided to publish the privateaccount details of the 1.3 millionGawker users on a simple web page.One member of her team suggestedselling the database, but Kayla wanted tomake it public. This wasn’t about profit,but revenge.

On December 12, at around eleven inthe morning eastern time, Kayla cameonto #InternetFeds to let the others knowabout her side operation againstGawker, and that it was about to becomepublic. The PayPal and MasterCardattacks had peaked by now, and Kayla

had hardly been involved. This was howshe often worked—striking out on herown with a few other hacker friends totake revenge on a target she feltpersonally affronted by.

“If you guys are online tomorrow, meand my friends are releasing everythingwe have onto 4chan /b/,” she said. Thefollowing day, she and the others gracedthe “sad 4chaners” themselves withmillions of user accounts from Gawkerso that people like William could havefun with its account holders.

Gawker posted an announcement ofthe security breach, saying, “We aredeeply embarrassed by this breach. Weshould not be in a position of relying onthe goodwill of hackers who identified

the weaknesses in our systems.”“Hahahahahahha,” said an Irish

hacker in #InternetFeds calledPwnsauce. “Raeped [sic] much?” Andthat was hacker, “SINGULAR,” headded. “Our very own Kayla.” Kaylaquickly added that the job had been donewith four others, and when anotherhacker in #InternetFeds offered to writeup an announcement on the drop for /b/,she thanked him and added, “Don’tmention my name.”

Gnosis, rather than Anonymous, tookcredit for the attack. Kayla said she hadbeen part of Anonymous since 2008 andup to that point had rarely hacked foranything other than “spite or fun,” withGawker being her biggest scalp. But

after joining #InternetFeds, she startedhacking more seriously into foreigngovernment servers.

Kayla had not joined in the AnonOpsDDoS attacks on PayPal andMasterCard because she didn’t caremuch for DDoSing. It was a waste oftime, in her view. But she still wanted tohelp WikiLeaks and thought that hackingwas a more effective means of doing so.Not long after announcing the Gawkerattack, Kayla went onto the main IRCnetwork associated with WikiLeaks andfor several weeks lurked under a randomanonymous nickname to see what peoplewere saying in the main channels. Shenoticed an operator of that channel whoseemed to be in charge. That person

went by the nickname q (presented hereas lowercase, so as not to be confusedwith the hacktivist Q in #InternetFeds).Supporters and administrators withWikiLeaks often used one-letternicknames, such as Q and P, because itwas impossible to search for them onGoogle. If anyone in the channel had aquestion about WikiLeaks as anorganization, he or she was oftenreferred to q, who was mostly quiet. SoKayla sent him a private message.

According to a source who was closeto the situation, Kayla told q that shewas a hacker and dropped hints aboutwhat she saw herself doing forWikiLeaks: hacking into governmentwebsites and finding data that

WikiLeaks could then release. She wasunsure of what to expect and mostly justwanted to help. Sure enough, q recruitedher, along with a few other hackersKayla was not aware of at the time. Tothese hackers and to q, WikiLeaksappeared to be not only an organizationfor whistle-blowers but one thatsolicited hackers for stolen information.

The administrator q wanted Kayla toscour the Web for vulnerabilities ingovernment and military websites,known as .govs and .mils. Most hackersnormally wouldn’t touch these exploitsbecause doing so could lead to harsh jailsentences, but Kayla had no problemasking her hacker friends if they had any.mil vulnerabilities.

Kayla herself went into overdrive onher hacking sprees for q, one sourcesaid, mostly looking for vulnerabilities.“She’s always been blatant, out-in-your-face, I’m-going-to-hack-and-don’t-give-a-shit,” the source said. But Kayla didnot always give everything to q. Aroundthe same time that she started hacking forhim, she got root access to a major web-hosting company—all of its VPSs(virtual private servers) and everynormal server—and she started handingout the root exploits “like candy” to herfriends, including people on theAnonOps chat network.

“She would just hack the biggest shitshe could and give it away,” said thesource, dropping a cache of stolen credit

card numbers or root logins thendisappearing for a day. “She was likethe Santa Claus of hackers.”

“I don’t really hack for the sake ofhacking to be honest,” Kayla later saidin an interview. “If someone’s moaningabout some site I just have a quick lookand if I find a bug on it I’ll tell everyonein the channel. What happens from thereis nothing to do with me. :P.” Kayla saidshe didn’t like being the one whodefaced a site and preferred hidingsilently in the background, “like a ninja.”

“Being able to come and go withoutleaving a trace is key,” she said. Thelonger she was in a network likeGawker’s, the more she could get in andtake things like administrative or

executive passwords. Kayla likedAnonymous and the people in it, but sheultimately saw herself as a free spirit,one who didn’t care to align herself withany particular group. Even when shewas working with AnonOps or thepeople in #InternetFeds, Kayla didn’tsee herself as having a role or area ofexpertise.

“I’ll go away and hack it, come backwith access and let people go mad,” shesaid. Kayla couldn’t help herself most ofthe time anyway. If she was readingsomething online she would habituallystart playing around with theirparameters and login scripts. More oftenthan not, she would find somethingwrong with them.

Still, working for q gave Kayla abigger excuse to go after the .gov and.mil targets, particularly those of third-world countries in Africa or SouthAmerica, which were easier to getaccess to than those in more developedcountries. Every day was a search fornew targets and a new hack. Kayla neverfound anything as big as, say, theHBGary e-mail hoard for q, but she did,for instance, find vulnerabilities in themain website for the United Nations. InApril 2011, Kayla started puttingtogether a list of United Nations “vulns.”This, for example:

http://www.un.org.al/subindex.php?faqe=details&id=57

was a United Nations server that wasvulnerable to SQL injection, specificallysubindex.php. And this page at the time:

http://www.un.org.al/subindex.php?faqe=details&id=57%27

would throw an SQL error, meaningKayla or anyone else could inject SQLstatements and suck out the database.The original URL didn’t have %27 at theend, but Kayla’s simply adding that aftertesting the parameters of php/asp scriptshelped her find the error messages.

Kayla eventually got access tohundreds of passwords for governmentcontractors and lots of military e-mailaddresses. The latter were worthless,since the military uses a token system for

e-mail that is built into a computer chipon an individual’s ID card, and itrequires a PIN and a certificate on thecard before anyone is able to accessanything.

It was boring and repetitive work,trawling through lists of e-mailaddresses, looking for dumps from otherhackers, and hunting for anythinggovernment or military related. ButKayla was said to be happy doing it.Every week or so, she would meet onIRC with q and pass over the collectedinfo via encrypted e-mail, then awaitfurther instructions. If she asked whatJulian Assange thought of what she wasdoing, q would say he approved of whatwas going on.

It turned out that q was good at lying.Almost a year after Kayla started

volunteering for WikiLeaks, otherhackers who had been working with qfound out he was a rogue operator whohad recruited them without Assange’sknowledge. In late 2011, Assange askedq to leave the organization. Kayla wasnot the only volunteer looking forinformation for what she thought wasWikiLeaks. The rogue operator had alsogotten other hackers to work with him onfalse pretenses. And in addition, onesource claims, q stole $60,000 from theWikiLeaks t-shirt shop and transferredthe money into his personal account.WikiLeaks never found out what q wasdoing with the vulnerabilities that Kayla

and other hackers found, though it ispossible he sold them to others in thecriminal underworld. It seemed, eitherway, like q did not really care aboutunearthing government corruption, andKayla, a master at hiding her trueidentity from even her closest onlinefriends, had been duped.

None of this mattered come Februaryof 2011 when Kayla began talking withTflow, Topiary, and Sabu in theexclusive new chat room that wouldbring them together for a landmark heiston Super Bowl Sunday: the attack onHBGary Federal. The bigger secret,which Kayla didn’t know then, was thatSabu would not only get her deeper intoa world of hacking that would become

front-page news, but watch as her detailsgot passed on directly to the FBI.

Chapter 11

The Aftermath

It was February 8, 2011, two days afterSuper Bowl Sunday. Aaron Barr wasgrabbing shirts out of his closet, quicklyfolding them, and placing them into themedium-size suitcase that rested on thebed in front of him. This was no madrush, but Barr had to move. He had spentfifteen years in the military, and he andhis family were now expert travelers.They made their preparations quicklyand with quiet efficiency. His wife waspacking a separate bag, the silenceinterrupted only by the occasionalquestion about traveling arrangements.

Just two hours before, Barr had beenback in his study catching up on theflood of news stories about the HBGaryattack and the new, disastrous view themedia was taking of Barr’s proposals toHunton & Williams against WikiLeaksand Glenn Greenwald.

Learning about the Anonymous hackhad been stressful for him. But themedia’s feast on his controversial e-mails was having a definite effect on hisblood pressure. Barr longed to correcteach story, but lawyers had told him tostay quiet for now. All he could do wasread and grit his teeth. Occasionally,curiosity would overcome his betterjudgment and he would dip into theAnonOps IRC rooms under a pseudonym

to see what the Anons were saying. Hewas still a laughingstock for thehundreds of participants hungry to seeBarr humiliated in new ways. Therewere calls for anyone who lived inWashington, D.C., to drive past Barr’shouse and take pictures or to send himthings in the mail—he received a blindperson’s walking cane and a truckful ofempty boxes. He also got one pizza. Acouple of people had randomly shownup at his front door, and one had tried totake pictures of the inside of his house.Barr had been disturbed but had just sentthem away, figuring this was mostlyharmless. Then, a couple of hoursearlier, he had visited Reddit, a snarkyforum site that had become increasingly

popular with people who liked 4chanbut wanted more intelligent discussion.A user had posted the Forbes interviewwith Barr from the preceding Monday,and amid the analysis and machismo inthe 228 resulting comments, there were afew nasty suggestions about Barr’s kids.It was most likely just talk, but Barrdidn’t want to take any more chances. Ittook only one nutjob to pull a trigger,after all. Minutes later, he had talked tohis wife, and the two started packing.

That afternoon the family loadedeverything into their car, the twinsthinking they were about to embark onsome exciting road trip. Barr’s wife andkids drove south to stay with a friend fortwo weeks while Barr hopped on a

plane to Sacramento. This was whereHBGary Inc. was headquartered andwhere Barr would get into the cleanupjob and start to help the police with theirinvestigation.

Meanwhile, HBGary Inc.’s GregHoglund was working on damagecontrol. He contacted Mark Zwillingerof Internet law firm Zwillinger &Genetski. Mark would later be assistedon the case by Jennifer Granick, a well-known Internet lawyer who hadpreviously represented hackers likeKevin Poulsen and worked for freedom-of-information advocates the ElectronicFreedom Foundation. After talking toZwillinger, Hoglund penned an openletter to HBGary customers. When he

was done, he published it on the nowrestored HBGary website, referringspecifically to HBGary Inc. and not thesister company Barr had run.

“On the weekend of Super BowlSunday, HBGary, Inc., experienced acyber incident. Hackers unlawfullyaccessed the e-mail accounts of twoHBGary Inc. employees, held by ourcloud-based service provider, using astolen password, and uploaded thestolen e-mails to the Internet.”

Hoglund’s letter wasn’t clear aboutwhere it was pointing the finger—thoughthat would change in time. It seemed tosuggest that HBGary’s attackers hadgone to great lengths to access thecompany’s e-mails, when actually the

process had not been difficult at all. Itwas an SQL injection, the simplest ofattacks. Ted Vera’s password,satcom31, had been easy to crack. OnlyHoglund had used a random string ofnumbers and letters that had no relationto any of his other web accounts. Theattack could have been worse too. Thehackers had gotten all kinds of personaldata on HBGary employees, from socialsecurity numbers to home addresses, andphotos of Vera’s kids after gettingaccess to his Flickr account. “This waswhen my moralfag mode kicked in,”Topiary later remembered. The othersagreed that no kids should be involved,and they all decided not to leak thesocial security numbers. “I’m thankful

that we didn’t.”Still, the combination of social media,

blogs, and twenty-four-hour online andTV news meant the names Aaron Barrand HBGary were all over the Internetthe day after Super Bowl Sunday.Topiary’s fake Aaron Barr tweets hadbeen retweeted by Anonymous IRC, afeed with tens of thousands of followers,and there were now thousands of newsstories about Barr.

Barr soon found out the attack hadbeen conducted largely by five people.“I’m surprised it’s a small number,” hesaid in a phone interview early Mondaymorning in Washington, D.C. “There is acore set of people who manage thedirection of the organization. And those

people are, in my impression, verygood.”

Barr sounded tired. “Right now I justfeel a bit exhausted by the whole thing.Shock, anger, frustration, regret, allthose types of things,” he said. “Youknow if I…maybe I should have knownthese guys were going to come after methis way.”

No one knew at the time that thecontent of Barr’s e-mails would proveso controversial and would gain him asmuch press attention as the attack itselfhad, but Barr was already concerned.“The thing I’m worried about the most isI’d rather my e-mails not be all out there,but I can’t stop that now,” he said,adding he would be contacting all the

people he had exchanged e-mails with totell them what was going on. “It does notcause any significant long-term damageto our company so I’m not worried.”About this, Barr was wrong.

As the hack on HBGary Federal wastaking place, Kayla had sent a messageto Laurelai, the transgender woman whoa couple of years before had been asoldier named Wesley Bailey and whowas now becoming a familiar face in theworld of hacking. Kayla told Laurelaithat she was in the middle of “owning” afederal contractor called HBGary andasked if she wanted to come intoAnonOps and see.

Laurelai hopped onto the AnonOps

network to find hundreds of peopletalking over one another about what hadhappened, and the wife of GregHoglund, Penny Leavy, appealing to theattackers in the AnonOps #reporterchannel.

“It was chaos,” Laurelai remembered.Laurelai was now volunteering with awebsite and blog called Crowdleaks, anevolved version of Operation Leakspin.This was the project that had spun offOperation Payback and gotten Anonssifting through WikiLeaks cables.Laurelai had disliked Operation Paybackbecause, like Kayla, she believedDDoSing things was pointless. She likedsifting through data and consideredherself an information broker. She came

aboard Crowdleaks when a mutualfriend suggested she’d make a greatserver admin for the site’s manager, anAnonymous sympathizer nicknamedLexi.

“There’s a huge story brewing fromthis HBGary hack,” Laurelai told Lexi,who replied that Laurelai should cover itfor the blog herself. Laurelaidownloaded Barr’s and Greg’s e-mailsand started searching for terms like FBI,CIA, NSA, and eventually, WikiLeaks. Alist of Barr’s e-mails to Hunton &Williams showed up on her screen. AsLaurelai looked through these e-mails,she stumbled on the PowerPointpresentation Barr had made for the lawfirm in which he suggested ways of

sabotaging the credibility of WikiLeaks.Laurelai did a bit more digging onHunton & Williams and realized that thefirm represented the Bank of America.By now it was widely rumored thatWikiLeaks had a treasure trove ofconfidential data that had been leaked toit from Bank of America and that it wasgetting ready to publish. That’s when thepenny dropped.

“Oh shit,” Laurelai said she thoughtthen. “Bank of America is trying todestroy WikiLeaks.” Her next realizationwas scarier: Barr hadn’t even tried toencrypt the e-mails about the proposal,and he hadn’t seemed that secretiveabout it. It suggested that this sort ofproposal, however unethical, was not

that far from standard industry practices.HBGary Federal was not a rogueoperator; it counted stalwarts in theindustry like Palantir and BericoTechnologies as partners. Laurelaiwrote a blog post for Crowdleaks andcollaborated with a journalist from theTech Herald to report that HBGary hadbeen working with a storied law firmand, indirectly, Bank of America to hurtWikiLeaks.

Still only a couple of days after theHBGary attack, Sabu, Topiary, andKayla did not know about Barr’s strangeproposals on WikiLeaks. Topiary wasstill trawling through the e-mails lookingfor juicy information, and the team wasplanning to publish them on an easy-to-

navigate website that they wanted to callAnonLeaks. If this sort of thing caughton, they figured, AnonLeaks couldbecome a more aggressive, proactivecounterpart to WikiLeaks. Lexi offeredthe server space being used byCrowdleaks, which was using the samehosting company as WikiLeaks.

Just as an Anon named Joepie91 hadfinished programming the e-mail viewer,the group started seeing press reports onthe actual content of the HBGary e-mailsfrom journalists who had alreadydownloaded the entire package viatorrent sites.

The group decided that the searchableHBGary e-mails would be the firstaddition to their new site, AnonLeaks.ru.

But they had no plans for where this newsite would go or how, or even if, itwould be organized.

“I think the media will get confusedand think AnonLeaks is separate toAnonOps or PayBack,” said Kayla. “Idunno. The media ALWAYS seem to getanything Anon wrong.” Still, the teamspent a few days in early Februarywaiting for HBGary Federal’s tens ofthousands of e-mails to compile, andTopiary suggested looking for a fewchoice pieces to put on the newAnonLeaks website as teasers. Thatway, the blank website wouldn’t givethe impression that the team was playingfor time. It was a classic PR strategy—getting the word out initially, then

developing the story with a drip feed ofexclusive information. Among theteasers was an embarrassing e-mail fromBarr to company employees in which hegave them his password, “kibafo33,” sothat they could all take part in aconference call.

Finally, on Monday, February 14,after a few news sites reported that aWikiLeaks-style site called AnonLeakswas coming, the team launched the newweb viewer with all 71,800 e-mailsfrom HBGary. They included 16,906 e-mails from Aaron Barr, more than25,000 e-mails from two other HBGaryexecs, and 27,606 e-mails from HBGaryInc. CEO Greg Hoglund, including alovesick e-mail from his wife, Penny,

that said, “I love when you wear yourfuzzy socks with your jammies.”

Now more journalists startedcovering the story, and the coveragewent on for more than a month. Theattack had been unscrupulous, but theends were an exposé on spying,misinformation, and cyber attacks by asecurity researcher. Hardly anyonepointed out that people with Anonymouswere using exactly the same tactics.

In late February 2011, Barr resignedas CEO of HBGary Federal. A weeklater, Democratic congressman HankJohnson called for an investigation intogovernment, military, and NSA contractswith HBGary Federal and its partnersPalantir and Berico Technologies.

Johnson had read reports of the scandaland asked his staff to look into it.

“I felt duty bound to move for furtherinvestigation,” Johnson said in aninterview at the time. He did not like theidea of government contractors likeHBGary Federal developing softwaretools that were meant to be used incounterterrorism for “domesticsurveillance and marketing to businessorganizations.” Spying on your owncitizens, he added, was bad enough.

“If you have anything else like this comeup,” Laurelai asked Kayla after getting apeek at the chaos from the HBGaryattack, “can you let me know so we canwrite about it?”

“Sure,” Kayla replied. She kept herword. A couple of days later Kaylaasked Laurelai if she wanted to seewhere some action was happening andthen invited her into a new exclusiveIRC channel, again off AnonOps, called#HQ. By now #InternetFeds had beenshut down after rumors that one of thethirty or so participants was leaking itschat logs. This room, #HQ, was smallerand had about six people in it, at most, atany one time. It included everyone whohad helped in the HBGary Federalattack.

“Hang out here and you’ll see whenstuff is about to pop up,” Kayla said.Laurelai was excited about being in#HQ and wondered if she might be able

to help expose other white hat securityfirms that were operating under theirown laws and getting away with the kindof stuff that Anons were getting arrestedfor. Already in January, the FBI hadexecuted forty search warrants onpeople suspected of taking part in theDDoS attacks on PayPal, working off thelist of a thousand IP addresses thecompany had detected.

Though no one else knew it, Laurelaiwas secretly logging everything that wasbeing said in the #HQ room, even whenshe wasn’t in it. Having spent the lasttwo years learning how to hack andsocial-engineer people, she deemed itimportant to document what peoplearound her were saying—at a later date,

the logs could be used to corroboratethings or refute them if necessary.Logging the chat was just standardprocedure for Laurelai. In the meantime,she gradually became disappointed withthe standard of discussion in the room.“They were acting like a bunch of damnkids,” she later remembered.

“SUCH AN AWESOME CREWHERE,” the hacker known as Marduk(and also known as Q) said on February8, the same day Aaron Barr and hisfamily fled their home.

“An Anon Skype party should be inorder,” said Topiary. (It eventuallyhappened, but only with people fromAnonOps who were willing to reveal

their voices.)They threw out occasional ideas for

short projects. Marduk, who had strongpolitical views and seemed to be olderthan most of the others, at one pointasked Kayla to scan for vulnerabilitiesin websites for Algerian cell phoneproviders. He was looking for databasesfull of tens of thousands of cell phonenumbers for Algerian citizens that hecould then hand over to the country’sopposition party for a mass SMS onFebruary 12. It would be another attemptto support the democratic uprising in theMiddle East after the successful attackson Tunisia and Egypt in January.

Kayla seemed more excited aboutpublishing Greg Hoglund’s e-mails.

“Greg’s e-mails are ready. Parsed andeverything,” she said. “The time to fuckGreg is now. :3.”

That was one thing they could allagree on.

“Who is handling media?” Kaylaasked.

“Housh and Barrett,” Topiary said,referring to Gregg Housh fromChanology, who now spoke to the mediaas an expert on Anonymous, and anotherman, called Barrett Brown, whomTopiary would deal with more closelyin the coming weeks.

Eventually, Laurelai introducedherself.

“Hi,” Laurelai said when she firstentered that morning.

“Ahai,” said Marduk. “Welcome towhere the shitstorm began.” Then he gotdown to business. “Laurelai, we can’ttie [HBGary Federal] to WikiLeaks forsure?” he asked.

“I already have,” she answered. “Wegot enough to smear the shit out of them.”That confirmation pleased Marduk.

“They are one strange company,” saidMarduk. “Actually I’m sure it’s agovernment coverup.”

“The government uses thesecompanies to do their dirty work,”Laurelai explained.

The WikiLeaks connection Laurelaihad found conveniently segued with themodus operandi of Operation Payback,making it look almost as if Anonymous

had planned it all.“*Kayla cuddles Laurelai :3 So much

<3,” Kayla wrote with her usualcheerfulness.

“Haha,” Topiary said. “Women on theInternet.”

“You hear about HBGary beingcontracted by Bank of America to attackWikiLeaks?” Kayla told a rarenewcomer to the #HQ chat room, proudto provide the news.

“Seriously?” the person answered.“Fuck this shit’s deep.”

“Fallen right off the diving board anddrowned,” said Topiary. “That’s howdeep it goes.”

Eventually, the group had to talk aboutwhat they would do next. After being

away for about a week, Sabu was backonline, claiming he had a new laptop andeager to discuss future hits.

“So are we going to focus onAnonLeaks, or should I start looking fortargets?” he asked the group. He hadbeen up for the last two days and wasexhausted but wanted to make progressand hit more digital security firms.“HBGary was the tip of the iceberg.”

Overshadowing everything was agrowing sense of unease about theauthorities and, worse, spies andsnitches from anti-Anonymous hackerslike The Jester and his crew. They cameto believe that HBGary Inc.’s GregHoglund had come onto AnonOps undera different alias, trying to track down

Topiary and Marduk.But one of the most prominent people

criticizing Anonymous at that momentwas doing so through Twitter, under theusername @FakeGreggHoush. No one in#HQ knew the real person behind thisaccount, which was created on February16, the day after their HBGary e-mailsviewer went live. This person wasconstantly making biting remarks andeven threatening to expose the realnames of the HBGary attackers on aspecific upcoming date: March 19.@FakeGreggHoush was actuallyJennifer Emick, the former Anon fromChanology who hated the real GreggHoush and who, after breaking awayfrom Anonymous, had begun her own

campaign against it with a few onlinefriends.

Another five Twitter accounts soonappeared, all equally spiteful and allclaiming publicly to know who Topiaryreally was. They were not just makingthese claims to Topiary, but to the wholeAnon community and anyone whofollowed it. A few tweeted to newsreporters that he was leadingAnonymous. “Troll Anonymous hardenough and they name one of their own,”one proclaimed. “Who will be first?”Another said, “Topiary, we are outsideyour flat, taking pictures, we will sendyou a few, just so you know we aren’tfull of shit.” Topiary replied by askingfor high-quality prints. Reading the

tweets was like being poked with a bluntpencil. It didn’t hurt, but it wasincreasingly distracting. The fact was,anyone who really wanted to dox theHBGary hackers could make himselfmore dangerous than the FBI, especiallyif driven by a personal vendetta.

“How much info do you haveavailable on the Internet about yourself,Marduk?” Topiary asked. “I mean deep,like little personal tidbits from like 10years.”

“All, but not as Marduk,” he said.“And nobody, absolutely nobody onAnonOps knows who I am.”

“Just be careful,” Sabu said. “Can’tafford to lose any of you guys.”

Sabu was also worried about his own

safety. While Topiary could rest assuredthat his real name, Jake Davis, wasnowhere on the Web in connection withhim, Sabu knew that “Hector Monsegur”was dotted around the Internet. Also,from what little information the teammembers were sharing with one another,Sabu believed (correctly) that he wasthe only HBGary hacker who lived in theUnited States. This meant the FBI wasalmost certainly on his tail. He gaveTopiary a Google Voice number andasked him to call it every day, withoutfail. The first time Topiary did, he noteda heavy New York accent and asurprisingly young-sounding voice.

“Hey,” Sabu answered.“Hello,” said Topiary. It was the first

time they were speaking to each other invoice, and while it was awkward atfirst, they soon had a normalconversation. Afterward, Sabu wouldalways answer with a coded greetingthat was an homage to an Internet meme:“This is David Davidson.” Sometimeshe would answer the phone while hewas driving; other times he’d be athome, the sound of TV or his twodaughters playing in the background.Sabu made sure his Google Voicenumber was bounced through severalservers all over the world before itfinally got to his BlackBerry. His voicealways sounded clear, though.

As the immensity of their heist madeSabu feel more paranoid, he also grew

increasingly mistrustful of Laurelai, thenewest member to #HQ. His irritationrose when he found out Laurelai hadwritten up a manual for visitors toAnonOps about working in teams tocarry out attacks similar to the one onHBGary.

“Remove that shit from existence,” hesaid. There were no hierarchy,leadership, or defined roles inAnonymous and so no need for anoperations manual. “Shit like this iswhere the Feds will get American Anonson Rico abuse act and other organizedcrime laws.”

Laurelai began arguing with Sabuabout how HBGary had been carriedout, saying the hackers should have taken

their time to exploit more internal infofrom the company. But Sabu was havingnone of it. Keenly aware of his group’sreputation and image and ever fearful ofgetting caught, he pointed out that anoperations doc that gave guidelines forhitting other websites was no differentfrom the proposals Aaron Barr had beencreating on hitting WikiLeaks and thechamber of commerce.

“It makes us look like hypocrites,” hesaid. “Who the fuck is Laurelai and whyis he/she/it questioning our owning ofHBGary?…Who invited you anyway?”Sabu said he felt the channel was beingcompromised and left.

Over the coming days the group ofstill roughly half a dozen people became

increasingly distracted by theories abouttheir enemies, a crew of people hangingout on another IRC network who theybelieved were plotting to dox andexpose them. Who was this@FakeGreggHoush on Twitter? Topiarygot hold of the real Gregg Housh on IRCand asked him if he knew. Houshsuggested it was a woman from back inthe Chanology days (three years ago—almost a lifetime in Internet years)named Jennifer Emick.

Topiary had never heard the name, buthe drew up a document adding JenniferEmick and a few people allegedlyworking with her and showed it to theothers in #HQ. When Laurelai looked atthe document, she suddenly grew

nervous. These were all the people whohad supported her Scientology Exposedwebsite. And while she and Emick hadfought and grown apart, they still talkedfrom time to time. Laurelai believed thatEmick was being framed by someoneelse, probably Housh. Recently, Emickhad told Laurelai privately that Houshwas acting as a puppet master forAnonOps and that he was trying to createchaos in the network. If anything, thiswas Housh’s hand at work, trying to turnAnonOps into his personal army againstEmick and run things like he did in#marblecake, Laurelai reasoned. Shehad no idea that Emick’s real plansinvolved tracking down the peoplebehind Anonymous and unmasking them

publicly.“Topiary, they aren’t behind it,” she

said. “Something a lot more sinister isgoing on.” She called up the memoriesfrom Chanology and asked a weightyquestion. “Does anyone know what‘marblecake’ means?”

There was silence. Nobody did. Oneperson had vaguely heard the name andassociated it with petty fighting overforums, something akin to a previousgeneration of Anonymous. Laurelaicontinued: “Jen’s a little weird, butshe’s harmless.”

While the others quietly rolled theireyes, Laurelai began formulating atheory that she eventually came to fullybelieve: Gregg was trying to get back at

her for an old vendetta in Chanology byimplicating Jennifer Emick. This meantEmick was in danger of being attackedby Anon. Laurelai couldn’t help but feelconvinced by the theory. She had justexposed Barr’s plot against WikiLeaks,hadn’t she? But she was also spendingabout twelve hours a day online whileher mother looked after her two kids.The Internet was becoming her life, andit was hard not to let it take over.

Laurelai contacted Emick and blurtedout the allegations, told her what Houshwas up to, and said that she was in aprivate channel called #HQ with theHBGary hackers. Emick, soundingsurprised, denied plotting anything.

“I don’t care about what’s going on in

AnonOps,” Emick told Laurelai on thephone. “I have no idea what’s going on.”Laurelai took this information back tothe others in #HQ as proof that Emickwas not a saboteur and that all therumors were Housh trying to “get at me.”Marduk and Topiary listened but werewary of the conspiracy theories. Theywere noise.

“Really this shit affects nothing,”Topiary concluded.

But it wasn’t over. Back on Twitter,the @FakeGreggHoush account startedneedling Laurelai, accusing her of beingpart of the group of people who hadworked with Housh in the oldMarblecake chat room (which was nottrue). That was the final straw. Laurelai

wrote back on Twitter and said she hadlogs proving that she wasn’t talking toGregg Housh and that she could providethem, privately, in exchange for newinformation about Housh to help herpiece the conspiracy together andexonerate Emick. “The only thing I careabout is protecting Jen and her friends,”Laurelai said. The Twitter account@FakeGreggHoush agreed.

Laurelai looked over the chat log shehad been diligently keeping that notedeverything said in #HQ for the past weekand a half (from February 8 to February19). She naively believed that if sheshowed them to whoever@FakeGreggHoush was, she wouldexonerate Emick and that no one would

have to know she had leaked the chatlogs. Laurelai copied the entire chat log,about 245 pages, and posted it on theweb app Pastebin. She then sent a directmessage on Twitter to@FakeGreggHoush, telling the person totake a look at the logs. Within a fewminutes, Emick had copied the logs, andLaurelai, still oblivious, had deleted thePastebin file.

“Holy shit,” Emick thought as shestared at the screen. She quickly startedskimming the enormous chat log, theprize that had just been handed to her ona plate. Bizarrely, there was nothing thattruly implicated Gregg Housh but plentyto implicate Sabu, Kayla, and Topiary inthe attack on HBGary Federal. She

started reading the huge log much morecarefully.

Emick’s deceptions of Laurelai, aswell as her alter ego as@FakeGreggHoush, were tactics aimedat outing the real people behindAnonymous. Emick had realized afterHBGary that the best way to takeAnonymous down was simply to showthat people in it were not anonymous atall. All she had to do was find their realnames. And thanks to Laurelai, she wasabout to find Sabu’s.

Part 2

Fame

Chapter 12

Finding a Voice

In mid-February of 2011, as JenniferEmick dug into the HQ logs that Laurelaihad handed her, Topiary was enjoying anewfound popularity on the AnonOpschat network. People on the networknow knew that he had been involved inthe HBGary attack and that he hadhijacked Aaron Barr’s Twitter feed. Forthe Anons, this had been an epic raid,and Topiary was the Anon who knewhow to make it fun, or “lulz-worthy.”Now, whenever Jake signed intoAnonOps as Topiary, he got half a dozenprivate messages inviting him to join an

operation, offering him logs from theCEO of a French security company,requesting that he intervene in a personaldispute, or asking his advice onpublicity.

This was sort of like what washappening to Anonymous itself. Over thecourse of February, the public channelson AnonOps were inundated withrequests from regular people outside thenetwork asking what they thought was agroup of organized hackers to hit certaintargets. The requested sites includedother digital security firms; individuals;government websites in Libya, Bahrain,and Iran; and, naturally, Facebook. Nonewere followed up.

Most attacks came from discussions

that occurred directly on AnonOps IRC,especially discussions betweenoperators like Owen and Ryan. Therewas no schedule, no steps being taken.People would often start planning an op,run into a roadblock, and shelve it.Everything seemed to overlap. Topiaryhimself would rarely finish one projectbefore moving onto another—he’d bewriting deface messages one minute andthe next start reading the Aaron Barr e-mails again.

After his recent invitation into#InternetFeds, Topiary was grantedunusually high status in chat channels byoperators. He would sometimes spend awhole day flitting between chat rooms,cracking jokes, then segueing into some

serious advice on a side operationbefore going to bed, feeling fulfilled. Itwas better than the buzz he’d gotten fromdoing prank calls back on 4chan andunlike anything he had ever experiencedin the real world, let alone in school.Operators and other hackers confirm thathe came across as “charming” and“funny.” Being a talented writer wasuseful in a world where youcommunicated in text, and Topiary’sstyle had hints of mature world-weariness that appealed to Anons.

Topiary rarely interacted with peoplein the real world. There was theoccasional visit to his family, a trip tothe store, or a once-in-a-while meetingof some old friends in his town whom he

knew from online gaming. Perhaps 90percent of all his social interaction nowtook place online. And this suited himfine. He liked entertaining people, andsoon he’d get to do the prank call of hislife.

Starting in early January, many

supporters in Anonymous had suggestedgoing after the Westboro Baptist Church,a controversial Kansas-based religiousgroup known for picketing the funeralsof soldiers with giant signs blaring GODHATES FAGS . They claimed God waspunishing the United States because it“enabled” homosexuality. Westboroseemed like an obvious target forAnonymous, even though the church was

practicing its right to free speech,something that Anonymous wassupposed to fight for.

But soon enough, someone laid downthe gauntlet. On February 18, out of theblue, a public letter was posted onAnonNews.org (anyone could post oneon the site) issuing a threat with theflourish of unnecessarily formallanguage. “We have always regardedyou and your ilk as an assembly ofgraceless sociopaths and maniacalchauvinists,” it told Westboro.“Anonymous cannot abide by thisbehavior any longer.” If the messagewas ignored, Westboro would “meetwith the vicious retaliatory arm ofAnonymous.” The letter ended with the

“We are Anonymous, We are Legion”slogan. The first day, no one noticed theletter. The next day, however, someonefrom #Philosoraptors asked if anyoneknew where it had come from. Nobodydid. An empty threat that wasn’tfollowed up would make Anonymouslook weak if the media picked up on it.One of the operators ran a search on allthe network’s chat channels and found asecret, invite-only room called#OpWestboro. It looked like a couple ofbored trolls had been trying to get somepress attention.

To everyone’s chagrin, the trolls gotit. The attack on HBGary had excitednews reporters so much that any hint ofan Anonymous threat suddenly had a

veneer of credibility. Several newsoutlets, including tech site Mashable,reported on the latest Anonymous“threat,” updating their stories on thesame day with a gleeful public ripostefrom Westboro. Megan Phelps-Roper,the curly-haired granddaughter ofWestboro Baptist’s founder, FredPhelps, quickly tweeted, “Thanks,Anonymous! Your efforts to shut upGod’s word only serve to publish itfurther.…Bring it, cowards.” The churchalso posted an official flyer on itswebsite in a screaming, bold font,headlined “Bring it!” and callingAnonymous “coward cry-baby‘hackers,’” “a puddle of pimple facednerds,” and adding that “nothing will

shut-up these words—ever.” They wereclearly reveling in the prospect of adogfight.

About five writers in #Philosoraptorsscrambled to write a new, official-sounding press release to douse the fire.“So we’ve been hearing a lot aboutsome letter that we supposedly sent youthis morning,” they said. “Problem is,we’re a bit groggy and don’t remembersending it.” Several news reportsquickly picked this up. “It’s a Hoax,”cried PCWorld.com, “Anonymous DidNot Threaten Westboro Baptist Church.”Now people were getting confused. WasAnonymous going to attack WestboroBaptist Church or not? This troubledTopiary. He disliked the public

confusion about what Anonymous wasplanning to do. He had seen it inDecember of 2010, when Anonymoussaid it would take down Amazon.comand then didn’t because of the squabbleswith botmasters Civil and Switch. Hedidn’t want it to look like Anonymoushad failed again.

Topiary popped into #InternetFedsand noticed that one of the participantshad some interesting news. The first,fake threat against Westboro had gottenhim curious enough to poke around in thechurch’s computer network, and he’dfound a vulnerability. Two other hackershad found a way to exploit the securityhole. If they wanted, they could takedown several of Westboro’s key

websites, including its mainGodHatesFags.com site, and defacethem too.

“We might as well do somethingnow,” they said. Most of the dozen or sopeople in #InternetFeds, including Tflowand the AnonOps operator Evilworks,began talking about hitting Westboro,revving one another up for what couldbe another spectacular attack. Freespeech aside, it would at least bringclosure to the confusion.

“So what should we do now?”someone asked. The people in#InternetFeds were good at hacking butterrible at publicity. That’s whenTopiary piped up. “We should do this asan event, not just the usual defacement,”

he said. Then he had an idea. “Gonnacheck something out. Be right back.”

Topiary wanted to confirm it beforegetting people’s hopes up, but in all thetalk of Westboro, he had rememberedhearing about a YouTube video of arecent radio show in which Westborospokeswoman Shirley Phelps had beentalking about the alleged Anonymousthreat. What if he could get on that radioshow and confront Shirley himself?

The David Pakman Show was a currentaffairs program recorded at GreenfieldCommunity College in Massachusetts.Set in a studio with full lighting andmultiple cameras, the show wasrecorded for TV and radio

simultaneously. At twenty-seven,Pakman was one of the youngestnationally syndicated radio hosts inAmerica; he had gotten into the businesswhen he started his own talk show incollege. Over the subsequent six years,Pakman had invited people from theWestboro Baptist Church to be on theshow about half a dozen times. Pakmanknew that confrontational oddballsbrought listeners, whether it was apastor who wanted to burn the Koran on9/11 or an anti-gay former navy chaplainwho claimed he had performed a lesbianexorcism. Pakman justified giving thesepeople airtime because he felt it wasright to expose what they preached.

Westboro Baptist Church had about

eighty-five members and had beenfounded by Fred Phelps, a former civilrights lawyer. For years, Phelps hadruled his family with an iron fist. Hisone estranged son, Nate, claimed thepreacher abused his children, eventhough most of them had gone on tofollow his teachings. Shirley Phelps(Fred’s daughter) became something of aregular guest on Pakman’s showwhenever Westboro picketed a soldier’sfuneral or did something equallyunpleasant. She would tell Pakman thathe was going to hell because he wasJewish and his people had killed Jesus.He found it amusing.

“Things are gonna happen to thoselittle cowards,” she said on his latest

show about the Anonymous “threat” toWestboro; she was smiling, and her facewas devoid of makeup. “And it’s goingto cause the ears of them that hear it totingle. They’ve made a terrible mistake.”

After the show, when Pakman got aTwitter message from Topiary stating hewas from Anonymous and wanted totalk, Pakman was skeptical. Thenanother thought came to his mind: “Thiscould be a compelling piece ofinterview.” Bringing two controversialgroups onto his show at the same timeseemed like too good an opportunity topass up.

Topiary e-mailed Pakman, telling theradio host that Anonymous had access tothe Westboro sites and suggesting that

hacking might take place on the show.According to Topiary, Pakman repliedcryptically with “If something like thatwere to happen, it would be myobligation to bring immediate attentionto it.” It dawned on Topiary that Pakmanwas very interested, since he laterbrought the subject up again, asking ifthe “event” was still going to take place.Pakman, who later denied that he hadhad any idea ahead of time thatAnonymous was going to hack theWestboro websites live on the air, thenarranged for Topiary to go on the showthe next day. He would make sure, headded, that the show got plenty of onlineattention by posting links on popularforums like Reddit and Digg.

“Good job,” someone on#InternetFeds said when Topiary cameback into the chat room and reported thatthe group had a forthcoming appearanceon the Pakman show, giving them thechance to do a live hack and deface ofthe Westboro sites. He asked around tosee if anyone else wanted to do the livecall, since he’d already thrown his voicearound on TV news network RussiaToday. But people wanted to hearTopiary versus Shirley. Many onAnonOps thought he was good at publicspeaking, even though his speech coulddeteriorate into stuttered sentences andwhat he considered a goofy Britishaccent.

Resigned to his part in the verbal

showdown, Topiary started writing adeface message for the Westborowebsite. Then he noticed something odd:most of Westboro’s main sites werealready down. Not defaced—justoffline. It looked like someone hadnoticed the buzz around the fakeAnonymous threat and taken the sitesdown himself. Topiary realized it wasThe Jester. He hopped over to Jester’schat room, approached the hacktivist,and asked if he could let the sites backup for at least a couple of hours. Hedidn’t give Jester any times or say that itwas for a radio show, just in casesomeone from his crew tried to sabotageit. He stayed vague.

Jester confirmed his involvement by

refusing, adding mysteriously that hewas “under extreme pressure to keepthem down.” A little bewildered andirritated, Topiary gave up and went backto #InternetFeds. They would have tomake do with an attack on a minor webpage.

He set to work writing up adefacement message in the simpleprogram Notepad++, the same way hehad done all ten deface messages forAnonymous in the last month or so. Afterwriting the release he’d paste it into atext box on Pastehtml and write theHTML code around it. All the defacepages were plain text on a whitebackground. Topiary had tried morecomplicated layouts but they never had

as much impact as stark black and white,a complete contrast from the busilydesigned websites that were supposed tobe there. Often he would explore thedifferent chat rooms on AnonOps IRCand note down any philosophical thingspeople said about Anonymous or theworld in general, and then he’d try toincorporate them into his messages.Anons were already starting to realizetheir opinions mattered, as journalistsquoted random comments made inAnonOps chat rooms.

Topiary was doing this partly for hisown good. Leading up to Westboro andparticularly after the Pakman show, hisnickname became more public. “I didn’twant all that attention,” he later said.

Deep down he didn’t want his “voice”in text and audio to become familiar tothe public and authorities. When hewrote a press release, he took to postingit on Pirate Pad and imploring othersupporters and Philosoraptors to edit it.“I’d leave it for 10 minutes and no onewould touch it,” he said. “People keptsaying, no it’s fine. I don’t know if theywere nervous or didn’t want to tell me itwas a bit wrong.”

The next day, just before the show,Topiary asked a friend on AnonOps howhe should handle the Westboro Baptistspokeswoman.

“Just let her ramble,” the friendreplied. “You don’t need to make herlook bad. She’s going to make herself

look bad.” Topiary then spent a fewminutes listening to music to try to calmhis nerves, a song by the mellow technoartist World’s End Girlfriend. It alwaysleft him more relaxed. Thirty secondsbefore the show was to start, Pakmancalled Topiary, who could hear ShirleyPhelps-Roper in the background,grumbling in a southern drawl aboutcamera issues.

Pakman immediately recognizedTopiary’s voice from the interviews hehad done with Russia Today and fromthe Tom Hartman program. At theeleventh hour, Pakman breathed a quietsigh of relief that he was speaking to agenuine spokesperson for Anonymous.

Soon enough, Phelps-Roper was on

the line too, and the video segmentshowed three images: Pakman in a blackblazer with his microphone; Shirley witha home printer and bookshelf in thebackground, her hair pulled back in aponytail and her eyes ablaze; and apicture of a giant shark being attacked byBatman wielding a light saber—that wasTopiary. Whenever Topiary spoke, hisown picture glowed blue.

“Well, today we have everybodyhere,” Pakman said, introducing Topiaryas a “source within Anonymous” andthen referring to him as simply“Anonymous.” Did Anonymous issue athreat to Westboro Baptist Church? heasked.

“No, there was no talk of it, uh…”

Topiary’s deep baritone voice almostgrowled out onto the airwaves. He hadan unusual accent—a Scottish liltblended with a Nordic twang. He’d sethis laptop on a table and turned awayfrom it. Every prank call had been likethis—he looked at simple focal points,like the ceiling or a book spine, or outthe window.

“Shirley, is it your belief thatAnonymous cannot harm the Westborowebsites in any way?” Pakman asked.

“No one can shut these words thatare…ROARING out of Mount Zion!”she cried. “I mean I’m talking to a littleguy who’s a Jew.” David looked over athis producer and smiled.

“OK.” Pakman suddenly grew

serious. “So, Anonymous, can youaddress that? I mean, aren’t all ofShirley’s websites down right now?”Shirley let out a surprised laugh.

“Yeah right now,” replied Topiary.“Um, GodHatesFags.com is down,YourPastorIsAWhore.com is down.” Helisted several more snappily named sitesand explained, disappointed, that credithad to go to The Jester and not,technically, to Anonymous.

“Potatoe, potahto!” Phelps-Ropersaid, drowning him out for a moment.“You’re all a bunch of criminals, andthugs.…And you’re ALL facing yourimminent destruction.”

“Anonymous,” David ventured, “isthis riling you up to the point where you

will actually take action?”“Please do,” Phelps-Roper

deadpanned.“Well…” said Topiary“Hold on, Shirley,” said Pakman.“Our response to the ‘cry-baby

hackers’ letter was mature,” Topiarysaid. “Our response was we don’t wantto go to war with you—”

Phelps-Roper’s eyes widened. “Didyou just call criminals and thugs…‘MATURE’?”

Topiary balked and decided to switchtacks.

“You say the Internet was inventedjust for the Westboro Baptist Church toget its message across, right?” he asked.

“Exactly,” she said.

“Well, then how come God allowedgay-dating websites?”

“Psh. Silly.” Phelps-Roper laughed.“That’s called your proving ground.”

“Am I going to hell?”Phelps-Roper suddenly looked

concerned. “Well, hon, I only know whatI’m hearing because you’re”—she raisedher eyebrows—“Anonymous…and…you sound like a guy who’s headed tohell I’m just sayin.’”

“Well in my lifetime I’ve performedover 9,000 sins,” Topiary said. “So…”

“OH! And you keep track! What, youhave a tally sheet?”

“Yeah over 9,000 sins. I keep track.”Pakman was smiling to himself.

Topiary glanced back at his laptop and

for the next thirty seconds he observed awindow in AnonOps IRC, where ahandful of people were watching a livestream of the show on Pakman’s site.They were laughing. Pakman seemed tobe waiting for Phelps-Roper to get riledup and say that nobody could hack theWestboro site before bringing thingsback to Topiary for the hack.

Phelps-Roper was explaining whybeing proud of sin did not “fit into a boxwith repentance.…Of course you’regoing to hell.”

“Hmm.” Topiary sighed. “Internets isserious business.”

“Let me bring things back to a centralpoint,” said Pakman. “Is there a nextstep? Does Anonymous intend to prove

that they can in fact manipulate theWestboro Baptist Church network ofwebsites? What can we expect goingforward, Anonymous?”

If anything was going to happen, nowwas the time. Phelps-Roper tried to pipeup again but Topiary kept going.

“Actually,” he said, smacking his lips,“I’m working on that right now.”Topiary turned back to his laptop,clicked on a tab on his IRC windows toenter the private room #over9000, andquickly typed in gogogo, the signal.Tflow was ready and waiting withTopiary’s HTML file.

Phelps-Roper’s sarcasm went intooverdrive. “He’s working on thatRIGHT NOW! Oh yay!” she yelled.

Then her face darkened. “Hey, listen up,ladies.…”

“Hold on, let’s hear from Anonymousplease, Shirley,” said Pakman.

“No, no,” Shirley said.“No I have something interesting, I

have a surprise for you, Shirley,” saidTopiary.

“Wait a minute,” she said. “You saveit for a minute!” The other voices fellsilent. “This is what you’veaccomplished. You have caused eyes allover the world to look. All we’re doingis publishing a message…a HUGEglobal explosion of the word of God.”The others stayed silent.

With no live hack, the segment wascoming to a close, and Pakman needed to

steer things back to Topiary.“Anonymous, go ahead.”

“I was just going to say in the timeShirley started blabbing her religiouspreach I actually did some business, andI think if you check downloads dotWestboro Baptist Church, I think you’llsee a nice message from Anonymous.”

Phelps-Roper looked unmoved.“Nice,” she said, rolling her eyes.

“Dot com is it?” Pakman asked.Pakman’s team already knew the exactURL for the site that was going to behacked, as Topiary had sent it in an e-mail beforehand. “That’s how hisproducer found it so fast,” Topiary latersaid.

“Yes, we just put up a nice release

while Shirley was preaching there,”Topiary said on the show.

“Just while we were doing thisinterview.” Pakman chuckled inapparent amazement. He looked to hisproducer and pointed to somethingoffscreen.

“Yeah, we’d had enough! We’dresponded maturely, saying we don’twant a war. Then Shirley came on theradio, started, well…thinks I’m going tohell, so we’ve given her something tolook at.”

“So hold on,” Pakman said, noddingoff camera again, “I am getting a thumbs-up from my producer that there has beena message posted that appears to be fromAnonymous.” A screenshot of Topiary’s

earlier written message suddenly filledthe screen: a simple white backdroptopped by the Anonymous logo of aheadless suited man who was taking upwhat was supposed to be WestboroBaptist Church’s main web page fordownloads.

“Anonymous, are you takingresponsibility for this?” Pakman askedagain.

“Yep,” Topiary said. “We just did itright now this very second.”

“That is so special,” Phelps-Ropersuddenly interjected. “So special.”

Topiary tried to explain. “You told uswe can’t harm your websites and we justdid,” he said. “I mean—”

“What I told you,” Phelps shot back,

“is you cannot shut us up. Thank you.”That was the end of the segment.It wasn’t the smack-down of

Westboro that Topiary had been hopingfor, but he was relieved he had avoidedscrewing anything up. Sure, Phelps-Roper had been surprised by the livedefacement, but years of shooting downeven the most reasonable argumentsgave her a knack for barbed commentslaced with sarcasm. She was a tough oneto troll.

“I’ve encountered some nasty trollsand counter-trolls in my days, butShirley came across with a sort of new-wave supertrolling that caught me offguard,” said Topiary.

Her most withering put-downs even

had some truth in them. In the end,Anonymous’s main weapon wasn’t allthat destructive. They were defacing alittle-known page on the church’snetwork—“so special”—with theanticlimax further dampened by TheJester’s confusing side campaign.

None of this mattered in the first fewdays after what came to be called thelive Westboro hack because Topiary’sface-off with Shirley Phelps-Roperquickly became one of the most popularvideos on YouTube that week. Topiarywatched the numbers rising each day,initially with excited fascination, thenwith some dread. First it was tenthousand, then two hundred thousand,and after five days, more than one

million people had watched the video.By this point Topiary had learned

there was a fine line between successand failure when it came to the publicside of Anonymous. “There had to behumor, so a meme or two, but definitelynot too many,” he later remembered.“There had to be something inexplicable—a kind of what-the-fuck-am-I-seeing.jpg, so Batman attacking a sharkwith a light saber.” Finally there had tobe something blatantly obvious to pickon: Shirley. “She’s like that lady fromThe Simpsons that throws cats around,except she’s talking about Mount Zionand dead soldiers.” It was hard forTopiary not to look like the good guywhen talking to her. “I was so, so happy

I never stared into her crazy eyes,” headded. “The first time I saw her facewas when I clicked on the YouTubevideo. What the fuck, man.”

A more serious thought had grippedhis mind at the time, though: “More thanone million people have heard myvoice.” Mixed in with the pride was aterrible unease—if only one person whoknew him personally saw the video, hisidentity would be revealed. He hadn’tused voice altering or changed hisaccent because he’d wanted it to seemreal. He couldn’t decide if the stunt hadbeen a stupid mistake or his ballsiestmove yet.

Pakman didn’t hear from anyone inAnonymous after the show, but there was

a flood of feedback from listeners, withviews split on how great it had been tosee the Westboro Baptist Church gettaken down and others pointing out thatwhomever the target, Anonymous hadjust committed a crime. Pakman took itrather lightly. “I found the entire thing tobe a kind of parody at the highest level,”he recalled.

“Thinking back on everything withAnonymous and LulzSec, I see manythings I regret being entangled in,”Topiary later said. “But the WestboroBaptist Church attack, well…is proudthe right word? Honored. I was honoredto have been involved.”

It seemed Westboro and Anonymoushad some similarities. One key to

Westboro’s unfathomable ability tosurvive and maintain itself was itsisolation. Its members knew their uniquegroup as “us against the world.” Theirpickets at funerals were not really aimedat saving souls or spreading God’s wordbut at stirring up anger and hatred inothers—a self-serving exercise to fueltheir own sense of righteousness. Thisculture of hate was one that only itslongtime participants could trulyunderstand. Profound acceptancecoupled with desensitization to theirown vicious trolling. When it came tomotivation, Anonymous was often thesame.

Chanology and Operation Paybackhad shown that Anonymous could take

on unsavory characters as a group, butthe live Westboro hack with Topiarysignaled where Anonymous would begoing next: smaller and more extreme.

Kayla had conducted her vengefulattack on Gawker; Sabu had had arevolutionary turn on Tunisia; Topiaryhad experienced the thrill of a liveperformance. Anonymous may have beena movement that could change the world,but it existed just as much for its ownmembers as anything else. It gave themsomething to do, made them feel useful,and, while no one would admit it, letthem carry out urges in a way thatseemed justified and necessary. Gawkerand HBGary had shown that Anonymouscould be at its most destructive when it

was taking revenge and when a small butfocused group of people led operations.But it was only when a joker and publiccommunicator like Topiary was addedto the mix that the group had the makingsof an even more powerful team: Sabuwith his passion, Kayla with her skills,and Topiary with his silver tongue.

Chapter 13

Conspiracy (DrivesUs Together)

A few days after the live Westborohack, Topiary couldn’t help but feelworried that more than a million peoplehad now heard his real voice. One wayto distract himself from those concernswas to plow through more of AaronBarr’s e-mails. Transfixed by what wason his Dell laptop screen, he’d comeacross a piece of string every few hoursthat seemed to lead him farther down arabbit hole, toward what looked like adark and dirty conspiracy. In late

February, as Jennifer Emick wascreating her own theories about whoAnonymous was, Topiary was lookinginto theories that went beyond theAnonymous world and involved theAmerican military. Sabu and Kaylaweren’t that interested in this subject orthe e-mails anymore, but a sense ofpossibility kept Topiary hooked, and thiswas largely thanks to Barrett Brown, ablond, twenty-nine-year-old freelancewriter from Texas who was passionateabout exposing government corruption.

Topiary had first heard of Brown theday before the HBGary attack. Brownhad published a spoof statement fromAnonymous on the left-wing politicalblog the Daily Kos on Saturday,

February 5, a day before the HBGaryFederal attack. The title was“Anonymous Concedes Defeat.”Rambling and comical, it claimed Barrhad discovered that the true leaders ofAnonymous were “Q and Justin Bieber.”

He added: “Mr. Barr has successfullybroken through our over 9,000 proxyfield and into our entirely non-publicand secret insurgent IRC lair, where hethen smashed through our fire labyrinthwith vigor, collected all the gold ringsalong the way, opened a 50 silver keychest to find Anon’s legendary hackerson steroids password.” It was a word-for-word quote from Topiary on IRC,and Topiary was flattered to see himselfquoted.

Brown then published a more formal“press release” on the Daily Kos afterthe attack, titled “Anon pwns HBGaryFederal.” Most Anon press releaseswere posted on AnonNews.net, butreally, who was keeping track? Whatannoyed many Anons was that Brownhad published the press release underhis real name, and they christened him anamefag. Still, Topiary didn’t mind him;in fact, from the start, he rather likedhim. After the attack, Topiarycomplimented Brown on the spoof post.Brown was eager to see the HBGary e-mails, which at that time were still beingpublished on torrenting sites bit by bit.

“I need some more of those e-mails soI can piece some stuff together,” Brown

told him.It turned out that Brown was a big

research nut. He had downloaded thefirst batch of Barr’s 23,000 e-mails,searching for clues that would crackopen a wider case of corruption thatstarted with HBGary’s misinformationcampaign against WikiLeaks and endedwith the U.S. military. After a fewweeks of scanning, he picked up thephone and called William Wansley, oneof the vice presidents of a militarycontractor called Booz Allen Hamiltonand a name that had popped up in Barr’se-mails.

“Hi, is this Mr. Wansley?”“Yes,” a small voice replied.“Hi, Wansley, this is, uh, Barrett

Brown, I’m sort of a, uh, informalspokesman for Anonymous?” Brownsaid, hiding his nervousness. “Thereason I’m calling is because we’regoing over some e-mails and wehappened to see some correspondencebetween yourself and Aaron Barr ofHBGary. I was curious as to whatexactly the project is that you guys wereworking on, regarding Anonymous.”

There was a long pause.“Oh,” Wansley said. “If you’d like to

call our public affairs office, they shouldbe able to help you.…”

“Well, I’m not sure they would beable to help me as much as you could,”Brown barked, his confidence growing,“because you were actually more

involved in those discussions. I don’tthink public affairs offices are that good,in my experience, at, uh, you knowproviding, uh, actual intelligence.”

There was another long pause asWansley took in what he was hearing,then a loud roar in Houston as a planefew over Brown’s house.

“Uh, basically for instance I’mlooking at an e-mail right now,” Browncontinued, shouting to be heard over theplane. “Says you had a meeting at theoffices of Booz Allen, ten thirty on, let’ssee, somewhere in late January withAaron Barr. Aaron Barr of course as youknow was researching Anonymous, heattempted to dig up our leadership. Hewas going to sell a list with my name on

it to the FBI, with the names of a lot ofpeople who aren’t actually INAnonymous. His methodology was a bitoff, you might say…Um, and I’massuming at this point you’re probablynot working—”

“I’m—I’m familiar with theorganization,” Wansley said, soundingweary. “First of all we don’t commenton our client work at all, to protect theconfidentiality of all our clients.”

“Right.”“I can tell you we have no business

dealings with HBGary anymore.”Brown paused.“So you weren’t in business dealings

with them, you were just discussing thetopic?” he asked.

“I can’t comment on what someoneelse asked me to do, but we had nobusiness dealings at all with HBGary.”

“But you did have business dealingswith them previously, right?’ Browntried again.

“Never.”“But you met with him not for social

matters, but to discuss Anonymous.”“I have no relationship and I can’t

make any comment.”“You have no relationship with Aaron

Barr?” Brown knew the conversationwas coming to an end, and he wasfloundering.

“Please call my public affairs officeand they’d be happy to talk to you.”

“Thanks,” Brown said.

“Thank you. Bye.”Click.Brown hung up, then laughed out loud

without smiling. “Tee hee hee!” Hequickly wrote up a blog post titled“Booz Allen Hamilton VP Caught Lying”in which he explained: “He said he hadno relationship with HBGary, which isodd insomuch as that this e-mail wouldseem to indicate otherwise.” Brownadded a link to one of Barr’s e-mails,saying, “I had a meeting with BillWansley over at Booz yesterday.”

Over the next few days, Brown keptsending messages to Topiary aboutHBGary. Topiary soon got the hint thatBrown was serious and he invited himinto a private Skype group with Gregg

Housh and a few others to focus onresearching the e-mails more deeply.Topiary kept the Skype group open at alltimes and found for the next two weeksthat he was increasingly being pulledinto its conversations, spending at leastseven hours a day on the investigationinto what Barr had really been workingon. Brown gave it a name: OperationMetal Gear, after an old Nintendo game,and its goal, in a nutshell, was to find outhow the intelligence community wasinfiltrating the Internet and social mediasites like Facebook and Twitter to spyon American citizens. Cyber securitybuzzwords like sockpuppets, personamanagement software, data monitoring,a n d cognitive infiltration frequently

cropped up, every lead branching outfrom the work and research of HBGaryFederal and Barr. Whenever Topiarystumbled upon an e-mail from Barr’scache that could lead to new informationon these issues, he’d send the link toBrown and let him know.

The project was intense, largelybecause of Brown himself, who seemedto never sleep. Topiary would wake upin the morning in his part of the world tofind the Texan had been up all nightreading through the HBGary e-mailtrove. Brown would then spend the nexttwo hours explaining what he haddiscovered overnight, often speaking at ahundred miles a minute. One particularlylong conference call with him lasted

thirteen hours, and another six hours,with Brown often using overly formalphrases like pursuant to ourinvestigation. Topiary found thisirritating at first, but he couldn’t helpadmiring Brown’s work ethic andpassion for his activism. It seemed alevel above even the most die-hardmoralfags in Anonymous.

The son of a wealthy real estateinvestor, Brown had a penchant for pin-striped shirts and cowboy boots, as wellas a knack for keeping Topiary’s interestpiqued. “We’re about to unravelsomething big,” he’d say.

“To begin with I felt sorry for him,”Topiary later remembered. “He wasputting in a lot of hard work, but just

came across the wrong way to Anon.” Itdidn’t help that his IRC nickname wasBarrettBrown. “Everyone hated him.There were all kinds of anti-Barrettdiscussions in private channels, oftenmocking his methods and drugaddiction.” Brown was widely known inthe Anon community to take hard drugs.One journalist who interviewed himover lunch recalled Brown starting offby smoking a joint, drinking alcohol, andshunning food throughout the meal, thentaking a dose of a synthetic form ofheroin—all the while speaking withextraordinary lucidity. Topiary droppedhints when he could that Brown wasn’tso bad if they overlooked a few things,but Brown’s rambling YouTube videos

and conspiracies “just made thingsworse.”

Chanology and Operation Paybackhad shown that if they were manipulatedin the right way, Anons in their hundredswould suddenly want to collaborate on araid or project. But key to that wasmaking a raid fun and exciting. Topiary,who was becoming Brown’s liaisonwith AnonOps, noticed that whileBrown’s campaign to uncovercorruption had sounded sexy to theAnons at first, the fact that he had tostruggle to maintain their interestdemonstrated how difficult it was toharness the spontaneous, unpredictablepower of Anonymous. Brown wantedAnonymous to help him carry out long-

term research, but it was tough gettingpeople in a community rooted in lulz tostick to a project for weeks, even monthson end. It got even harder when Browntried to get Anonymous on the eveningnews.

Between January and March of 2011,Brown’s name got passed around amongjournalists who covered Anonymous, ashe was among the rare few in thecommunity who would consent to be onthe end of a phone line, not a confusingIRC network. Newsweek, Rolling Stone,and CNN all wanted to talk to him.Then, on March 8, NBC Nightly Newsbroadcast an “exclusive,” a televisionreport by Michael Isikoff, whodescribed Brown as “an underground

commander in a new kind of warfare.”The interview took place in Brown’sapartment and had shots of him typinginto his white Sony netbook, his deskstrewn with cigarette packets and otherparaphernalia. Toward the end, Brownwas seen leaning back in his greenplastic chair and pontificating to analmost awestruck Isikoff as the Texandangled a cigarette from his fingers.

“It’s cyber warfare,” he said in asouthern baritone, looking relaxed.“Pure and simple.” Brown was actuallyracked with pain throughout theinterview, having stopped injectinghimself with Suboxone four days prior.His bones ached in a way most peoplewould never experience. (He would

relapse in April on a trip to New York,where he would take heroin, and then getback on Suboxone when he returned toTexas.)

During the interview, the camerabriefly panned over the screen ofBrown’s laptop to reveal a snippet of anIRC chat Brown was having withTopiary, Q, and several others, asIsikoff sat by and looked on with his TVcrew. The nicknames were visible.

“Yo,” Barrett had typed. “NBC ishere.”

“Awesomesauce,” said someonecalled &efg. “Welcome to the internet.”

“They want to talk about stuff,”Brown said in the next shot. “He sayshe’s honored. So, what’s next for

Anonymous?” The question appearedhave been dictated by Isikoff.

The feature later showed Isikoff andBrown strolling side by side down abusy road and talking, Browngesticulating, Isikoff’s khaki-coloredslacks flapping in the breeze as helistened intently. Then it was back to theapartment, and Brown once moresprawled in his chair.

“I mean we got Stuxnet off of this,” hesaid, flicking his hand, referring to anattached file among Barr’s e-mails thatwas in fact a defanged version of theinfamous computer virus that was bestknown for attacking Iranian nuclearinfrastructure in the early 2000s. “Itshouldn’t have been available by this

federal contractor to get ripped off by asixteen-year-old girl and her friends.”

“And it shouldn’t be in the hands ofAnonymous!” Isikoff exclaimed.

“But it is,” Brown replied, waving hishand again and shaking his headsomberly. “C’est la vie.”

Brown was not happy with theinterview when it aired. He had hoped itwould go deeper into the informationrevealed by the HBGary hack—themilitary contracts on personamanagement software—but instead ithad focused on him and madeAnonymous look like a seriousorganization. This hurt his reputation inAnonymous further. Here again wasanother example of how difficult it was

to push an agenda from withinAnonymous—you had to convince notonly the Anons of its importance but themedia too. More people were criticizinghim on AnonOps and Twitter as anamefag, moralfag, and leaderfag. OtherAnons posted his address, phonenumber, and other personal informationon Pastebin.org. They hated the way hetalked up Anonymous as a force forgood, a fighter against corruption andevil regimes.

Brown ignored them all. “If I don’trespect the laws of the U.S. imagine howI feel about the non-rules ofAnonymous,” he later explained.Anonymous had been born out of a halfjoke, after all. But both Topiary and

Brown agreed Brown’s reputation wasmaking it difficult to recruit supportersfor Operation Metal Gear, and theyneeded another approach. Browndecided to announce the project on theairwaves. In recent months, someone onAnonOps IRC had set up a digital radiostation, called Radio Payback,consisting mostly of techno music played24-7 and interspersed with occasionalchatter from anonymous DJs. Brownapproached one of the DJs in the#RadioPayback IRC channel to ask if hecould go on the air to announce recentfindings of Operation Metal Gear, withno success. Then Topiary tried.

“Barrett’s not so bad,” Topiary toldthe DJ. “We should give him a chance. It

might be worth it in the end.” Eventuallythe host relented, and Brown, Topiary,and another man from their team,nicknamed WhiteKidney, took to thedigital airwaves on the evening ofMarch 16 and spent a good hour tellingany Anon who would listen about theirresearch. Topiary had told Brown tospeak slowly, repeating the wordslowly. “Voices are not bullet trains,” hetried to explain. “I don’t think itworked,” he later recalled. On air,Brown’s voice was loud, as if he weretoo close to his microphone.

“Booz Allen met with Aaron Barr,”he blared, with some distortion. “Hisspecialty was this software that usedsocial media.”

Topiary explained the controversialsoftware, the soldiers who controlleddozens of fake social media profiles, theway that could subvert democracy andwarp online opinion.

“We have informants,” Topiaryadded, referring to people who hadoffered information on Booz Allen.

“We won’t talk about informants,”Brown said quickly. There wereapparently two informants. One hadreached out to Brown, and the other wassomeone Brown had found among Barr’se-mails. “This is what we’ve trained forfor five years,” he added toward the endof their segment, before the discussiondescended into jokes about Brown’spenis.

Still, the presentation worked. Withina couple of days, Metal Gear’s rankshad swelled to twenty regularresearchers. Hundreds of people haddownloaded a link to their team’scurrent research via the radio show,suggesting that listeners may have beenin the thousands. One IRC operator whohad previously mocked Brown anddismissed Metal Gear as trolling wasnow talking it up as a success on IRC.The investigation team retreated to theirprivate Skype group and spent manymore hours trawling through e-mails,making phone calls, and listening toBrown. Brown sometimes assigned jobs,but more often people volunteered to dothings.

“Once we explained about ‘sockpuppets’ and ‘robots,’ everyone gotexcited,” Topiary later remembered.There was no proof at this point—onlyspeculation. For example, thegovernment of Azerbaijan had recentlyarrested online political dissidents, andTopiary and Brown stated on RadioPayback that Booz Allen’s spyingsoftware must have been used. Theirreasoning: Booz Allen had an office inAzerbaijan.

It was a credible lead, but as usual,the group would struggle to find the timeand concentration to follow it up. OtherAnons would pick out yet more juicyleads from Barr’s e-mail hoard.Occasionally someone would come with

a completely new lead.Then there was a bigger distraction,

this time showing how easily a personcould get the mainstream press excitedabout a supposed Anonymous operation.A young man nicknamed OpLeakSapproached Brown on the chat network,claiming that he had acquired a trove ofe-mails and needed some advice. Theleak, he said, involved Bank of America.

Intrigued, Brown invited him into hissecret Skype group with Topiary andWhiteKidney for a conference call.OpLeakS came on with a thick NewJersey accent and monotone voice. Atfirst Brown and Topiary were excited bywhat they were hearing. OpLeakS, astaunch Anonymous supporter, said he

had been contacted by a formeremployee of Bank of America, someonewho had worked there for seven yearsand who had joined when the bankbought Balboa Insurance. OpLeakS andthe ex-employee talked by e-mail forseveral days. Whenever OpLeakS askeda question about Bank of America, hewas met with increasingly damningresponses about how the lender had beenhiding loan mistakes or how managerspracticed favoritism. It all pointed tofraudulent mortgage practices, he toldBrown and the others on Skype, stuff thatcould bring down Bank of America.

“Why don’t you send them over so wecan take a look,” said Brown, who bynow had become skeptical. OpLeakS

sounded out of his depth with the subjectmatter.

“I can probably help you with gettingthe word out,” Topiary offered, thinkingany kind of leak involving Bank ofAmerica would generate interest afterthe WikiLeaks affair. He added theycould host OpLeakS’s e-mailcorrespondence on the new AnonLeakssite.

OpLeakS wasn’t interested in eitheroffer, but he forwarded a handful of e-mails in the hope of some validation.Now Brown was definitely unimpressed—the claims by the ex-employeesounded embarrassing to Bank ofAmerica, but OpLeakS had nothing thatcould bring down an entire multinational

bank. Because of recent rumors thatWikiLeaks had a cache of explosive dataon Bank of America, it was easy to getconfused by OpLeakS’s claim and thinkthat they were somehow related. Bynow, Anonymous and WikiLeaks wereclosely associated with each other,through the Payback DDoS attacks andthen the announcement of the nameAnonLeaks. But of course, OpLeakS’sdata had nothing to do with WikiLeaks,and it was not substantially damagingeither.

“He didn’t seem to have what hethought he had,” Brown later recalled inan interview. Topiary remembered theman promising more information but notdelivering. “He wasn’t forthcoming with

it,” Brown added.But in spite of flimsy evidence and

limited understanding of finance,OpLeakS posted several tweets over theweekend of March 12 and 13 hinting that“Anonymous” had e-mails that exposed“corruption and fraud” at Bank ofAmerica.

Amazingly, the tweets were picked upby the media and taken seriously.“Anonymous, a hacker groupsympathetic to WikiLeaks, plans torelease e-mails obtained from Bank ofAmerica,” Reuters breathlessly reportedon Sunday, March 13. Blogging siteslike Gawker and Huffington Post echoedthe news. OpLeakS had, by happyaccident, stumbled upon the big story

that everyone was waiting for. InDecember of 2010, Forbes magazinehad published a cover story in whichJulian Assange promised to leak a majorcache of secret information from Bank ofAmerica that would be highly damagingto the bank. Aaron Barr had beenworking off this very threat when he hadprospected the bank’s lawyers Hunton &Williams with proposals to discreditWikiLeaks. The trouble was, no oneknew when the big leak would come, sowhen it appeared that Anonymous,attackers of HBGary, PayPal, Visa, andMasterCard, were about to hit Bank ofAmerica on their own, expectations ranhigh. Too high.

On Monday morning, as promised,

OpLeakS posted his e-mailcorrespondence with the ex–Bank ofAmerica employee on a website hostedby his own Wordpress blog,bankofamericasuck.com, and under thetitle “Black Monday Ex-Bank ofAmerica Employee Can Prove MortgageFraud Part 1.” (There never was a part2.)

“I’m OperationLeakS,” the poststarted, “read every line andscreenshots.” This was followed byscreenshots of the e-mails betweenOperationLeakS and the former bankemployee. Among the questions were“Do you have proof you work at Bank ofAmerica?” “It’s like a cult?” “So whydo you want BoA head so bad?” “When

you were fired did you take your thingslike pictures etc.?” This last questionwas followed by a photo, provided bythe ex-employee, of a mangled plant,some soil, and a small American flagcrammed into a cardboard box.

Traffic towww.bankofamericasuck.com was sohigh that morning that many people tryingto access the site got an error page orfound it slow to load. Forbes’s WallStreet writer Halah Touryalai was oneof the first to check out the e-mails, andearly Monday morning she put together ablog post called “Bank of America E-Mail Leaks Are Here, How Much WillThey Hurt?” Within a couple of hoursthirty thousand people had looked at her

article. As of today it has received morethan forty thousand views.

“It’s tough to tell if there’s anythingtruly damning in these e-mails,”Touryalai ventured in her story. Shenoted that while Julian Assange had toldForbes in December that he had trovesof data that could “take down a bank, ”in February Reuters had reported thatAssange was no longer sure his goodswould have a truly negative impact. Thebank’s publicity department was alreadycalling the OperationLeakS assertions“extravagant.” The market woulddecide.

Touryalai and other financialreporters watched Bank of America’sshare price that morning. As the bell

rang for the New York Stock Exchange’sopening, Wall Street traders looked overthe e-mails—and did nothing. Thebank’s share price moved down by justfifteen cents at the close of trading onMonday, suggesting investors didn’tcare.

The mainstream media, from CNN toUSA Today to the BBC, had excitedlyreported on the e-mails, but by the end ofthe week all agreed the “take-down” hadbeen a flop. “Forgive me if I suppress ayawn,” said Annie Lowrey at Slate. Theex-employee’s comments to OpLeakSwere small potatoes and too perplexingto mean much.

This was perhaps the moment whenthe media learned a disappointing lesson

about Anonymous. The collective haddone damage, to be sure, but it was justas good at creating hype about secrets ithad found as it was at finding anythingsecret at all. Worse, the hype had comenot from a group of hackers, but fromone monotone-sounding man with alimited understanding of finance whosevoice had been globally amplified byinvoking the name “Anonymous” at theright time and with the right subjectmatter. If Anonymous wanted credibleattention, there needed to be somesemblance of central organization, aswith Operation Payback and Chanology,even if they hated the idea of leaderfags.

After roughly two weeks of working

with Operation Metal Gear, Topiary felttorn between his two different groups:the hackers who’d hit HBGary and thenow ten or so investigators who weresupporting Brown (numbers had beenslowly dwindling since Radio Payback).He found he couldn’t explain to eitherside what the other was doing. Brown’sinformation group was too complex;Sabu’s and Kayla’s too secretive.

Brown’s ideas also started to soundoutlandish, especially after he begansuggesting that someone from themilitary might assassinate him. Topiarythought he was joking at first, but Brownwas serious.

“I’m at the center of the world ofinformation and I’m fearful for my

safety,” Brown told him at one point. “Iknow too much about Middle Easterngovernments working with the UnitedStates.”

Brown confirmed this in an interviewmonths later: “Someone else who has asemiregular dialogue with people at theState Department and is very wellconnected to these things was raisingthat possibility,” he said, quickly adding,“I didn’t take it that seriously.”

At the time, Topiary did not doubtBrown’s sense of impending danger—Topiary also felt he was in too deep. “Itwas intense,” Brown agreed. “We weregetting informants telling us much wilderthings. Several of us were getting theimpression that what we were looking

into, and accidentally learning, wasmuch larger than anything else, and byvirtue of looking into it we were gettingourselves into trouble.”

The topics they were delving into hitclose to home because they encapsulatedthe one thing Anons had to fear:technology that was better than theirsand that could identify them. Then, inlate March, Congress started a smallinvestigation into the HBGary contracts.“Shit’s getting real,” Topiary observed.

“Imagine losing your anonymity,”Topiary had said during the RadioPayback show to explain what personamanagement software was. “Imaginecreating an online account under onealias and, months later, creating

another… Imagine software that cancorrelate every login time from both ofthese accounts, every piece of grammaryou use, every nickname…automaticallyfinding out who you are online.” Topiaryknew that people could tear out anAnon’s true identity by simply followinga Google trail that started with the nameof his favorite movie. He hated the ideaof government-contracted softwaredoing that a hundred times moreefficiently.

But the stress, the stream-of-consciousness Skype discussions, theconspiracies about the military weregetting to be too much. He startedthinking about his other group—Sabu,Kayla, and the others in #HQ. The hack

on Westboro Baptist Church, on theTunisian government, on Egyptiangovernment websites, on copyrightalliance, on the Tunisian anti-snoopingscript, HBGary—it had all happenedbecause of people from that concentratedteam. Topiary thought that if this groupleft, Anonymous, as the outside worldknew it, would die. More important thanBrown’s research was this other groupsticking together.

“Barrett,” he finally said in mid-March, “I have to step out of this. It’sjust getting too weird andconspiratorial.”

“Okay,” Brown replied. “I can’texpect you to be as involved as youalready have been.” Brown was quietly

irked, but Topiary got the feeling heunderstood. He closed his OperationMetal Gear documents and organizedthem in a folder holding about a hundredand fifty megabytes of data—text filesand audio files from Brown’sconference calls—that he wouldprobably never look at again.

As he did so, Topiary was asked in aninterview if he thought this“concentrated team” might ever breakoff from Anonymous to do its own thing.

“Not really,” he answered. “I canenvision it now. We could probably goon a rampage around the Web undersome kind of nerdy hacker group name,get on the news a lot, leak, deface,destroy.” It would get boring, he said.

“Under the Anonymous banner it’s donewith a purpose, and a meaning, andwithout ego.”

A few weeks later he wouldcompletely change his mind.

Chapter 14

Backtrace Strikes

It was late February and bitterly cold inMichigan. A blizzard had followed afalse spring and covered JenniferEmick’s front lawn in several feet ofsnow. Squirrels were poking in hermailbox and stealing packages in thehopes they contained cookies, but Emickdidn’t consider going outside to check.Not only was there the muscle-spasmingfreeze, she was now deep into theinvestigation into Anonymous she hadinitiated. It had reached a new levelafter Laurelai had passed over logs fromthe HQ channel. Emick’s goal was to

show the world what Anonymous reallywas—vindictive, corrupt, and not reallyanonymous at all.

Back in December of 2010, whenOperation Payback had really taken offwith its attacks on PayPal andMasterCard, Emick had already pulledaway completely from Anonymous. Itwasn’t that she didn’t like the targets—itwas the cruelty she was seeing more andmore throughout the network, ever sinceChanology. Emick had kept friendshipswith a few Anons, hosted somesupporters in her home, and joined aSkype group sometimes called theTreehouse. She described them as “justsome friends who hung out and talked.”Chanology had spawned new

Anonymous cells, or sometimes justfriendship groups. Some of these groupsdied off, and many Chanologyparticipants went off to college orstopped associating with Anonymous forgood. There were a dedicated few, likeLaurelai and Emick, who had come backfor the next wave in 2010. Except Emickhad become part of a minority thatwanted to stop Anonymous.

Like Barrett Brown, Emick tended tosee the world through theories, and herbig one about Anonymous was that it hadbecome just like Scientology: vindictive,reactionary, and a scam. When shewatched the creation of the AnonOpsIRC network, she believed operatorswere trying to revive “this old spirit of

being intimidating.” Emick saw youngpeople who wanted to be part of a groupof nameless bullies because they weregetting picked on at school. Suddenly,they could be part of a group that peoplewere afraid of, she explained.

Emick was gradually creating acrusade that was part principle, partpersonal. She had four children, three ofthem teenagers, and she resented the ideathat they could fall for “some idiotstory” online that romanticized bullyingtactics. “Kids are dumb,” she said. Theyweren’t going to question legalities.“They’re going to say, ‘Ok, cool.’”

She was right about the lack of legalawareness. When thousands of peoplejoined the AnonOps chat rooms eager to

help take down PayPal, most didn’trealize that using LOIC could land themin jail. Emick became indignant whenshe went into the chat rooms at the timeand saw IRC operators telling newAnons they had nothing to fear fromtaking part in a digital sit-in. WhenEmick confronted the operators Wolfyand Owen under a pseudonym andaccused them of trying to raise apersonal army, they banned her from thenetwork.

By late February, authorities in theNetherlands and Britain had arrestedfive people involved in OperationPayback; the FBI continued to follow upon its forty search warrants in the UnitedStates. Later, in July, the authorities

would arrest sixteen suspects. The onethousand IP addresses that PayPal hadgiven the FBI were paying off. Theoperators had been wrong, or possiblylying, and what irked Emick more wasthat they knew how to avoid arrest betterthan new volunteers.

Soon after learning about the HBGaryattack, Emick had started spending hoursin front of her computer, egged on bysuspicions that the people controllingAnonymous were criminals. She wasespecially interested in the nicknameKayla, and when she started searchingon forums, the name appeared on apopular site for aspiring hackers calledDigitalGangsters.com.

Started by twenty-nine-year-old Bryce

Case, known on the Internet atYTCracker (pronounced “whiteycracker”), DigitalGangsters was foundedas a forum for black hat hackers, and oneof its users was named Kayla, a twenty-three-year-old in Seattle. Emick didsome more digging. YTCracker was ahacker himself; he’d been programmingsince he was four, gaining notoriety afterhe hacked into government and NASAwebsites and defaced them. He went onto develop a taste in hip-hop music, andhe founded a record label and gaveconcerts at the hacker convention DEFCon. DigitalGangsters had originallybeen a production for his club nights andraves, but he turned it into a forum forhis hacker friends who were moving off

of AOL chat rooms and onto IRC. It wasa hub for old-school hackers and aproving ground for new ones. In 2005,one of its users, a sixteen-year-old fromMassachusetts, hacked into ParisHilton’s T-Mobile account and accessedher nude photos. Four years later, aneighteen-year-old hacker got thepassword credentials for PresidentObama’s official Twitter account.Another hacker got photos of HannahMontana. The forum was a place wherecrackers could trade ever moreambitious bragging rights, a place wherea person could get in touch withspammers (also known as Internetmarketers) and sell a stolen database ortwo.

YTCracker didn’t like Anonymousbecause he didn’t like the way innocentpeople got caught in the crossfire. It hadhappened to him. In March of 2011, afew hackers on his forum, including onenamed Xyrix, attacked his site for noreason other than that he hosted some oftheir enemies. To get his administrativeaccess, they called AT&T and reportedYTCracker’s phone stolen, got a newphone and SIM card, and were able tograb his Gmail password. From that theywere able to hack into the DigitalGangsters forum, then deface it with amessage that said it had been “hacked byKayla, a 16-year-old girl.”

Here’s where Emick stumbled into aworld of confusion. Kayla was

described as a twenty-three-year-old onthis site, but she had read anEncyclopedia Dramatica article sayingthat back in 2008, “Xyrix posed as awoman using the name ‘Kayla’ on thePartyvan network.” Xyrix was widelyknown to be a heavyset twenty-four-year-old man from New Jersey namedCorey Barnhill. Emick thought,incorrectly, that this meant Kayla wasBarnhill.

Kayla had an explanation for whyeveryone thought she was Xyrix: back in2008, she had hacked his main webaccount and pretended to be him to getinformation out of a Partyvan admin; theadmin then mistakenly thought that Xyrixand Kayla were the same person and

added her into Xyrix’s EncyclopediaDramatica page. The “hacked by Kayla,a 16-year-old girl” deface onYTCracker’s site may well have beenXyrix taking advantage of thatmisunderstanding to try to humiliateYTCracker.

Emick was going down the wrongpath with Kayla, but she still felt shewas onto something. She startedspending more time on these forums,piecing together nicknames, fakeidentities, and false information, beingled down new trails. While manyhackers varied their nicknames, a lustfor credibility compelled many more tostay with one name. In many cases, allEmick needed to do was plug a

nickname into Google, search for itagainst forums like DG and Reddit, andthen talk to a few of that person’s friendson IRC. She used note-taking software tocross-reference everything.

“You have to be anal retentive,” shelater explained. Soon she had amassedgigabytes of data on her computer andhad enough to put real names, evenaddresses, to a few Anons.

Emick felt an urgency to turn herresearch into something that wouldbetter Barr’s faulty approach. BeatingBarr at his own game became a personalchallenge. Realizing she would needhelp, she began talking to an onlinefriend from her old Chanology days

about forming an anti-Anonymous tagteam.

Jin Soo Byun was a twenty-six-year-old security penetration tester who hadonce been an air force cryptologist buthad retired when he was caught in anIED roadside bombing in Iraq. Theaccident left him with serious braindamage and memory loss, but he threwhimself into the 2008 Chanology protestsand built up a reputation for socialengineering under the nicknamesMudsplatter and Hubris. He and Emickserved as administrators on Laurelai’swebsite, and the pair developed afriendship via Skype, instant-messagechats, and phone calls. Often they wouldjust gossip about the hacking scene,

taking pleasure in trash-talking theirenemies.

Emick told Byun about her plan.Anonymous had become an almostunstoppable mob. “Someone needs tostop them before something badhappens,” she told him. He was game.For a few years, Emick and Byun hadtalked about starting a digital securitycompany that used Byun’s technologyexpertise and Emick’s investigativeskills. Now they had something to workwith, what Emick was calling a“psychological operation.”

Byun reached out to friends in thecyber security industry, gathering aboutsix people who were willing to helptheir research. Among them was Aaron

Barr.“Right away after helping the [FBI]

investigation I wanted to understand thegroup even more,” he later explained.“Especially the ones that attacked us.”

They needed to act quickly.Anonymous was being riled up to attackSony, and to make matters worse,HBGary had made them feel they wereunstoppable.

They decided to call their groupBacktrace Security, a name that camestraight out of the 4chan-meme machine.It referred to the Jessi Slaughterincident, when /b/ users had viciouslytrolled a young girl who had beenposting videos of herself on YouTube,leading her mustachioed father to launch

a tirade into her webcam—which shethen uploaded. Choice quotes such as “Iknow who it’s coming from! Because Ibacktraced it!” along with “Ya donegoofed!” and the “cyber police” allbecame memes. Sarcastically using theword backtrace was meant to infuriateAnonymous because it was reclaimingone of their inside jokes.

Emick got everyone connected to aspreadsheet that they could all edit. Achat bar ran alongside it for discussingtheir work in real time. She provided along list of nicknames from AnonOpsIRC that they would dox. Everyonepicked nicknames at random, thendelved into finding their true identities.Sometimes someone in the group would

get a tip-off that would lead him to add anew name to the list. Barr joined in theonline discussions too, sharing generalinformation about Anonymous that hehad gleaned from his research. The mosttime-consuming task was sifting throughthe compiled data. Emick and the othersdownloaded reams of information, butpicking through it took days.

Once her kids were out the door andon the school bus, Emick was rooted toher desk, sometimes for the next eighteenhours or until her concentration flagged.She skipped lunch and often got the kidsto cook dinner. They ate a lot of pizza.Emick said her kids were supportive,though she didn’t let them know what shewas up to most of the time. She raised

them to be self-reliant. Emick was theoldest of five kids, and her father andstepmother had been alcoholics wholargely left her to cook, do laundry, andpay household bills. Although her dadsometimes cooked, her stepmom rarelyleft the couch.

Emick worked from a seven-foot-wide custom-built desk that was tuckedin a corner of her divided living room.On it were her phone, notebooks, files,lamps, a box of Christmas cards from thelast holiday season, and two computers.One was a laptop that ran on Linux, theopen-sourced operating system, whichshe used for chatting on IRC. She neededtwo PCs for when she was pretending tobe two people in chat channels at the

same time or tweeting on more than oneTwitter account. Her main one was@FakeGreggHoush. When she snoopedon AnonOps and tried to weed outinformation, eagle-eyed operatorsnoticed her nickname and attempted toidentify her IP address. Each computerworked off a proxy server that put her intwo different time zones to prevent themfrom getting a location match.

Many names on Emick’s list only tookabout ten or twenty minutes to trackdown. Some Anons were reusing theirnicknames on sites like Facebook,Reddit, YouTube, and Yelp, where someof them were openly discussing theirlocations or talking on a public IRCwithout hiding their IP address behind a

VPN. Instead, their IP addresses were“naked,” and linked to their homeaddresses. In a few cases, Emick and hercrew would use different names, claimto be from Anonymous, and talk to theAnons on IRC, sometimes evenconvincing them to do a video chat.

The investigation really took off whenher old friend Laurelai fell for theintimidation tactics that Emick was usingthrough @FakeGreggHoush. WhenLaurelai handed over the 245-page logof chats from the HBGary hackers’ #HQchannel, Emick couldn’t believe herluck. On top of implicating thenicknames Sabu, Kayla, Tflow, andTopiary in the HBGary attack, the loggave her something even more revealing.

A tiny snippet of the chat log showedSabu telling the other hackers that theycould still log into a backdoor accounthe had created on HBGary Federal’sserver—something that could allowthem to snoop on the company’s e-mailsagain if they wanted. But when he typedout the web address, he accidentallygave away the name of his privateserver: www.google.com/a/prvt.org.

“Oops,” he had said. “Wrongdomain.” He then typed outwww.google.com/a/hbgary.com. “Thereyou go.”

But Sabu’s server address hadremained in Laurelai’s log. Emickquickly highlighted it and, knowing thatshe was onto something, pasted it into

Google. Sure enough, she came across asubdomain called ae86.prvt.org. Thename ae86 was important. Thesubdomain linked to cardomain.com, asite for car enthusiasts, where Emickfound photos and a video of a souped-upToyota AE86. With that model number,it had to be Sabu’s car. Cross-referencing the information on the carsite with the YouTube video of theAE86, she eventually found a Facebookpage with the URL,facebook.com/lesmujahideen, and thename Hector Xavier Montsegur. She hadslightly misspelled his last name, but thiswas the closest anyone had ever gottento doxing Sabu. Emick could not get hisaddress in the Jacob Riis housing

complex, but she did figure out that helived on New York’s Lower East Side.

She did some more research onSabu’s online exploits. She found that,years before, he had hacked into anobscure porn site calledChickenChoker.com and, oddly, defacedit with a message about being PuertoRican:

“Hello, i am ‘Sabu’, no one specialfor now…lately i’ve been seeing ALOTof Brazilian and asian defacers justcome out a leash their skills, i didn’t seeany Puerto Rican hacker’s, or well:‘defacer’s’, show up, so i guess i’ll beyour Puerto Rican defacer for now huh?elite…”

“It was political, but pointlessly

political,” Emick later said. Sabu wentto the top of her most wanted list. Hewas “megalomaniacal,” and “not verybright,” she added.

Eventually Emick and her team pulledtogether research on seventy identitiesand were dropping hints on Twitter andto the media that a large group of Anonswould soon be exposed. When shefinally wrote her stinging profile onSabu, published on the BacktraceSecurity website, she concluded that hewas Puerto Rican, close to thirty, andhailed from New York’s Lower EastSide. He’d had a “troubled” high schoolcareer and was relatively intelligent butresentful of authority and “success ofpeople he perceives to be less worthy

than himself…After sufferinghumiliations a decade ago following hisposting of rambling, incoherentmanifestos on defaced websites, he fellinto obscurity until publicly associatinghimself with the Anonymous protestgroup.” She got ready to announce hisreal name to the world.

Sabu, the notorious, well-connectedhacker who had rooted nationaldomains, had just been discovered by amiddle-aged mom from Michigan.

By mid-March, Emick had organized herlist of seventy names into a four-pagePDF file she named Namshub. In it shelisted Kayla as Corey “Xyrix” Barnhill,and Sabu as Hector Xavier Montsegur

from New York’s Lower East Side.Anyone who was a senior Anonymousmember was listed in red. She and Byuncontacted a few journalists and offeredto send them the list. They offered the#HQ chat logs, naturally, to AdrianChen, the Gawker reporter known forwriting skeptically about Anonymous.Since it would be difficult tocorroborate the list of names and Chendidn’t want to out innocent people, helatched onto the #HQ logs. They werebursting with juicy tidbits about the innerworkings of Anonymous hackers. OnMarch 18, he published an article titled“Inside the Anonymous Secret WarRoom,” featuring choice quotes from the#HQ channel. It showed Sabu

lambasting Laurelai, the grouppresumptuously congratulating oneanother after the resignation of Egypt’spresident, and the suggestion that thiswas a leading group for Anonymouswith Sabu as its head honcho.

Sabu, meanwhile, was seething.“I’m going to drive over to his house

and mess him up,” he told the others.Topiary and Kayla tried to calm himdown. Sabu was referring to Laurelai,noting angrily that he had alwayssuspected that “he/she/it” would betraytheir trust. What was worse for Sabu,and what he wasn’t telling anyone, wasthat Backtrace had noticed his “oops,wrong domain” comment that led to“Hector Montsegur.” With a close

approximation of his real name and hisprvt.org server address now out in theopen, Sabu had a potentially bigproblem. If the police followed up onBacktrace’s findings, they could come tohis door any day now.

But there was some upside. No onehad heard of Backtrace till now, and itwas possible that no one would take thedoxers behind it seriously. Besides,Sabu thought, his last name had beenspelled wrong; his real address had notbeen found; and there were probablyseveral Hector Monsegurs on NewYork’s Lower East Side. (This wastrue.) Sabu contemplated whether hecould laugh this off like everyone elseand continue hacking with this new team

of people that seemed to get on so well.Despite all the dangers, he was temptedto keep hacking.

“All wrong,” said Topiary in an IRCchannel with the others after he’d readthe four pages of names fromBacktrace’s document. Emick had namedhim as Daniel Ackerman Sandberg fromSweden. “I’ve never even been toSweden and have no idea who DanielSandberg is,” he said. He, Kayla, Tflow,and AVunit had met again in a new IRCroom to discuss the “exposé” and getsome light relief.

“They all still think im Xyrix!” saidKayla.

“It’s as if Aaron Barr is working with

them ;),” Tflow quipped. The group hadlong suspected (correctly) that Barr wassecretly collaborating with Backtrace totry to take down the people who hadattacked him.

“They got literally nothing right onme,” said AVunit, who had beendescribed in Emick’s document as a“coder” named Christopher Ellison fromIpswich, Britain. “Well, I suppose‘coder’ is right.”

“I’m also a paypal scammer,” Tflowjoked; he had not been given a name inthe document. “The only part they gotright about me is ‘Tflow’ and ‘phpcoder.’ But yeah, I feel flattered. Myname is in red.”

“Is this a new trend :D to see who can

make the worst dox file ever?” askedKayla. The group was feeling confident.Aaron Barr’s research had been wrong;Backtrace’s appeared to be wrong.People were trying, yet no one couldcatch them.

What they didn’t know was that whileBacktrace had been wrong on manynames, a few, including Sabu, had beenspot-on. One hacker who spotted his realname on the spreadsheet immediatelystopped everything he was doing withAnonymous and lived in terror over thenext few months that the FBI was comingto arrest him.

“I still get heart palpitations,” he saidduring a face-to-face meeting about halfa year later. “It’s the not-knowing that

kills you, whether you’ll have nothing,or twenty-five years, up in the air all thetime.”

Incidentally, Emick had shown nomercy for her mole, Laurelai, who alsoappeared on her list under her old real-world name, Wesley Bailey, and whowas described as “transgender” and a“former soldier from Duncan, Idaho.”Laurelai still did not believe (or at leastdid not want to believe) that Emick wasthe driving force behind Backtrace orthat Emick had betrayed her. No one hadproof yet of who was behind this anti-Anonymous group. That was fine withEmick. Once the spreadsheet of namesand HQ logs were leaked, she continuedto offer a sympathetic ear to Laurelai as

the “former soldier” complained aboutthe whole experience and about howdeeply she regretted passing the chatlogs to the person on Twitter named@FakeGreggHoush.

It wasn’t until many months later, atthe annual hacker conference DEF Conin Las Vegas, that Emick gave a speechand outed herself as the Backtrace co-founder.

“I was so pissed off [at Emick],” saidLaurelai after watching the video ofEmick’s speech on YouTube. “Believeme, I think about this daily.”

Later that year, in October, FrancoisPaget, an analyst at IT digital giantMcAfee, would do a study onAnonymous and the effectiveness of

investigative attempts by people likeBacktrace’s members, Aaron Barr, andThe Jester, who set out in late Decemberto unmask people in Operation Payback.His conclusion was that these attemptswere largely unsuccessful, even ahindrance to the police. At the time ofhis study, anti-Anonymous groups likeBacktrace had released about 230 namesfor pseudonyms, while police around theworld (excluding Turkey) had made 130arrests. In those arrests, police came upwith thirty names, yet there was hardlyany overlap between the names releasedby vigilante doxers and those discoveredby the authorities.

“I imagine they were more confusingthan useful,” Paget wrote.

Sometimes, though, you needed justone good name. A few weeks afterBacktrace’s release, the FBI contactedEmick and asked for her assistance intheir investigation. They were interestedin the name she had discovered for Sabu,but they needed to corroborate theirevidence with hers to see if this HectorMonsegur was definitely the right guy.What Emick had found so far wasn’tenough to make an arrest, and the FBIwanted to make sure they didn’t scarethe real Sabu away. He could proveuseful.

The HBGary hackers meanwhile hadsome hard decisions to make about howto approach the Backtrace drop. Theypredicted (correctly) that there would

later be other groups trying to outdoEmick’s work, in the same way she hadtried to outdo Barr’s. If they reallywanted to avoid handcuffs, Topiary andthe others had to think very carefullyabout what they did next.

Chapter 15

Breaking Away

In Anonymous there were three waysto respond to a dox:

(1) You could outright deny it.This was a common tactic butdidn’t always work. If theinformation was true, most peoplewould nonetheless deny it. It wasalso dangerous. The worst thing todo was state honestly what wasright and wrong about theinformation, since that would pointan investigator in the rightdirection.

(2) Go back to the doxers andbombard them with a stream offalse information and conspiracytheories, making them think youhave come around to their sidewhile confusing their research. Thisis along the lines of what Sabu did.Not long after the Backtrace drop,Sabu hopped over to the chatnetwork where Emick and hercolleagues sometimes hung out andpretended to offer her a private chatof the HBGary crew. Sabu pastedall the logs of his own chat withEmick back to the crew showinghow they had become friendly. Theteam had a good laugh.

(3) Say nothing and exit stage

left.

Topiary decided that the Backtracedrop had provided the perfect excuse fora clean break from Anonymous. Onceagain, he was feeling the urge to learnand experience something new. In thethree months he’d been with Anonymous,from December to February, he’d seenevery corner of Anonymous: fromwriting deface messages, flyers, andpress releases to watching a botnet takedown PayPal.com; from humiliating afederal security contractor and watchingthat turn into an international exposéinvolving a major bank and WikiLeaksto fronting a live-on-air hack of theWestboro Baptist Church.

Though Topiary had learned andexperienced so much, he was restless.Anonymous was starting to becomeboring. What had begun as one majoroperation had splintered into too manyside operations. It felt milked. Hecouldn’t tell if he was growing up orgetting bored with having destroyed somuch in a short period of time. And hewas tired of having people expectTopiary, Sabu, or Kayla to be at theforefront of everything.

Topiary had quit his part-time job in abike and auto shop after tiring of hisboss and had signed up for welfarechecks, which he was now fully relianton. He was keen to get out of the housemore and go back to school. He toyed

with applying to a course at his localcollege in Lerwick that could lead totaking a full psychology degree. In themeantime, the government housingauthority was ready to offer him a newplace to live in England. In a fewmonths, he planned to move off theremote Shetland Islands, find a new job,maybe study at college.

He wasn’t the only one who wanted tobreak away. Sabu had talked to Topiaryabout wanting to go dark after Backtraceand get away from all the heat. EvenTflow had recently moved away fromthe AnonOps network. The small cliquethey had formed was the one thingTopiary wanted to take with him. He notonly enjoyed their company but learned

from them. Kayla taught him how to hidehimself online, and Sabu taught himabout what was wrong with the world—from the rumors in Anonymous thatFacebook spied for the CIA to thecorrupt practices of white hat cybersecurity executives like Barr. Pressurefrom Backtrace and other enemies hadbrought them closer together andincreasingly made them isolated from therest of Anonymous.

Their group now consisted ofTopiary, Sabu, Kayla, Tflow, AVunit,and occasionally the hacktivist called Q—a concentrated group of elite Anons.AnonOps had been a gathering of theelite in Anonymous; #InternetFeds agroup of even more elite; and #HQ was

a distillation of that. This was the eliteof the elite, Topiary thought. Sabu hadonce used the phrase outside Anons todescribe Anonymous supporters in themain IRC channels and the words stuckin Topiary’s mind now.

The small group was nowpermanently based on a small IRCnetwork on Sabu’s own server. Theyrarely went on AnonOps IRC anymore, anetwork now swarming withcantankerous operators and what theyassumed were undercover Feds.Besides, their team was tight-knit.Relationships between Anons could bemore important than the circumstancesthat brought them together when it cameto deciding how successfully they would

go after big targets. It didn’t matter howpopular a target was or how easily itcould be attacked. If a group workedtogether well, they were more likely toachieve a good hit against an outsideparty. If they squabbled, they mightrecklessly attack one another instead,sometimes through a war of words orthrough doxing each other or perhapseven by trying to DDoS one another’sIRC networks.

Much of the drama between people inAnonymous stemmed from fights aboutstatus on an IRC chat room. Organizingthings on the network was a bit likeorganizing a company in a headquartersbuilding. Some rooms, like theboardroom, were designated well-

known places where executives coulddiscuss important issues. But important,deal-breaking events were just as likelyto be muttered under the breath in thebathroom or at the local bar. It wassimilar on IRC, except here the entirebuilding was constantly in flux, withrooms you could create out of thin airand destroy in a moment, where youcould decide who entered, how manypeople could come inside, and what sortof speaking status each could have.There was never one channel where allthe important things were discussed, andif there had been, it wouldn’t have beenaround for long. Anons were alwaysswitching from one network to another toprevent leaks like Laurelai’s, and

hackers in particular rarely met on thesame servers, networks, or channels fortoo long, lest someone snitch on them.

“I sometimes curse at the amount ofchannels,” said a member of the #HQhacker team, AVunit. The hackers oftenneeded to keep their rooms secret forsecurity’s sake, and there weresometimes hundreds floating around onAnonOps. Of course, this made otherAnons feel there was a hierarchy andthat operations were being directedbehind closed doors. (Not entirelywrongly.) Putting a +i or invited-onlymode on a channel like #InternetFedswas like waving a red flag in front of abull. “It makes people think the weirdestthings” about what was really going on,

AVunit said. And despite #HQ’s name,it wasn’t a headquarters for all ofAnonymous. It was just a name oneperson had picked on a whim. Making achannel was like making coffee foreveryone else in the group. People tookturns.

There were different ways of gettinginto the secret channels. One idea ofAaron Barr’s had been to infect theLOIC program and then, under a newnickname, call out the infection to gethimself into private coding channels.And you could be in multiple channels atonce. By mid-March, Topiary himselfwas moving between twenty-threedifferent AnonOps channels, includingCommand, OpMetalGear, OpNewBlood

(for coaching new Anons), andStarFleetHQ, the channel that housed amassive botnet belonging to theAnonOps operator Ryan. Tflow was inmore than fifty. People tried pretendingto be one another but it often didn’t worksince nicknames were registered with apassword.

There was an array of symbols— ~,&, @, %, and +—used to show thestatus and power of each person in eachchannel; every symbol corresponded toone of the five levels of status. Thesestatus levels were known as channelowner, super op, admin op, half op, andvoice. The sight of these seeminglyinnocuous icons could mean everythingto people who were regularly on IRC

because of what they allowed you to do.If you were an op (% or above) youcould mute the majority of users whodidn’t have a symbol by hitting +m.Someone with % could kick out anyonebelow their status. With @ you couldedit a channel topic and ban people,while & could ban a user on sight.

The idea behind all this was to ensureIRC channels didn’t turn into a spam-fest. Unfortunately, power often went topeople’s heads, and operators wouldsquabble and kick out people they didn’tlike. The ability to threaten permanentbans gave them the power to disruptentire operations if they wanted.

No, the name of the female operatorwho had told new Anons that LOIC was

legal and fine to use was known forregularly booting users out of theinformal #lounge channel if they werespamming too much. It wasn’t clear ifshe did this just for kicks or because shewas genuinely trying to maintain thepeace. You didn’t have to own serversor have technical skills to become anAnonymous IRC operator. Rumor had itthat No had gained her status by flirtingwith other male operators.

Many Anons hated or feared the IRCoperators—they were like the bosseswho didn’t deserve to be bosses. Andthe operators could get away with tellingpolice that they were not part ofAnonymous. The police came to No’shouse in Las Vegas at 6:00 one morning

in February. Mercedes Renee Haefer,who was nineteen at the time, answeredthe door in her pajamas to find policeofficers wearing vests and wieldingguns. They raided her home, took twocomputers (one a Mac), an iPhone, and arouter, all part of a sweep by the FBI tofind people involved in OperationPayback and the attack on PayPal. Whenthey found a mock-up flyer of her littlesister with revolutionary imagery, partof a family joke, they asked with deadseriousness if it was an upcomingoperation for Anonymous. She laughedand almost said yes.

Other Anons had been getting arrestedtoo, mostly men in their midtwenties. OnJanuary 27, about a week before the

HBGary attack, British police arrestedfive men in connection with theOperation Payback attacks onMasterCard, Visa, and PayPal. Two ofthem were alleged to be AnonOpsoperators: Christopher “Nerdo”Weatherhead, a plump twenty-year-oldstudent from the city of Northampton inEngland, and “Fennic,” a skinnyseventeen-year-old with long hair fromSouth London whose suspected realname could not be published for legalreasons. By June of 2011, at leastseventy-nine people in eight countrieswould be arrested in connection withAnonymous activities.

News of these early arrests inJanuary, followed by persistent doxing

by people like Emick, meant thatTopiary’s primary concern was nolonger what would happen toAnonymous if his small group wentquiet. Others would find a way to carrythe movement forward. If the IRCnetwork collapsed, they would moveback to image boards. If someone wasarrested, more would join. Almostnothing had happened with Anonymousfor two years until #savethepiratebaysuddenly snowballed into WikiLeaksand thousands of newcomers startedseeing a solid infrastructure toAnonymous. Then the buzz on AnonOpsIRC had nearly died until HBGarymagically came along. It was often just amatter of circumstances—major news

events like WikiLeaks or a singleclarion call on /b/ to fight Scientology.

Topiary marked his split fromAnonymous with an elaborate getaway.He typed up a fake IRC chat log betweentwo friends discussing how Topiary hadbeen arrested and then made sure it waspassed around until several peoplebought the story.

<contact> i need to talk to…

someone…are youQ?

<marduk> lol. depends. whoare you?

<contact> i was told to geton anonops andfind either a Q orTflow. someoneyou know once

gave me anemergency contact.you should knowthat guy as topiary

<marduk> top? haven’t seenhim in around thelast days

<contact> i know him in reallife. i live close by.there was majoraction near hishouse. somepeople and carsgathering aroundthere. since then ihavent seen him

<marduk> it wasn’t policewas it?

<contact> i dont know but idont think so.

The complete fake log was long and fullof typos, inept questions from “contact”about AnonOps to suggest he was new tothe network, along with healthyskepticism from Marduk. The idea wasto make the “friend” sound scared butnever push the idea that Topiary hadactually been arrested. If he left enoughgaps, others would come up with therumor themselves.

Topiary leaked the log to five trustedindividuals, making sure each versionwas slightly different—an extrapunctuation mark or a tiny difference inspelling. If the log ever leaked to agroup like Backtrace, he would be ableto pinpoint who had done it. Topiarychanged his nickname to Slevin and,

with a slightly heavy heart, whittled hiscontacts on Skype down to threeunnamed people.

There was the sound of clattering asJake put dishes in the sink, including aplate covered with crumbs from a fishpie he had just eaten. Still a frequentvisitor to 4chan’s “cooking” board, heenjoyed making his own meals,particularly fish or meat pies. Turning onthe water, he glanced out his kitchenwindow and noticed a police van parkedon the road a few houses down. Hisheart raced. Quickly he went back to hislaptop to let his small group know whatwas up.

“Back in 15,” he told AVunit under

his new nickname, Slevin. He would notmanage to keep the name for long; it justwasn’t how people knew him.

“Good luck and stay safe, Top.”By the time Jake had signed out of his

IRC channels and put his coat on, thepolice van was gone. It was a sunny day,cold and brisk, with the usual windcarrying scented undertones of the saltysea. Jake put on his earphones and tookthe twenty-minute walk into town, hishead lowered as usual, his shouldersslightly hunched. He glanced around forany sign of the police van. There wasnone.

He went to a café near a hill.Resplendent with leather chairs, woodentables, and soft lighting, it was probably

the most modern eatery in town. Heordered a latte to go and hiked to the topof the hill to sit in his usual thinking spoton finely cut grass, a place where hecould drink and look out at the view.Next to him were a handful of iron-blackcannons, used generations ago to blastholes into the ships of marauders tryingto invade Shetland. Now they were quietrelics, their shells varnished withprotective paint. He could have sat onone, but it felt somehow disrespectful.

He walked back. The police van wasstill nowhere to be seen. Most likelythey had been there to check on the localdruggies. Jake lived in a poorneighborhood, and the several heroinusers next door often played loud music.

One male resident had once been so highhe had hung a heavy rug outside on theclothesline to dry even though it wasraining. The next morning he wrestled itoff the line and swung it around in anattempt to dry it even though it was nowwaterlogged beyond repair. When thedruggies were being loutish or annoying,Topiary would redirect their wirelessconnection so every click would go tothe Goatse shock site and then renametheir WiFi connection heroin-hidden-under-the-house. In the past year, theyhadn’t so much as thrown a beer can onhis front lawn.

Jake stepped back into his house andwent to his laptop. He got online andcaught site of a news headline about

Anonymous. It appeared that Anonymoushad just declared war on Sony, anenormous target. This time he had noidea who was driving the attack, and hewas completely fine with that, evenhappier to have stepped away from itall.

It was April 1 and a few Anons had justpublished a new digital flyer.“Congratulations, Sony,” it read. “Youhave now received the undividedattention of Anonymous.” This time,while Topiary was AWOL, 4chanvigilante William had jumped into theattack with gusto, his main role being tohelp dox Sony executives and theirfamilies as part of a side operation

called SonyRecon. All of this washappening because earlier that spring,Sony had sued a hacker named George“Geohotz” Hotz after he had figured outhow to jailbreak the until-thenunhackable PlayStation 2 game consoleand then announced on his blog howpeople could download games onto theirown systems for free. Age twenty-one atthe time, Geohotz was already wellknown for jailbreaking Apple’s iPhoneand iPad. Now Sony was accusing himof breaking the U.S. Computer Fraud andAbuse Act by hacking their console.

Over the next few days, Anons whohad downloaded LOIC launched a DDoSattack on several Sony websites and itsPlayStation Network (PSN) for gamers.

The PlayStation Network then wentoffline, angering millions of gamersaround the world.

William, who was usually skepticalof larger Anonymous raids, was inspiredby this particular attack and the sideoperation he was working with. Alreadyhis team had dug up personalinformation on several Sony executivesand their families, including Sony CEOHoward Stringer and his grownchildren.

“This is the most focused attack yet,”he enthused at the time in an interview.“The social engineers know their placeand so do the hackers. This is one of thefirst times I’ll be working as part of ateam, and knowing EXACTLY my role

within that team.” He reasoned that Sonyhad treated Geohotz (“one of our own”)in a way that was anti-freedom, anti-expression, anti-individualism, and,thus, “anti-Anonymous.”

William did not mind that there wereobvious tiers in Anonymous, withhackers and writers at the top and socialengineers and LOIC users near thebottom. Each side rode on the other’sreputation—William scared his targetsby claiming he was a hacker, andhackers could ride on the infamy ofAnonymous because of the way lessskilled people bandied the name around.

The DDoS attacks on Sony continuedfor several more days, and they becameso unpopular that just before April 7,

Anonymous announced it was callingthem off.

“Anonymous is not attacking the PSNat this time,” a new press release said.“We realize that targeting the PSN is nota good idea. We have thereforetemporarily suspended our action, until amethod is found that will not severelyimpact Sony customers.”

Strangely, though, the downtime forthe PlayStation Network continued, andgamers were furious. On April 22,Anonymous posted a new press releaseon AnonNews.org titled “For Once WeDidn’t Do It.” The network had beendown for almost three weeks now, and itwas clearly not because of an ongoingDDoS attack.

Just as strange: Sony itself had beenquiet for weeks. Finally, on May 2, thecompany made a startling announcement.There had been an “intrusion” to itsnetwork some time between April 17and 19. Hackers had compromisedpersonal and financial details of morethan seventy-five million accounts withthe PlayStation Network. This was ahack that affected tens of millions ofpeople. Nobody in Anonymous wastaking responsibility, and nobody onAnonOps seemed to know who hadstolen all those user details. Yet by theend of that month, Sony had spent $171million trying to patch the securitybreach, and within a few months, newsoutlets were reporting that Sony’s

related costs from the breach could pushpast $1 billion.

Sony then wrote an explanatory letterto the U.S. House of Representatives.The cyber criminals, they said, had left afile marked “Anonymous” and “We arelegion” in the system. It might have beena calling card or an attempt by criminalhackers to throw police off their scent,but in any case the news quicklyremoved any public legitimacyAnonymous had gained from its protestsfor WikiLeaks and the Middle East andfrom the information it had uncoveredduring its attack on HBGary.

At first, many Anons liked the notionthat hackers had damaged Sony sodrastically—but the taste was

bittersweet. No one knew who hadperformed the heist, and there had beenno official Anonymous statement—onlya strange file left in secret. The wholeaffair had a dishonorable feel to it.

To make matters worse, AnonOpssoon had internal problems to deal with,as word started spreading of a majorleak on the network. A rogue operatorhad published a list of 653 nicknamesand their IP addresses, the strings ofnumbers that if naked could lead police,Internet trolls, and anyone who knewhow to use Google straight to theindividuals’ doors. Once again thenewbies, not the real hackers, were mostat risk.

Almost immediately, AnonOps IRC

became a ghost town. The hundreds ofregular participants who’d been on thelist were too scared to sign back on.Some retreated to other IRC networkslike EFnet and Freenode, while somekept talking on blogs and forums.Anonymous was suddenly a diasporawith no natural meeting ground.

Former AnonOps admins, includingOwen, Shitstorm, Blergh, and Nerdo,released an official statement saying theywere “profoundly sorry for this drama”and urging visitors to stay away from theAnonOps IRC servers.

After two days the name of the culpritfinally emerged. Ryan had been an IRCoperator who used his servers to hosttwo popular websites for Anonymous

supporters. He was known for being atemperamental web administrator whogot a kick out of hosting thousands ofpeople on his servers, and as the guywho had told Topiary about faking theLOIC hive number back in January. Hewas also one of the rare handful ofpeople who controlled a large botnet.Ryan was considered something of aloose cannon, and it seemed that asclashes with network operators becamemore bitter, he had gone off the rails.

Ryan should have expectedrepercussions, and they came whensomeone dredged up his real-life details.Ryan had allegedly begged Sabu toprevent his details from gettingpublished. When that didn’t get him

anywhere, he used his botnet to DDoSthe AnonOps network and several otherAnon-related websites. Despite this, onMay 11, Ryan’s full name was publishedonline, along with his home address inEssex, Great Britain, his age, cell phonenumber, Skype name, and the e-mailassociated with his PayPal account—allpresented on a simple black web page.The doxer had listed his full name,correctly, as Ryan Cleary. The top of thedocument said “Doxed by Evo,” adding,“Shouts to Kayla, Sabu, Owen, #krack,#tr0ll and all of AnonOps.” Evo wassomeone who frequented Kayla’s IRCnetwork, #tr0ll. As a few media outletsreported on a “civil war” in Anonymous,Ryan denied the details were true,

claiming in one IRC chat that they werefalse details he had released himselfthree years prior.

Anonymous was starting to look like ajoke. Operation Sony had been called offand then apparently hijacked by hackerswho had tried to use it for cover. Andnow a former AnonOps operator hadturned against the network too. Nobodywas interested in raids and operationsanymore, only in gossip, politics, anddefending Anonymous’s reason forexisting.

“Sony and Ryan may have capped anend to a crazy roller-coaster ride,”Topiary observed at that time. But whilehe was glad to be on his break from theongoing drama, he was also talking to

Sabu again. He couldn’t help feelingcompelled to relive the whirlwindexperience of the previous winter. Ifthey got the HBGary hackers backtogether, they could show Anonymoussomething new, something that would benot only inspiring, but jaw-dropping.

Chapter 16

Talking About aRevolution

Distance from Anonymous meant Jakewas getting real-life things done. Hishouse had never been cleaner. To the leftof his desk was a large notice boardwith paperwork and a calendar, andthere was a thirty-eight-inch monitor tosupplement his laptop. The couch in hisliving room was cleaned, and next to itwas a table with cables stored neatlyunderneath. Psychology books werestacked on top, along with a JamesPatterson novel about wizards called

The Gift. He had time to iron his clothesproperly—no more creases that madehim feel like he was wearing crumpledpaper. Some of his recently washedclothes were hanging on a rack, soakingup the heat from a radiator that wasinches away. It was spring but stillbitterly cold outside.

The local college had liked hisapplication for a preliminary psychologycourse and had accepted himstraightaway. Having been out of theeducation system for four years, Jakewas looking forward to the brisk twenty-five-minute walk to his new courses andpushed away concerns that someone inclass might recognize his voice from theWestboro video. He had always known

that Anonymous would come and go, andhe didn’t want it to overshadow his firstreal crack at college. With around sevenhundred pounds now saved in the bankaccount that he rarely touched, he hadeven started treating himself to a mealevery Thursday night at the Ghurka, whathe considered to be the island’s bestIndian restaurant. Its Chicken-MadrasCurry, complete with french fries, garlicnaan bread, and Gurkha beer, cost£13.75 ($21.80), but he always paidwith a twenty-pound note and didn’t takechange. He liked the waiters and the waythey chatted amiably about their livesback under the scorching sun in India,while the cold Shetland wind blewoutside. Inside, the restaurant was a

haven, garnished in Asian decor andwith calming sitar music playing in thebackground. Jake would mostly sit andbrood by himself. Over the comingmonths, as he became busier again, hewould visit the Ghurka more than twentytimes as a form of therapy, a chance torest his mind before climbing up the hillto his front door and opening it to seelines of text frantically moving up thescreen of his open laptop.

Kayla, Tflow, AVunit, and Q had alsotaken a break from Anonymous, leavingjust Jake (as Topiary) and Sabu in thegroup’s private chat room. Sabu wouldlater remember the others leavingbecause they had “got scared,” and heand Topiary being stuck together on their

“own little island.”The two were talking sometimes for

several hours a day in between the othergoings-on in their lives. They got toknow each other a little better. Topiarynever dared ask Sabu what he had donein the past, but the older hacker laid itout anyway. He told stories abouthacking the Puerto Rican government,about cyber war with Chinese hackers,about his defacing spree, about goingunderground, and about why he hadcome back to support Anonymous theprevious December. Topiary foundhimself in awe of Sabu’s relentlessdrive to be a hacktivist after anincredible eleven years, and of his longmonologues about refusing to sit down to

an authoritative society. Even whenSabu was tired after a long day of workand family, he’d perk up when talkturned to politics and society.

Though Sabu loved technology andhacking, it seemed that his heart lay insocial and political change. In the realworld, Hector Monsegur had come fromNew York City, gotten into real-lifepunch-ups with other men, and evendone some jail time. He was deeplyresentful of people who abusedpositions of authority, holding aparticular disdain for white hat ITsecurity firms and corrupt policeofficers. Right up to adulthood he wasregularly getting stopped and searchedby the police, the feeling not much

different to when his high school’s headof security had taken away hisscrewdriver.

Monsegur claimed in one interviewthat, earlier in 2011, two cops, oneAfrican American and one hailing fromthe Dominican Republic, had stoppedhis car while he was driving through awealthy part of town. One of the officerscame to his window and claimedMonsegur had run a red light. Monsegursuspected it was more likely because hedidn’t fit in with the local area. Theofficer requested his license andregistration then asked what he wasdoing there. Monsegur showed him hispapers. Then he was asked to step out ofthe car.

“What happened?” he asked.“Just go to the back of the vehicle,”

the officer said. Monsegur walkedaround to the back, where the secondcop handcuffed him.

“What’s going on?” Monsegur criedas they put him in their squad car. “I gota family. Why you handcuffing me?”

“You fit the description of someonewe’re looking for,” one of the policemenfinally said.

“Okay. All right,” Monsegur said,trying to stay calm. “Give me thedescription.” The officers hesitated atfirst but eventually described a manwho, while slightly similar to Monsegur,had a different height, date of birth, haircolor, and skin tone. They finally

showed him a picture of the suspect.“Yo, listen,” he said after looking at

it. “Look at me. We’re different in everyway. He’s got tattoos on his neck. I’vegot short hair.” Then he turned to theDominican cop and asked in Spanishwhy he was being arrested.

“You do kind of look like him,” thecop replied in English.

“So…where are the tattoos?” heasked, glaring at the cop.

“You could have had them removed.”Monsegur rolled his eyes and fell

back into his seat, his mind blazing. Itwas true he had tattoos, but nothing onhis neck. As they drove him away, heheard one of the officers get on the radioand tell the precinct they were bringing

in a “boy” that matched their suspect’sdescription. He heard a crackling,disembodied voice from base ask fordetails and if he definitely matched. Assoon as one of the cops mentionedMonsegur’s height and date of birth, thevoice asked why they were bringing himin. The cops looked at each other. “Lethim go right now,” the voice continued.They shrugged and turned the car around.

Monsegur felt relief wash over him.As they pulled up next to his car, herealized his lights and radio had beenleft on. The battery was dead, and hewas stranded at ten o’clock at night.

It was an especially maddeningexperience, but by no means the onlyone. Monsegur claimed that he was used

to walking down the street, beingstopped, and getting frisked, the phraseYou fit the description echoing in hisears. Growing up on the Lower EastSide in the 1990s, he had seen the effectsof Mayor Giuliani’s order for the NYPDto concentrate on neighborhoods withhigh rates of drug use, and using recentlyenlarged tax revenues to hire aroundthree thousand new police officers to hitthe streets, bringing the total number ofNYPD cops to around forty thousand.Monsegur saw them as the city’s biggestgang, authoritative thugs who madecitizens like himself feel like animals.He wanted to change that. In addition tohis hunger for recognition and respect asa skilled hacker, he wanted people like

himself who had been brought up in theprojects to know their rights.

Monsegur had not come from a familyof political activists, but hacking hadgiven him a voice. It got him noticed.Breaking into databases and disruptingservers was how you subverted themodern world’s corrupt powers. As hegrew older, he had become more cynicalabout the world around him, and moretemperamental when he became thetarget of criticism himself. Perhapstellingly, for instance, he hated nothingmore than being called a snitch.

But his cynicism was broken for awhile when Operation Payback camealong in late 2010. So excited was he atits potential he couldn’t help but inflate

the importance of Anonymous and, later,his own importance in it.

“We give police officers in the UnitedStates the power to shoot us and getaway with it. Anonymous can now standup to that threat,” he said during aninterview in April 2011. “The world hasallowed dictatorships and tyrants to gounquestioned for decades. Noworganizations like Anonymous can askthose questions.”

Sabu believed Anonymous’s greatestpower was its lack of hierarchy. Hepointed to a U.S. governmentcounterintelligence program in the 1960sand 1970s called COINTELPRO, whichsaw the FBI quietly subvert activist andpolitical organizations. They had used

HBGary-like tactics of subterfuge andmisinformation to erode the power oforganizations from the Black Panthers tothe Puerto Rican FLN to the KKK toMexican gangs, often doing it from theinside. The reason many of theseorganizations died out, Sabu believed,was that they had a structured hierarchy.

Anonymous was different. If someonearrested Monsegur, there would be tenmore like him to take his place. Byleaking e-mails or helping Internet usersaround the world bypass governmentfiltering, Anonymous could assist peoplelike Julian Assange and his allegedwhistle-blower Bradley Manning oncethey were arrested. When he had firstheard about Assange’s arrest, Monsegur

had gone online as Sabu and looked forvulnerabilities in the networks oforganizations related to Assange’s case,from the court that allowed Assange’swarrant to those who ended up takinghim to jail. Sabu claimed his researchled to a wealth of information for futureoperations, though he never released itto the public.

“[It’s] for future use,” he said in oneinterview. “I’m sure sooner or lateryou’ll see my results. Juicy stuff,though.” A verbal teaser like this abouthaving dirt on Assange’s prosecutorswas typical of the Sabu persona. Hintingat the prospect of a big operation or leakwas key to how he would later hook theattention of other Anons, like Topiary,

and even of major newspapers, all fromthe comfort of his computer. As Sabu, hewould often say things like “Somethingbig is about to go down. I’ve foundsomething. You’ll want to see it.” Hewould then keep quiet on details forseveral weeks, and sometimes he neverexplained it at all.

Sabu knew that many saw Anonymousas a group of miscreant trolls. “And I’msure some people want it to stay thatway,” he said. Even as AnonOps hadbecome disorderly, Sabu believedAnons could become organized andchange the world. “It lives, it thinks, itbreathes,” he said.

As he and Topiary reflected onAnonymous throughout April, they

realized that as much as they wanted toleave, they also wanted to stay. For Sabuit was the activism and recognition; forTopiary it was the fun, the learning, andthe ability to cause a stir. If Topiary wassocially awkward in real life, he hadbecome a wisecracking hero online.They wondered how they could makethese experiences continue now thatAnonymous had gone quiet.

One night around mid-April, Sabutold Topiary again that as much as hebelieved in Anonymous, he wanted to goback into hiding more permanently.Suddenly, alarm bells went off inTopiary’s head. Something about thatfelt wrong, as if they were on the vergeof missing out on something truly

remarkable. He started talking Sabu outof it.

“You’re already out in the open now,”he told Sabu. Their team had created amedia storm, meaning there was enoughattention and momentum to work towardhis goals, to continue the hacktivistmovement. “If it doesn’t happen now itwon’t happen ever,” he added.

Sabu took this in.“Now’s a good chance to do it,”

Topiary pointed out. “We’ve got theattention, the contacts, we’ve gotAnonOps servers up and everythingrunning smoothly. This might be yourlast chance to get this out there.”

In reality, Topiary wasn’t interestedin hacktivism the way Sabu was. He had

just enjoyed chatting with his team andwanted to have fun. Their elite team haddrifted apart, with Kayla, Tflow, andAVunit still on their respective breaksfrom hacking. But the two hadreminisced frequently about how wellthe group had gelled before, and nowTopiary was broaching the idea ofgetting everyone back together again. Hemade a convincing argument, and Sabustarted agreeing that in spite of his realname now out in the open, he and theothers could do something great together.Sabu later talked about reaching a pointof no return, and it may well have beenduring these discussions with Topiarythat he decided to cross a line and notturn back.

Sabu later remembered things“clicking” with Topiary when talk hadturned to inspirations and aspirations. Itwasn’t that they suddenly wanted to hackthe planet. “It was more like we bothbelieve in Anonymous. Let’s worktogether and go from there. And ofcourse, he [Topiary] liked the mediaattention.…I guess the obviousconnection there is I do the hacking andyou do the speaking.”

Sabu had been wary of how publicTopiary could be, but he admired hisspeaking and debating skills. Thisexplained the unusual nature of theircollaboration; though they were almostpolar opposites in personality, therewere ways in which the two dovetailed.

Sabu seemed to like Topiary’s tabularasa worldview, which made a goodsounding board for his rails against thesystem. Topiary hadn’t had a personalbeef with white hat security firms, butafter enough conversations with Sabu onthe matter, he soon hated them too.

Sabu was also drawn to Topiary’scelebrity in the world of AnonOps IRC.His nickname had a buzz—if it appearedin a chat room, conversations stoppedand people called on him to talk. It wasthis point that would later give Topiarypause when he thought back to why hehad ended up collaborating with Sabu. Itwasn’t that Sabu was using him,necessarily, “but there was definitely areason he wanted me around.”

Sabu was open about this.“When you’re in a chat room, it

motivates people,” he told Topiary, whocouldn’t help but feel flattered. AndSabu would also tell Topiary that hewas his “brain of reason.” The tautologyreferred to the way Topiary would helpcalm Sabu down when he got too excitedor upset about an issue. “I would explainthings,” Topiary later remembered. “Iwould guide him on how to go about anoperation a certain way, rather thangoing full throttle. Don’t releaseeverything in one go. Release it bit bybit.” HBGary was a case in point: theteaser e-mails, the Tweets to draw pressattention. There would be much more ofthat in the coming months.

Within the space of two weeks, eachhad somehow convinced the other to stayin the game and to bring the old HBGaryteam back together. With their smallgroup, maybe they could get the massesmoving again. They could supportAnonymous 100 percent, but they didn’thave to be called Anonymous.

“This means if we want to mess withsome white hat company, we wouldn’truin the Anon image,” Topiary saidduring an interview in April 2011, whilehe and Sabu were still discussing theidea. “We figured it’d be too far to callourselves a hacking team with a cheesybanner, so we haven’t decided much.”

Kayla had been flitting about online,so they created an IRC channel called

#Kayla_if_you_are_here_come_in_this_channel.Once Kayla came back, she said she wasinterested, and the three of them startedthrowing ideas around. One was to setup a new IRC network for Anonymous,since Ryan’s leak in April had turnedhundreds of users off its channels.Detractors had bombarded the networkwith DDoS attacks, and while regularvisitors had dwindled, the number ofpeople claiming to be operators hadswelled to forty. With AnonOps now sotop-heavy, there was chaos in ninedifferent “command” channels, leader-of-leader channels, and secret channelsto talk about other operators. Thenetwork was about to crash under itsown weight, and Anonymous needed a

safe, organized place to meet. But byearly May, the AnonOps operators hadgot it together. They had whittled theirservers down from eight to two, andtheir operators from forty to eight. AnIRC network now looked less necessary.

“I probably would have quit if wehadn’t talked so much and ended upgetting Kayla back,” Topiary would saymany months later. “In a way I wishSabu hadn’t trusted me so much.” In afew days, AVunit came back from hisbreak and joined the group too. Therewere now four of the old team backtogether who were interested in doingsomething big—they weren’t sure whatexactly—to reinspire Anonymous. Therewas no turning back now.

One late morning, during a period whenthe team was still mulling over what theycould do together, Topiary got out ofbed, got on his laptop, and saw Sabuonline, along with Kayla. It must havebeen about five in the morning in NewYork.

“Guys I was up all night looking atsites to go after,” Sabu said. “And Ifound this big FBI site.” Topiary’sbreath quickened for a moment. “I’ve gotaccess to it,” he added.

Sabu then pasted a long list of aroundninety usernames and encrypted hashes(which corresponded to theirpasswords) from a website calledInfragard. The list of names represented

half the site’s user base. Topiary andKayla immediately started trying tocrack them, excited by the prospect of“hacking the FBI.” Just a few minutes in,Topiary Googled Infragard, and herealized they were dealing with anonprofit affiliate of the FBI, not theorganization itself. He thought brieflyabout asking how Sabu had found thesecurity hole or pointing out that itwasn’t exactly a “big FBI site.” But hedidn’t want to dampen the team’sexcitement.

All the users had been verified by theFBI to gain access and all worked in thesecurity field; some were even FBIagents. Yet their password choices werequestionable, at best. One of the users

had used “shithead” as a password foreverything online; another had“security1.” Only about a quarter of theusers had passwords the team couldn’tcrack. It is a general rule in IT securitythat any password that isn’t acombination of letters, numbers, andsymbols is weak. It is not particularlyhard to memorize “###Crack55##@@”or “this is a password 666,” but both ofthese would be extremely difficult tocrack. (The hardest passwords todecipher are phrases, which are alsoeasier for password holders toremember.)

After someone downloaded the entiredatabase of users and then converted itinto a simple text file, Sabu loaded the

25 percent of password hashes that theteam couldn’t crack into the don’t-ask-don’t-tell password cracking servicehe’d used for HBGary Federal,HashKiller.com. Sometimes kids usedthe site to send encrypted messages toone another, with the challenge to crackthem. When nefarious hackers broke intothe user base of a website, they wouldtypically dump all the so-called MD5hashes into a database and start crackingthe easy ones first, then let HashKiller’sforum users do the rest.

An MD5 hash was a cryptic languagethat corresponded to words or files, andit typically looked like this:

11dac30c3ead3482f98ccf70675810c7

This particular string of letters andnumbers translated to “parmy,” so theresult on the site would look like:

11dac30c3ead3482f98ccf70675810c7:parmy That information would then be stored inHashKiller’s database, so if anyonetried to crack the password “parmy” andhad the MD5 hash, he could do itinstantly. The result from Hashkiller.comwould look like this:

Cracking hash:11dac30c3ead3482f98ccf70675810c7Looking for hash…Plain text of11dac30c3ead3482f98ccf70675810c7is parmy

It was that simple. This was why it wasa bad idea to use single-wordpasswords, like “parmy” or—evenworse, because it is commonly known—“shithead.” Each password alwayshad the same MD5 hash. And once itwas in HashKiller.com, everybody knewit. A lack of context kept thingsrelatively secret: everyone could see thehashes and cracked passwords inplaintext but nothing else. Using the sitewas free, and Sabu had only to sit backand wait for the passwords to becracked by volunteers.

Once someone cracked the admin’spassword, the surprisingly easy“st33r!NG,” Sabu created a web pagethat he secretly attached to the website

for Infragard Atlanta, known as a shell.It was the same sort of page that thesite’s administrators would use tocontrol its content, allowing him to addnew pages or delete others. Thedifference was that the admins knewabsolutely nothing about Sabu’s page.Since the page for the original controlpanel had been xootsmaster, Sabu namedhis new shell page /xOOPS.php. Hecould have just gone through the maincontrol panel since he had the rightpassword, but that would mean clickingthrough a series of options and a longlist of directories. The shell was a moresimply designed page that made itquicker and easier to mess with things.

The team lurked on the site for a few

weeks while sitting on its entireusername and password base: twenty-five thousand e-mails from the personalaccounts of the site’s users, a mixture ofsecurity consultants and FBI agents.Topiary and his friends had all theirpasswords, full names, and e-mails. IfTopiary had been feeling malicious, hecould have logged into the PayPalaccounts of one of the more senior usersand started splashing money all over theplace.

“That would be bad,” he said at thetime.

They had access that could let themdeface the site in seconds, but theywould wait it out. The crew was stillfeeling the heat from HBGary, the #HQ

log leaks, and Backtrace, and theyweren’t quite sure what they werebecoming yet. So they settled for spyingon the users’ Gmail accounts, justwatching the mails roll by. Nothingparticularly significant was beingdiscussed, but the group decided that ifone of them got arrested, they wouldpublish everything.

“Most professional and high-levelhacks are never detected,” one hackerwith Anonymous who went on to supportSabu and Topiary’s team said monthslater. Not long after the Infragard breach,another group of hackers broke into thecomputer network of Japan’s parliament,stealing login information and e-mails. Ithad taken three months before anyone

figured out what had happened. The hackhad involved infecting the computerswith a virus, most likely by sendingemployees e-mails that carried Trojans.This was how script kiddies worked, theAnonymous hacker said dismissively. Itwas loud, common, and didn’t requiremuch skill.

Sniffing around passively withoutanyone knowing always made sense.You could steal a database, sell it tospammers, and move on to other ways ofhustling for money. With Anonymous,there was also that obligation to cause astir. But it depended what you hadhacked into. The Anon claimed thatwhen he breached a network, most of thetime he acted “passively.” At one point,

for instance, he and another team hadfound a hole in a large foreign-government server leading to data onvarious hospitals. His team did notdisclose the data and instead notified theadmin of the problem. They even deletedtheir own copy of the data, sincereleasing the information would be“counterproductive.” On that same hack,however, they also found anadministrative server for that sameforeign government that contained all IPranges for its online services. “We surereleased that,” he said.

The paradox for hackers who becamepart of Anonymous was that there wassuddenly a reason to go public with theirleaks to make a point. With Infragard,

Sabu, Kayla, and Topiary were takingthe sniffing-passively route. What thegroup did with this information wouldset them apart from other hackers whosought money, curiosity, or a sense ofpersonal achievement. They just neededthe right moment.

Chapter 17

Lulz Security

Soon it became clear to Sabu, Topiary,and Kayla what they were reallydiscussing: the creation of a new hackingteam. It would be, in one way, likeWikiLeaks. It would publish classifiedinformation that hadn’t been leaked, butstolen. The idea didn’t sound as nerdy asTopiary had thought a few months back.

They decided unanimously that theydid not want to be constrained by thebroad principles underlying Anonymous,which were:

1. choosing targets because they were

oppressors of free expression2. not attacking the media.

The idea was to do whatever it tookto inspire Anonymous with new lulz, andmaybe even grab the limelight again. InTopiary’s mind, this would lead tosomething far greater than any of thepranks he had ever pulled. The wholeidea of lulz didn’t sit comfortably withSabu, who was more interested inhacking as a form of protest. But herealized Anonymous needed someinspiration, and he figured he could steerTopiary and the others toward moreserious pursuits. Kayla was just happy atthe chance to tear up the Internet again,and since they needed to target more than

just the Infragard website, she startedlooking for the Web’s hidden securityholes the same way she had secretlydone for WikiLeaks’s q.

Kayla had a powerful web script thatlet her scan the Internet for any websitewith a vulnerability. This process oflooking for security holes in manydifferent websites at the same time wascalled automated scanning, or crawling.When she was ready to start using it,Kayla hooked the bot to Sabu’s chatserver and then cast it out like a net. Shehad only to type commands into the chatbox, like find SQLI, to direct it. The botconstantly churned out new addresses ofweb pages that had vulnerabilities, thenfiltered them again. She had spent hours

configuring the script so that certaintypes of URLs would show up indifferent colors. There were hundredseach day, and about 20 percent led tosecurity holes. About 5 percent led todatabases of ten thousand users or more.Over the course of two days, Kaylascoured the websites of hotels, airports,and golf clubs, even Britain’s NationalHealth Service, leading the team tohundreds of thousands of user details.They started stealing (or dumping) theinfo and came up with eight databasescontaining fewer than five thousandusernames and passwords and two bigones, of five hundred thousand and fiftythousand.

By now Tflow, AVunit, and the Irish

hacker from #InternetFeds namedPwnsauce had joined, making them ateam of six. It was a number and set ofnames that would remain fixed to theend. Pwnsauce was a skilled andamiable young man who had beeninvolving himself with Anonymous sinceOctober of 2010, when he helped withthe attacks on anti-piracy groups. Nowhe was happy to help comb the Internetfor security holes.

“Sabu, I may have a lead here,” hesaid at one point after finding something.When asked why he was working withthe team, he said that while he agreedwith the aims of Anonymous, “moreso Iam here because of the people.”

“I’ve never found more respectable

and hardworking people in my life thanthose in this group,” added Topiary, whohad been part of the conversation. “Andlikable.”

Anonymous attracted hackers with aconscience, Pwnsauce explained. In apast life he had consorted with a“horrible mix” of hackers who “eitherdid not know what they were doing orwho solely wanted to steal frompeople.” These were people who stolecredit card details from small retailoutlets and chains. Mom-and-pop shopsand gas stations were frequently theeasiest to hack when they stored creditcard information at the end of the day,data that often included the securitycodes on the backs of people’s cards—

even though saving them was illegal.They saw these targets as easy pickings,but Pwnsauce had found a moreinteresting and varied bunch of peopleon AnonOps, and since they had a widerarray of skills, he claimed to havelearned three times as much aboutprogramming and the Internet itself fromAnonymous than from darker hackingcircles.

Pwnsauce was studying biology butlonged to get out of Ireland. When hewasn’t studying or dealing with what hewould only describe as “family issues,”he, like Kayla, was in front of hiscomputer, poking around the back endsof websites in what felt like a lifelongexploration of the Web’s hidden

vulnerabilities.“He’s a perfect blend of technical

skill and imagination,” Topiary latersaid of Pwnsauce. The two of them oncehad a lengthy discussion about the bestway to disrupt an airport’s securitysystem, which moved them to remotelyjack into a McDonald’s menu screen andimport green hacker text to confuse itsattendants. “We were in hysterics,”Topiary remembered. “I really want tohave a pint with this suave Irishgentleman.”

One of Pwnsauce’s friends in thehacking scene was a fellow Irish hackernamed Palladium; the two had hackedinto the Irish opposition party Fine Gaeland called out Anonymous as being

responsible back in February. Palladiumhad come in when the team had found avulnerability but needed help carefullyand secretly exploiting it to take internalinformation.

In mid-April, Tflow had found avulnerability in the servers of mediapowerhouse Fox, but he hadn’t doneanything with it. He showed it toPalladium, who was able to get a shellon it and break in. The two decided tocollaborate on breaking into Fox. One ofthem eventually found a sales databasethat held the personal information of Foxemployees and journalists and seventy-three thousand e-mail addresses andpasswords for people who wanted toreceive updates on auditions for the

network’s forthcoming X Factor, a talentshow on American television. This wasa model for how the group would lateroperate—keeping strategic decisions tothe core six but working with a secondtier of trusted supporters to help themcarry out attacks.

After breaching the Fox servers onApril 19, the team members stayed therefor days leeching all sorts of data, fromuser logins to the passwords of radiostation announcers. The team hadn’t setout to attack Fox, but its vulnerabilitystood out among all others because itwas a right-wing media force that mostpeople in the Anonymous communityhated. They hoped to find somethingfunny in the trove of personal

information.It took a week for Fox’s IT

administrators to notice the breach, butby then the team had reams of data to siftthrough; it had been handed over byTflow, who had received it fromPalladium. Topiary told both of themthat he would go through a list of aboutthree hundred and fifty Fox staffmembers and test their names andpasswords out on social media sites likeTwitter and LinkedIn. It would be aslow, methodical process, but hopefullyhe would find the misfortunate few whohad reused the same passwords (asAaron Barr had done) so he could thenhack their accounts and create anothershitstorm.

Kayla’s scanning script had brought ina hefty list of vulnerabilities, andTopiary, who had had only a basicknowledge of hacking five monthsbefore, also found the transaction logs of3,100 ATMs in the United Kingdom.With normal hacker groups, none of thisinformation would have ever seen thelight of day. It would have been storedfor the hackers’ own personalcollections or sold to spammers. ButTopiary, Sabu, and Kayla were comingfrom the world of Anonymous, whereyou didn’t hack just for data but to makesome sort of social or political point.Their twist would be, for now at least,that there was no significance to therelease all. They would publish it for

shits and giggles, for lulz. It was a badgefor Anonymous as much as for theirsmall, increasingly tight-knit gang, and itmeant they had a wider array of potentialtargets to hack into and leak. First thingsfirst: the team needed a name.

That task fell to Topiary and Tflow,who decided it was paramount that thename included the word lulz. They toyedwith the combination of several namesuntil they got to Lulz Leaks. It seemed tofit with their modus operandi, soTopiary created a Twitter account forthe name on May 3 and put out a singlefirst tweet: “There is much to do—prepare yourselves.” A little while later,he needed to do a second tweet, but hecouldn’t sign into the account—he had

forgotten the password.The two went back to the drawing

board. Lulz4ULeaks and Lulz Cannonwere a mouthful, and the Lulz Boat,which they liked, was already taken onTwitter. Then they thought about a namethat would be a twist on BacktraceSecurity: Lulz Security. Topiary checkedand @LulzSec was free as a Twitteraccount. He set up a new account, thistime making sure he had a record of thepassword, then wrote a bio that readsimply “LulzSecurity® the world’sleaders in high-quality entertainment atyour expense.”

They needed a picture, so Topiarylooked through a folder of two thousandimages called reaction faces. Anyone

who used 4chan had a folder like this toillustrate responses on a thread. Hepicked the drawing of a mustached manwearing a monocle and a top hat andholding a glass of red wine. Topiary hadno idea where it had come from, neverconsidering that, given Topiary’s lazyeye, the man with a single lens might berepresenting him.

It was time to give Anonymous a peekat what they were working on. When thenames Topiary, Kayla, and Sabusuddenly appeared in a key AnonOpschat room for the first time in more thantwo months, there was an almost visiblebuzz.

“You know shit is going down whenthe HBGary hackers are here,” someone

said.“Is that THE Sabu/Topiary/Kayla?”

another asked.Hearing that Anonymous supporters

were at that time keen to attack the U.S.Chamber of Commerce, Topiary andKayla started looking for vulnerabilitiesin the site right then, racing to see whocould find the most. Topiary was quicklytrounced. The two then started pastingthe page addresses for each of thesecurity holes in the chamber’s site intothe chat room. The chat roomparticipants cheered and thanked them.Soon word got out that the core HBGarytrio were up to something big.

LulzSec, as hackers, were in very new

territory. Stealing data was one thing,but announcing it through Twitter so thepress could report on it was odd.Topiary volunteered to the others towrite a short statement to accompany theFox and X Factor releases, which wouldotherwise have been just long lists ofdata. Everyone agreed. It was clear thatTopiary’s role would always be that ofmouthpiece for the group. Nobody reallythought about who should man theLulzSec Twitter feed—it was justobvious that Topiary would do it. Hepublished the statement via theapplication Pastebin.

“Hello, good day, and how are you?”it started. “Splendid! We’re LulzSec, asmall team of lulzy individuals who feel

the drabness of the cyber community is aburden on what matters: Fun.” This wasa world away from the graveadmonishments he’d written forAnonymous press releases, the ones thathad scolded PayPal for “censoringWikiLeaks” or that had warringly toldHBGary “you don’t mess withAnonymous.” If Anonymous had been thesix o’clock news, LulzSec was TheDaily Show, publishing similar contentthrough a similar process, but spunprimarily to entertain, not to inform orencourage. They were free agents.

On May 7, he put out the first LulzSectweet announcing that Fox.com had beenhacked. “We’re releasing the X-Factorcontestants database publicly tonight,”

he said, adding, “Stay tuned. Wink,wink, double wink!” A few minutes laterhe let it rip.

“And here you are my lovely Internetfolks, the X-Factor 2011 contestantdatabase.” Topiary added a link to atorrent file that Tflow had packaged andput up on The Pirate Bay website, as hehad done months before with theHBGary e-mails. Topiary hadn’t beenexpecting an immediate response fromTwitter users or from blogs, but thesilence that followed over the next fewseconds, then minutes, then hours, wasdeafening. Three days later Topiarypublished four more Pastebin pages ofthe Fox.com data, with anotherlighthearted introduction and more

tweets. At this point, but only for a littlewhile longer, hardly anyone wasnoticing.

Chapter 18

The Resurrection ofTopiary and Tupac

Topiary kept checking Google Newsfor any mentions of Lulz Security or theleaked usernames from Fox and XFactor. He noticed there were hardlyany mentions besides a few blog postsfrom technology news sites. No oneseemed to care.

If an individual or group hadthousands of Twitter followers, it wasmore likely to create a buzz amongbloggers and journalists and, eventually,to create headlines. Topiary’s

imaginative writing style, honed by manyhours writing for the satirical websiteEncyclopedia Dramatica, came into playhere. He could write a series of acerbiccomments soaked in the parlance ofInternet subculture in just a minute ortwo. It came naturally.

By the end of his first day using theLulzSec Twitter account, May 7,Topiary had amassed fifty followersfrom eleven tweets. The tone wastongue-in-cheek, cheerful and irreverent,quoting lyrics from the tacky pop song“Friday” by Rebecca Black and tauntingthe official Twitter feed of X Factor:“We stole your shit and now we’regoing to release it! Thoughts?”

Twitter, despite its 140-character

limits and status as a gimmicky tool forthe social media elite and technorati,could be a powerful communicationtool. If it was used smartly andprolifically, thousands of people couldstart paying attention to LulzSec. Byusing the @ symbol, or simply by sayinga name, he could speak to anyone whohad a Twitter account.

The following morning he employedSabu’s tactic of dangling the prospect ofmore tantalizing leaks: “Guys and girls,we’re working on lots of fun right now!Here’s your Sunday secret: We’renowhere near done with Fox.”

On Sunday, May 9, the followers hadinched up to around seventy-five, butTopiary kept up the showman-style

enthusiasm, as if each tweet were beingblared from a ringmaster’s bullhorn.“Monday spoiler: today’s leak will besignificantly smaller in quantity, butvastly higher in quality,” he broadcast.“You guys like passwords? So do we!”

He believed it was important to keepthrowing out teasers, so then tweeted:“The show starts in a few hours, folks!This one is quite interactive with afinale you’ll appreciate. We, we, we soexcited! :3.”

If Sabu had been doing this his way,he would have dumped all the Fox datathey had when they were ready, whetherthat was Friday or at some point duringthe weekend. But Topiary figured thatnews outlets were more likely to pick up

on stories on a Monday than on a Friday,when many were winding down for theweek. It seemed to make sense that ifsomething was released on Monday, itgot more attention.

The teasers kept coming on Mondaymorning: “LulzSec hashtag of the day:#FuckFox—let’s give it another hour orso, tell your friends. ^____ ”̂

Then: “30 minutes…#FuckFox”Twenty-eight minutes later: “You

ready?! #FuckFox.”When the moment arrived, Topiary

didn’t post a long document ofinformation but tweeted a series of URLaddresses for the LinkedIn accounts ofemployees at a Fox TV affiliate in SanDiego, California. The first said: “Meet

Karen Poulsen, Marketing Consultant atFox 5 KSWB.” Clicking on the linkshowed Poulsen’s LinkedIn account nowhad the LulzSec monocled man as herprofile photo. Topiary did the same forJim Hill, an account executive at Fox,and six other members of management atthe media company.

There were seven more managerswho got their LinkedIn accounts hackedand Tweeted, including Marian Lai, vicepresident of Fox Broadcasting. Inbetween, Topiary gave a shout-out to hisold constituency still hanging out onAnonOps: “Hey, AnonOps I hear youguys are having a rough time—let’scheer you up. Anonymous wants to joinin? You can very soon!”

There were more tweets to a secondpress release, all wrapped up in offbeathumor, using the instrument of hash tagsat the end of each tweet as a kind ofquasi punch line. This was definitely notyour ordinary hacking group. After threedays, Topiary had posted thirty-fivetweets, and he continued with confidentprofligacy.

Soon Topiary had tweeted a moredamaging “phase 2” leak from Fox: aspreadsheet of more than eight hundredFox.com users and details of the innerworkings of the company’s servers.

Moving quickly, he posted a spoofedlink to “Secret LulzSec IRC logs,” a nodto the #HQ leak and the eagerness inhacker circles to spy on others’ chats.

The post contained no logs, only theimages of black-and-white pirate shipsmade out of asterisk symbols, along withspoofed dialogue between nicknameslike Bottle of Rum (the nickname forTflow), Kraken (Kayla), Seabed (Sabu),and Whirlpool (Topiary). Topiary haddecided with the others that pirates andboats would be LulzSec’s theme.

“What gives guys, that boat looks likeit belongs in my bath,” Whirlpool says.Then Kraken uses twelve lines of thechat log to create a larger battleship,followed by a mushroom cloud.Whirlpool then claims to be “beaten,”“destroyed,” and “forever alone.”Topiary’s ditty made it clear thatLulzSec was not taking any of this, or

itself, seriously. “Don’t tell the FBIabout these pl0x,” the page’s subtitlesaid. “We will get in trouble and mightbe grounded.”

He released another document ofATM information for British cashpoints,none of it particularly harmful but ademonstration that they could get stuff.He linked the release to a YouTubevideo of the Love Boat theme song andpasted his own lyrics that ended, “YesLULZ! Welcome aboard: it’s LULZ!”

After a few days, most of @LulzSec’stwo hundred and fifty Twitter followerswere from the Anonymous community.People had heard something was goingon and wanted to keep track. Very fewpeople, outside of a few regulars on the

Anonymous IRC channels, had any ideathat these were the same hackers whohad hit HBGary, the same ones who hadsuffered from Laurelai’s reckless #HQlog leak.

Then Topiary noticed the LulzSecTwitter feed had a new follower: AaronBarr. He couldn’t help but be thrilled atthis and immediately started badgeringhim on Twitter. “We have the legendaryAaronBarr following us…we hear hehad a great time with #Anonymous, sogreat in fact that he quit his job. #ouch.We better watch out now,” he added.“AaronBarr is going to check our Tweettimes with every single Facebookaccount login.”

Then: “We’re following 0 people. if

we follow one person, does that meanthe e-detectives will pounce on them?Should we follow AaronBarr?.…Okay,we’re now following AaronBarr—he isour leader. He stole those Foxdatabases, he compromised over 3,000ATM machines. Wait…shit.”

Topiary thought for a moment aboutwhat all this attention on Barr wouldlook like: anyone who knew about theHBGary attack would know the samehackers were now LulzSec. He threwcaution to the wind and preemptively putit all out there: “Hey e-detectives:we’ve taken a lot of interest in Mr. Barr,therefore we must be the HBGaryhackers. Right? Of course.”

The team spent the next few weeksworking through data they already had toplan their next stunt. Topiary, Sabu, andKayla now had a small clutch ofpotential leads to work with. In thebackground was always Infragard, forwhich they could leak the details ofabout three hundred usernames anddeface the home page.

In the meantime, Topiary’srelationship with Kayla was shifting; hewas going from being her friend to beingher student. Knowing that he was gettinginto serious activity with LulzSec, heasked her about her setup for staying soincognito. Kayla taught Topiary how torun a virtual machine, then suggested herun Linux as a virtual operating system

and a chat client called X-chat throughthat virtual machine, which he did.

He also began to store his operatingsystems on a microSD card inside hisencrypted MP3 player: a 32 GB SanDiskmicroSD, inside an 8 GB SanDisk MP3,inside an encrypted volume. Opening itnow required a password and severalkey files, which were five MP3 songsout of thousands on his player. He hadlearned this entire setup from Kayla.

Despite many hours of conversations,he was still mystified by Kayla. Shewould sign off at around four or fivea.m. U.K. time most nights, suggestingthat was when she was going to bed. Shehad told Topiary she was not in theUnited States or the U.K. But in

conversation she often made referencesto things like Lemsip, a cold and flumedicine found in British stores, andbeans on toast, a very British snackfavored by debt-ridden students.

On another occasion, when Kayla hadagreed to meet online for an interviewon U.K. time, she missed it, and thenapologized that she had “got the timezones mixed up.” In May, Kayla alsocreated a Twitter account, under thename @lolspoon, and it served asanother way to confuse people about hertrue whereabouts. At 2:00 p.m. U.K.time, she would tweet, perhaps tongue incheek, “Just woke up, early morningXD.”

Topiary had seen screenshots of her

desktop, which featured a clock saying8.41, GMT -8 hours. She had claimed itwas a virtual install, which meant theclock wasn’t set up properly. Topiary’svirtual OS was also set to GMT -8hours. Kayla’s desktop had been verygirlie. She had colorful stars as onebackground for her host operatingsystem; rainbows for her virtual OS; andan anime girl as another one for aterminal window. It may have been toogirlie to be girlie—but then Topiary’sdesktop was arguably too manly: itfeatured one collage of comics aboutsharks and another of a largeSlenderman character—a mythicalcreature spawned on an image board afew years prior—in a black suit and red

tie.The online world has plenty of

elaborate liars. Topiary recalled a girlon an old IRC network who fooledeveryone online into thinking she wasskinny by providing fake photos andacting defensively when talk turned toeating disorders. Once, she told a groupof people in an IRC channel that she wasgoing out to get a tattoo. Three hourslater she came back online and uploadeda photo of a skinny human backcompletely covered with tattooed wings.

“This is it,” she said.Topiary was immediately suspicious.

He uploaded it to a website calledtineye.com and did a reverse-imagesearch to see where else the image had

appeared on the Web. The tattoo wasalready all over the Web, so it wasn’treal. Eventually it led him to a video siteand an account that included anotherimage avatar (a painting) that the girlhad used on her Skype account. One ofits videos featured an obese girl playingthe ukulele. The voice and alias detailsmatched up.

Topiary had laughed a little but didn’treveal the details. He didn’t want todestroy her online life.

Though he knew it could make his arrestmore likely, Topiary started thinkingabout bringing his nickname back ontothe public Web by using it on Twitterand on AnonOps IRC. But he needed

some convincing, in the same way Sabuhad needed convincing to get the teamback together.

“Why have you kept ‘Kayla’ after allthis time?” Topiary asked her.

“No one has ever doxxed me,” shereplied. “It makes sense to just keep it.”People were always going to try to doxthe nickname Topiary, she added. “But ifyour dox aren’t known you should justbe Topiary and say ‘fuck you’ to all thehaters.” Kayla’s mantra was to do allyou could to be technically secure, thengo out there and dismiss anyone whodoubted you.

“Kayla’s words had really sunk in thatday,” Topiary later said. “I loved hersimplistic yet compelling argument:

nobody knew who she was, so whyshould she feel pressured into changingher name? It was a sassy kick in the teethto the doxers. A kind of ‘Yes, I’m stillhere, bitches, what of it?’ I wasinspired.”

For the past two months, Topiary hadbeen constantly changing nicknames tothings like Slevin and Mainframe andtrying not to say anything that wouldmake people think he was the originalTopiary. He was tired of the stress;maybe it would be nice for his onlinename to get some of the credit for whatwas about to go down, and he didn’t likepeople thinking that Topiary had beenarrested and had turned snitch.

So he opened up his old personal

Twitter account, called @atopiary, andposted a single tweet. People in the#anonleaks chat room on AnonOps IRCwent into a frenzy. Some suggested thatthe person behind the account was a spy.It was classic Anonymous. Topiaryknew the rumors would die down soonenough. They always did.

In mid-May, the PBS news programFrontline showed a documentary aboutWikiLeaks that Sabu didn’t like one bit.It painted Julian Assange in a bad light.When he talked about it to the group,everyone else agreed. By chance, Kaylahad found a vulnerability in one ofPBS’s websites a few weeks earlierwith her auto-scanning bot. Now Sabu

asked the team if they agreed to makePBS their next big target. Never mindthat it was America’s publicbroadcasting service and home toSesame Street. There was no question—everyone was up for it.

As usual, Sabu entered the PBSnetwork through a security hole Kaylahad found, and then he started removinguser data—a database of thirty-eightstaffers here, hundreds of pressroomusers there. Sometimes it was hard toknow what was being taken. It didn’tmatter. They’d publish it anyway. Theteam used a tool called Havij to morequickly download the databases for easyviewing. While Sabu and Kayla did thegrunt work of hacking, Topiary and

AVunit worked on some dramaticcalling cards, something that wouldmake Anonymous laugh. The groupworked through the night, adding severalnew pages to the PBS website, startingwith www.pbs.org/lulz/, which went toa page with a giant picture of Nyan Cat.This was a cartoon image of a cat flyingthrough space and pooping a rainbow,one of the most famous Internet memesof all time.

They made another page,www.pbs.org/ShadowDXS/, featuringthe photo of a fat man eating anenormous one-foot-tall hamburger withthe caption “LOL HI I EATCHILDRENS.” This was a shout-out toanother Anon nicknamed ShadowDXS, a

man of ample proportions who lookedlike Hugo from the TV series Lost.(Topiary went on to tweet somethingabout Hugo from Lost, but then deletedit, thinking it was too silly. The Jestercame to believe this signified a cover-up, that Sabu was someone actuallynamed Hugo.)

Before the PBS hack, Topiary,Shadow, Pwnsauce, and about fifteenAnons whom they knew from AnonOpshad all gone on TinyChat on Saturdaynight and gotten drunk while chatting viatext, with a few on voice and even feweron webcam. Topiary ended up posting aseries of drunken tweets to severalthousand followers through his personalaccount, including, “dudd, you have no

idea how uch hotgowg repeat the sameproces as the nigger behing barryshadow exx rainbows ubunche fa…”People kept sending him telephonenumbers, hoping for a good show, andTopiary kept prank-calling them.

The next morning Barrett Brown wokeup to several voice mails from Topiarysaying he was “pursuant to beingpursuant” as well as messages from afew raunchy transvestites who’d beengiven Brown’s number and promised a“booty call.” Topiary slept through mostof Sunday, then, out of curiosity, dialedone of the many random U.S. numbers onhis call history from the night before. Hegot an angry man with a Southern accentwho said, “If you call me again you

stupid Indian prick I’ll chop your fuckinghead off.” Topiary couldn’t rememberthe man at all but figured he’d had agood time with him. The fun that nightseemed to overlap with LulzSec itself.Booze had put Topiary on a high whenhe was doing prank calls. LulzSec’ssmall audience and the team’scapabilities did the same when theywere hitting PBS.

To Sabu’s later annoyance, Topiary’sNyan Cat page seemed to say that thishack wasn’t about Assange but aboutlulz. To drive the point home, in theearly hours of Monday British time,Topiary got into NewsHour’s contentmanagement system, essentially thesystem PBS used for publishing stories

to its website, and realized he couldpublish a legitimate-looking news storydirectly on the PBS NewsHour website.

At first he wanted to make it aboutObama choking on a marshmallow. Butwhen he suggested it to the others in thegroup, they decided a better story wouldbe about Tupac Shakur, the Americanrapper who had been fatally shot in LasVegas in 1996 but who in death hadenjoyed Elvis-like rumors that he wasstill alive. In about fifteen minutesTopiary had written up an elaboratestory, paragraph by paragraph, in theIRC chat, titled “Tupac Found Alive inNew Zealand”:

Prominent rapper Tupac has been

found alive and well in a smallresort in New Zealand, localsreport. The small town—unnameddue to security risks—allegedlyhoused Tupac and Biggie Smalls(another rapper) for several years.One local, David File, recentlypassed away, leaving evidence andreports of Tupac’s visit in a diary,which he requested be shipped tohis family in the United States.

“We were amazed to see whatDavid left behind,” said one of[his] sisters, Jasmine, aged 31.“We thought it best to let the worldknow as we feel this doesn’tdeserve to be kept secret.”

David, aged 28, was recently the

victim of a hit-and-run by localknown gangsters. Having sufferedseveral bullet wounds on his wayhome from work, David wasannounced dead at the scene. Policefound the diary in a bedsidedrawer.

“Naturally we didn’t read thediary,” one officer stated. “Wemerely noted the request to have itsent to a U.S. address, which wedid to honor the wishes of David.”

Officials have closed downroutes into the town and will notspeculate as to whether Tupac orBiggie have been transported toanother region or country. Localtownsfolk refuse to comment on

exactly how long or why therappers were being sheltered; oneman simply says “we don’t talkabout that here.”

The family of David File havesince requested that more action betaken to arrest those responsible forthe shooting. “David was a lovely,innocent boy,” reported his mother.“When he moved to New Zealand,he’d never been happier.”

His brother Jason requested thatone part of David’s diary be madepublic in an attempt to decipher it.“Near the end,” Jason says,“there’s a line that reads ‘yank upas a vital obituary’, which we’veso far been unable to comprehend.”

David’s girlfriend, Penny, didnot wish to make a statement.

The final line in the elaborate story wasa nod to HBGary’s Penny Leavy, whilethe phrase yank up as a vital obituarywas another calling card: an anagram forSabu, Kayla, Topiary, AVunit.

PBS’s IT admins were scrambling invain to reaccess their system; Sabu andKayla were hitting them with a Denial ofService attack, so they were paralyzed.Topiary added a photo of Tupac Shakurto the story and clicked publish. Then hetweeted links to a Pastebin post ofpasswords for almost every journalistwho worked with PBS, then to a post of

all login passwords for PBS affiliatestations, then to a post of MySQL rootpasswords for PBS.org (the rootpassword for the database), so thatpeople could hack into the site wheneverthey wanted, or at least until someonepatched the security hole. There wasmore: login details for anyone whoworked on PBS’s Frontline and a mapof the PBS server network. For the mostpart, he didn’t want to push the idea thattheir hack had been motivated byWikiSecrets or that their fun wasfounded on politics. But he made thepoint at least once on Twitter. “By theway,” Topiary added, “WikiSecretssucked.”

Almost immediately, readers started

sharing the Tupac story with theirfriends, posting it on Facebook andTwitter, and latching onto the rumor thatTupac was alive. PBS’s contentmanagement system might have beenwoefully unprotected, but it was still areputable news source. Teresa Gorman,P B S NewsHour’s social media andonline engagement worker, scrambled toreply to a dozen readers publicly askingher on Twitter about the story’s veracity:“No it’s a hack.” “No it’s a hack,thanks.” “It’s a hack.” Then to fourpeople at once: “It is a hack, not a PBSstory, apologies.” Within the same hour,@LulzSec had received a hundred andfifty tweets and re-tweets.

“Dudes. Of course Tupac is alive,”

the LulzSec account tweeted. “Didn’tyou see that official @PBS article? Whywould they lie to their 750,000+followers?

“u mad, Frontline?” he added.Within three hours, four thousand

people had hit the Facebook Like buttonbeside Topiary’s fake article. The PBSpublishing system was so outdated thatthe hackers could make updates tocontent being stored on thirty differentservers by interfacing with just oneserver. The result was that when the ITadmins deleted the Tupac story, LulzSecdeleted every single blog on the PBSNewsHour website. Fortunately forPBS, the admins had backed up the blogcontent elsewhere and could replace the

deleted posts in a few hours. Until then,anyone who tried to click on anotherstory got a 403 error—but the Tupacstory was still showing up on the PBShome page. The hackers had deleted allof the site’s user and admin login dataand declared themselves administrators,which made it almost impossible for thereal admins to initially regain control.When the admins made changes, thehackers were always there to changethings back. And when PBS Frontlineposted an official statement about thehack on its website, LulzSec replaced itwith a blank page saying only“FRONTLINE SUCKS COCKS LOL.”

It was Labor Day, a slow day fornews, and mainstream outlets like the

New York Times and the Wall StreetJournal picked up on the Tupac spoofand the hacker group Lulz Security forthe first time. By 10:30 a.m. on Mondayin London, Google News showed that ithad logged fifty-three articles about thehack. It was unclear what the group wasofficially called at this point, and somereporters referred to it as Lulz Boat andlater, in a misreading of the autocue onRupert Murdoch’s Sky News on TV, theLouise Boat. When one news outletreported that the hacker group wasAnonymous, Topiary posted a tweetsaying, “We aren’t Anonymous youunresolved cow-shart.” An hour or solater, that tweet alone made the news,with the respected tech news site

Venture Beat posting a story with theheadline “PBS Hack Not Anonymous.”To Sabu’s surprise, the members of thepress weren’t that interested in theleaked user data or the fact that the hackhad been done in retaliation for theAssange documentary. They were mostlyenthralled by the fake Tupac Shakurstory.

LulzSec gave a single interview afterthe attack, to Forbes, saying they hadgone after PBS for two reasons: “Lulzand justice. While our main goal is tospread entertainment, we do greatlywish that Bradley Manning hears aboutthis, and at least smiles.”

“Some people would say that youwent too far in attacking a media

company—not to mention a publicservice broadcaster,” Forbes said in theinterview with Topiary, who wasanswering questions under the nicknameWhirlpool. “What’s your response tothat?”

“U mad bro.”In a moment of candor afterward,

Topiary said that LulzSec wasn’t afterfame as much as they wanted to makepeople laugh.

He started taking requests on Twitterfor pages to add to the PBS site, thesame way he had taken random numbersfrom people during his drunken night onTinyChat. One Twitter user requested aweb page showing unicorns, dragons,and chicks with swords. All this was

possible because the team still hadadmin access to the site.

“Sure thing,” the LulzSec feed said.“Wait a sec.” Topiary and Tflowscrambled to put together an image, andabout half an hour later posted the link tothe gaudy-looking new web page,pbs.org/unicorns-dragons-and-chix-with-swords.

Topiary wanted to respond to some ofthe group’s detractors who wereaccusing it of using simple SQLinjection techniques to get into PBS. Hewrote up a note explaining how the hackwas done and published it to Pastebinwith a tweet saying, “Dear trolls,PBS.org was owned via a 0day wediscovered in mt4 aka MoveableType

4.” It went on to describe in detail howthe hack had been carried out with ashell site and how the hackers hadgained root control of the PBS servers.They had been able to take over thenetwork because a number of staffers atPBS with access to its most secure partshad used their passwords more thanonce. He had then pasted a list of thosefifty-six staffers. They could havepermanently destroyed the site’s entirecontents and defaced its home page, butthey didn’t.

Topiary felt exhilarated. He wasuninterested in food, sleep, or anythingbeyond the bubble he now inhabitedwith Sabu, Kayla, Tflow, AVunit, andPwnsauce, a team more elite than any he

had been part of before. With the help ofTopiary’s prodigious communiqués tothe outside world, LulzSec was startingto look less like a hacker team and morelike a rock band. Topiary beganmonitoring LulzSec’s Twitter followersand press mentions on a website calledIceRocket and saw everything suddenlyshoot up after PBS. The following day,LulzSec appeared in most major printednewspapers for the first time. A group ofhackers had taken over “the U.S. public-television broadcaster’s website andposted an article claiming the late rapperTupac Shakur had been found alive inNew Zealand,” the Wall Street Journalreported. “The group posted a string ofTwitter messages in which it took credit

for the breach.”Topiary started requesting donations

for LulzSec and used Twitter andPastebin to provide the thirty-one-digitnumber that acted as the group’s newBitcoin address. Anyone couldanonymously donate to their anonymousaccount if he converted money into theBitcoin currency and made a transfer.Bitcoin was a digital currency that usedpeer-to-peer networking to makeanonymous payments. It becameincreasingly popular around the sametime LulzSec started hacking. By May,the currency’s value was up by a dollarfrom where it had been at the start of theyear, to $8.70. A few days aftersoliciting donations, Topiary jokingly

thanked a “mysterious benefactor whosent us 0.02 BitCoins. Your kindnesswill be used to fund terror of the highestquality.”

He used Twitter to drop hints aboutwhom LulzSec would hit next. “PoorSony,” he said innocuously on May 17.“Nothing is going well for them thesedays.” The papers picked up on thisimmediately, saying that Sony lookedlike the group’s next target.

On Twitter, Backtrace founderJennifer Emick publicly criticizedLulzSec through her @FakeGreggHoushaccount, and was joined increasingly byother online colleagues who didn’t likeAnonymous or this apparent splintergroup. A day after the PBS hack, one of

these detractors tweeted the yank up asa vital obituary phrase in the fakedTupac article. It was “an anagram for‘Topiary, Kayla, Sabu, AVunit,’” theyadded. “What did [Topiary] mean bythat? Taking credit? Red herring?” Veryfew people outside of the LulzSec teamand a few of their closest online friendsknew that LulzSec was made up of theold HBGary hackers, and the anagramquestion was quickly drowned out.Hundreds of people on Twitter weretalking excitedly about this new hackinggroup and its audacious swoop on PBS.Many more started following the@LulzSec Twitter feed to hearcommuniqués directly from Topiary.Almost at once, he was getting tens of

thousands of followers.

Chapter 19

Hacker War

The victory of the PBS attack had leftTopiary in a daze of newfound fame andhubris. He knew he wasn’t leading thehacks or really even partaking in theirmechanics, but acting as the mouthpiecefor LulzSec certainly made it seem tohim, and sometimes to the others in thegroup, like he was steering the ship. Thatmeant speaking on behalf of LulzSecwhen he got into verbal tiffs with someoften impassioned enemies on Twitter.

The PBS hack had ushered a blast ofattention from the media and earned thegroup a sudden wave of fans, with even

the administrators of Pastebin, the freetext application that LulzSec was usingto dump its spoils, apparently happywith the extra web traffic they got witheach release. But in a world alreadysteeped in trolling, drama, and civil war,there were plenty of eager detractors.Jennifer Emick flung a few diatribes atthe LulzSec Twitter feed, as did theDutch teenager Martijn “Awinee”Gonlag, who had been arrested inDecember of 2010 when he used theLOIC tool against the Netherlandsgovernment without hiding his IPaddress.

Awinee and many other “Twittertrolls” appeared to align themselveswith The Jester, the ex-military hacker

who had DDoS’d WikiLeaks inDecember of 2010, then taken down theWestboro Baptist Church sites inFebruary. He was never as dangerous asthe actual police, but he was certainly asource of drama and distraction. TheJester hung out in an IRC channel called#Jester, on a network aligned with themagazine 2600: The Hacker Quarterly.

The name 2600 came from thediscovery in the 1960s that a plastic toywhistle found inside certain boxes ofCap’n Crunch cereal in the United Statescreated the exact 2,600 hertz tone thatled a telephone switch to think a callwas over. It was how early hackers ofthe 1980s, known as phone phreaks,subverted telephone systems to their

desires. Unlike AnonOps IRC, on the2600 IRC network, any talk of illegalactivity was generally frowned upon. Ifpeople talked about launching a DDoSattack, they were discussing thetechnological intricacies of such anattack. If 2600 was a weapons storewhere enthusiasts discussed double- andsingle-action triggers, AnonOps was thebar in a dark alley where thedesperadoes talked of who they’d like tohit next.

After hitting PBS, LulzSec’s foundersdecided that as attention to LulzSecgrew, they would eventually need theirown IRC network just like AnonOps and2600. Sabu also wanted to create asecond tier of supporters, a close-knit

network beyond the core six membersthat could help them on hacks. The teamhad decided from the beginning that theircore of six should never be breached oradded to, and when Topiary heardSabu’s plans, he felt skeptical. Just lookwhat had happened in #HQ when Kaylahad invited Laurelai. But Sabu arguedthey needed at least a fluid secondaryring of supporters. These were peoplethat Sabu already knew from theunderground and trusted 100 percent orthey weren’t in. Sabu had started talkingto some of his old crew and he invitedthem into an IRC chat room they hadcreated for these new supporters, called#pure-elite, named after a website hehad created for his hacking friends in

1999. These were genius programmersand people with powerful botnets,veteran hackers from the 1990s who hadgotten into the networks at Microsoft,NASA, and the FBI. The combinedskills of the group were almostfrightening. Topiary reminded Sabu thathe wasn’t comfortable with all the newpeople—it seemed risky. Who knew;one of these people might leak logs, asLaurelai had done so devastatingly in#HQ. It also brought up the question ofwhy Sabu even needed him anymore.

All the same, he could hardly believethe company he was now in. He focusedon picking up tips from the others. If theyused hacker terminology he didn’tunderstand, he would Google it: jargon

like virtual machines, hacking methodslike SQL injection, various types ofattack vectors and programmingterminology. If he hit a brick wall, theycould give him a quick summary.

Soon there were eleven supporters in#pure-elite to learn from, plus theoriginal six. Sabu was still the mainperson to ask about finding exploits;Kayla about securing yourself. AVunitand Tflow were still the experts ininfrastructure. For Sabu, the extrasupporters weren’t there to teach himanything—he believed he and LulzSecwere training them. Sabu tended to thinkof everyone in the subgroup as a studentand he told Topiary privately that hehoped this could lead to the start of

another anti-security, or Antisec,movement. The last time Antisec hadbeen in the headlines was the early2000s, when the Web’s disrupters werea few hundred skilled hackers, asopposed to the thousands of Internet-savvy people joining Anonymous today.

By now Kayla and the others who hadbeen scanning for big-name websiteswith security vulnerabilities hadhundreds to work from. But each one hadbe checked out, first to see if it could beexploited so that someone could enterthe network, and second to see if therewas anything interesting to leak from it.All these things took time and were oftendone sporadically without roles beingassigned. People would volunteer to

check a vulnerability out. LulzSec nowhad a raft of much bigger targets beyondPBS and Fox that they could potentiallygo after, some with .mil and .gov webaddresses. None of them correspondedto any particular theme or principle; ifhackers found a high-profileorganization that looked interesting, theywould go after it and explain theirreasoning later. Knowing that Sabu had atendency to inflate his rhetoric abouttargets, Topiary did not yet understandwhat hitting some of these websitesactually meant.

The associates were hackers likeNeuron, an easygoing exploit enthusiast;Storm, who was mysterious but highlyskilled; Joepie91, the well-known and

extremely loquacious Anon who ran theAnonNews.net website; M_nerva, asomewhat aloof but attentive younghacker; and Trollpoll, a dedicated anti–white hat activist. In the most busyperiods of LulzSec, both the core andsecondary crew were in #pure-elite oronline for most of the day and sometimesthrough the night. Some were talentedcoders who could create new scripts forthe team as their own side projects;Pwnsauce, for instance, had beenworking on a project to create a newtype of encryption.

In the end, Topiary never invitedanyone he knew into #pure-elite, andwhile Kayla had recommended a fewfriends, Sabu wasn’t comfortable with

letting them in either. According toTopiary, about 90 percent of the hackerswho ended up in #pure-elite wereSabu’s friends or acquaintances from theunderground. The #pure-elite chat roomwas an invite-only hidden commandcenter, but the original founders wouldoccasionally retreat to an even moresecretive core channel to talk about thenew recruits, the enemies, and, on rareoccasions, strategy. The atmosphere in#pure-elite was often buzzing as thecrew celebrated over the latest attackand resultant media attention. WhenM_nerva entered the room, he seemed tobe noticing this for the first time.

“Lots of news coverage,” he said onthe evening of May 31.

Topiary showed him a photo of thefront page of the Wall Street Journal ’sMarketplace section. The lead story hadthe headline “Hackers Broaden TheirAttacks” and the subtitle: “AlmostAnyone Is a Target.’“ Underneath it wasa large image of the cartoonish Nyan Catimage they had uploaded to the PBSwebsite, and the LulzSec monocled man.Above the rainbow emanating fromNyan Cat’s butt as it flew through spacewas the Internet meme “All your baseare belong to LulzSec.” It was a mostsurreal combination of old media andInternet subculture.

“Fucking Wall Street Journal printeda Twitter name and a fucking cat inspace,” said Topiary, incredulous.

The group was shooting the breezemostly, chatting about the technicalintricacies of Internet browsers, whileTopiary would drop updates on thegroup’s Bitcoin donations. Participantswould report on leaks they were beingoffered by other hackers outside thegroup and, increasingly, on whatLulzSec’s enemies were up to. Theseantagonists were made up of onlinecolleagues Backtrace and hackers likeThe Jester; both camps often chattedtogether on the 2600 IRC network. Therewas no requirement to being invited intothe #pure-elite room and no rules otherthan the obvious one to keep everythingthat was said there secret. The channeltopic, set by Sabu, always said: “NO

LEAKS—RESPECT EACH OTHER—RESEARCH AND EXPLOIT DEV!”The one policy of #pure-elite was thatno one was to store chat logs from thechannel.

The secondary crew generally knewtheir place, aware that directions wouldcome from Sabu, Topiary, and Kayla,and they were meant to be followed.Overall, they were happy to be comingalong for the ride, though a few wereshocked at the backlash LulzSec wasgetting.

“By the way,” Storm said oneevening. “FailSec? WTF is this shit?”He was referring to another Twitteraccount with a few hundred followersthat had been set up to publicly heckle

LulzSec with messages like “Load failcannons!” and ominous hints that theteam would soon be in jail.

“Storm, we’ve had stalkers like thatfor months,” said Topiary. “They followus everywhere we go. They monitoreverything we do. They make parodiesof our accounts.” He thought for amoment then added, “We’re kind of likea rock band.” With stardom cameinfamy. Some of their detractors were soobsessed with heckling LulzSec thatwhen Topiary blocked one on Twitter,the detractor would create two or threemore accounts to keep talking.

Kayla pointed out that Adrian Lamo,the hacker who claimed to have outedthe WikiLeaks alleged mole, Private

Bradley Manning, had even registeredthe web address LulzSec.com to stop theteam from using it as a website. Lamo,age thirty and diagnosed withAsperger’s syndrome, had been calledthe “world’s most hated hacker” forpassing information on Manning tomilitary intelligence.

Storm offered to find a different URL,but Topiary declined. He and Tflowwere already designing a simple-lookingofficial site for LulzSec in their sparetime. Naturally, the background wouldbe of the Nyan Cat flying in space andwould borrow the design template ofHBGary.com.

“Night guiz,” M_nerva suddenly said.“Night,” said three of the others.

M_nerva signed off. It was nighttime inthe United States, but LulzSec and itssupporters were bored and looking forthings to do.

“Wanna find something to hit?”Topiary asked the room.

“Sure,” said Storm.“There’s a shit cool site, FBI.gov,”

said Topiary jokingly. There was apause.

“Are you really that open to just goingto jail?” Storm said.

“I suppose we could piss off someIRC for lulz,” said Topiary, pointing to aless risky target.

“Sure,” Storm said. Topiary andKayla decided that, high on their victoryagainst PBS, it was time to go after their

biggest detractor, The Jester. Theywould not just spam his channel #Jesterand boot off his so-called Jesterfags butflood the entire 2600 chat network withjunk traffic and take all of it offline. Itmay have housed hundreds ofparticipants, but it was still The Jester’shideout, and Topiary hoped that theresult would be the 2600 admins gettingangry not at LulzSec but at The Jester forprovoking them. Topiary was sure thatThe Jester’s supporters included peoplelike Emick and Byun from Backtrace andconsidered sending spies into hischannel at some point to see what theywere up to, maybe profile some of itsmembers. If Jester’s people were tryingto provoke, it was working. Topiary and

the others had become increasinglyirritated by The Jester over the past fewdays and now were set on attacking hiscrew for both fun and revenge.

“Best thing to do when bored,” saidKayla in #pure-elite, “go to 2600 irc andjust cause drama :D.”

“Should we just go on over to 2600,flame them, and then packet it?” Topiarysaid, already getting ready for the action.He connected to the 2600 network to geta firsthand view of the network goingdown.

Storm’s role was to launch a Denialof Service (DoS) attack on the 2600network. This was like a DDoS butwithout the extra D for “distributed,”since Storm was sending junk packets

from a single computer or server, notfrom multiple machines. (It was a looseterm in any case—if your computer wasrunning a virtual machine, or VM, andyou launched a DoS attack, that could beconsidered more than one computer andthus a DDoS attack.) How could onecomputer launch a DoS attack against anIRC network? It would need a server ortwo to help amplify the data transfer.Sabu had used a similar method for hisattack on the Tunisian government,though to a much greater degree, with thehelp of broadcast servers that he’dclaimed to secretly hijack from a hostingcompany in London. Storm rented abasic server, so while his attack wasn’tas powerful, it could easily take down a

small IRC network. Many people inAnonymous and in hacker circles,particularly those who acted asoperators for AnonOps IRC, rented orowned servers. Controlling a server wasmore common than controlling a botnet;it was like owning a nice car. You paidgood money for it but were happy to letother people ride in what was a statussymbol as much as a useful tool.

Storm could use his server to fling ahundred megabytes of junk traffic persecond to a target. The process was notthat different from uploading a picture ormovie to Facebook or to a file-sharingsite. In that case, you are uploadingsomething useful at perhaps fourmegabytes a second. Storm’s extra

server acted like an electric guitaramplifier, but increasing data speed, notsound.

Storm would use his server to aimjunk packets at certain sections of the2600 chat network, server nodes of thenetwork known as leaves. If you’resending junk packets instead of usefuldata, it can overload a server and take itoffline. An IRC network was like a tree,and 2600 had three so-called leaves.Instead of attacking the whole network atonce, Storm flooded each individualleaf. Using this plan, he could needle thehundreds of participants to scramblefrom one leaf to another instead ofdisconnecting altogether and waiting forthe network to come back up. The

ultimate goal was to annoy them as muchas possible.

Through the IRC command map, theLulzSec group could watch how manyusers were on each of their enemynetwork’s leaves. Before Storm’s attackthere had been about six hundred peopleon all leaves, and then the numberstarted dropping. In just over tenminutes, one of the leaves went down.

“It’s nulled,” said Storm.“Haha,” said Kayla.After seven minutes, as the users were

jumping around to stay connected, Stormtook down another leaf and kept it downfor about fifteen minutes. He let it upagain for twenty minutes so participantswould think everything was okay, and

then he took it down again.“I can’t even connect to 2600,”

reported Kayla. Storm laughed.“These guys are so fun to fuck,” said

Topiary.“Wait :D let us troll the shit out of

them first :D,” said Kayla, “then we canPUSH/SYN/ACK/UDP them to oblivionhahahahahahaha.” That was a referenceto different types of junk packets.Attacking an entire network to get backat one annoying clique didn’t seem tostrike anyone in the group as an abuse ofpower or an act of bullying. Instead,with Storm now getting the limelight,Kayla couldn’t help but mention her ownsuccessful attacks of the days ofChanology, and she started reminiscing

about how she had DDoS’d threeChanology sites for three weeks back in2009—the incident where she had beenstumbled upon by Laurelai.

“Ahaha that was you?” asked Topiary.“Yes :D,” said Kayla.“Gregg Housh was bitching about

that.”“A lot of people were bitching about

it.”“Sending packets of size 40…” Storm

reported. Another server leaf wasnulled. “Dude, they’re not gonna haveanywhere to chat.” Now three keyservers hosting the 2600 chat networkwere down. He and Topiary startedtrying to connect to the network andcouldn’t.

“Lolz,” said Storm.“We should do this everyday until

they refuse to house Jester,” saidTopiary. He pointed out the small cliqueof people communicating with Jester onTwitter, and Awinee, from Holland, wasbeing especially vindictive. “These arethe same guys who specifically wentafter Sabu and our crew back inFebruary with HBGary,” Topiary added.“They’re a lovable bunch ofscoundrels.”

Topiary sent some messages from theLulzSec feed: “What’s wrong withirc.2600.net AKA Jester’s hideout?Oops, I think we just fucked it. Sorry,Awinee and crew. Have fun explainingto the 2600.net admins that we just took

down the entire network because ofJester people. Uh-oh!”

Back on #pure-elite, weapons werestill firing at the 2600 servers. “Should Ilet it back up?” Storm asked Topiary.

“Whatever you want.”When he saw more criticism from

Jester’s people on Twitter, Stormswitched to a different type of junkpacket. And as Awinee kept up hisrhetoric, LulzSec kept attacking. LulzSecwas behaving like other hacker groupswith its tit-for-tat behavior, except thatmore traditional hackers wouldn’t havebeen riled up by a few relativelyunskilled hecklers on Twitter. Perhaps itwas because LulzSec was so open andpublic, but it was the critics who spoke

the loudest that seemed to get under thegroup’s skin the most.

Storm was proving a useful supporterwith his DDoSing ability. In front of thecrew, Topiary called him the LulzSec“cannonfire officer,” working in tandemwith Kayla, who was the group’sassassin and spy. “We dock in ports andshe immerses, and eliminates.”

“I also bake cookies,” she added.Everyone was laughing. They were all

game for more attacks when Sabu finallyentered the room. By now it was early inthe morning New York time.

“I wake up to Storm packeting, andKayla excited,” he said. “What youniggas been doing without me?” Therewas a pause. His tone was lighthearted,

but the crew knew about his hot temperfrom the #HQ channel with Laurelai andabout his general tendency to blow up atothers who disagreed with him. Hispresence made some a little anxious. Ifthis had been real life, everyone mighthave been glancing at one another or atthe floor.

“Owning 2600.net,” said Storm.“About it.”

“Lol, they’re going to end up losingsome servers,” said Sabu. “I want toown 2600 servers themselves.”

“That would be awesome,” Topiarysaid.

“Topiary my brother, how are you?”Sabu asked.

“Good Sabu, what’s up?”

“Nothing broscope. Just woke up,tired as balls.” Sabu took a break fromthe discussions, and people went back toplanning ways to mess with Jester’screw or configuring software tools andscripts for future hacks.

Quickly the group was splitting intoall manner of channels to find new leadsfor hacks or flush out spies. Hoppingfrom channel to channel and network tonetwork was no trouble for these guys,some of whom were used to jumpingaround twenty-five IRC networks at thesame time.

When 2600 came back online,Topiary, Joepie91, and others startedhopping over to the network to spy on itsparticipants before coming back to

report new gossip. Rather brazenly, theythen set up their own #LulzSec channelon the 2600 network. Pretty soon it wasteeming with dozens, then more than ahundred people. It was impossible to tellat first who they all were, but enoughobservation showed they were a mixtureof Anons, script kiddies, general fanswho had heard about LulzSec frommedia reports, and white hat hackers.Over time the LulzSec crew came tobelieve that around half the makeup ofthat channel, which anyone could access,was a mixture of spies from enemygroups like Jester’s and Feds. In theirnew, public #LulzSec chat room on2600, the crew were disguised by theirmaritime-related names: Whirlpool for

Topiary, Kraken for Kayla, and Seabedfor Sabu.

As Sabu observed thesedevelopments, he grew concerned thatthe crew was getting too excited abouthaving fun on the 2600 network—aplace they had attacked but where theyhad also set up their own public meetingroom. It was impossible to distinguishthe real fans from the spies who wantedto manipulate the crew for informationand access. At one point it looked likeKayla had gone back into Santa Clausmode and offered some stolen vouchercodes from Amazon to someone outsidethe crew. When Sabu found out about theconversation, Kayla explained that shehad merely given someone a few of the

coupons so they could be tested andeventually sold on the black market.Sabu, who was already wary of Kayla’sconnection to Laurelai, was perturbed.

“Ok guys,” he suddenly said. “I don’thave to say this more than once I hope.But people on 2600 are not your friends.95% are there to social engineer you. Toanalyze how you talk and makeconnections. Don’t go off and befriendany of them.”

He didn’t mind that the reprimandpierced the lighthearted atmosphere.Four other secondary-crew membersquickly insisted that they were beingcareful about hiding their identities,doing so by speaking in broken Englishso they would appear to be foreign. But

Sabu added that if anyone gave themprivate info, they should log it and showit to the team. If they were sent a link,look at it from a secure connection.

“Be smart about shit,” he concluded.“If any of you get owned, I’ll LOL.”

Kayla then piped up, as if she wantedto show the others that she was on thesame page with Sabu. “Another protip,”she said. “Even if you are American,don’t spell it ‘color,’ use ‘colour,’which is wider used around the world.Just saying ‘color’ means you areAmerican.”

Sabu didn’t seem to be listening andgave Kayla a new order. He wanted herto change the topic of the public#LulzSec chat room to say that anyone

with 0days and leaks should message hernew pseudonym in the channel.

“Make sure we take advantage ofthat,” he said. “See what niggers gotaccess to.” Kayla signed out. Sabuenjoyed the banter that took place in#pure-elite between the organizationaltalk, but he was constantly reminding thegroup to stay focused on finding newexploits and keeping the group as tight-knit as possible. It made for a tenseatmosphere, but it was necessary. Theteam’s profile was rising faster than theyhad ever expected. Googling the nameLulzSec on June 1 had yielded twenty-five thousand mentions on the Internet. Inless than twenty-four hours, that numberhad risen to two hundred thousand.

Chapter 20

More Sony, MoreHackers

By the first of June, the LulzSec teamand its associates had gathered a longlist of vulnerabilities found by teammembers like Kayla, Pwnsauce, andSabu. None were stored on an officialgroup document since that was too risky—instead, whoever found avulnerability kept it on his or her owncomputer and shared it with the groupwhen needed. Here LulzSec was settingitself apart from Anonymous, not justbecause it was picking media companies

but because of its focus on stealing data.HBGary had shown that stealing andselectively leaking data could be farmore damaging—and “lulz-worthy” withall the attention it was getting—than astraightforward DDoS attack.

When the team found a vulnerability,the hope was that it would lead tocritical secret data they could publish.Often following up a lead would happenspontaneously. Kayla had found the PBSsecurity hole earlier in May, but thegroup had only followed it up because ofthe WikiSecrets documentary. Findingthe security hole was one thing, butexploiting it took more work, and theywould have to have a good reason toturn it into an operation. With one

vulnerability they had recently found,though, the target company itself wasreason enough.

Sony’s lawsuit against George Hotz inApril, the resultant DDoS attack fromAnonymous, and the devastating datatheft by a small group of black hathackers had snowballed into a newcraze among hackers to hit Sony in anyway possible. It meant that Sony hadbecome something of a piñata forhackers. Partly the black hats found itfunny to keep hitting the company overand over, and partly they believed Sonydeserved it for waiting two weeks afterthe original data breach had beendiscovered before reporting it.

The PBS heist was finished, and the

2600 network was still smoldering fromthe attack, but Sabu and Topiary werenow knee-deep in organizing data stolenfrom Sony’s servers: hundreds ofthousands of users, administrators,internal upcoming albums releases fromSony, along with 3.5 million musiccoupons. Three weeks prior, the grouphad been poking around looking forvulnerabilities in Sony websites, findingand publishing the securityvulnerabilities in the website of SonyJapan but also looking at Sony’s HongKong site and others. Wheneversomeone found a vulnerability, he wouldpaste the web address in his private chatroom, and someone else would go intothe source code to see how it could be

exploited. There was no order to this;people simply contributed when theywere around.

Just for the heck of it, Sabu checkedSonyPictures.com, the main website forSony’s $7.2 billion film and televisionfranchise. To his astonishment, therewas a gaping hole in the innocuousGhostbusters page that left the networkwide open, once again, to a simple SQLinjection attack.

“Hey guys, we need to dump all thisnow,” he said excitedly. He rushed tomap out the area and gather everyonetogether so they could start takingdifferent sections. “We’ve ownedsomething big here. Sony are going tocrash and burn.”

When the group entered the networkthey found a massive vault ofinformation. It took a while to makesense of the data, but soon they hadfound a database with two hundredthousand users.

More shocking was that all of thedata, including passwords, were storedin plaintext. The only encryptedpasswords were those of server admins,and the team managed to crack thoseanyway.

It was a damning indictment of Sony’ssecurity, just weeks after the bigPlayStation Network data breach. Smallschools and charities had better databaseencryption than Sony. In fact, by thistime, rumor had it that the PlayStation

Network had been hacked because adisgruntled employee at Sony had givenhackers an exploit; the breach hadoccurred two weeks after Sony had firedseveral employees responsible fornetwork security. Rumor also had it thatthose hackers had sold the database ofmore than a hundred million users for$200,000.

Kayla stumbled upon another Sonydatabase that looked exploitable but didnot bother to look inside. As per theusual custom, she pasted its location intothe chat room for someone else to scan.When Topiary finally opened thedatabase, he found a table with rows androws of names and numbers that seemedto go on forever. Looking around he

finally noticed a counter at the top withthe number 3.5 million. It looked likecoupons of some sort. It felt like gettingan exceptionally good Christmaspresent.

“Sabu, this one is pretty massive,”Topiary called. Sabu came over andproceeded to poke around the new,massive database before coordinatingthe team’s gathering of it all.

“Wave bye-bye to Sony,” one of theteam remarked.

“Kayla can you take users?” Sabuasked. He assigned one person to takecare of the music codes, another the 3.5million coupons, and Sabu himself tookthe admin tables. There were four coremembers and two other secondary-crew

members helping out.This was the kind of labor that would

have put off a single hacker toilingalone. It involved downloading reams ofdata, sometimes manually. The workwas monotonous and could take days.But as a group effort, the whole processsuddenly became faster and morecompelling, the team members motivatedby the fact that this was a target theywere about to publicly embarrass. Thetasks of compiling the databases—one of75,000, one of 200,000—took eachperson between a day and several daysto complete, depending on how detailedthe information he or she was dealingwith was. Each member then set up acomputer to download each database.

The files were so big that it would takethree weeks to download them, typicallyin the background of whatever else wasbeing done online.

The team eventually decided theywouldn’t keep any of the coupons—theyhad tried taking them and got to only125,000 when they realized thedownloads were happening at the glacialrate of one coupon a second; all told thewhole thing would take several moreweeks. They didn’t have the time orresources to cope with such a hugedownload. Instead, they took a sample ofthis and a sample of that to demonstratethat they had gained access. They wouldalso publish the exact location of theserver vulnerability in the Sony Pictures

site that led to the data (the Ghostbusterspage) so that anyone who wanted coulddive in to loot the bounty before Sony’sIT admins patched the hole.

Sabu gathered all the data together,and Topiary dressed the numbers andpasswords up to make everything lookpalatable to a mass audience. “We havea lot of different files for various Sonysites,” he explained. “Press—less smartpress—will get confused. Gotta have asummary document.” He would publishseveral documents revealing the heist inone big folder. He created a file calledFor Journalists that explained what theyhad found, using words that would grabheadlines, such as compromised insteadof stolen.

Topiary had been up since six o’clockthat morning to keep up with Sabu’s timezone, but he wasn’t feeling tired. OnTwitter he was counting down to theirofficial release time, buildinganticipation among followers and themedia. Gawker’s Adrian Chen quicklyposted a story headlined “World’s MostPublicity Hungry Hackers TeaseImpending Sony Leak.”

Topiary had gone through the SonyPictures database looking for anyonewith a .gov or .mil e-mail address. Hefound a few and started posting theirnames and passwords on Twitter. ThenAt 5:00 p.m. eastern time on the sameday that Sony finally restored itsPlayStation Network, Topiary published

everything.“Greetings folks. We’re LulzSec, and

welcome to Sownage,” he said in theintroduction. “Enclosed you will findvarious collections of data stolen frominternal Sony networks and websites, allof which we accessed easily and withoutthe need for outside support or money.”LulzSec was kicking Sony just as it wasgetting back up.

Thirty-eight minutes after the release,Aaron Barr tweeted that LulzSec hadreleased stolen Sony data. “The amountof user data appears significant.” Inforty-five minutes fifteen thousandpeople had looked at the message, a rateof eighteen people a second, and twothousand had downloaded the package of

Sony data from file-sharing websiteMediaFire.

Topiary didn’t have time to sit backand watch the fallout. He and Tflowwere putting up the new LulzSecwebsite, complete with a retro–NyanCat design and the soft tones ofAmerican jazz singer Jack Jones singingthe theme song of The Love Boat in thebackground. The home page showedTopiary’s revamped “Lulz Boat” lyricsas plain black text in the middle. A linkat the bottom offered viewers the optionof muting it—when clicked, the linkraised the volume by 100 percent. Sabuinitially hated the website and yelled atTopiary and Tflow for creatingsomething that had the potential to be

DDoS’d, which would make the teamlook weak. Eventually Topiaryconvinced him that they should keep it.

They moved quickly to put the site inplace, then worked to ensure it didn’tcollapse under the weight of thousand ofvisitors and the inevitable DDoS attacksfrom enemy hackers. They also madesure the torrent file of Sony data stayedup, that there weren’t any more LulzSecBitcoin donations (they totaled $4 sofar), and that everything else was incheck. The LulzSec Twitter feed nowhad 23,657 followers, and there weredozens more people pouring into thepublic #LulzSec chat room. Topiarywould go to bed and find it difficult tosleep knowing that he was getting new

tweets every two minutes. It waschaotic, but satisfying. He would goback onto Twitter with greaterconfidence each day, dismissing hisdetractors with withering put-downs andkeeping the followers enticed. If LulzSecannounced a new operation, it was nowguaranteed to get on the news.

Often they didn’t need to go into thedetails of what they were about to do—the media and the public often assumedthat LulzSec was causing more damagethan it really was. But as people’sexpectations rose, the stakes wenthigher.

“We don’t want to be the hackinggroup that just leaks once a week somelittle thing,” Topiary said at the time.

“We will only do big things from nowon…Unless we find someone we don’tlike.”

One of those “big things” wasimminent. The time had come forLulzSec to play its ace card andannounce the hack on Infragard.“Welcome to FuckFBIFriday, whereinwe sit and laugh at the FBI,” Topiaryannounced on Twitter. “No timesdecided, but we’ll cook up somethingnice for tonight. <3.”

As the group scrambled to prepare theInfragard drop, a few from the teamdecided to pay particular attention to oneperson in the database of usernames andpasswords they’d taken from the FBI

affiliate site: a digital securityentrepreneur named Karim Hijazi. Hijaziwas thirty-five and ran a start-up calledUnveillance. When the team checkedHijazi’s Infragard password againstGmail and found a match, they startedsnooping around his e-mail account tosee if they could expose some dirtylaundry, as they had with Aaron Barr.

Sabu hated white hat security firms.That much Topiary knew. And now hewas talking about the subject more thanever in private, particularly about arevival of the anti-security movement.Sabu’s beef with white hats went back along way. Anti-security got going in1999, when a vulnerability in widelyused Solaris servers that was known to

only a couple hundred hackers in theworld led to their hacking into a widerange of companies and organizations.Then they started stealing e-mails fromwhite hat security firms. The reason wasthey hated a new edict in cyber securitycalled full disclosure. The idea was thatif cyber security experts (white hats)publicly disclosed a website’svulnerabilities quickly, they got fixedmore quickly. But black hats preferred tokeep the flaws hidden so that they wouldstay within the underground communityand continue being exploited.

Antisec had seen its share ofhacktivist groups like LulzSec, and oneof the first was a notorious clique called~el8. The shadowy hackers would target

white hat security researchers andcompanies, steal their passwords and e-mails, and publish them in a regular e-zine. It was a single white page with el8elaborately spelled out in symbols at thetop, not too dissimilar from the Pastebinposts of LulzSec and filled with newweb scripts, exploits, stolen e-mails,and jeering commentary. The groupcalled its work project mayhem, or“pr0j3kt m4yh3m.” The phrase wasborrowed from the movie Fight Club,and their e-zines heavily referenced thefilm. The bulletins never spelled out~el8’s motivations, but project mayhemappeared to be a violent incarnation ofthe Antisec movement. Many in thewhite hat industry figured ~el8’s real

motivation was to fight full disclosure sothat black hats and gray hats would bethe only people who knew about theInternet’s secret vulnerabilities.

“One of these days, these kids aregoing to have to pay a mortgage and geta job,” said Eric Hines, an executive ofone of the white hat firms that wasattacked, in a Wired article. “Andthey’re not going to become lawyers ordoctors—they’re going to do whatthey’re good at. And that means getting acareer in the security industry.”

Sabu had nurtured a dislike for whitehats even after the 1999 Antisecmovement dwindled. Emick believedSabu was simply resentful after gettingturned down for a job in IT security.

Either way, the sentiment was rubbingoff on Topiary as the two had more one-on-one discussions. Sabu would pointout that white hats charged $20,000 forpenetration testing, stuff that the LulzSeccrew could do for free. He explainedthat Topiary himself could have donewhat HBGary was charging $10,000 for.The message was that white hats werelike unscrupulous car mechanics,tricking people into believing theyneeded to pay thousands when the realcost was much lower.

This line of reasoning was verydifferent from the original Antisecargument over full disclosure. That’sbecause a decade later, the Web wasnow so chock-full of websites, data, and

vulnerabilities that white hats weren’tpushing for full disclosure anymore. Theview had flipped, and fully disclosingserver flaws was veering into a criminaloffense. The notorious Internet trollAndrew “weev” Auernheimer, who hadcome up with the meme “Internets isserious business,” had learned that thehard way. In 2010, he and a few hackerfriends from their trolling group GoatseSecurity poked around in AT&T’swebsite and found a security hole thatled to internal data on 114,000 iPadusers. Weev “fully disclosed” it, albeitthrough mainstream media and not acyber security newsletter. The followingJanuary, six months after journalists atGawker did an exposé on the AT&T

security flaw for iPad users, the U.S.Department of Justice announced that itwas charging weev with fraud andconspiracy to access a computer withoutauthorization.

A successful revival of Antisec couldkeep the authorities busy with morepeople like weev. Sabu wanted to keepthe focus on white hats, like the olddays, so it was crucial to find some realdirt on Hijazi’s tiny firm Unveillance.The company made money by hunting formalicious botnets, but digging around inits e-mails, Sabu and the others thoughtthey found evidence that he was workingwith others to snoop on Libyan webusers. They decided to confront him onIRC under different guises to let him

know they had all his e-mails and thatthey could do worse. On May 26, they e-mailed him his password, with thesubject line, “Let’s talk,” and said theywanted to see his botnet research.

Hijazi immediately picked up thephone and called the FBI. When hefinally got through to someone and triedto explain what was happening, Hijazigot the impression the people on theother line weren’t interested, or perhapsdidn’t understand what he was talkingabout. They referred him to an agent inhis local office. When he called thatnumber and told a local staffer thatmalicious hackers were trying to accesshis botnet research, he was surprisedwhen that individual replied, “What’s a

botnet?”Eventually, an agent advised Hijazi to

start logging all of his conversationswith the group and to play along to see ifhe could get any information on them. Onthe other side of the fence, Sabu,Topiary, and Tflow were trying toposition Hijazi to admit that he wantedto hire the hackers to attack hiscompetitors. Both sides ended up lyingto each other to obtain information,which made for a confusing encounterfilled with misinterpretation.

“The point is a very crude word:extortion,” Topiary had told Hijaziunder the name Ninetails, adding thatHijazi would be paying for their silence.“You have lots of money, we want more

money.”The team kept offering to help Hijazi

by attacking his corporate competitors.Playing along like he was supposed to,he eventually replied: “I can’t ask you toget someone and stay a ‘legit’ firm.Agreed?” When Topiary read this hebelieved that Hijazi was falling intotheir trap and that it was proof of yetanother corrupt white hat, just as Sabuhad predicted.

“Can I take a guess at who you are?”Karim had later asked.

“Karim, we’ve been expecting you tobe secretly guessing since day one,”Topiary replied under a secondnickname, Espeon. “Do share.”

“808chan.”

Sabu burst out laughing. “Are youserious bro?” he asked, using thenickname hamster_nipples. “How dareyou call us a fucking chan.”

“Then tell me,” replied Karim, whowas keeping his responses as measuredas possible while playing their game.

“If we tell you who we are, you willshit yourself and shut the fuck up,” Sabusaid. “But yes we are very well known.”The group kept prodding Hijazi, callinghim dense and warning him about whatthey could do with his e-mails. ButHijazi had to pretend to be oblivious—he knew just as well as Sabu and theothers that playing stupid was one of themost effective ways to social-engineersomeone. It could sometimes trick him

into revealing facts about himself.“Why be hostile? Just curious,” Hijazi

said.“We’re not a chan,” replied

hamster_nipples, who seemed to have anissue with status. “Don’t refer to us as achan. We are security researchers.”

“No worries,” said Hijazi. “You’renot a chan.”

“Heh,” hamster_nipples said. “You’retesting my patience.”

Though Sabu came across asmenacing in the resulting chat logs(released by both LulzSec and Hijazihimself), Hijazi’s press officer later saidin an interview that the most aggressivehacker in the team had been Ninetails,the alias of Topiary. “He is very blunt,”

Michael Sias said, “and forceful aboutthe extortion.” Hijazi, he added, hadbeen trying to do the right thing.

“It was tough, not pleasant,” Hijaziremembered a few weeks later. “I’m notsure what their motivation is. They’rejust name-calling, which seems veryjuvenile. I thought at minimum therewould be some belief system and theredidn’t seem to be anything behind it. Itwas petty.”

Of course none of that struck Topiaryand Sabu, who figured they weregradually picking up proof that whitehats were bad, and black hats were theiravengers.

“There are a lot of companies thatovercharge and abuse the fact that

people know nothing,” Topiary saidexcitedly in an interview after a recentconversation with Sabu on the topic ofAntisec. “Computers aren’t ourintelligence. Buy a book or two andlearn it yourself. That’s what I find.”The message Topiary was getting fromSabu was the same: that the white hatsecurity industry was keeping regularpeople in the dark about how to navigatethe Internet, undermining andemasculating the public when they couldeasily learn things on their own, just ashe had.

With LulzSec unveiling these apparentlynew and hitherto unspoken corruptions,Anonymous was starting to look

irrelevant. LulzSec had quickly rackedup fifty thousand Twitter followers andwas gearing up to spread the Antisecmessage. AnonOps IRC was a mess;everyone was on edge. There was nothrilling atmosphere anymore, no humor.Where there had once been eighthundred regular participants in a chatroom like #OpLibya, there were nowfifty or a hundred at most. The hot-tempered operators had gone back tofighting one another and kicking outparticipants on a whim. Feds werecrawling all over the network. It wasn’tfriendly, or safe. Topiary and Sabufigured they were creating a far betterworld in LulzSec and its public chatnetwork.

As Sabu nursed ambitions to revive acrusade against white hats, heencouraged the group in #pure-elite toseek leads from black hat hackers in thepublic LulzSec chat room, now beinghosted on a new IRC network calledluzco.org. The crew were still gettingready to drop Infragard, and in themeantime Topiary, Joepie91, and otherswere hopping over to their channel tosuss out some of its visitors. Later thatday, a hacker named Fox came in theroom and approached Topiary. Itseemed he had some leads for futurehacks.

“You got a messenger?” Fox asked.“I’d be happy to toss exploits andbusiness back and forth.” Topiary had

never heard of the guy but figured itcould lead to something.

“We got people offering us exploits,”Topiary announced to the team when hecame back to the #pure-elite channel.“He’s legit, but not so sure we can trusthim.” There was no chance Fox wouldbe invited into their channel, unless Sabusaid the words 100 percent trusted.Instead, the team invited Fox into a new,neutral channel where the others couldfeel him out. It was hard not to beparanoid.

“He’s probably a spy,” Topiary toldthe others. Sabu suggested he might beJester himself. “If he is then we canthrow them off course. If he isn’t, freeexploits.”

Often when the group started talkingto a new contact, they used it as a chanceto practice their banter and have somefun. When Sabu joined in the chat withFox, he pretended to be a LulzSechacker from Brazil. The team memberswere hopping back and forth, fromchatting in the neutral channel tochuckling over their antics back on homebase, particularly at Sabu’s Brazil act.

“Have you guys ever talked to a realhardcore Brazillian hacker?” Sabuquickly asked the crew. Sabu knew manyBrazilian hackers, to the extent that hecould impersonate the way they spoke,in very basic English mixed with hackerslang, and in text chat rather than voice.

“HEUHEAUEHAUHAUEHAHEAUEHUHheuheushHUAHUehuuhuUEUue.”

Sabu had quickly typed out a typicalBrazilian online laugh.

“Fox, a gentlemen never tells,” Sabuhad told the new hacker, still playing thepart of a Brazilian.

“Ah, I love that answer,” Fox hadreplied.

The LulzSec crew seemed to fall overlaughing. “Sabu, you are a god,” saidNeuron.

“Thanks, sir,” Sabu replied.“Consider yourselves lucky no onereally gets to see me work in action. Noone is trustable outside our crew.Remember that, Neuron.”

The crew kept jumping from thepublic #LulzSec to the private #pure-elite where they would report more

openly (though never completely openly)about what was happening. Newparticipants could instantly tell who wasimportant to talk to because the LulzSeccrew all had operator status, teetering atthe top of the long list and with specialsymbols prefacing their names.

At one point Joepie was privatelyapproached in the teeming room bysomeone named Egeste, a name that wasfamiliar to anyone who had been onKayla’s #tr0ll IRC channel. “So, I wantto play with you guys and this channel islike, gayer than gay and full of newfags,”Egeste said. It was true that LulzSec nowhad more participants than all of the2600 network. “Where’s the reallulzsec?”

“Play in what sense?” answeredJoepie, who was using the nameYouAreAPirate.

“You know what I mean. I know youguys don’t know me, but you probablyknow people that do. Xero, venuism, e,insidious, nigg, etc etc.” Then he added,“Kayla.”

Joepie reported all of this verbatimback to the crew in #pure-elite. Thosenicknames were very well known,pointed out a secondary-crew membercalled Trollpoll. Another laughed.

“He’s just name dropping,” said Sabu.Neuron, a friendly and analytical Anon,suggested asking Egeste to provide azero-day as proof of his skills. Alsoknown as a 0day, this referred to an as-

yet-unknown server vulnerability, andfinding one meant big kudos for anyhacker, white hat or black hat.

Sabu asked Kayla if she’d heard ofEgeste, and it turned out the new guy hadalso been in the #Gnosis channel whenshe had coordinated the hack onGawker, but “he did not do shit,” shesaid. For all the names he hadmentioned, Egeste was just anotherdistraction. Soon the encounter was justa drop in the ocean of dozens of otherswith potential supporters and trolls.

Once in a while the #LulzSec chatroom was graced with the presence of adisgruntled company employee who waseager to leak some internal data via acharismatic new group. Not more than a

day after LulzSec’s first attack on Sonymade headlines, a new visitor to the#LulzSec chat room approachedsecondary-crew member Neuron,offering what appeared to be sourcecode for the official website for Sonydevelopers. Neuron reported it to homebase.

“Just looked at this guy’s source for‘sonydev.net,’” he said. “It seems ligit.php file etc. Still investigating.”

“Neuron, that source you got,” saidSabu. “[Post it on] pastee.org so we cananalyze also.” Neuron sent the others alink to the fifty-five-megabyte file alongwith a thirty-three-digit password toaccess it.

“Downloading,” said Sabu. “Which

site is this for? Sonydev.net?”“Aye,” said Neuron. “I’m sure we can

find the pass somewhere on Sony.”“Analyzing ‘scedev’ source codes

now,” said Sabu. Neuron checked inabout ten minutes later.

“What’s the word on that source?”Neuron asked.

Sabu seemed to approve of it.“Should we just leak the source code?”he asked Topiary and Neuron.

“I wouldn’t suggest it just yet,”Neuron replied. “We could use more ofhis shit. He’s a Sony developer.”

“You serious?” asked Sabu.“If we keep quiet we can get more,”

said Neuron, who took the view that itwas better to lurk than dump everything

at once like a script kiddie.“So tell him to give us access into

[the] Sony network.”“I’ll see. He said he was an ex-Sony

developer but has access.”“Social engineer him into that shit,”

said Storm, who was listening in.“Ok,” said Sabu. “So bro. What are

you doing here talking to us? Social hisass. Haha.” Neuron had gone to try totalk to the source again but it wasalready too late.

“He logged off,” said Neuron.“Gay,” Sabu said, a little

disappointed. “So he messaged you,gave you source, logged off?”

“Yeah,” said Neuron. “He likes us orsomething.”

This was how it often went. Thepromise of leaks and exploits wouldcome from gray and black hat hackers oranyone who had something worthoffering. Often the data wasn’t asexciting as originally promised, but inthe end, the team used the source codethat the ex–Sony developer had passedthem. And over time they stopped beingsurprised that so many outside peoplewanted to pass them vulnerabilities toexploit—it seemed like everyone in theIT security field, itself a medley of whitehats with a darker past, was talkingabout LulzSec. A few secretly wishedthey could be a part of the fun.

One hacker had a particularly unusualway of demanding to be let in. One

afternoon, the LulzSec crew foundthemselves getting individually kickedout of the public LulzSec chat room.

“Wow, bro,” Storm suddenly said on#pure-elite. “People are trying to downour ops.” Someone was sending junkpackets and bumping each LulzSec crewmember off the IRC channel. It wasn’taffecting their computers, but the virtualmachines or virtual private networksbeing used to displace their truelocations were getting hit. DDoSingsomeone’s IP could make him disappearfrom the Internet for a while, but if youdid it enough he’d be booted from hishosting service altogether.

“We gotta get off that server,” said asecond-tier member called Recursion.

“We’re getting hit,” cried Neuron.There was a general hubbub among thesecondary crew as they floundered overa response to the attack.

Sabu almost rolled his eyes. “Neuron,so sign off? Look guys.” No one waslistening.

“The whole room is hit,” Stormexclaimed. “He’s hitting randompeople.” It seemed a lone mercenarywho went by the nickname Xxxx wastrying to disrupt LulzSec’s attempts tomeet with its fans.

Then Joepie received a privatemessage: “Hi Kayla or Sabu or Tflow.”It had come from Xxxx. Joepie ran asearch on the user’s IP and realized itwas Ryan, the botnet-wielding

temperamental operator from AnonOps.Neuron received the same private

message, then others in the secondarycrew did too.

“Everybody shut the fuck up,” Sabusaid. People were still talking excitedly.“EVERYONE. SHUT THE FUCK UP.”That seemed to get their attention.

“Relax,” he continued. “As for Ryan,ignore him. He doesn’t know it’s us.Jesus.”

“Relax,” said Joepie, adding a smileyface.

“Ryan, huh?” said Topiary.“The situation is getting horribly

stressing,” said Trollpoll.“I know, Jesus,” said Sabu. “Look.

From now on, no one goes on 2600

unless you prep yourself for the socialengineering.”

Everyone was listening now. “If youdon’t know how to social engineer donot get on 2600,” he said. “If you do nothave a DDoS protected IP, do not get on2600. That’s it.”

“Aye,” said Neuron.“Exactly,” said Storm.“Aye-aye, Storm,” said Recursion.

“Err, Sabu. I meant to say aye-aye Sabu,not Storm.”

“Ok,” said Sabu. “Sony was leaked.We got bigger projects.” He pointed toNeuron’s work on the new Sonydevelopment source code. “How aboutthose who are not too busy work onauditing that source code.” Everyone got

back to work.

Chapter 21

Stress and Betrayal

As LulzSec’s targets got bigger, Kaylastarted drifting away a little fromoperations, more interested in takingrevenge on enemies like Jester andBacktrace. She had always been a freespirit, loyal to her friends but neveraligning herself too closely with anyparticular cause for too long.Sometimes, she just got bored. She alsowasn’t as interested in reviving theAntisec movement as Sabu or Topiary.Instead, she started developing anelaborate plan to creep into the #Jesterchat room as a spy, embed herself, then

infect the computers of its members witha key-logger program so that she couldmonitor their key strokes, learn a fewkey passwords, and take them over. Itwas called a drive-by attack, and whilein this case it was an elaborateoperation, typically the attack was just amatter of enticing someone to visit awebsite and installing malware on theirsystem as a result. It meant she was nowspending just a couple of hours a daychatting with the crew beforedisappearing for a day or more.

In the meantime there was somesurprising news coming from the UnitedStates. The Pentagon had announced thatcyber attacks from another country couldconstitute an act of war and that the U.S.

could respond with traditional militaryforce. Almost at the same time, a draftreport from NATO claimed thatAnonymous was becoming “more andmore sophisticated” and “couldpotentially hack into sensitivegovernment, military and corporatefiles.” It went on to say that Anonymoushad demonstrated its ability to do justthat by hacking HBGary Federal.Ironically, it stated that the hackers hadhit Barr’s company and hijacked hisTwitter account “in response” to Bank ofAmerica hiring the security company toattack adversaries like WikiLeaks. EvenNATO seemed to be inflating theabilities of Anonymous, seeing reasonand connections where there were

coincidences. The hackers hadn’t knownabout Barr’s plans with WikiLeaks untilafter they had attacked him. Even so, thenews got everyone’s attention.

“Did you read the NATO doc aboutanonymous?” asked Trollpoll in the#pure-elite hub. Trollpoll did not soundlike he was from the United States,though it was impossible to be sure ofanyone there. “They will put tanks onour houses?”

“Obama will be like ‘Lol you justDDoS my server?’” said Kayla,“‘Nuke.’”

With the world’s attention nowmoving to LulzSec and the fightingwords from the U.S. administration, itseemed as good a time as any to drop the

FBI affiliate Atlanta Infragard. They’dhad the site under their control formonths and felt they now had enough onwhite hat Hijazi to expose him at thesame time. This would bring more heatthan ever on LulzSec, but the group wason a roll and felt safe.

LulzSec’s founding team memberswould carry out the final Infragardswoop. As they got ready to deface thesite, Sabu entered the shell, theadministrative page he had set up calledxOOPSmaster, opened his terminalprogram so he could start playing withthe source code, and, on a seemingwhim, typed rm –rf /*. It was a short,simple-looking piece of code with anotorious reputation: anyone who typed

it into his computer’s back end couldeffectively delete everything on thesystem. There was no window poppingup to ask Are you sure? It just happened.Web trolls famously got their victims totype it in or to delete the crucial system32 file in Windows.

“Oops,” Sabu told the others. “Justdeleted everything. rm –rf /*.” Kaylamade the face-palm gesture, andeveryone moved on. On top ofeverything they had already done,deleting the Infragard website contentsdidn’t seem like a big deal. They thenused the /xOOPS.php shell to upload agiant image and title onto the Infragardhome page—their deface. It was noserious admonishment of the FBI but

another prank aimed at Jester’s crew.The team had replaced the AtlantaInfragard home page with a YouTubevideo of an Eastern European TVreporter interviewing an impeccablydrunk man at a disco. Someone hadadded subtitles spoofing him as awannabe hacker from 2600 who didn’tunderstand what LulzSec was doing.Above the video was the title “LET ITFLOW YOU STUPID FBIBATTLESHIPS,” in a windowcaptioned “NATO—National Agency ofTiny Origamis LOL.”

Topiary’s official statement was alittle more serious—but not much. Wheneveryone was ready, he hit publish.

“It has come to our unfortunate

attention that NATO and our good friendBarrack Osama-Llama 24th-centuryObama have recently upped the stakeswith regard to hacking,” Topiary hadwritten in their official statement. “Theynow treat hacking as an act of war. So,we just hacked an FBI affiliated website(Infragard, specifically the Atlantachapter) and leaked its user base. Wealso took complete control over the siteand defaced it.” Of course, LulzSec hadnot hacked Infragard in the past day ortwo or in response to the Pentagon’sannouncement, but news outlets reportedthe attack as a “response.”

Infragard’s web contents had beendeleted, the site defaced, and details of180 people in its user base had been

published on the Web, along with theirpasswords in plaintext, their real names,and their e-mail addresses. Topiary hadsigned off the missive, declaring, “Nowwe are all sons of bitches.”

Since Topiary had been reminding theworld for the past day on Twitter that anFBI hack was imminent, mainstreamnews agencies jumped into the story,leading a whole new stream of people tofollow the group on Twitter. Theirwebsite had now received more than 1.5million views. Despite the damageLulzSec had done to the 2600 network,the actual magazine 2 6 0 0 soundedimpressed. “Hacked websites, corporateinfiltration/scandal, IRC wars, newhacker groups making global headlines,”

its official Twitter feed stated, “the1990s are back!”

Television news stations were racingto find security experts who couldexplain what was going on and offersome lucid opinions. “We are facing avery innovative crime, and innovationhas to be the response,” said GordonSnow, the assistant director of the FBI’scyber division in an interview withBloomberg right after the Infragardattack. “Given enough money, time andresources, an adversary will be able toaccess any system.”

Yet LulzSec’s hack into Infragard hadnot cost that much in terms of “money,time and resources.” All told, theoperation had cost $0, had been carried

out with the relatively simple method ofSQL injection, and was made worsebecause an admin’s cracked password,“st33r!NG,” had been reused to getadministrative access to the Infragardsite itself. As for time, it had taken theteam thirty minutes to crack the admin’spassword and twenty-five minutes todownload the database of users. Withintwo hours, the LulzSec team hadcomplete administrative access to anFBI-affiliated site, and for severalweeks no one from the FBI had had aclue.

Of course, along with the Infragarddrop had been LulzSec’s condemnationof Hijazi. The team had kept some oftheir chat logs with the white hat and

published them online as evidence thathe was corrupt. And while the groupmembers had told Hijazi that theywouldn’t release his e-mails, theypublished them too.

“We have uncovered an operationorchestrated by Unveillance and othersto control and assess Libyan cyberspacethrough malicious means,” Topiaryannounced, meaning by assess thatUnveillance wanted to spy on LibyanInternet users.

“We leaked Karim because we hadenough proof that he was willing to hireus as hitmen,” Topiary added onTwitter. “Not a very ethical thing to do,huh Mr. Whitehat?”

Hijazi also released a statement

immediately after, explaining that he had“refused to pay off LulzSec” or supplythem with his research on botnets.Topiary shot back with a second officialstatement saying that they had neverintended to go through with the extortion,only to pressure Hijazi to the pointwhere he would be willing to pay for thehackers’ silence and then expose himpublicly. It was a war of words built onthe gooey foundations of lies and socialengineering.

Topiary still called on journalists andother writers to “delve through” Hijazi’se-mails carefully, hoping for the samekind of enthusiasm there had beenaround Aaron Barr’s e-mail hoard. Butthere was none. For a start, Hijazi just

didn’t have enough dirty laundry. More,the infamy of LulzSec wasovershadowing any more sobering,sociopolitical points the group wasdimly making with each attack—that itdidn’t like Fox, or that WikiSecrets“sucked,” or that NATO was upping thestakes against hackers, or whateverUnveillance might have been doing inLibya. It was quite an array of targets;LulzSec seemed to be attacking anyone itcould, because it could.

This was getting to some of thesecondary-crew members. The hackerRecursion came into the #pure-eliteroom late on June 3 after watching theInfragard events unfold. He hadn’t takenpart in the hack and was shocked when

he read the news reports.“Holy shit,” Recursion told the others.

“What the fuck happened today?”“A lot,” said Sabu, adding a smile.

“Check Twitter.”“LulzSec declared war on the U.S.?”

Joepie offered sardonically.“I caught the jist of it,” Recursion

answered before seeming to trail off. Hedidn’t say anything more on the subject,but twenty minutes later, afterpresumably holding a privateconversation with Sabu, he left thechannel, for good.

Sabu was disappointed in anyone whobailed on him in battle. It feltdisrespectful. But he moved on quicklyto guide the remaining troops. Sabu

came back to the room and addressed thehandful of participants. “Well guys.Those of you that are still with usthrough this, maintain alert, make sureyou’re behind VPNs no matter what.And don’t fear. We’re ok.”

“Sabu, did we lose people?” askedNeuron.

“Yeah.”“Who?”“Recursion and Devurandom quit

respectfully,” he answered, “saying theyare not up for the heat. You realize wesmacked the FBI today. This meanseveryone in here must remain extremelysecure.” It was a grave reminder of thepotential charges LulzSec was rackingup if its team members were to get

caught.A few of the members started

describing how they were strengtheningtheir security. Storm was getting a newnetbook and completely wiping his oldcomputer. Neuron was doing the same.He used a virtual private network calledHideMyAss. This was a company basedin the United Kingdom that Topiary usedand had recommended.

“Did you wipe the PBS [chat] logs?”Storm asked Sabu.

“Yes. All PBS logs are clean.”“Then I’m game for some more,” said

Storm. Sabu typed out a smiley face.“We’re good,” he said. “We got a

good team here.”Not everyone was good though, and

not all logs were clean. The aloofLulzSec secondary-crew member knownas M_nerva, the one who had said “goodnight” to the others just a few daysbefore and not said too much elseafterward, had just gathered together sixdays’ worth of chat logs from the #pure-elite channel and repeated Laurelai’sfrantic act in February. He leaked it. OnJune 6, the security website seclists.orgreleased the full set of #pure-elite chatlogs held on Sabu’s private IRC server.The leak revealed, embarrassingly, thatnot everyone in #pure-elite could be“100 percent trusted,” and that for all itsbravado, LulzSec had weaknesses. Theteam jumped into action, knowing thatthey had to send a message that they did

not accept snitches, even if M_nerva hadallegedly been persuaded to leak thelogs by another hacker, named Hann.They knew they could find out whoM_nerva really was because among theother black hats supporting LulzSec wassomeone who had access to pretty muchevery AOL Instant Messenger account inexistence. Since many people had set upan AIM account at one time or another,they only needed to cross-check thenickname and IP to come up with a realname and address. It turned out M_nervawas an eighteen-year-old fromHamilton, Ohio, named Marshall Webb.The crew decided to hold on to theinformation for now.

With Sabu’s trust betrayed, the older

hacker was now more paranoid thanbefore. Topiary felt vindicated. He hadknown that a leak could happen if Sabukept inviting people into #pure-elite, andit did. But he didn’t push the point. Whenhe brought it up with Sabu, the hackerbrushed off the topic quickly. He hadnothing to say about it. Instead, Sabuworked on making the wider group moresecure by separating it into four differentchat rooms. There was a core channel,which now had invited fifteenparticipants, and #pure-elite, then chatrooms called upper_deck, for the mosttrusted supporters, lower_deck,kitten_core, and family. Members couldgraduate up the tier system depending onhow trustworthy they were. Neuron and

Storm, for instance, eventually wereinvited into upper_deck, so that theycould be phased into the main channelfor LulzSec’s core six members: Sabu,Topiary, Kayla, Tflow, AVunit, andPwnsauce.

The heat wasn’t coming only from themedia attention; Topiary was seeinghackers with military IP addresses tryingto compromise the LulzSec IRC networkand users every day. Already, rumorswere spreading that LulzSec had beenfounded by the same crew that had hitHBGary. Enemy hackers were postingdocuments filled with details they haddug up online about each member, muchof it wrong but some of it hitting close tohome. LulzSec’s members needed to

switch their focus from finding targets toprotecting themselves.

Kayla suggested a massdisinformation campaign. Her idea wasto create a Pastebin document revealingthat Adrian Lamo owned the domainLulzSec.com; then to add details of otherJesterfags and claim they were membersof LulzSec; then to spam the documenteverywhere. It was a classic social-engineering tactic, and it sometimesworked.

“But saying more or less that LulzSecis CIA,” Trollpoll offered. It wasoutrageous, but some people would seesense in the idea that the CIA was usingfreelance hackers to hit Iran or Libyaand would build their own conspiracy

theories around it.Topiary and Kayla wrote up a

document titled “Criminals of LulzSec,”under the guise of a fictitious socialengineer called Jux who claimed to havebeen invited into the group’s privatechannel, saying, “I believe they arebeing encouraged or hired by CIA.” Inthe document, Jux claimed Lamo was akey member of the group, along with aPakistani hacker named Parr0t, aFrenchman named Stephen, and anunnamed hacker from the Netherlands.The document was viewed more than40,000 times, retweeted by notorioushacker Kevin Mitnick, and mentioned ina few tech blogs as a rumor.

When Gawker’s Adrian Chen started

reaching out to LulzSec via Twitter totry to investigate them, the crew, stillbitter about his exposé on the #HQ logleak, decided to aim a separatemisinformation campaign directly at him.They invited him into a neutral IRCchannel, where Sabu posed as an ex–secondary-crew member of LulzSec whohad run away and wanted to spill somesecrets. The crew made their hoax onChen especially elaborate, drawing upfake logs, fake web attacks on the fakepersona’s school, and fake archives ofdata as proof for the journalist. Sabuthen started feeding Chen a story thatLulzSec was a tool of the Chinesegovernment in a cyber war with theUnited States, that Kayla was working

with Beijing, and that Topiary wasfunneling money from the Chinesegovernment into the group.

“If he publishes, that old sack of crapis completely ruined,” Topiary said.They were planning to let the story dothe rounds for five days, then deny it onTwitter, posting a link to all their logswith the journalist. But Chen neverpublished anything. Like Hijazi, he hadbeen playing along with LulzSec’s storyin the hope of teasing out some truth,which he realized he wasn’t getting. Thelack of a story was disappointing forLulzSec’s members, but they weremanaging to keep outsiders from gettingtoo close; for now, at least.

By early June the members of LulzSecwere working flat-out on severaldifferent misinformation campaigns andthe odd operation and trying not to thinkabout the potential damage caused byM_nerva. One light in the darkness wasthat they had racked up five hundreddollars in Bitcoin donations. Topiarycontrolled the Bitcoin account and waspassing some of the money to Sabu tobuy accounts with virtual privatenetworks, like HideMyAss, to betterhide their ring of supporters and also toget more server space. Turning thatmoney into untraceable cash was adrawn-out task but relatively easy. TheBitcoins bought virtual prepaid cardsfrom Visa, with the help of fake names,

addresses, personal details, andoccupations at fake companies,generated in seconds on the websitefakenamegenerator.com. As long as thecontact address matched the billingaddress, no online store would questionits authenticity. The Visa account wasused to get in the online virtual worldSecond Life and buy the in-gamecurrency Lindens. Convert that moneyinto U.S. dollars via a currency transfersite (recommended by Kayla) calledVirWoX, then put those dollars into aMoneybookers account. Finally, transferthat money into a personal bank account.That was one method. Another moredirect route, which Topiary often used,was to simply transfer money between a

few different Bitcoin addresses:Bitcoin address 1 → Bitcoin address

2 → Bitcoin address 3 → LibertyReserve (a Costa Rican paymentprocessor) account → Bitcoin address 4→ Bitcoin address 5 → second LibertyReserve account → PayPal account →bank account.

If even the hint of a thought occurredto him that there weren’t enoughtransfers, he would add several morepaths.

Then on Monday, June 6, Topiarychecked the LulzSec Bitcoin account.Holy shit, he thought. He was looking ata single, anonymous donation of fourhundred Bitcoins, worth approximately$7,800. It was more money than Topiary

had ever had in his life. He went straightinto the core group’s secure chat room.

“WHAT THE FUCK guys?!” he said,then pasted the Bitcoin details.

“NO WAY,” said AVunit. “LOL.Something has gone wrong.”

“Nope,” Topiary said. He pasted thedetails again.

Suddenly they all stopped what theywere doing and talked about splitting themoney: $1,000 each and the rest toinvest in new servers. They startedprivate messaging Topiary with theirunique Bitcoin addresses so he couldsend them their shares. Topiary had nointention of keeping quiet about themoney or cutting a bigger slice forhimself. Everyone was funneling the

money through various accounts to keepit from being traced. Who knew if thedonation had come from the Feds oropportunistic military white hats?

“Guys be safe with the Bitcoinsplease,” said AVunit. “Let it flowthrough a few gateways.…Use one bit toget out of financial trouble and then siton the rest.”

“Okay, beginning the sends,” Topiarysaid. “All of you are now $1,000richer.”

“Excuse me while I light up a victorycigar,” said Pwnsauce.

“I’m just going to stare at it,” saidKayla. “Let it grow as Bitcoinprogresses.” So volatile and popularwas the value of the Bitcoin crypto

currency that by the following day oneBitcoin had risen to $26 in value,making their big donation worth$11,000. Three months prior it had beenone to one with the dollar.

“I’m honestly sorry you guys aren’there,” said AVunit, “because I’m goingto open a bottle of great whiskey. One ofthe Highland Scottish.” Topiary barelynoticed the reference to where he lived.

“Now let’s all have some sex,” Tflowsaid.

Everyone was beaming inside,forgetting the enemies and the heat. Sabutook the chance to congratulate his crew.“Thanks, team,” he said. “We all didgreat work. We deserved it.”

For Sabu, the celebrations would not

last long. The next day, Hector “Sabu”Monsegur finally got a knock on the doorfrom the FBI.

It was late in the evening on Tuesday,June 7, and two agents of the FederalBureau of Investigation had entered theJacob Riis apartment building and wereheading for the sixth floor, where HectorMonsegur lived and often partied withhis family and friends. The FBI had beentrying to pin down Sabu for months, anda few weeks prior they had finallymanaged to corroborate Backtrace’spronouncment: Sabu had inadvertentlysigned into an IRC channel withouthiding his IP address. Just the one timewas all they needed. To make sure he

cooperated, the Feds needed evidencethat Monsegur had broken the law. Sothey subpoenaed Facebook for details ofhis account and found stolen credit cardnumbers he’d been selling to otherhackers. That alone carried a two-yearprison sentence. Knowing that he hadtwo daughters and a family, the FBI nowhad some leverage.

The FBI had watched and waited forthe right moment. Then on Tuesday, theagents got the call to move in. Amid thegrowing number of small groups whowere, like Backtrace, trying to doxLulzSec, one had published the nameHector Monsegur, along with his realaddress. Sabu had recklessly kepthacking till now, perhaps reasoning that

he had come too far already and thatarrest was inevitable. But the FBI didn’twant to take any chances. They neededhim.

The agents knocked on Monsegur’smaroon-colored door, and it swung opento reveal a young Latino man, broad-shouldered and wearing a white t-shirtand jeans.

“I’m Hector,” he said. The agents,who were wearing bulletproof vests as astandard precaution, introducedthemselves. Monsegur, apparently,balked. According to a later Fox Newsreport that cited sources who hadwitnessed the interaction, he told theagents that he wasn’t Sabu. “You got thewrong guy,” he said. “I don’t have a

computer.” Looking into the apartment,the agents saw an Ethernet cable and thegreen, blinking lights of a DSL modem.

They probed Monsegur further,launching into a traditional goodcop/bad cop routine. They told him thatthey wanted him to work with them as acooperating witness, to help themcorroborate the identities of the otherLulzSec hackers. Sabu refused at first.He wasn’t about to snitch on his ownteam.

Then they told him about the evidencethey had from Facebook that showed thathe had sold stolen credit cards and toldhim that this alone would put him in jailfor two years. What would happen to hisgirls if he went to prison? The good cop

told Monsegur he could get a lessersentence if he cooperated; he had tothink of his kids. Monsegur was stillholding back. That’s when bad coppiped up.

“That’s it, no deal, it’s over,” theother agent said, storming out of theapartment. “We’re locking you up.”Sabu finally relented.

“It was because of his kids,” one ofthe agents later told Fox. “He’d doanything for his kids. He didn’t want togo away to prison and leave them.That’s how we got him.”

The following morning at ten,Monsegur appeared in the SouthernDistrict Court of New York with hisnew lawyer, Peggy Cross-Goldenberg,

and agreed before a judge to let the FBImonitor his every movement—bothonline and in real life. It would take afew more months for prosecutors toformally charge him on a stream of othercounts related to computer hacking, buthis punishment would be agreed as partof a settlement. From Wednesday, June8, on, Sabu was an FBI informant.

Monsegur, who had climbed to thepinnacle of the international hackercommunity thanks to his technical skills,charm, and political passion, was nowfeeding information about his friends tothe FBI.

As Hector Monsegur was being

arrested in his secret New York

apartment, thousands of people weretalking about his crew of audacioushackers. Twenty-five thousand morepeople had started following LulzSec’sTwitter feed after the Infragard hack, andit now had seventy-one thousandfollowers. The name was getting 1.2million hits on Google. Topiary foundthat he would spend a few secondsthinking of something silly to tweet, thenhe would tweet it to find it immediatelyquoted in a news headline. When hetweeted a link to the group’s public IRCchannel, irc.lulzco.org, one Sundayevening at six, more than 460 peoplequickly piled in for random chatter and achance to rub virtual shoulders with themost famous hackers on the planet. “Join

the party,” he had announced. “We’reenjoying a peaceful Sunday.”

“LulzSec, you guys rock!” said onevisitor.

“I need someone to take down myschool’s cheap ass website, for thelulz,” said another.

“Hey can anyone hack this douche forme?” asked someone else who thenposted an IP address. Each time anothergroup of twenty or thirty people joinedthe chat, someone would shout, “Herecomes the flood!”

“You guys released my mom’s e-mail,” said another fan on Twitter. “ILOL’ed.”

Meanwhile journalists werestruggling to keep up with the fast-paced

developments. No sooner had LulzSecreleased Sony’s development codes thanit uploaded the user database for pornsite Pron.com, pointing out users whohad .gov and .mil e-mail addresses withthe note, “They are too busy fapping todefend their country.” One Americanfighter pilot had used the passwordmywife01 while the e-mail addressflag@whitehouse.gov had usedkarlmarx.

Australian IT security expert and theblogger behind cyber security blogRisky.Biz, Patrick Gray, wrote up a blogpost called “Why We Secretly LoveLulzSec.” It got re-tweeted hundreds oftimes and said, “LulzSec is runningaround pummeling some of the world’s

most powerful organizations into theground…for laughs! For lulz! For shitsand giggles! Surely that tells you whatyou need to know about computersecurity: there isn’t any.” His kicker atthe end voiced what many in the cybersecurity industry were thinking: “So whydo we like LulzSec? ‘I told you so.’That’s why.”

LulzSec’s flagrant use of often simpleSQL injection methods had broughthome how vulnerable people’s privatedata was, and done it more compellinglythan any IT security’s marketingcampaign had. Cisco even capitalized onthe interest, at one point sponsoringpromotional tweets at the top of anysearch results for the group on Twitter.

Then a white hat security company didthe same. The next morning Topiarywoke up to see news reports ofLulzSec’s supposed latest attack,defacing the home page of digitalsecurity company Black & Berg. Itshome page had a large title saying“Cybersecurity For The 21st Century,Hacking Challenge: Change thiswebsite’s homepage picture and win$10K and a position working withSenior Cybersecurity Advisor, JoeBlack.” Directly after that was: “DONE,THAT WAS EASY. KEEP YOURMONEY WE DO IT FOR THE LULZ.”Under the title was a photo of a U.S.federal building covered by the black-and-white image of LulzSec’s ritzy

monocled man. The InternationalBusiness Times quickly posted a storyheadlined “LulzSec Wins HackingCompetition, Refuses $10K Award,”then quoted Joe Black himselfcommenting, “What can I say? We’regood, they’re better.” When the Timesasked Black how LulzSec had done it, hereplied: “I’m going to go withreconnaissance, scanning, gain access,maintain access, and cover tracks.”

But when Topiary asked the teamabout the Black & Berg attack, nobodyknew anything about it, and this defacemessage didn’t have any of the nuttycreativity that marked their other attacks.Topiary didn’t know it at the time, butBlack had most likely defaced his own

site to get the white hat firm some much-needed clients. (A year later thebusiness had shut down and its founderhad aligned himself with Anonymousand Antisec.)

In another part of the world, the hard-core hacker community in Brazil wasforming its own version of LulzSec,called LulzSec Brazil. Another hackergroup calling itself LulzRaft brieflyemerged. Other black hat hackers sentover more leads. Each day the LulzSeccrew members were sent dozens of linksto web pages that could infect them withviruses, but among them there were afew genuine security exploits, and plentyof data dumps left and right; 1,000usernames and passwords here, another

500,000 there. Often they were fromgaming companies, a paradoxicallypopular target for hackers, since so manyof them were gamers too. They wantedto leak through LulzSec because theywere often too scared to do itthemselves and didn’t want the data orexploit they had found to go to waste.The team had to be choosy about what itleaked—Topiary had learned from histime with AnonOps not to say yes toevery request.

Though Topiary was finding it hard tokeep a steady hand on things with somuch happening at once, LulzSec wasabout to ramp up the pace of announcinghacks. The team was sitting on a moundof unused data, mostly provided by other

hackers, that needed to get out. ThePentagon had given them a reason tofinally drop Infragard, but soon theywouldn’t be waiting for the rightmoment. It would just be a fire sale ofattack after attack.

Feeling the strain that Wednesdaynight, June 8, Topiary sent a message toSabu asking if he was around andwanted to talk. He was hoping for asimple chat about security or maybe lifein general. But Sabu didn’t respond. Justa few hours earlier, Monsegur had beenin court signing agreement papers withthe FBI. With Sabu offline for severalhours now, Topiary battled a strangesense of foreboding.

“I’m starting to get quite worried

some arrests might actually happen,” heremarked that evening, U.K. time, in arare expression of emotion. It wasn’t theenemy hackers, Jester, or even theBitcoin donation that had come out of theblue. Backtrace had just published thedocument claiming to dox the teammembers of LulzSec, though again, hewas sure that all the names of hiscolleagues were wrong. “I just have aweird feeling something bad is inboundfor us, I don’t know why.”

He remembered how he hadmentioned similar concerns a few daysearlier to Sabu after the M_nerva leak,and how Sabu had suddenly seemedmore worried too. (This had been beforeSabu’s arrest.) Topiary had always been

the calm one in their group, Sabu’s brainof reason. Once Topiary started to getnervous, it was perhaps another signal toSabu that they were in too deep. As thetwo had continued talking, they bothdecided that in spite of all the heat theywere inviting, they could not just stopnow. Momentum was too strong,expectations too high. They would carryon and run on faith in their ability to stayhidden. A small part of each of them hadalso accepted that arrest would probablyhappen at some point.

Did Topiary now fully trust Sabu andKayla? In answering that questionWednesday night, he said that he trustedthem “more than anyone else” in thegroup, and Sabu in particular.

“I treat Sabu as more important to methan mostly anyone online,” he said. “If Iget arrested, I’m not snitching on them.”

But the niggling feeling came in partfrom knowing that Sabu had been social-engineering people for more than adecade and the weird fact that Sabutrusted him so much despite havingknown him for only a few months. Forinstance, Sabu had told Topiary his firstname, Hector, a month before, hadtrusted him with his Google Voicenumber, had told him the names of a fewof his friends, and even mentioned thathe lived in New York City. WhenTopiary had asked a few weeks priorwhat Sabu knew about him, wondering ifhe had the same amount of information,

Sabu had replied: “A U.K. guy that doesgood accents, which makes me thinkyou’re not really from the U.K.”Topiary, who had an unusual Scottish-Norwegian accent developed fromplaying online games with Scandinavianfriends, had never told Sabu his real firstname or confirmed that he lived on theBritish Isles or named any of his friends.It was almost as if Sabu didn’t reallycare anymore about hiding his own trueidentity.

Topiary considered himself to be lessreckless in that regard than Sabu. Plus,living in such a remote part of the worldhad made him feel safe. He doubted thepolice would even bother traveling up tothe Shetland Islands.

Topiary went to bed. Getting to sleepwas difficult. He tossed and turned, thenhad a strange nightmare and woke up at5:00 a.m., shouting. He hadn’t done thatin years. It was still dark outside, but hegot out of bed and went into his livingroom anyway. He sat in his gaming chairand signed in to #pure-elite. Suddenly,he was bombarded with messages.

“Sabu is gone,” one of the crewmembers said. The LulzSec team finallynoticed that he had been missing formore than twenty-four hours.

Chapter 22

The Return of Ryan,the End of Reason

Topiary was anxious and confused. Hewas sure someone was lying. FirstKayla had reported rumors on a publicIRC network that Sabu had been raided.Then someone else had said his twodaughters were sick and in the hospital.Then another person whom Topiaryknew as a real-life friend of Sabu’s alsoclaimed he had been raided. Then heheard the hospital story from yet anothersource. There was a fifty-fifty split onwhat had happened. Topiary wanted to

believe the hospital story. Typically, inparanoid hacker circles or Anonymous,if someone disappeared from a publicIRC for a while and without reason,people assumed the worst (an FBI raid).But if Sabu had suddenly wanted to goback underground, he would have told afew trusted people to say differentthings.

Topiary started calling Sabu’s GoogleVoice number every hour but got noanswer. It was unusual for him not to beonline for more than half a day. Topiarywaited and hoped Sabu wasn’t in a cellbeing questioned or, worse, snitching.On IRC, Sabu was still logged on. Oncehis nickname had been idle for twenty-four hours, the team killed it, just in case

Feds were watching.“I’m quite worried,” Topiary said that

morning.Sabu had given him instructions the

week before that if he was ever caught,Topiary should access his Twitter feedand tweet as normal while the teamshould keep announcing hacks. If theFeds did have Sabu, this could be histicket to avoiding some charges.Topiary’s heart sank when he looked atSabu’s Twitter account and wasreminded of how much the hacker hadmotivated him. The short bio read: “Toall Anons: you all are part of somethingamazing and powerful. Do not succumbto fear tactics that are so obvious andarchaic. Stay free.” Sabu may have been

hot-tempered, but he could also beinspiring.

Kayla was just as concerned. “I’mgonna turn the Internet upside down if Ifind out Sabu’s been hit,” she toldTopiary.

Still, the team was in a catch-22. IfSabu had been caught and forced todivulge information, then there was alarge chance the Feds could monitorwhat they were doing. If they did nothingor fled, that would immediatelyimplicate Sabu.

As evening fell, Topiary rang Sabu’snumber again. Suddenly, someonepicked up the phone. There was novoice. “Uh, who’s this?” Topiary asked.

“David Davidson.”

It was Sabu. Topiary let out a sigh ofrelief. Sabu sounded like he had a coldor had been crying. Sabu explained thathis grandmother had died and that he hadhad to help with funeral arrangements.He then asked if the rest of the team wasaround and if Topiary could inform themthat he was back. Topiary at first didn’tcare that Sabu might have been lying—he was just glad to speak to him again.Not long after, Sabu changed his storyand said that it had actually been theanniversary of his grandmother’s death.When they had first spoken, Sabu hadprobably changed his voice deliberatelyto make his story sound more genuine.By then, the FBI was logging everythingthat Sabu said online to LulzSec’s

members, as well as everything he saidon the phone to Topiary.

Sabu would end up being offline morethan usual for the next few days as hebegan collaborating with the FBI, evenworking out of their office on a dailybasis. Sabu occasionally kept his groupabreast of other developments, but thestill oblivious Topiary took moreresponsibility for the team.

As a precaution, Topiary deletedmore files, then he redid all hispasswords and encryptions to make themultra-protected. He kept all passwordsin a file on an encrypted SD card, withone character in each swapped around.Only he knew which characters wereswapped. Still, he couldn’t help

constantly looking outside his windowand jumping whenever a van drove past.For the first time, he started seriouslywondering if a couple of men in policeuniforms would splinter his door atdawn the next morning.

A few days earlier when he had beenout to buy some food, one of the localdruggies had approached Topiary on hisway home. “Hey,” the man had said,waving as Topiary took out his earbuds.

“There were some police knocking onyour door the other day,” the man said ina thick Scottish accent. Topiary’s hearthad started to pound.

“Really. What did they do?”“They drove by in their car. Then a

couple of them came out and knocked on

your door, but there was no answer,” hesaid, shrugging. Topiary played it cool.The druggie might have been lying, butthe police might also have stopped bywhile he was at his thinking spot,looking over the sea. And it was just aslikely that they were doing a drug sweepof the area. Still, he resolved to wipeevery shred of Topiary and Anonymousfrom his laptop, encrypt whatever hekept, and send it to all to himself in an e-mail via Hushmail. Eventually he wouldwipe his laptop completely.

If the police came to his door, they’dfind a clean house with one rarely useddesktop computer and his innocuous-looking Dell laptop, a couple of extramonitors for watching films, and one

phone line going over his living roomwith clips. None of the empty pizzaboxes associated with basement-dwelling hackers. Any documents thepolice might find about Anonymous oneither of his computers could be passedoff as research Topiary was doing for abook. They’d find some pirated musicand a handful of databases holding a fewhundred thousand names and passwordshe had acquired from acquaintances orfrom his own scanning for LulzSec.Topiary called it his personal collection.Sometimes he used it for his ownattempts at doxing people, but for themost part it was just nice to have.

He tried not to think that his virtualprivate network provider, HideMyAss,

would ever turn him in to the authorities.His logic was that if customers ofHideMyAss ever found out the companyhad turned in one of its users, they’dleave in droves, and HideMyAss wouldgo out of business. They would surelynever give him up.

As Sabu remained offline on the pretextof dealing with family matters, a familiarface came back into the LulzSec fold:Ryan. It made little sense at first,considering Ryan’s temperamentalbehavior in the past and his cyberattacks on the LulzSec communicationchannels, but that was hacker life foryou. Even the most explosive of disputescould be remedied when someone

needed something. In this case Ryanneeded some friends, and LulzSec coulduse Ryan’s mammoth botnet, whichinfected computers via a rogueFacebook app. Ryan was well connectedin the underground hacker scene andserved as an administrator of Pastebin,the text application tool that LulzSecused to publish all its leaks, andEncyclopedia Dramatica. Ryan was likethe kid in school that people didn’tnecessarily like but whom they werecompelled to befriend because he had abrand-new Hummer and a house with apool. Ryan wasn’t rich in real life, butonline he seemed loaded; he had spentyears building up an impressive array ofassets, from servers to his botnet. His

servers helped host EncyclopediaDramatica, and after he had reconnectedwith a member of the LulzSec crew inthe previous week, they also hostedLulzSec’s new IRC network, lulzco.org.

After Topiary first reconnected withRyan on IRC, he wanted to hear what thenew ally sounded like in voice to bettersuss him out, so the two became contactson Skype. When Ryan’s voice camethrough, his English accent was sostrong, he sounded almost Australian.Ryan spoke at a rapid-fire pace, openlybragging about his botnet, his hacking,and how he was making money on theunderground; he littered his prose withswearwords then described at greatlength a farmhouse-bread ham sandwich

his mother had once made him. Ryanseemed pretty unhinged and insecure, butTopiary’s opinion of him softened whenhe explained why he’d leaked hundredsof names from AnonOps months before.The network operators had been hasslinghim, and then someone else had gatheredall the data and given it to him to leak. Itwas water under the bridge. Oh, headded, and that dox of his full name,address, and phone number that had beenposted online? That was based on fakeinformation he had created four yearsago. Ryan assured Topiary that he hadmade the false documents and spreadthem everywhere so that his realinformation would remain hidden.

Topiary figured he could tell when

someone was bullshitting, especiallywhen it was in voice. Ryan, he believed,was genuine. In fact, Topiary started tofeel sorry for the guy. People onAnonOps had accused Ryan of being aperpetually angry cretin who logged andattacked everything. But he wasn’t reallyangry; he was just passionate. Perhapshe came across as rude, but he workedhard and got into things, Topiary thought.With Sabu gone, Topiary missed havingsomeone passionate and a little crazy totalk to, to counteract his laid backpersonality.

Ryan promised not to log any of thechats, and said he would give theLulzSec crew complete control over hislogging ability. He also said the team

could use his botnet any time theywanted. He had used it in the past toprank DDoS sites of the U.S. Air Forceand then call them afterward to mockthem. He could also make hundreds ofdollars a day by subletting the botnet toothers who wanted to use it for nefariouspurposes like extortion and hackerskirmishes. But LulzSec could use it forfree. This was like fresh meat to aravenous dog: with Ryan’s botnet,LulzSec could bring down almost anywebsite it wanted at the drop of a hat.

During one of Sabu’s occasionaldrop-ins on IRC, he mentioned toTopiary that he did not like having Ryanas a supporter. LulzSec was making toomany contacts, he added. (It is unclear if

this was the case, or why that might haveconcerned him now that he had startedworking as an FBI informant.) Topiaryargued back that Sabu himself had beeninviting his trusted associates into#pure-elite, including log leakerM_nerva. Topiary won the argument,and Ryan stayed. With Sabu mostlyaway now, Topiary was enjoying thefunnier side of what LulzSec could dowith its growing stable of Twitterfollowers. After he released theadministrative passwords of fifty-fiveporn sites and twenty-six thousand pornpasswords, he got replies from peopleon Twitter saying they had used the datadump to hack into other people’s e-mailsor, in one case, find out a guy was

“cheating on his girlfriend.”Topiary realized he could start

making things more interactive. He couldsend a hundred thousand people to aYouTube video and grant the accountholder a huge increase in views, or hecould send the horde to crash a smallwebsite or IRC network. LulzSec’sattacks would become a lot more fun. Heand Ryan started talking and doing someprank calls on Skype with some ofRyan’s friends as an audience. ThenRyan set them up with a joint SkypeUnlimited account so they could callanywhere in the world, dropping eightydollars in credit without blinking an eye.

Topiary had an idea. Instead ofmaking prank calls, what if they got

LulzSec’s Twitter followers to callthem? Topiary suggested setting up aGoogle Voice number so that anyone inthe world could call LulzSec (or at leasthimself). He wanted the number to spellout the group’s name, as in 1-800-LULZSEC, but he couldn’t find an areacode where the number would work.Eager to prove himself, Ryan spenthours going through every possible U.S.number till he found that 614, the areacode for Columbus, Ohio, was availablewith the corresponding digits. They nowhad a telephone hotline: 1-614-LULZSEC.

It was a free Google number thatdirected to their new Skype Unlimited-World-Extra number that in turn could

bypass to two other potential numbersregistered to fake IP addresses. The paircreated two voice-mail messages, usingvoice alteration and over-the-top Frenchaccents for the fictional names PierreDubois and Francois Deluxe, saying theycouldn’t come to the phone because “Weare busy raping your Internets.”

Once Topiary announced the hotlineon LulzSec’s public chat room, they gotseveral calls a minute; they answered afew and joked with their callers.Without giving any hints, Topiary statedthere would be a $1,000 prize foranyone who called in with the magicword—lemonade—but nobody guessedcorrectly, and around forty peoplethought it was please. At the end of the

day they’d received 450 calls.In between fielding calls, Topiary

wrote up an announcement of the group’slatest drop: a directory listing of everysingle file on the U.S. Senate’s webserver, which had come to them thanksto another black hat. This was a seriousattack that could earn someone five totwenty years in prison, but Topiary wasmostly eager to get back to his LulzSechotline.

“This is a small, just-for-kicks releaseof some internal data from Senate.gov,”Topiary had written. “Is this an act ofwar, gentlemen? Problem?”

Along with that release was a dump ofthe source code and database passwordsof the gaming company Bethesda—a

topic totally unrelated to the Senate, justone of the leaks they were sitting on.They also had a database of two hundredthousand users stored on the servers ofgaming company Brink, but theywouldn’t release that because “Weactually like this company and wouldlike for them to speed up the productionof Skyrim. You’re welcome!” At the topof each release was now a short list ofcontact and donation details for LulzSec,including the telephone hotline and theIRC chat room.

“It is unclear why LulzSec decided toattempt to embarrass yet another videogame company other than to show off,”said Naked Security journalist ChesterWisniewski. “It is difficult to explain

random acts of sabotage and defacement,so I am not going to attempt to get intothe heads of those behind these attacks.”Yet this was not a matter of motivation,but of circumstance. Back when Kaylahad used her botnet to scan the Web forvulnerabilities, hooking it up to an IRCchannel and using basic chat commandsto run it, she had stumbled on avulnerability in the network of Bethesdathat had given her access to its servers.Since the company was so big, the teamchose not to root around for databasesright away, using Bethesda’s bandwidthto help search for other sites to hack intoand using it as a safe location to hidebots. The gaming company had no idea itwas effectively being used to hack other

sites. When the servers outlived theirusefulness, it was time to dump the datastored on them.

Now the hacks were about to get evenmore arbitrary. Knowing that Ryan’sbotnet could take out anything, Topiaryannounced the LulzSec hotline onTwitter and told the public: “Pick atarget and we’ll obliterate it.” Thehotline was suddenly inundated withcalls, and the three people that initiallygot through all requested gamingcompanies: Eve, Minecraft, and Leagueof Legends.

Within minutes, Ryan’s botnet had hitall three, as well as a site calledFinFisher.com, “because apparently theysell monitoring software to the

government or some shit like that.”DDoSing sites like this was nothingnew, and neither was one or two hoursof downtime, but it was the first timeanyone had boasted about it to a hundredfifty thousand Twitter followers orreferred to it as a DDoS party calledTitanic Takeover Tuesday.

“If you’re mad about Minecraft, we’dlove to laugh at you over the phone,”Topiary announced. “Call 614-LULZSEC for your chance to reachPierre Dubois!”

When Topiary started thinking aboutthe Internet meme phrase “How domagnets work?” made famous by thehip-hop duo Insane Clown Posse, hecalled up the offices at Magnets.com. He

asked the woman who answered thatquestion and got a bemused response,hung up, then redirected the LulzSechotline to the main switchboard ofMagnets.com.

“Everyone call 614-LULZSEC for afun surprise,” he tweeted. About threeminutes later he called the number againand heard dozens of phones going off atthe same time with answers of “This isMagnets.com…Uh…” He asked to speakto a manager. When a man’s voice cameon, Topiary explained the reason for theflood of strange calls. To his credit, themanager took it in good humor.

“How did you do it?” he asked.“We’re testing out our new Lulz

Phone Cannon,” Topiary said. “How are

you feeling?”“I’m a little out of breath.”

Magnets.com had been getting more thantwo hundred calls a minute to theircustomer support center.

“Okay, I’ll get it to stop,” Topiarysaid.

“Good, because I feel like I’m aboutto pass out.”

With a few clicks he stopped thehotline from redirecting, and he heard allthe phones in the background suddenlygo silent. It was like a DDoS attack bytelephone. It made sense to keep thisgoing. Soon he was redirecting theLulzSec hotline to the World of Warcraftonline game, then to the mainswitchboard for FBI Detroit, and then,

naturally, to the offices of HBGary Inc.“You take care of the horde while

we’re gone, AaronBarr,” Topiarytweeted to its former executive. “Thanksmate. Bye for now.” In the next twenty-four hours, in between his talking withthe other LulzSec hackers and manning aTwitter feed, Topiary’s busyswitchboard had received 3,500 missedcalls and 1,500 voice mails; thefollowing day, 5,000 missed calls and2,500 voice mails.

Soon, though, Ryan started to getrestless. He wanted to do more than justplay around with hotline callers; hewanted to go back to hitting websites,bigger ones. He had a rapt audiencenow, and a gang of people who were

willing to go after the big names underthis banner of LulzSec, or Antisec, orAnonymous. Whatever. On his owninitiative, he hooked up his botnet, thencalled up most of his bots and aimed atthe main website of America’s CentralIntelligence Agency. Then he fired.

Within a few minutes, CIA.gov hadgone down.

“CIA ovened,” Ryan said on Skypebefore beginning a monologue abouthow he disliked the United States.Topiary was stunned. He visited theCIA’s main site and saw it really wasdown. He couldn’t help feeling a littleuncomfortable. This was big. But hecouldn’t leave it unannounced. ThroughTwitter he said, almost quietly:

“Tango down—cia.gov—for thelulz.”

News outlets on television, print, andthe Web instantly took notice andpublished screaming headlines thatLulzSec had just hit the CIA. A few said,incorrectly, that the CIA had been“hacked.” LulzSec was clearlyprovoking the authorities now, almostinviting them to come and arrest thegroup.

At around the same time Aaron Barrcame onto Twitter to send a new, publicmessage to HBGary Inc.’s chief, GregHoglund. “Damn good to see you,” Barrsaid. “Let’s grab some popcorn. I feel ashow coming.” Topiary saw the remark,and it seemed out of the blue.

“Hello Aaron,” Hoglund replied inhis first-ever tweet, which he alsodirected to LulzSec. “I created myTwitter account because I wanted aringside seat for what is about to godown.” Topiary’s gut feeling was to beskeptical of the veiled threat—he wasgetting them almost every day now—andhe responded with sarcasm.

“What does kibafo33 mean?” heasked Barr on Twitter. “Is it aTurkish/Portuguese combination of ‘that’and ‘breath?’ Are you a 33rd degreeFreemason also?”

Besides, Topiary had other, biggerdistractions. About three hundred milesaway in London, WikiLeaks founderJulian Assange had heard about

LulzSec’s takedown of the CIA website,and he was chuckling to himself.

For Assange, a simple DDoS attack onCIA.gov was some much-needed comicrelief. Since Anonymous had leaped tohis defense in December, he had spentthe last few months fighting the threat ofextradition to the United States andaccusations of treason over WikiLeaks’srelease of diplomatic cables. Swedishauthorities had doubled his problems bycharging him with attempted rape, whichmeant he was now fighting extradition toSweden too. In the meantime, he wasstaying in the countryside manor of anEnglish journalist, wearing an electronictag, and trying to keep up with

developments in the world of cybersecurity. It had been hard not to noticeLulzSec. On the one hand, the grouplooked like fearless comedians. On theother, it clearly had skilled hackers onthe team.

Impressed and perhaps unable to helphimself, Assange had opened the mainWikiLeaks Twitter account and postedto its nearly one million followers:“WikiLeaks supporters, LulzSec, takedown CIA…who has a task force intoWikiLeaks,” adding: “CIA finally learnsthe real meaning of WTF.” Soon after afew news agencies and websitesreported that WikiLeaks was supportingLulzSec, he deleted the first tweet. Hedidn’t want to be publicly associated

with what were clearly black hathackers. Instead, he decided it was timeto quietly reach out to the audacious newgroup that was grabbing the spotlight. OnJune 16, the day after Ryan set his botneton CIA.gov, an associate of WikiLeakscontacted Topiary.

“I’ve got a contact in WikiLeaks thatwants to talk to you,” the person said,then directed him to a new IRC serverthat could serve as neutral ground for aprivate discussion. The network wasirc.shakebaby.net and the channel was#wikilulz. Topiary was immediatelyskeptical and believed the contact wastrolling him. When he finally spoke to aWikiLeaks staff member known as q,who was in the channel under the

nickname Dancing_Balls, he asked forsomeone to post something from theWikiLeaks Twitter account. Assange,who allegedly had sole access, did so,putting out something about eBay, thendeleting the post. Topiary did the samefrom the LulzSec Twitter feed. But heneeded more proof, since the WikiLeaksfeed could have been hacked. q said hecould do that. Within five minutes, hepasted a link to YouTube into the IRCchat, and he said to look at it quickly.

Topiary opened it and saw videofootage of a laptop screen and the sameIRC chat they were having, with the textmoving up in real time. The camera thenpanned up to show a snowy-hairedJulian Assange sitting directly opposite

and staring into a white laptop, chinresting thoughtfully in his hand. He worea crisp white shirt and sunlight streamedthrough a window bordered with fancycurtains. q deleted the twenty-two-second video moments later. Also in theIRC channel with Topiary and q wasSabu, now likely with very interestedFBI agents monitoring the discussion.

“Tell Assange I said ‘hello,’” Sabutold q.

“He says ‘hi’ back,” q said.At first Topiary was nervous. Here

was Julian Assange himself, the founderof WikiLeaks, reaching out to his team.He couldn’t think why he wanted to talkto them. Then he noticed what q andAssange were saying. They were

praising LulzSec for its work, addingthat they had laughed at the DDoS attackon the CIA. With all the flattery, italmost felt like they were nervous. For asplit second, LulzSec seemed to be muchbigger than Topiary had ever thought.

By now a few others from the coreteam knew about what was happeningand had come into the chat room. Sabuhad given them a quick rundown of whatwas going on, then said it could meanhitting bigger targets.

“My crew seems up for taking outtraditional government sites,” he toldAssange and q in the chat. “But seeing asthat video was removed, some of themare skeptical.”

“Yes I removed the video since it was

only for you, but I can record a new oneif you want :),” q said.

“If we need additional trust (mainlymy crew) then ok,” said Sabu. “But rightnow we seem good.”

Then q went on to explain why he andAssange had contacted LulzSec: theywanted help infiltrating severalIcelandic corporate and governmentsites. They had many reasons forwanting retribution. A young WikiLeaksmember had recently gone to Iceland andbeen arrested. WikiLeaks had also beenbidding for access to a data center in anunderground bunker but had lost out toanother corporate bidder after thegovernment denied them the space.Another journalist who supported

WikiLeaks was being held byauthorities. Assange and q appeared towant LulzSec to try to grab the e-mailservice of government sites, then lookfor evidence of corruption or at leastevidence that the government wasunfairly targeting WikiLeaks. Thepicture they were trying to paint was ofthe Icelandic government trying tosuppress WikiLeaks’s freedom to spreadinformation. If they could leak suchevidence, they explained, it could helpinstigate an uprising of sorts in Icelandand beyond.

The following day, q and Assangewanted to talk to LulzSec again. Perhapssensing that Topiary was still skeptical,q insisted on uploading another video. It

again showed his laptop screen and theIRC chat they were having being updatedin real time, then a close-up of Assangehimself, head in hand again, but this timeblinking and moving the track pad on hislaptop, then him talking to a woman nextto him. The camera was then walkedaround Assange before the video ended.The video had been filmed and uploadedin less than five minutes. Topiary, whowas experienced with Photoshop andimage manipulation, calculated thatdoctoring the IRC chat and Assange inthe same video image within such a shortspace of time would have beenincredibly difficult, and he veeredtoward believing this was all real.

But q was not asking LulzSec to be hit

men out of the goodness of their hearts.There was potential for mutual gain. qwas offering to give the group aspreadsheet of classified governmentdata, a file called RSA 128, which wascarefully encrypted and needed cracking.q didn’t send it over, but he describedthe contents.

“That’s pretty heavy stuff to crack,”Sabu told q. “Have you guys triedsimple bruteforce?” q explained theyhad had computers at MIT working onthe file for two weeks with no success.Topiary wanted to ask if Assange wasgoing to give the team other things toleak, but he decided not to. Part of himdidn’t want to know the answer to that. Itwas already starting to look like LulzSec

was on the road to becoming a black hatversion of WikiLeaks. If WikiLeaks wassitting on a pile of classified data thatwas simply too risky to leak, then it nowhad a darker, edgier cousin to leak itthrough.

Topiary decided to mention thatLulzSec had been the same team behindthe HBGary attack. Assange said he hadbeen impressed with the HBGary falloutbut added, “You could have done itbetter. You could have gone through allthe e-mails first.”

“We could have,” Topiary conceded,“but we’re not a leaks group. We justwanted to put it out as fast as possible.”

“Yes but you could have released it ina more structured way,” Assange said.

“We didn’t want to go through 75,000e-mails looking for corruption,” Topiarycountered again. He remembered how hehad trawled through those e-mailslooking not for scandal but for PennyLeavy’s love letter to Greg Hoglund andfor Barr’s World of Warcraft character.

The team decided to invite Assangeand q over to their IRC network onSabu’s server. Topiary created achannel for them all to talk in and calledit #IceLulz. q said he wished WikiLeakscould help the group more with thingslike servers or even advice, but theydidn’t want to link the organization tooobviously to LulzSec. In fact, whenTopiary told q to go ahead and send theRSA 128 file over any time, q seemed to

back off.“Yeah, maybe in the future we’ll see

how this goes,” q said. He never didsend the file, at least not to Topiary.

Still, Sabu was “the most excited hehad ever been,” Topiary laterremembered, over the moon thatWikiLeaks was asking for his help. It isunclear if Sabu was in reality haunted bythe fact that he was now also helping toimplicate Assange. Six months prior, hehad believed so passionately in theWikiLeaks cause that he was willing torisk bringing his hacker name out into thepublic for the first time in nine years.Another possibility: the FBI wasencouraging Sabu to reach out toAssange to help gather evidence on one

of the most notorious offenders ofclassified government data in recenttimes. It seems probable that if Sabu hadhelped, for instance, extradite Assangeto the United States, it would haveimproved his settlement dramatically.

“It’s our greatest moment,” Sabu toldthe crew. He and q started talking inmore depth about various websites, andthen Sabu sent links to two governmentwebsites and a company to the rest of theteam, tasking them with finding a way toget into their networks and grab e-mails.Over the next few days, Topiary passedthe job of staying in contact withWikiLeaks to Sabu, and for the next fewweeks, Assange visited LulzSec’s chatnetwork four or five more times.

Topiary left the #IceLulz IRC channelopen on his laptop and kept it open.Pretty soon, though, it became justanother one of the thirty other channelsdemanding his attention, another page offlashing red text.

Chapter 23

Out with a Bang

LulzSec was now so big that it madeAnonymous and its fountainhead 4chanlook like harmless pranksters. Over on4chan, hardly anyone wanted to talkabout the group. “Literally no one caresabout LulzSec enough to post aboutthem,” William noted at the time. “Theseguys are getting fame for the things thatwe’re used to getting fame for.” At onepoint, Topiary had made a /b/ threadasking what the locals thought ofLulzSec. He got a fifty-fifty response,and the thread capped at 350 posts aftera few minutes before disappearing.

When he confirmed the legitimacy of thefirst post as OP from the LulzSecTwitter feed, the board was in uproar.

But the newfags, the folks who werealways eager to be part of a raidorganized on 4chan and who were nowangry that LulzSec was stealing theirsite’s thunder, wanted to lash out at thenew champions of Internet disruption.When Topiary and Ryan saw a thread on/b/ plotting to “hunt” the LulzSechackers, the board, which hatedoutsiders knowing that it existed, wasthe next to look like fresh meat.

“Everyone go to /b/ and post stuffabout Boxxy, LulzSec sending you there,and triforces,” Topiary commanded theTwitter followers. He promised to

publish several thousand assorted e-mailaddresses and passwords in return, notmentioning it would come out of hispersonal collection. Going after 4chandidn’t mean LulzSec was hittingAnonymous, as a few blogs suggested.“That’s like saying we’re going to warwith America because we stomped on acheeseburger,” Topiary said.

The image board was soon overrun byLulzSec fans. “As always, LulzSecdelivers,” the account tweeted: “62,000e-mails/passwords just for you. Enjoy.”Within about ten minutes Topiary’sdatabase had been downloaded 3,200times, and people were using it to hackrandom web accounts from Facebook toWorld of Warcraft. One person found an

e-mail and password combination thathad been reused on an Xbox account,PayPal, Facebook, Twitter, YouTube,and “The whole lot!” he cried onTwitter. “JACKPOT.”

“Y’all were the inspiration I neededto mess with my roommate’s Facebookbeyond all repair,” said another.

“Good to see some refreshingcarnage,” Topiary told the horde, whomhe now referred to as lulz lizards; hecalled their intended victims peons.“Releasing 62,000 possible accountcombinations is the loot for creativeminds to scour. Think of it like digging avery unique mineshaft.” Pretty soonmore than forty thousand people haddownloaded the database and were

using it to hack all manner of socialmedia accounts.

LulzSec’s 220,000 Twitter followershad become a community for Topiary asmuch as an audience. For the next fewdays he was constantly joking with themon Twitter, telling the FBIPressOfficeTwitter account that “we pissed in yourCheerios,” then funneling more requeststo hit other smaller websites and sendingthe Twitter followers to a funny videoand watching the site crash.

Anyone who had met Topiary wouldsee hardly any similarity between hisreal-life persona and the cocksure voicehe used as LulzSec’s front man. It wasall an act, and to him it felt like acting. Afew times he would try to sound like

Sabu or Kayla so that it would look likemore than one person was manning thefeed, but for the most part he wasspeaking for the monocled man with thetop hat. And dozens of people constantlyasked how they could join in.

“We’ve got all this attention now,”Topiary said quietly to his core team,“and people asking to join us. Howabout I write something about the newAntisec movement attackinggovernments and banks? Is everyone upfor that?”

The others in the team, includingSabu, said yes. With a respected namelike WikiLeaks now silently behind themit made sense to, for once, put a seriousface on what they were doing.

Straightaway Topiary wrote up a newofficial statement saying that Antisecwould “begin today,” calling on morepeople to join the cyber insurgencyLulzSec was spontaneously reviving. Onthe evening of Sunday, June 19, hepublished a statement inviting whitehats, black hats, and gray hats, and justabout anyone else, to join the rebellion.Later he said that writing it was, asusual, like writing a piece of fiction:

“Salutations Lulz Lizards,” it started.“As we’re aware, the government andwhitehat security terrorists across theworld continue to dominate and controlour Internet ocean…We are now teamingup with Anonymous and all affiliatedbattleships….We fully endorse the

flaunting of the word ‘Antisec’ on anygovernment website defacement orphysical graffiti art.…Top priority is tosteal and leak any classified governmentinformation, including email spools anddocumentation. Prime targets are banksand other high-ranking establishments.”

Not really that interested in hittingbanks and governments but moreinterested in how people would respondto the call to arms, he posted the officialstatement and headed to bed. His mindwas still racing after another chaotic daykeeping up with the media, his constantlychanging passwords, the fast-pacedoperations, the new supporters, thetweets, the reactions, the uproar, thechaos of seeing more than a thousand

news and blog posts written over aPastebin post he’d typed out on Notepad.He had never expected this much tohappen when he and Sabu had firstdiscussed getting the team back together.It did not feel like things were spiralingout of control, at least not yet. Ifanything, Topiary was starting to feelthat old, familiar itch in the back of hismind. A sense that this latest experiencein disrupting the Internet through LulzSechad run its course and was becomingtedious. It was an echo of therestlessness he’d felt with AnonOps onlya few months ago.

In the meantime, Ryan had becomeincreasingly annoying to Topiary withhis lonely and desperate bids for

attention. A couple of days earlier, aftertwelve hours away from his computerbecause he’d been asleep, Topiary foundmore than a dozen messages from Ryanon his laptop asking why he was beingignored.

Of course, there was no way Topiarycould stop. He was the main mouthpieceof LulzSec and a prime motivator for theteam and its supporters, and leavingwould be an enormous practical andemotional effort.

It was hard to sleep. Topiary nowhabitually glanced out of his windowwhenever he heard a car drive past. Hesaid privately that he was expecting araid any day. Acceptance seemed thebest way to deal with these things. His

emotions lurched from the high of anoutrageous new leak to the gut-wrenching paranoia that he was about toget doxed or, worse, raided. Ryanthought the same. He claimed he oftenwent to sleep each night expecting to beraided the next day.

“I’ve given up caring,” Topiary said.Was he imagining what jail might belike? “I don’t like to think about that,” heanswered. He also couldn’t help thinkingabout the second, stiffly worded tweetthat Greg Hoglund had added just fewdays before, the one he had blithelydismissed at the time.

“Aaron,” Hoglund had said. “I wantedto be here to see the fruits of our labourover the last two months. LOL.”

Topiary woke up on Monday, June 20, toa surprise. There had been a muchbigger response to his Antisec statementthan he had anticipated. Tens ofthousands of people had read it(eventually almost a quarter of a millionaccessed the page) and the media waseagerly reporting the line that LulzSechad “teamed up with Anonymous” anddeclared war on just about everything ina position of authority in the hope ofrooting out corruption. It seemed thatcyber anarchists everywhere wererunning amok. That day CBS local TVnews for San Diego reported on somemysterious black graffiti that hadappeared on the boardwalk along

Mission Beach: a crudely drawn man ina top hat and mustache and the words“Antisec” in a speech bubble.

“I was taken aback,” Topiary laterremembered. “My Notepad-forgeddeclaration of Antisec had the AnonOpsservers teeming with users. It was likeOperation Payback’s prime on steroids.For a while I felt horribly guilty forsome reason. The words were almostfiction to me, just another piece ofwriting, but it got through to so manypeople, who were now putting theirnecks on the line for the cause. Someonehad even gone out and tagged beachwalls with Antisec, getting on the news.”

Ryan was also galvanized by the newmass enthusiasm for Antisec. Naturally,

he became more eager than ever to puthis botnet to good use. Later that day hestarted trying to lash out at other majortargets: Britain’s Ministry of Finance,then the NSA, then the FBI. Finally, hesuccessfully hit the site for the U.K.’sSerious Organised Crime Agency(SOCA). Anything ending in .mil or.gov, he wanted to get. Topiary watched,transfixed, and after a while decided itwould be good to calm Ryan down. Hedidn’t want things getting out of hand.Even so, he didn’t want to let LulzSec’scredit for the SOCA hit go to waste, sohe announced it on Twitter, againwithout the usual loud flair. “Tangodown—soca.gov.uk—in the name ofAntisec.”

Compared to the CIA, this felt like aminor attack, and it hadn’t evencompletely worked, since the SOCA sitewas down only for certain visitors. Butmoments later, someone at SOCA sentan e-mail to London’s MetropolitanPolice saying the website had beenbrought down. Ryan had been launchingDDoS attacks from his computer formany months, but now, finally, the policewere spurred into action.

Later that same Monday, at around10:30 p.m., while Ryan was stillDDoSing the website of the SeriousOrganised Crime Agency, ten policecars quietly pulled up outside his house.The address they’d been given belongedto Ryan Cleary, a nineteen-year-old

computer nerd who lived with hisparents in a nondescript, semidetachedhouse in Essex, England. It turned out thedox that Ryan had claimed was fake wasreal. He really did live at that address,and he really had been using his actualfirst name this whole time. When thepolice entered his rectangular bedroom,they found windows covered in foil toblock out any sunlight, a single bed, amessy desk covered in potato chips, andallegedly about £7,000 (about $11,340,based on the exchange rate that day) incash in his desk drawer. Ryan was pale,had a boyish wisp of a mustache, andwas a little on the chubby side. The lasttime he had been outside the house wasChristmas—six months earlier.

The police questioned Ryan for fivehours, then said they were arresting him.At around 2:00 a.m. he signed off fromMSN with the quit message “leaving.” Itwasn’t the “brb Feds at the door” insidejoke, but neither was it the leavingmessage he normally used. The policedrove him in the early hours of Tuesdaymorning back to Charing Cross policestation in Central London for furtherquestioning. At that moment, agents fromthe FBI were on a plane headed forLondon, and Topiary was fast asleep inhis bed, completely oblivious to whatwas happening.

That morning, London’s MetropolitanPolice announced that an eighteen-year-old had been arrested and charged with

launching DDoS attacks on severalorganizations. Within hours, Britain’stabloid newspapers had picked up thenews, followed by major media outletsin the United States. Though the policehadn’t mentioned LulzSec in theirrelease, several newspapers reported,strangely, that the “mastermind” ofLulzSec had been arrested.

When Topiary signed in to theLulzSec private chat rooms the nextmorning, there was the same kind offrightened chatter that had accompaniedSabu’s disappearance. Topiary slowlyrealized what was going on. Still, Tflowand Sabu said they were relieved. Theyhad heard about the arrest on the newsand each said they thought it was

Topiary.“Ryan is now fucked beyond all

belief,” Topiary said. He felt numb.Eventually Ryan’s name was releasedand a newspaper got hold of his family.They interviewed his mother, who talkedabout how she had to leave plates offood outside his door because he wouldnever leave his bedroom and how he hadonce almost killed himself when she tried to take his computer away. Itprinted a photo of Ryan as a doe-eyedschoolboy, along with a picture of hisroom. The photo had captions andarrows pointing out everything from thefoil covering his windows to the spoof-motivational poster on his wall of twosemi-naked women and the title

“Teamwork.” Topiary recognized it allfrom their video chats. The newspapersdidn’t seem to know the half of Ryan’seccentricities. The windowsill waswhere Ryan had grown weed a yearbefore. His desk was now clear of litterand potato chips and had probably beencleaned by his mother. Just a weekearlier Ryan had grabbed a hypodermicneedle and started stabbing his toe infront of the webcam. On top of all that,the idea of arrest now felt much closer tohome.

Sabu and Topiary spoke on the phone.They agreed to change their e-mailaddresses and their public nicknamesand everything Ryan knew about becauseRyan would snitch. They talked about

finding new servers to host their IRCnetworks and the LulzSecurity website.And for the public face, Topiary playedit cool. “Seems the glorious leader ofLulzSec got arrested,” he said onTwitter. “It’s all over now…wait…we’re all still here! Which poor bastarddid they take down?”

There was one other errand to takecare of: M_nerva. They had alwaysknown that the hacker who had leakedthe #pure-elite chat logs had workedwith Ryan on some of his moneymakingschemes. With Ryan out of the picture,there was no need to hold back fromM_nerva anymore. It was safe to finallytake revenge. Topiary published anofficial statement on Marshall

“M_nerva” Webb, addressing it to theFBI as a helpful offer of newinformation. “Snitches get stiches,” hehad written, unaware that his closestconfidant, Sabu, was a far moredangerous snitch. The public was keento see who had been the snitch, and thepage got more than a thousand views intwenty seconds. It took a few weeks forthe FBI to follow up on the M_nervainformation, but in late June, federalauthorities would raid Webb’s home inOhio.

In the meantime, there were now morethan three hundred thousand peoplefollowing LulzSec on Twitter, more than135 eager people in LulzSec Brazil,hacker groups in Spain and Iran wanting

to join forces, constant offers ofdatabase dumps, control of a few dozengovernment sites, and more than agigabyte of data to release. It includedtwelve thousand passwords from aNATO website, hundreds of randominternal police documents, governmentdocuments, a video of the policeaccidentally dropping a dead body froma plane, photos of human flesh scatteredacross pavements; “/b/ would love thisstuff,” Topiary thought. He tried not tothink about the fact that doing morewould pile on a greater jail sentence. Heconvinced himself that LulzSec hadbecome like WikiLeaks—it was justleaking information that other people hadhanded over.

The FBI, in the meantime, was racingto keep up with their new informant,who was plugged into this fast-movingworld. As hackers offeredvulnerabilities to Sabu in secret IRCmeetings, he passed them on to his newoverseers so that those security holescould be fixed. Sabu was deftly pullingthe strings of LulzSec, putting on the faceof genuine complicity while secretlyhelping the authorities prevent many ofthose potential attacks from happening.With things moving so quickly, Topiary,Kayla, Tflow, and the others had no timeto track how many of them led to deadends, thanks to Sabu. They were alwayson the lookout for the next big hit.

“We are challenging ourselves to

progress to bigger things,” Topiary saidat the time. “Funny, bigger targets.”There was no turning back now.

Among the stream of offers Topiary andSabu got for exploits and data, one stoodout. It had been evening in Topiary’spart of the world when a hacker who hadbeen talking to Sabu and had then beenunable to get through contacted Topiaryto say he had access to hundreds ofsecret files and user info after hackinginto the Arizona police departmentnetwork. He was an activist,passionately against the racial profilingthat took place in the state, and hewanted to release the data as retribution.Topiary recognized the name, since Sabu

had mentioned it before. After the hackerhad uploaded the data to a secret server,Tflow, Pwnsauce, and Topiary allgrabbed it to see what was inside. It wasa folder containing more than sevenhundred documents. There wereembarrassing e-mails complaining abouta scared officer who had run and hiddenin a ditch during a recent shootout,innocuous details about a new safe-driving campaign, and home addressesand contact details for Arizona policeofficers. Given enough digging, thehacker hoped his cache of documentscould shed light on corrupt practices inthe department. The hacker made aconvincing argument about systemicprejudice in the border police, and

Topiary, employing his usual carefreeoutlook on things, figured that the hackershould write his own press release—thefirst time anyone but Topiary wouldwrite one for LulzSec. Tflow created atorrent file.

There hadn’t been much time to checkover the press release, and there was noediting. Once everything was ready,Topiary published it. The press releasewas titled “Chinga La Migra” and nextto it were the words “Off the pigs”;beside that was the image of an AK-47machine gun fashioned from keyboardsymbols. Topiary did a double take.When he reread the press release, nowpublic for everyone to see, he didn’t seeLulzSec’s usual lighthearted dig at a

large, faceless institution but anaggressive polemic against real policeofficers that revealed their homeaddresses. When he Googled Chinga LaMigra, he learned it was a Spanishphrase for “fuck the police.” Heimmediately regretted posting the otherhacker’s statement. It was almostencouraging people to attack cops. Itturned out Tflow had also GoogledChinga La Migra and felt exactly thesame way.

He sent Topiary a message. It was toomuch. The statement had made him feel“radicalized.”

“We don’t want to get police officerskilled,” Topiary replied, agreeing.“That’s not my kind of style.” It wasn’t

Tflow’s either.Topiary had just set up an interview

via instant message text with the BBCtelevision news program Newsnight thatevening, June 24. It was one of his fewmedia interviews while LulzSec wasstill active. Putting on his acting hat, hemade grand statements about anti-security and the corruption his groupwas fighting. “People fear the ‘higher-ups,’” he told BBC producer AdamLivingstone, “and we’re here to bringthem down a few notches.” But thewords stuck in his throat.

When he really thought about whatLulzSec had turned into, he realized ithad moved far from being a group thatsimultaneously entertained and fixed the

world. It did neither of those things. Itwas chaos. Every day now the coregroup was spending more time dealingwith internal issues, conspiring againsttrolls like Jester and Backtrace, rootingout snitches, or worrying about whatRyan might say to the police. It had beenmore than a week since the team hadreally gotten together and worked atsomething as an original leak. Just hoursbefore Topiary’s interview with BBCTelevision, the Guardian newspaperhad gotten hold of the #pure-elite logsleaked weeks before by M_nerva andpublished a story saying that LulzSecwas “a disorganized group obsessedwith media coverage and suspicious ofother hackers.” The glow surrounding

LulzSec seemed to be fading.“This is annoying now,” Topiary

exclaimed in an interview. “Two monthsago we were a small team working onoperations with no outside hassle. Nowthere’s other people coming and going,‘enemy’ groups, press saying stupidthings, people trying to toss aroundpolitics, people starting drama all thetime. Kind of out of control.” Even theWikipedia page on LulzSec wascluttered with rumors.

The distractions from enemy hackers,trolls, the press, and misunderstandingsacross the blogosphere had becomeoverwhelming. Recently someone hadcopied and pasted the LulzSec logo on aPastebin post and claimed (posing as

LulzSec) that they had hacked the entireU.K. census database of more thanseventy million people. The nationalpress breathlessly reported it as anotherlegitimate LulzSec threat. LulzSec wasbecoming like Anonymous: anyone couldlay claim to the name and be takenseriously.

“People are pretending to be useverywhere,” Topiary said. Ignoring thetrolls wasn’t enough because whenTopiary signed in to the private LulzSecchat rooms with his crew, he could seethat people in the room had spent thepast hour talking about snitches andenemies. It was often impossible to lookaway, and when Topiary stayed quiet inthose conversations, Sabu would ask

him why he wasn’t saying anything, andthe conversation would becomeawkward.

Topiary finally made up his mind. Onthe evening of Friday, June 24, four daysafter Ryan’s arrest, he decided to tell theothers in LulzSec that he wanted out. Itwould be hard because, as themouthpiece of LulzSec, Topiary leavingmeant the team itself would probablyhave to call it a day. As he entered theLulzSec private chat channel, Tflow beathim to the punch. “Guys. Topiary,AVunit, you here?” Tflow asked.

“Yeah,” Topiary replied.“Well, I need to leave LulzSec / Anon

/ etc. for some time. I need to hand overany site-related stuff to you guys,

including domains.”Topiary felt a sudden rush of relief.

The very idea of leaving LulzSecseemed to make all the other distractionsand anxieties melt away. It was possiblethere was an end to this. He wantedTflow to lay out why he was leaving sothe group could have a discussion aboutit. Maybe others would say they wantedto stop too.

“Any reason for your departure?” heasked.

“I’ll be honest,” Tflow replied. “The‘off the pigs’ remark in the last release,which I did not know the meaning ofbefore, is making me feel radicalizedand depressed, so I need a break. Fedsprobably are going to leave no stone

unturned now, so I’m going to wipe myhard drive and start fresh.”

Another glimmer of optimism. Itwould be hard to let go of the name andthe action, but there was somethingappealing about starting over. He threwin his agreement.

“I was thinking kind of the same,”Topiary said. “Like you said, heat isinsane…I mean, a friend that has nothingto do with us saw Ryan on the front pageof a shitty local newspaper. I know Idon’t want to be on the front page of ashitty local newspaper. And neither doyou guys.” Besides, he added, “All ourleaks come from other people.”

“So do you think we should all justquietly split up for a while or what?”

asked Tflow.“I think it would be classy to sail off

into the distance and never be caught,”Topiary mused. “In 10 years we will bethe greatest hacking group in the entireworld. Ever.” It was tongue in cheek, butthe thought of leaving on a high note, likerock stars disbanding while they werestill on the charts, suddenly made endingLulzSec seem like a good idea. Obvious,even.

Topiary and Tflow started discussingtheir final, explosive release of some ofthe pile of data they had been sitting onfor weeks. An American hacker hadgiven Tflow a cache of stolen businessdocuments from AT&T’s servers. Therewere login details for a NATO

bookshop, as well as other .gov and .millogins. Tflow had thought the AT&Tdocuments were valuable enough to savefor a separate release, but Chinga LaMigra had opened his eyes to how futilethings really were.

“I don’t give a shit anymore,” he said.“Release everything.” Then Tflowchecked his calendar and saw this allmade even more sense. “On Monday itwill be exactly 50 days that havepassed,” he added. They could call thefinal release Fifty Days of Lulz. It mightalmost look like this had been plannedfrom the start.

Sabu appeared online. “Yo yo,” hesaid.

Topiary felt a twinge of anticipation

but continued discussing practicalitieswith Tflow as Sabu read over theirconversation. “Wow,” Sabu finally said.“I understand your point of views, butthere’s no turning back. We’ve passedthe point of no return.”

Topiary was getting tired of Sabu’spoint-of-no-return line and wanted toremind him that he and LulzSec weren’tas powerful as Sabu thought.

“Sabu, when was the last time we, asLulzSec, leaked anything that was ours?”Topiary asked. He listed leaks for Fox,Sony, NATO, Senate.gov—all targets ofcyber attacks handed over on a plate byother hackers. Only Infragard and PBShad truly been carried out by LulzSechackers. In the end, LulzSec had become

just like Anonymous, a brand that othercyber punks could exploit for their ownpurposes, whether it was to makethemselves look more important or tocower under. While that had broughtthem fame and respect, it was vastlyincreasing their culpability to the police.

“You guys can go,” Sabu finally said.“I’m fucked sooner or later, so I got nochoice but to continue.” Despite the heat,it had never truly felt like Topiary andTflow were trapped in LulzSec. Then,when Sabu changed tack and begantelling them to stay, adding that theywere abandoning him, it suddenly waslike trying to crawl out of a spinningbarrel. Soon AVunit and Pwnsauce hadentered the chat room and added their

agreement that it was time for a break.Even Kayla showed up and said thatwhile she didn’t mind—“I just let itflow” were her words—she saw thereasoning in wanting to stop.

Topiary sighed to himself. “You knowI’m all for this nihilistic ‘we have to goon’ theory,” he said, “but I like my life,bros. I don’t want to be arrested.”Encouraged by Tflow, he started talkingabout how the Antisec movement wouldcarry on without them anyway; they’dsail off in the distance, leaving behind atrail of mayhem and the revival of amovement against white hats,governments, and corporations. But nomatter how hard he tried, he couldn’tpacify Sabu, who seemed to be laying on

the guilt as thick as IRC allowed:“That’s alright, you guys leave. I’ll bethe only faggot left,” he said.

It looked as though Sabu had gonethrough several stages of intention withLulzSec, initially excited at the prospectof creating the group, then even moreenthusiastic as he took on support fromother older hackers and Julian Assangehimself. Topiary started to think Sabuwas almost acting suicidal. More likely:Hector Monsegur had nothing more tolose, and the FBI needed more evidenceon the LulzSec hackers.

“Sabu, we’re leaving behind theLulzSec public face with a classyending,” he tried. “The movement youstrive for is continuing.” It was no use.

After a few minutes, Sabu started talkingto each of the hackers individually. Hewas enraged.

Soon enough Topiary saw flashingtext on his screen that indicated Sabuwanted to have a private conversation.Reluctantly he opened it, and Sabustarted venting. Topiary kept saying thatending LulzSec had turned out to be amajority decision. It wasn’t just him—the whole team wanted a break. ButSabu saw a team that had been turnedagainst him by Topiary’s manipulation.When the heat increased, Topiary toldSabu to get off the computer and get adrink of water so he could calm down.

“Don’t fucking talk down to me likeyou’re elite,” Sabu shot back. “I treat

you with nothing but respect, but Idestroy kids like you instantly. Don’tforget this point. So treat me withrespect.”

“Sabu what are you thinking?”Topiary said. “You’ve got kids and needto stop this. At least change your nickfrom Sabu.”

“It’s too late anyway,” Sabu said,simmering.

“What do you mean? You can’t sayit’s too late. You don’t want your kids togrow up with their dad in jail. Changeyour nick, wipe all your stuff and comeback under a different name. If I had kidsI wouldn’t be doing this.” Sabu repliedagain that it was too late. The team wasabandoning him.

“We’re not abandoning you,” Topiarycountered. “We’re just stoppingLulzSec. We’re still here as friends.”Instead of mollifying Sabu, this madehim more angry. Topiary gave up tryingto reason with him. It was impossible toexplain why things happened in LulzSecor in Anonymous other than to say that somuch had been done on a whim: creatingthe group itself, picking the targets,suddenly reviving the Antisecmovement. LulzSec had never plannedits activities more than twelve hours inadvance. The media and the authoritieswere giving LulzSec too much credit andnot seeing it for what it really was: agroup of people with all the right talentsthat had come together at the right time

and had then lost control of what theyhad created. Now even Topiary wasstarting to get bored with it all.

Sabu began hinting that he saw lesswhim, and more conspiracy. He openedup private discussions with AVunit andTflow, who later passed on details ofthese conversations to Topiary. Sabutalked with each of them about howTopiary had been using him and Kayla tohack into websites like PBS. He arguedthat when his grandmother had died andhe had to go on a break, Topiary hadeffectively tried to wrest LulzSec fromhis control, then take off with the Bitcoindonations. Sabu’s brain of reason wasnow his fall guy. It was almost as if hewere trying to get the other team

members to implicate Topiary as muchas possible before they split for good.

When Topiary got wind from theothers about Sabu’s private discussions,he suddenly realized the other reasonwhy he wanted out: Sabu’s uncannyability to get inside his head. If Sabuwas a good hacker, he was an evenbetter social engineer. Despite his fiercetemper, he could coax love, admiration,and guilt out of just about anyone. Oftenit had been based on somethingintangible—the promise of a bigger hackon the horizon or the devotion that theLulzSec members had for one another asa team. The harsh reality was that themembers now all had to fend forthemselves.

Topiary tried to ignore Sabu’sprotestations and began writing his finalpress release, titled “50 Days of Lulz.”

“Let it be known in an entirely sexualway that we love each and every one ofyou,” Topiary told the more than325,000 followers on Twitter, “even thetrolls.” Ten minutes later he publishedthe release:

“For the past 50 days we’ve beendisrupting and exposing corporations,governments, often the generalpopulation itself, and quite possiblyeverything in between, just because wecould,” it said. “All to selflesslyentertain others.” These were Topiary’swords, not Sabu’s. It wasn’t the rousingaddress he and Tflow had discussed but

a metaphor of what LulzSec had beenover the past month: rambling, cocksure,and reaching for a sense of seriousconviction about some issue while neverseeming truly committed to it. It calledon more people to follow the Twitteraccount Anonymous IRC. Controlled byseveral hard-core hacktivists who didnot wish to be named, it had more than125,000 followers and was slowlylooking like an official line ofcommunication for Anonymous.

The final leak was a mishmash thatincluded a technical document for AOLengineers, internal documents fromAT&T, and user info from gaming andhacker forums. The statement revealedfor the first time that LulzSec had been a

“crew of six.” Topiary had said it loudand clear: LulzSec was over.

Chapter 24

The Fate of Lulz

LulzSec’s significance had not beencompletely manufactured. For those whospend most of their time in the world ofbreathable air, traffic lights, andbimonthly paychecks, it meant thecompanies that stored their personaldetails on flimsy databases reconsideredhow well those details were protected.LulzSec had pointed to an importantfallacy held by companies like Sony—that customer data was safe becausetheir own IT specialists couldn’t hackinto them. Now any company couldsuddenly become a random target of

someone else’s whims; it didn’t take anarmy of hackers to steal more than amillion passwords, but a merry crew ofsix. LulzSec was doing what fulldisclosure had done in the late 1990s:widely publicizing flaws that companiesmight have left bare and allowed blackhats to steal from if they hadn’t beenembarrassed into patching them up.

For those who spend more timelooking at screens, immersed in theworld of browsers, IRC, and new webscripts, LulzSec had revived an interestin disrupting the Web. You didn’t needto wait for a raid interesting or funnyenough to get a few hundred supporterson /b/ or for an incident like WikiLeaksto spark a cyber insurgency with

thousands of participants. You justneeded a handful of talented, motivatedpeople with a few good connections inthe black hat community. LulzSec hadreminded Anonymous that small groupscould make a lot of noise. They didn’talways need big resources orconnections with the press. Topiary hadjournalists contacting him every day viaTwitter, but he had given only a handfulof interviews as LulzSec. He had notused any special software, just theanonymous web tools of Twitter andPastebin, Notepad to write all hismissives, and a simple, retro-designedwebsite that used a design templateborrowed from HBGary Federal.

Anonymous, as an idea, had been

around for thousands of years. At somepoint, a few cavemen must surely havesmeared buffalo blood over the rocks ofa rival in the dead of night and then runaway giggling, Topiary thought. With thedawn of the Internet and anonymousimage boards, the process reachedbeyond a handful to dozens and then tohundreds of people reacting, thinking,and contributing to a collective thoughtprocess within very short spaces of time.Anonymous had become a jointpsychological state, a sanctuary where aperson’s mind could be relieved of theresponsibilities that came with identity,or of baggage like guilt and fear. Itspawned a new wave of creativity—memes and figurative writing—

unhindered by social conventions. Whenthat hive-thought turned to action, itcreated energy, a mass force that couldnot be contained. A few couldoccasionally direct it, but for the mostpart that nebulous force, as Topiarycalled it, seemed to have a life of itsown.

For those who wanted more controland more glory, there were the splintergroups. A month after LulzSecdisbanded, several new hacker groupshad popped up to launch their own ops,often in the name of Antisec and webactivism. In July a group called theScript Kiddies hacked into the Twitterfeed of Fox News to say that PresidentBarack Obama had been assassinated,

and then it defaced the Facebook page ofdrug giant Pfizer and claimed to havestolen data from Walmart. Groups fromthe Philippines, Colombia, Brazil, andPeru launched attacks in the name ofAntisec, mostly publishing data ofgovernment or police officials. Moregroups followed suit. Through no clearobjective of their own, Topiary, Sabu,and Kayla had inspired a trend foranarchic hacktivism.

It was often not to the benefit ofhackers, though. While Sabu had seemeddisappointed with the end of LulzSec,the revival of Antisec meant that hackersand script kiddies were stillapproaching him with vulnerabilitiesthat he could pass on to the FBI. He was

fast proving himself to be a valuableinformant. Days after the final releasefrom LulzSec, there were more than sixhundred people in the AnonOps chatroom Antisec discussing both legal andillegal forms of protest against varioustargets. They were now looking to Sabufor direction, hanging on his every word,trying to impress him with their ideas forhacks.

“I’m doing the same work, morerevolutionary,” Sabu said in aninterview on July 1, a few days after hisbitter send-off with the LulzSec teammembers, and of course now secretlyworking for the FBI. “No more ‘FORTHE LULZ’ as Topiary and Tflowturned it into. I’m doing real work with

real motivations.” With Topiary out ofthe picture, Hector Monsegur’s alter egoSabu could comfortably take the virtualreins of what looked like a resurgentglobal movement. Even if it was on falsepretenses, he could continue living thelife of a revolutionary. Perhaps in an actof self-justification for turning on his oldcolleagues, he professed nothing butcontempt for Topiary and Tflow. “Theyhad me breaking laws and putting myselfout there, and when the heat got too hotfor them they copped out,” he said.“They’re fucking frauds.”

Sabu dismissed the idea that he hadever controlled Topiary withintimidation. It’s “bullshit,” he said.“Never once have I mistreated anyone.

I…I feel if they did get caught they’dpoint all fingers at me. When in realityit’s them organizing this bullshit. Don’tmind me. I’m just angry about this. I feelused.”

If Sabu felt an ounce of guilt, he didn’tshow it. It seemed that his perception ofthe world was that it had always beenagainst him. In his version of events, theidea for LulzSec had started as a jokeand to get the old crew back together.Then Topiary had motivated him to getinvolved, then it had turned into anorganization, then something far moreserious, with a website, servers, andpress releases. Then Topiary had turnedhimself into the leader of LulzSec andclosed up shop.

“They wanted me to hack for them,”he said. “Then after I did that, they gottoo scared. It’s that simple.” Ironically,he claimed that the incident that hurt himthe most was when he had gone offlinefor more than a day, and Topiary hadworried that Sabu had been raided. Inretrospect, it seemed he hated the ideathat his colleague on the other side of theAtlantic might have correctly suspectedthe truth.

“The truth is for a few days I took abreak because I needed one and myfamily had some issues,” he explained,now giving a different version of whatreally happened that day. “And[Topiary] concocted some story in hismind that I got raided or something more

sinister. He hurt me deep with that act. Iwould love to speak to him, mainly tosee him apologize.”

Sabu claimed that he resented havingto clean up the reputational messTopiary had left behind in the hackercommunity, responding to comments thatLulzSec members were “shit scaredabout being nailed by the authorities”and had “run away.” After a coupleweeks, Sabu finally cooled down, and,perhaps unfortunately for Topiary, hereconciled with the Shetland teenager.The two started speaking to each otherregularly on IRC. It was awkward atfirst, but both accepted that they hadbeen under tremendous pressure andtensions had been running high.

Topiary had meanwhile taken a breakfrom Anonymous and was trying tospend less time online. He was sellingmore of his stuff, things like his cooker,fridge-freezer, and bed frame, packinghis books, playing his Xbox. His motherand brother had moved to a suburb inEngland, and he was planning to jointhem, then find his own place in thesoutheast region of Kent. He’d bought asixty-five-liter backpack to prepare forhis big move, and he would fiteverything else into his laptop bag and asmall suitcase. He chatted frequentlywith Kayla, with whom he was stillgood friends. She claimed to be onvacation in Spain with her dad and afriend, and on Twitter she dispensed

extraordinarily detailed stories abouthearing noises from the hotel roomabove her and splashing in the pool.Between these anecdotes, Kayla wouldteach Topiary more about hiding himselfonline and “reverse trolling.” He had setup an e-mail address,Topiaryhatemail@gmail.com, andposted it on the bio of his personalTwitter account. If anyone sent amalicious link to the account, he andKayla would grab it and reverse-engineer it, then embarrass whoever wastrying to infect him. It was a bit oflighthearted fun.

After a week, he signed back ontoAnonOps IRC and was inundated withabout fifteen private messages. People

asked him questions about LulzSec. Theyshowed him website vulnerabilities,invited him into secret channels.

“Fuck, it’s THE Topiary,” someonesaid without any hint of sarcasm. TheAnons were desperate to get him torespond to their comments andquestions, and several followed himfrom channel to channel. One person senthim seven hundred FBI logins. Anotherasked for advice on destroying a fewlawyers. He was asked to help with fivedifferent operations. Everything seemedto have gotten a bit more loopy sincehe’d left, even the operators.

“Topiary, you worm. You anarchist. Ilove you, bro,” said the AnonOpsoperator Evilworks. “I bet my left nut

that government is DDoSing us.…But Ihave news for you. AnonOps ain’t goingdown. NEVER EVER.”

“My private message windows wereflying,” Topiary remembered. “PeopleI’d known from the writing channel backin January were reminding me of whothey were, even though I rememberedthem perfectly.” One anonymous usereven mashed his keyboard in excitementwhen Topiary started talking back tohim, saying he didn’t expect “someonelike Topiary” to respond. “This mademe feel mindfucked to say the least.”

If he came up with a new channel,named something like#BananaEchoFortress, within minutes itwould have a dozen people in it simply

because so many were making /whoisrequests on his name to see whichchannels he was in.

“I couldn’t help but wonder what Ihad done to deserve this much praise,”he said. “I’m far from the most skilledhacker or comedian, writer, ordesigner.” Topiary came to theconclusion that, throughout the first halfof 2011, he was simply in the rightplaces at the right times, supported bythe right people.

Topiary eventually came across a newop that he couldn’t say no to. He didn’twant to get too involved, but a hackerwith ties to LulzSec had found avulnerability in the website for the Sun,

a tabloid that was the most popularnewspaper in the United Kingdom. Itwas also a staple title in NewsInternational, the media powerhouseowned by Rupert Murdoch. Around thistime, the issue of hacking was all overthe news—not computer hacking, butphone hacking. The British governmenthad just launched an investigation intoreports that journalists from the Murdochpaper the News of the World had hackedthe phone of a murdered Britishschoolgirl and then hindered the caseafter deleting some of her voice mails.Phone hacking was an open secret in theBritish press, used most often oncelebrities. In fact, the way to listen tosomeone else’s voice mail was well

known across 4chan and other imageboards: you simply waited for a dialtone, then held down the # key and hitthe common password of “0000.” Butnews that reporters had hacked amurdered schoolgirl’s phone got thepublic baying for blood. With Murdochhimself soon to be questioned by aparliamentary committee, it seemed afitting time to cut Murdoch down to size.

The hackers who had contactedTopiary on AnonOps wanted him towrite a spoof news story reminiscent ofhis Tupac article on PBS. It was asimple job, and Topiary agreed, thinkingit was a good idea. The hackers hadmanaged to take almost absolute controlover theSun.co.uk and on July 18 broke

into the tabloid’s network and redirectedevery link on the Sun’s website toTopiary’s story. It was headlined“Media Moguls [sic] Body Discovered”and detailed how Murdoch had beendiscovered dead in his garden. Topiarycouldn’t leave it without a calling cardfor himself and one of the hackers,adding that Murdoch had “ingested alarge quantity of palladium beforestumbling into his famous topiarygarden.” When News Internationalreleased an official statement about theattack, the hackers reconfigured the pageso it linked to the LulzSec Twitter feed.

Major news outlets picked up thestory immediately, sending it to the topof Google News and saying that LulzSec

had struck again. Topiary got messagesfrom the BBC and TV news reporters inthe United States, Canada, and Australiaseeking voice interviews, but hedeclined every one. Sabu capitalized onthe interest by announcing on Twitterthat he was also sitting on a huge cacheof the Sun’s e-mails, then announced,“We’re working with certain mediaoutlets who have been granted exclusiveaccess to some of The News of theWorld e-mails we have.” None of thiswas true, but several mainstream pressoutlets’ ears perked up in envy and theyreported on the claim.

LulzSec had successfully made theworld’s most powerful media man thebutt of a joke that millions of people

were laughing at. The day after the Sunhack, Murdoch appeared before theparliamentary committee, and a roguecomedian took things a step further byshouting “You naughty billionaire!”before throwing a shaving-cream pie atMurdoch’s face.

Rebekah Brooks, former editor of theSun and the News of the World, wasalso being investigated for herknowledge of phone hacking. In themidst of the police investigation, apolice officer found that her husband hadtried to discreetly dump her laptop in ablack garbage bag back behind theirhome. They retrieved it. Topiary readthe story and thought that the coupleshould have melted the laptop. He

considered that was something he shoulddo too but figured he could put it off. Hewas ready to turn over a new leaf, find anew apartment, and even meet his onlinegirlfriend for the first time. She wasplanning to fly over from Canada inSeptember. But he wouldn’t wipe hislaptop or say good-bye to Anonymousjust yet.

Then on July 20, two days after theS u n hack, Topiary was reading thenews, and his heart leaped into histhroat. According to a Fox news report,British police had arrested a suspectedcore member of LulzSec in London, aman who went by the nickname Tflow.The official statement said that the malethey had arrested was sixteen. Topiary

read that again. Tflow, the geniusprogrammer who had written theTunisian anti-snooping web script,configured their website, compiled allthat data, was just sixteen years old. Hechecked his IRC client and saw the lastmessage he’d received from Tflow hadbeen just four hours before his arrest:

“Nice work with Sun. Do you guyshave everything you need for a proper e-mail release? I don’t want to leave youguys hanging.” And that was it. Tflowhad been the most reserved member ofLulzSec. Mysterious, mature, and quiet,he was assumed by most people on theteam to be in his twenties. He was alevelheaded programmer and evadedmost questions about himself and his

personal life—the complete opposite ofKayla. And yet there was theMetropolitan Police statement in anarticle titled “Youth Arrested underComputer Misuse Act” that added thatcomputer equipment had been taken infor analysis.

“If that’s really him, I’m reallyworried now,” Topiary said at the time.“I’m on the same ISP as him andeverything.” Topiary was on a twelve-month contract with his Internet serviceprovider, and he couldn’t afford to breakthe clause by paying for the entire year.

Topiary saw a pattern with thearrests. He went to Sabu and suggestedthat Ryan and Tflow might have been onthe police’s radar for months but were

arrested only after a big U.K. hit, Ryanafter the SOCA attack, Tflow after theSun (though he had not taken part in thehack). Since several LulzSec memberswere located in Britain, “we should stophitting U.K. targets now,” Topiary said.

Sabu was indifferent. “So it’s ok forus to stop U.K. targets because yougimps are in the U.K., but not to stophitting USA targets because I’m in theU.S.A.? Thanks.” Topiary gritted histeeth. He felt he had a right to beworried, considering that he was in theU.K. too when the arrests had occurred,but Sabu was suggesting it was selfish toavoid British targets.

“I’ve missed you, brother,” Sabu thenadded, before asking if Topiary might

give him the password to the LulzSecTwitter feed. Topiary declined and leftthe chat room.

Topiary hated to admit it, but the lulzwere slowly coming to an end. Themusic had stopped; the harsh lighting hadflickered back on. By the time LulzSecofficially ended in late June, policeacross eight countries, including theUnited States, Britain, Spain, andTurkey, had arrested seventy-ninepeople in connection with activitiescarried out under the names Anonymousand LulzSec. Most of the arrested weremale, and the average age about twenty-four. Being part of the large crowdhadn’t helped. Fourteen, including

twenty-year-old Mercedes “No” Haefer,had been arrested for taking part in theLOIC attacks on PayPal and were nowon trial.

As people increasingly sawAnonymous and Antisec as a movement,the people arrested were painted asmartyrs. The absurdity of the pranks hadevolved into an exaggeratedsignificance, even delusions of grandeur,but its shaky foundations were revealedwhen people like Ryan finally had toconfront the grim faces of a courtroom.People like Topiary and even Williamhad joined 4chan, Anonymous, Antisec,or LulzSec for the lulz, but stayed whenit looked like they were part ofsomething even greater that they could

not put into words.On July 27, seven days after Tflow’s

arrest, two officers from theMetropolitan Police got out of a four-seater private plane they had hired forabout £8,000 and walked gingerly downits steel steps onto the asphalt below.The sun was shining and there was aslight breeze. They were met by localScottish police officers, who rarely hadmuch crime to deal with, let alone achance to meet their counterparts fromLondon. The two officers got into a carand were driven down the island’snarrow, winding roads.

Topiary was in his gaming chair, hislaptop on his knees, his mind on otherthings. He faintly heard a car driving

near his house and the whine of brakesas it came to a stop. Then the sound ofseveral car doors opening and shutting ina series. He stopped what he was doing,lifting his fingers from the keyboard. Helooked over toward the front door,willing it to stay silent. His heart startedto pound. There was a long moment ofquiet and the sweet, merciful possibilitythat car had been for his neighbors. Thenthere was a knock.

Part 3

Unmasked

Chapter 25

The Real Topiary

Call it a gut feeling or common sense,but as soon as he heard that knock on thedoor, Jake knew it was the police. Heclung to one hope: that they had not cometo arrest him. Police conducted raidsaround his neighborhood all the time,thanks to the druggies. There was everypossibility they were just doing anothersweep.

When he opened the door, six plain-clothed people were standing on hisdoorstep.

“We’re with the MetropolitanPolice,” one of them said. “We’re here

to search this address.”In the hope that they were looking for

drugs, he asked, “What for?”“Computer equipment.”Jake’s heart sank. If Aaron Barr had

ever hoped one of his adversaries wouldexperience the same kind of dread hehad felt less than a year earlier, Jake justhad.

“Are you Jake Davis?” one of themasked after they had all flashed badgesand identified themselves. Jake nodded.“Yes.” They added that they were alsothere to arrest him.

“What for?” Jake asked.“Conspiracy to DDoS the Serious

Organised Crime Agency.” Jake waitedfor them to mention something else, but

they did not. It almost seemed like theDDoS attack on SOCA had been thefinal straw that made the authorities flyall the way up to the Shetland Islands.

There were no handcuffs, no guns;there was no shouting, just politeconversation that made the encountercompletely surreal. A woman officerfrom the Met’s e-crime division walkedstraight to Jake’s Dell laptop and startedto engage the track pad. Before he couldeven try to make a move, she told himnot to touch it.

Despite everything that had happened,Jake had not yet wiped his laptop as hehad intended. Incriminating documents,notes, and databases were still on there,albeit on an encrypted hard drive. But

that was no trouble for the police. Theyhad only to ask Jake for his password;he gave it to them. The woman tried tosee what was on the hard drive, but shecouldn’t find it. She motioned for Jake tocome over and allowed him one finalinteraction with his computer: a click ofthe mouse to reveal his hidden harddrive so the officer could get a lookinside. He had forty programs running atthe same time.

Just as Barr had kicked himself forreusing the same password, Jake silentlyregretted not deleting everything the wayKayla had been encouraging him to, theway he had been telling himself to.

The officers moved ahead with brittlepracticality. They told Jake he had to

leave with four of them, now, while thetwo others remained in his home to closedown his laptop and search the house forother items they could use as evidence.There was no time to pack a bag or graba book or call his mother. He wasallowed to bring two changes of clothes.They opened his front door and led himdown the steps to the car with noceremony. If the local druggies had beenwatching, they might have thought theiryoung, hermetic neighbor was headedout to town with a few family friends,not being arrested for helping lead oneof the world’s most notorious cybergangs.

At exactly the same time, severalhundred miles south in the northern

English town of Spalding, Jake’s mother,Jennifer, was across the street from herhouse, chatting to a neighbor. Apoliceman showed up at the neighbor’sdoor and asked Jennifer to come home.Confused, she did, opening the door toher house to find it bustling with e-crimedetectives and other police officers whowere going through the family’s thingswhile questioning her other son,seventeen-year-old Josh. They took allthe family’s computer equipment.

Back in Shetland, as the private planethat had carried the detectives up northnow sped down the tiny runway and tookoff for London, Jake thought about theinevitable headlines. Till then, theShetland Islands had been merely a blip

in the British public consciousness. Adistant land of Scots with strong accentswho were partial to sheep-rearing. Thebiggest local news until that point hadoccurred that very week, with his town’shosting of the Tall Ships Races of 2011.Many of the island’s seven thousandresidents had taken part as dozens oflarge sailing ships manned by youngpeople had docked in the bay atLerwick. Jake remembered how he hadstepped out of his reclusive life for aspell, strolling down to the harbor andwatching with wonder as thousands ofpeople bustled between tents, food, andlive music.

He was brought back to reality with ajolt as the plane landed. Though it had

once taken an eighteen-hour bus trip plusa ferry to get to his home in Shetland, theflight had taken just forty-five minutes.Within another hour Jake was beingdriven up to the clean white stucco wallsof Charing Cross police station incentral London and then led into a tinyholding cell. There was a bed with ablue gym-style mat, a thin blanket, and atoilet in the corner. It was a warmsummer’s day outside, but the cell wascold. The sounds of singing and bangingby other inmates echoed down the hall.Eventually he had a chance to speak tohis mother, who was beside herself withworry. He told her he was all right andasked if she could bring him someclothes, books, and fruit. The food being

served in the custody cells was mostlytake-out: fried chicken or sausage andchips.

The following day, a woman wearingbrown corduroy trousers and leatherflip-flops walked up the white stonestairs into Charing Cross police station.Jake’s mother, Jennifer Davis, had darkbrown hair that had been dyed a subtleshade of red, and she was carrying acloth satchel with embroidered flowersalong with a large blue duffel bag stuffedwith clothes and fruit that she hadbrought down on the train from her homein Spalding. She had been expecting tosee her son in a few months’ time whenhe moved down to England to live withher again; not like this. Jake’s mother

was required to attend all of hisinterviews, since, owing to Jake’s age,an adult needed to be present.

The interviews went on for hours at atime, and Jake looked forward to them. Itwas a chance to get out of his cell. Hewas shocked at the amount of detailedresearch the police had carried out onAnonymous and LulzSec. They hadthorough chronologies of cyber attacks,with exact times, and tables of suspectsgoing back to 2006, often spread acrossgiant sheets of paper. Thanks to recentextra funding from the government, therewas now a dedicated team of about adozen detectives working on trackingAnonymous. They had arrested him inconnection with the SOCA attack and on

suspicion of several other offenses.Eventually, the police said that based ontheir interviews and what they had foundon Jake’s laptop, they were planning tocharge him with five specific offenses.The police were using innocuous thingsas evidence: printouts of his browserwindow being open on a ten-minute e-mail service; another window showingNyan Cat. Jake was cooperative wherehe could be, giving the police thepasswords to the LulzSec Twitteraccount and everything on his laptop.

Word spread that the police hadarrested the person they believed to beTopiary and were questioning him inLondon, and the world of Anon was inuproar. The AnonOps chat rooms were

ablaze with rumors about what hadhappened.

Sabu quickly posted “RIP Topiary,”on his Twitter feed, which had severalthousand followers, equating the arrestto a death in the world of hacking. “I’mpretty fucking depressed,” he said in aninterview that day. But that quicklymorphed into anger at governments and,perhaps, at his new overseers. “Theproblem is not hackers. It’s the thinkingof our governments. They need to showtheir citizens that the government canretaliate against civil disobedience.”

It is still unclear how the policemanaged to track “Topiary” to JakeDavis’s yellow wooden home on theremote Shetland Islands. Sabu may have

helped, since he had been arrested amonth before. But there are otherpossibilities. Like Sabu, Topiary wasn’talways as careful as he should havebeen. For just a few seconds, the nameJake had popped up on the AnonOpschat network. It happened just afterDecember 8, 2010, when Anonymouswas launching its pro-WikiLeaksattacks. Though Jake had layered two orthree VPNs to conceal his computer’saddress, a temporary connection error tohis broadband that coincided with afailed connection of one of the VPNs lefthim briefly unmasked. He’d had no ideathis had happened.

Then there were rumors that a friendof Jake’s from his days of hanging out on

Xbox forums had recognized his voiceon the Westboro Baptist Church videoand had started posting messages onTwitter that Topiary was “Jake fromShetland.”

Another more likely reason relates tothe VPN company that Jake paid amonthly subscription fee to to hide his IPaddress. Both Topiary and Sabu hadendorsed VPN provider HideMyAss tothe core and the secondary crew ofLulzSec, with Topiary spending a fewhundred dollars from the group’sdonations on seven online accounts.When someone needed an extra VPN,Topiary would lend him a login nameand password and cross it off his list.Some time after the #pure-elite logs

were leaked, showing the world thatLulzSec was using HideMyAss, Britishpolice served the British VPN companywith a court order. HideMyAss lateradmitted it had divulged information onone of the LulzSec accounts in response.The company explained that it regularlylogged its users’ IP addresses and logintimes to help weed out abusive users. Itscustomers were up in arms, but a courtorder was a court order, businessprospects be damned.

Among the things Jake noticed duringhis interviews with detectives was thatthe police seemed to see Anonymous asan organized criminal group, which wasprecisely the thing that Sabu had beenworried would happen when he had

railed against Laurelai for writing a userguide. When the detectives questionedJake, they seemed to want answers thatfit that point of view. Jake tried toexplain that Anonymous was not a group,was not organized, and did not have astructure. It was more of a culture or anidea than a group.

Yet in explaining that, Jake realizedthat the police were right in one sense. Inless than a year, Anonymous had indeedbecome more organized. In Novemberand December of 2010, duringOperation Payback, there had been nostable chat network and more than twodozen IRC operators entangled in abureaucratic mess. By July of 2011 therewas a lean, solid chat network with

about six operators far more in sync withone another. The Twitter accounts@AnonymousIRC and @anonymouSabuby then had more than a hundredthousand Twitter followers in aggregate,not as high as LulzSec’s but enough stillto grab mass attention. Pastebin had beenpopularized as a quick and easy way topublish stolen data. More people knewwhich hackers to approach to get thingsdone. There were servers around theworld, and Bitcoin donations were stillcoming in. In fits and starts, a systemwas being created.

American authorities were inagreement with the Met. In early Augustof 2011, the Department of HomelandSecurity said it expected more

significant attacks from Anonymous inthe coming years, and there was thepossibility of a “higher level actorproviding LulzSec or Anonymous withmore advanced capabilities.”

From the front lines and sidelines,Topiary, Sabu, and Kayla, along withWilliam on 4chan, had watchedAnonymous grow from nothing to anebulous, possibly dangerous entity withpockets of significant power andinfluence. Like some petulant teenager, itremained volatile and misunderstood.From WikiLeaks in December of 2010to Tunisia in January of 2011 to AaronBarr in February of 2011, operationshad popped up almost randomly. Therehad been no funding, no planning, and no

leaders. No one knew anyone’s name orhad ever met in person. Anonymous hadcome out of nowhere to create themirage of a criminal organization thatpolice were only just starting to rope in.

Now at least they had a face to showthe world. The police kept Jake incustody for as long as they could—ninety-six hours. After that, it was timeto announce his real name.

On Sunday, July 31, London’sMetropolitan Police announced on theirwebsite that they were hitting a Shetlandteenager named Jake Davis with fivecharges related to computer hacking,including violating the Computer MisuseAct and conspiring to attack the U.K.’s

Serious Organised Crime Agency. Now,for the first time, the name Jake Daviswas publicly associated with Topiary.Later that day, Britain’s Daily Mailpublished an article headlined “AutisticShetland Teen Held over Global InternetHacking Spree Masterminded from HisBedroom.” It was typical British tabloidfare, now with the suggestion that JakeDavis was the “mastermind” of LulzSec(instead of Ryan Cleary) and with noexplanation of how anyone knew thatJake was autistic. (He was not.) Themedia that Topiary had courted sosuccessfully before, that he had almostheld in the palm of his hand, was turningon him, gleefully invoking the hackerclichés of mental disorder and social

ineptitude.The following day, Jake was driven to

Westminster Magistrates’ Court for hisfirst hearing, which was in the samebrightly lit room where Ryan Cleary hadstood just a month before. Outside thecourt, cameramen with long lensesreached up to the windows of any policevan that drove in and took photosthrough the tinted windows. They wouldcheck what they got, then take more.About two dozen journalists were thereto report on the news, including editorsfrom the Guardian, the BBC, and theFinancial Times. They huddled togetherto talk about what a “soap opera” theLulzSec story had been.

“I expect he’ll be pale and

windswept, skinny or fat,” said thetechnology editor of the Guardian,which had published the #pure-elitelogs. That editor, Charles Arthur, hadbeen the target of Topiary’s trolling atone point, getting his cell numbertweeted and quickly getting two hundredvoice mails before the mailbox wasfilled and Jake deleted the tweet. “If theyhad just been corporations it would havebeen ‘Ok, bring in some sandwiches,’”Arthur said as he mused on LulzSec,“but to hit SOCA.…” He trailed off,giving a whaddya-expect shrug.

Inside the courtroom, peoplereadjusted their seating as Jake walkedinto the octagonal dock wearing a denimshirt and holding a book, his head

bowed. He glanced around as heconfirmed his name and address to thejudge, then took a seat and scratched hishead. He looked over toward thejournalists, who were straining to seethe book he was carrying, then lookeddown again. For the most part heappeared calm and collected.

“Sir, the picture that emerges is not askilled and persistent hacker,” Jake’sbarrister, a tall, bespectacled mannamed Gideon Cammerman, said, “butsomeone that sympathizes andpublicizes, and acts as a repository forinformation hacked by others.”

The government’s prosecutor, a portlywoman in a dark suit, disagreed.Referring to Jake’s group as “luke sack,”

she insisted he remain in police custodytill further notice. When he’d heardenough, district judge Howard Riddle, astern, red-faced man with short gray hairin a bowl cut, looked at Jake for amoment and then back at the prosecutor.This was the same judge who had ruledearlier that year that Julian Assange beextradited to Sweden.

“Make it explicit for me if youwould,” he said, looking over hisglasses, “the nature of the harm that hehas caused.” Jake’s mother looked onfrom the public gallery.

“Sir, he’s compromised personalinformation of hundreds of thousands ofmembers of the public,” the prosecutorsaid softly as she looked up at the judge.

“People who have used the NationalHealth Service, the bank accounts andpersonal details of the users of SonyEntertainment systems.” She mentionedthe ten-minute e-mail they had found onJake’s laptop and the fact that thecomputer had a 100 GB encrypted harddrive with sixteen separate “smallcomputers”—his virtual machines—operating independently of one another.

Judge Riddle asked Jake’s lawyerwhat his “temperament” had been like inpolice custody. “He was perfectlycharming,” Cammerman answered, thentook the opportunity to point out thatJake’s mother and brother had justmoved to Spalding, England, and stillhad no broadband. No Internet access at

all. The lawyer suggested Jake be bailedand sent to stay with them on conditionhe wear an electronic tag and not accessthe Internet. For someone like Jake whohad gone online almost every day sincehe was eleven, this would be the coldestof cold turkey. But it beat a jail cell.

In just a few minutes, the judge madeup his mind. “It is clear that there isstrong evidence that you have beeninvolved with a group that hascommitted very serious offenses,” heintoned as Jake nodded. “The objectionsto bail I understand. But I bear in mindthe following.” He stared at Jake moreintently. “You are still only eighteen.You’ve not been in trouble before.” Inspite of his tough appearance, the judge

granted Jake bail, with a list ofconditions that included a 10:00 p.m.curfew. The guard came up to Jake witha clipboard. Jake offered him a smallsmile and signed it.

“You’re a lucky man,” the guard saidquietly as he led Jake out. “I didn’t thinkthey’d give you bail.” The guard ledJake down a corridor and into a smallroom where he met once again with hismother and another solicitor whoworked with Cammerman. Knowingthere were cameras waiting outside,their small group wondered how best toleave the courthouse. The solicitorreported that members of the media werewaiting at both the front and backentrances to the building for Jake to

emerge. If they went out the front, wheremost of the cameras were, they would atleast exit onto a main road where aLondon black cab was already waiting.If they went out the back, they wouldneed to walk around to hail a cab andwould risk meeting more media. Jake’smother decided it was best to go out thefront, together as a family.

With his hands in his pockets, hisbook tucked under his arm, Jake walkeddown to the courthouse’s brightentranceway and stood in front of themain door. Looking out the windows, hecould see it was a perfect day outside,spots of sunlight dancing around thesidewalks and through giant deciduoustrees across the road. At the bottom of

the front entrance steps a throng ofphotographers and TV cameramen stoodwaiting in a semicircle, all of themstock-still in expectation. Jake’s mothereyed them warily from inside thebuilding. Jake put on a pair ofsunglasses, which his mother hadbrought along, to hide his amblyopia.

“Shall we go?” she asked.“Yeah.” He let out a breath as the

glass doors opened in front of him, thenstepped through the doorway. The darkmass of photographers erupted intoflashing lights, accompanied by an eeriesilence. There was no shouting andalmost no talking, only the passing ofcars and rustling of wind through thetrees. When they all got down to street

level, Jake flinched as he becameengulfed by the crowd. He startedslowly shuffling toward the black cabthat was waiting for him on the otherside of the street. Just inches away fromhis face, the cameras were exploding inflashes. The photographers soon enoughwere shouting to get Jake’s attention,knowing the cab was near and their timewas short.

“Jake! Jake!” It was the Guardian’sCharles Arthur, who was jostling againstthe photographers to get Jake’s attention.“What’s the book?” Jake stopped to lookat him, then held up the paperback foreveryone to see, the one he’d beenreading in his jail cell. The camerasflashed and clicked frantically. It was

c a l l e d Free Radicals: The SecretAnarchy of Science, about howscientists would do anything—lie, steal,or cheat—to pursue new discoveries.For the first time, as Jake looked throughhis sunglasses into one of the cameras,he gave a tiny, almost imperceptiblesmile.

After his court appearance, Jake took atrain up to northern England to the househe would be living in with his youngerbrother, his mother, and her partner. Thepolice would fit an electronic tag ontohis ankle to notify them if he ever brokehis curfew. He never would, becomingso paranoid about breaking his bailconditions that he refused to listen to a

YouTube video over the telephone whensomeone offered it. Photos of Jake’sface after leaving the courthouse wereshared across the Internet. How didAnons react to seeing the real Topiaryfor the first time? They presented him asa martyr, superimposing his face ontomovie posters from The Matrix to makenew propaganda images. Sabu, Kayla,and many others changed their Twitteravatars to read “Free Topiary.” Otherhackers with Anonymous who were stillat large followed the developments ofJake’s trial and wondered how he wouldfare. But since phone numbers wererarely given out in Anonymous, none ofthe hundreds of people Topiary hadchatted to on AnonOps knew how to get

in touch with him after his arrest. Thismeant that once he got home, Jake wasmet with complete silence.

Three months after his courtappearance, a few letters had comethrough the door—some from journalistsand one or two pieces of fan mail. Jakehad gone from communicating withhundreds of thousands of people everyday online to opening the occasionalpiece of mail, talking mostly to hisimmediate family, watching TV, playingcomputer games, and trying to use atypewriter to express his thoughts.

Then there came a chance forsomething different. After a few monthsof his new, sequestered existence, Jakewas offered the unique opportunity to

talk to someone from Anonymous face toface. It was not someone he hadcollaborated with or even met in person.It was William.

Like William, Jake Davis would neverhave found his way to the front lines ofthe Anonymous phenomenon if he hadn’tfirst found 4chan. This seeminglyinnocuous website, still mostly unknownto the mainstream but beloved bymillions of regular users, was at theheart of what had driven Anonymous toget the world’s attention. Despite theheadline-grabbing actions of hackers, theroots and lulz ethos of Anonymous wasstill firmly in image boards.

From the time he was fourteen, Jake

had been learning how to maneuver thehordes on 4chan and entertain them onother websites. William was different.From fourteen right up until he wastwenty-one, his age in 2012, Williamstill rarely left the world of /b/, the ever-popular random thread on 4chan. Therewere many like him—oldfags whobelieved they were the true Anons. Thesite continued to be a home to twenty-two million unique visitors a month, 65percent of whom were male, ageseighteen to thirty-five, and living inNorth America or Western Europe. Likemany other web forums, 4chan was aplace to discuss a wealth of subjectsboth crass and sophisticated, fromcamera lenses on the photography board

to Victorian authors on the /lit/ board.But thousands of visitors each day stillwent straight to /b/, hoping to discoveran “epic thread” that saw 4chan make itsmark on the real world, anything fromruining someone’s life to raiding awebsite to finding a kidnapped girl.

William was still pulling all-nighterson 4chan, terrorizing the enemies of hisbeloved /b/ and trying to improve hishacking skills. News of Topiary’s arresthad been disappointing—he had likedthe guy on that Westboro video—but ithad also made him more determined tobecome a hacker himself. Williamreasoned that since his emotions were soextreme, prison would be either mind-numbingly boring (which wouldn’t

matter because he was so depressed athome anyway) or “a laugh.” Either way,he did not care about the consequences.

“I won’t get caught, I am certain,” heexplained.

William’s online exploits had becomebolder, sometimes including a gang ofothers from /b/ to help him torment awider group of people. For example, afew days before Christmas 2011,William was browsing what he lovinglyreferred to as “my /b/” when he saw athread that started: “Post their contactinfo if you hate them.” These types ofthreads were common on /b/ and oftenheralded a night of fun for William.

Among the responses, one user hadposted the phone number and Hotmail

address of a sixteen-year-old girl inTexas named Selena, adding, “Make thisgirl’s life hell. She’s a slut.” WhenWilliam looked her up on Facebook, hesaw she had more than three thousandfriends on the network. He decided to tryto hack her account.

He wrote down Selena’s e-mailaddress on a piece of paper, went toHotmail, clicked on the link that said“Can’t access your account?,” and thenhit “Reset account.” He put in Selena’se-mail address, then answered thesecurity question: “What is your father’shometown?” Selena’s Facebook pageshowed that she lived in Joshua, Texas,which was the correct answer.

It then asked: “What is your

grandfather’s occupation?”William sighed. He signed into one of

his fake Facebook profiles, ChrissieHarman, and sent Selena a directmessage.

“There’s a group of hackers afteryou,” he told her without bothering tointroduce himself. He pasted ascreenshot of the thread from /b/ withher contact details as proof. Williamsaid he was part of this fictitious hackergang and that they were dangerous. Hewas willing to help but would need to bepaid.

“How do I pay you?” Selena asked,worried.

“Take a photo of yourself with a shoeon your head and a time stamp.” In the

past he would have wanted nude photos,but by now William had plenty andcouldn’t be bothered to ask. Sureenough, within a few minutes, Selenahad taken a self-portrait and sent it over.William felt a small victory.

“OK. Now I’ll ask you questions tohelp secure your account,” William said.He could have just told her to removeher security questions. Instead hebombarded her with technical-soundinggibberish about “randomized answers,”“servers,” and “a database string input,”a deliberate tactic in social engineering.Distract someone with enoughmisinformation and that person willforget what you are really trying to get,or to hide. “Pick a number between 1

and 100,” he said. “What’s yourmother’s middle name? Mine’s isDeborah.” After every answer of hers,he replied, “Yes, that will work verywell.”

Then he asked, “What does yourgrandfather do?”

“Oil,” Selena said. William openedhis other window and quickly typed oilinto Hotmail. Nothing. He tried oiloperative, oil technician, a n d oilexecutive. They didn’t work either. Hewould have to try something else.

“Ok. My questions will get moretechnical now, but don’t worry,”William said. “This will really secure it.After this you’ll be un-hackableforever.” He asked Selena how many e-

mail accounts she had and how manycharacters were in her averagepassword. Then he asked her to type outher Hotmail password backward.

“Here’s mine,” he offered, pastinggibberish. Selena hesitated, then shetyped it out. Within a few minutes,William had gotten into her e-mailaccount, and then he activated a series ofsteps that allowed him to reset herFacebook account too, still asking herquestions so she wouldn’t getsuspicious.

Before she could answer his lastquestion, he went into her accountsettings and signed her out. He set upsecure browsing to mask his IP address,then changed the password again. He

went back to /b/.“I’m in this girl’s account,” he said,

starting a new thread and pasting a linkto her Facebook profile. “Give me ideasfor things to do.” One person suggestedtalking to Selena’s boyfriend, a localboy named James Martinez. Williamdecided that was a good idea. He wentahead and changed Selena’s relationshipstatus from “in a relationship” to“single” then sent boyfriend James adirect message.

“OMG I accidentally made us single!”he told him, now in the guise of Selena.“Can you give me your password so Ican log into your Facebook and acceptour relationship status again?” Jamesagreed, but when he sent over the

password boobies1, it didn’t work.Exasperated, William passed the

work on James off to another pranksteron /b/. That was the benefit of having a/b/ behind you—if you got stuck on aproblem, someone else could help youfix it. A couple of /b/ users had by nowcontacted William via their own fakeFacebook profiles, and one, who usedthe fake name Ben Dover, offered to getJames’s correct password. Soon enough,James realized he wasn’t talking to hissixteen-year-old girlfriend, Selena, but amalicious hacker. The Caps Lock wenton.

“I’M GOING TO KICK YOURHEAD IN,” he told William, wholaughed.

“It was possibly the funniest momentof the night for me,” William later said.“I really like it when people get angrywithout realizing how helpless they are.It’s like walking up to the biggest man ina nightclub and saying ‘I’ll knock youout.’ It’s just not going to happen.”

James’s tirade had continued. “I’mgoing to slit your throat you faggot,” hewrote. In another window, Ben Doverreported that he was almost in James’sFacebook account.

“I’m going to do it now,” Ben finallysaid.

“Ok do it now,” said William.There was silence from James for

about ten minutes. Then came a newmessage from James’s account in the

same chat window: “I’m in.” It was Ben.William smiled. After chatting to Benmore, William realized he was a/b/rother who understood the art oftrolling softly. This was a more subtleform of pranking. For example, it wasfunny to hack someone’s Facebookprofile and post porn on his wall, butfunnier still to make it seem that theperson had accidentally uploaded a pornlink himself.

William and Ben set up a privateFacebook group and pasted a link to iton /b/. After half an hour about fiftyother fake Facebook profiles, all linkedto /b/ users, had joined. The groupdiscussed ideas for what to do next.

For now, William wanted to keep

Selena’s Facebook login credentials tohimself. Selena, with her network ofthree thousand Facebook friends, wasthe jewel in his crown. As soon as hesigned in to her account, ten tabs of chatmessages flashed up from boys trying totalk to her. It was a reminder of how biga magnet teenage girls could be onlineand how blinded a man could becomewhen he thought he was talking to one.This was the benefit the person behindKayla found in being a sixteen-year-oldgirl online. William picked one of theboys trying to chat to Selena, MaxLopez, and sent a reply.

“Hey, babe :),” William wrote, stillas Selena. “What you up to?” Maxresponded, and the two embarked on

inane small talk, Max oblivious of thefact that he was actually talking to atwenty-one-year-old man in the UnitedKingdom.

“I’m kinda horny :D,” William typedout. The conversation that followed waslike hundreds William had had before.Weeks later, when William described itin a quiet café, he looked off to the side,his hands held firmly together. As hesearched for the memory, he seemed toenter a trance, suddenly reciting anoddly seductive dialogue as if he wereSelena again:

“Sorry,” he had told Max Lopez, “Ishouldn’t have said that. It’s terrible.”

“It’s alright,” Max had replied.“My boyfriend never does anything

these days and I just want to be reallyslummy.”

“You shouldn’t do that if you have aboyfriend.”

“I know. It’s terrible…Sometimes Ifind a guy that’s up for it.”

“Oh. You found guys that have donestuff before?”

“Yeah.”“Well I hope you find someone.”“I was kinda hoping it would be you.”

Pause. “I feel dumb.”“No, don’t worry.”“Do you send pictures normally?”“Not really.”“Well, if it’s not too weird maybe I

could send you a picture. And if youdon’t like it, that’s ok.” William then dug

through his collection of downloadedporn and found a photo of a youngwoman’s breasts that he figured wouldpass for Selena’s, based on what hecould see from her profile picture. Thenhe sent it over.

The goal was to get Max Lopez tosend back a photo of his own genitalia.Like a charm, it worked. As soon asWilliam sent over the photo of breasts,Lopez promptly sent back a photo of hisown penis. “They’re all desperate to becomplimented on their penises,”William said. “I don’t know why guysthink girls want to see that but it works.”

“Oh my God this is so hot,” Williamhad written back as he opened anotherwindow and posted Max’s photo in the

private Facebook group with his/b/rothers. “Everybody add Max Lopez,”he told them.

Soon Max was being bombarded withfriend requests from the fifty other fakeFacebook profiles. Apparently not toosuspicious, Max accepted friendshipfrom fifteen of them. William and his /b/cohorts went to Max’s profile page andlooked for Facebook friends that had thesame last name, Lopez.

When the group thought they hadidentified an account that was Max’sbrother, William corroborated theinformation with Max directly. “Oh, Ithink I went to high school with yourbrother,” he said, still as Selena.“What’s his name again?” Max replied

that it was Kevin. Now William and the/b/rothers had mapped out Max’simmediate family. It was time to pounce.

“Don’t block me,” William suddenlysaid. Even in text, the tone had changedas his charade as Selena came to an end.“I have your penis picture and I’m goingto send it to all of your family if youdon’t give me your Facebookpassword.”

Max Lopez was stunned, and soonenough, distraught. He was seventeen.He worked for his local church. Thiswasn’t going to look good.

“I felt bad, but I just laughed,”William remembered. Out ofdesperation, Max gave his password, butWilliam had no qualms about going back

on his deal. Once he was in Max’saccount, he took the penis photo andposted it on the Facebook wall of Max’smother, along with the message “Hi,mom. Here’s a picture of my cock. Tellme what you think. LOL.” Other/b/rothers from William’s privateFacebook group had been given accessto Max’s account too and were nowposting the photo to around ten of Max’sfriends and family members. The benefitof posting from different accounts wasthat it was almost impossible for aperson to block all of them. As others inthe Facebook group took over spammingMax’s social network with his genitalia,William moved on to other boys inSelena’s chat list and did the same thing

all over again.It had been months since William had

laughed as much as he did that night. Itwas “a perfect evening” that finished ataround nine the next morning. In the end,his team hacked into more than tendifferent Facebook accounts, all thanksto his access to Selena.

“We split up several boyfriends andgirlfriends and appalled many people’smothers,” William remembered. “That’sone of the bits I enjoy more. Sending apicture of someone’s cock to their mum.The idea of it happening to me is sounimaginably embarrassing it makes melaugh.”

What he loved doing even more, fromthe time he’d begun pedo-baiting, at

fifteen, was getting another man onlinehighly aroused and then suddenlydousing the moment with the threat ofexposure to family and friends or police.As his victim shot from one end of theemotional spectrum to the other, Williamwas offering him a brief glimpse intowhat he felt all the time. What he calleda “bleach shower, a reactive depression,a hot flush and shiver at the same time.”Hacking into people’s Facebookaccounts wasn’t exactly life-altering, buthe got a buzz from knowing that at leastfor a moment, his victims felt their livescrumbling around them.

“I’d be lying if I said there was anygreat reason,” he said, leaning back inhis chair and stretching his arms to

reveal a large hole in his sweater, nearthe armpit. “I don’t feel guilty, it makesme laugh and it wastes a night. That’s allI want from 4chan. I want somethingthat’s going to leave me not depressedand give me something to focus on. Andit’s fun to make someone feel that awfulfrom such a distance. I could never do itface-to-face.”

William spent the next few nightskeeping hold of Selena’s credentials,meeting with his new Facebook group of/b/ pranksters, and terrorizing people onSelena’s social network, includingposting comments on the photos of herfemale friends and calling them fat. Themother of one of Selena’s Facebook

friends, who happened to be a policeofficer, eventually sent harassmentpapers to the real Selena’s homeaddress. Selena, William said, was “thegift that keeps on giving.” At one pointhe posted a status update on Selena’sFacebook profile, announcing to herfriends that her account had been hackedbut that everything was back to normal—then followed that up with anotherupdate purporting to be from a friend,saying Selena had been hit by a drunkdriver and died. This was how Williamliked to cause a stir. Not by entertainingan audience of thousands on Twitter,like Topiary did, but by embarrassingothers to entertain himself. Still, therewere things that William and Topiary

had in common, not least that both hadfound Anonymous through 4chan.

Two months after hacking Selena’saccount, he accepted the chance to meetJake Davis, who was now on bail, overan organized lunch to talk aboutAnonymous. It would be the first timethey would talk, offline or online, andthe first time either would meet anotherAnon face to face and discuss the impactof Anonymous on his life.

William and Jake both bought traintickets to a nondescript town in Englandwhere they would meet. Though Jakewould learn William’s real first nameand see him face to face, he would notask for any other identifying information

and would never know his full name.The morning of their meeting, William’strain snaked through the countryside,past green and beige fields, dawdlingsheep, and brown rivers that shimmeredin the harsh winter sun. He couldn’t helpbut feel nervous. Jake felt the same. Histrain was headed south, the electronictag snugly reminding him to be home by10:00 p.m. When Jake’s train arrived atthe station, he stepped out, walked overto a wall in the main concourse, andwaited.

Fifteen minutes later William’s trainsquealed to a stop along the oppositeplatform. He walked into the station’sentrance, wading through a large crowdof commuters, then saw Jake standing by

a wall in a small stream of sunlight. Jakewore a black coat, had a five o’clockshadow, and was small. He looked upand smiled. William wasexpressionless. The two said their hellosand shook hands before quickly lookingaway.

Anons almost never met in personsince, naturally, it defeated the point ofanonymity. So William and Jake’smeeting was awkward at first. Whatmade it harder was the fact that Williamwas going through a particularly darkphase in his mind, and in recent days hehad been constantly fighting thoughts ofsuicide. Jake, who wanted to speak topeople outside his immediate family,especially those he had something in

common with, was eager to talk.As the pair sat in a local pizza

restaurant for lunch, Jake chattedamiably about his court case and somerecent news he had seen aboutAnonymous on television. William wasquiet and sullen. When Jake told a funnystory from his LulzSec days, hoping itmight generate a laugh, William greetedit with stony silence. The meeting wasnot going well.

Finally, when talk turned to 4chan,William opened up a little. He talkedabout his frustration with the site hevisited so much, and how it had becomea community filled with “newfagcancer,” eager young participants whodid not understand the culture or how to

cause real mischief.Jake, like William, was not a skilled

hacker, but he knew a little aboutprogramming languages. When Williammentioned that he was interested indeveloping those skills, Jake pulled outhis netbook. The small laptop had beenstripped of its wireless card andEthernet, so that there was no way itcould connect to the Internet. But Jakecould still play around with Zalgo script,a type of programmable font that packedlots of digital bytes into each letter. Ifyou were looking for fun, you could useit to send someone a message overSkype; it might crash his or her program.

Jake started typing. “If you put thatinto Skype it’ll reverse your text,” he

said.William looked visibly impressed.

“Your memory is amazing,” he said,shaking his head and leaning forward inhis seat.

Jake kept going. “Just load up thecharacter map in Windows, dump thatanywhere, and it messes it up,” he said,now typing furiously.

“So I could do this on Windows?”“Yeah, it’s kind of complex.”“So eight bytes is equal to…one bit,”

William said, hesitating.“Eight bits is equal to one byte.”

William was getting a short lesson inprogramming basics.

“Yeah, yeah,” William said, laughinga little, now more relaxed. “I don’t know

any of this.”“I’m kind of enthusiastic about

Unicode,” Jake said, shrugging. Once thenetbook had been closed and put away,the two started talking about Anonymousand how it had changed them.

“It’s made me a more extreme versionof myself,” William said. “I used tosleep badly. Now I sleep terribly. I usedto be sarcastic; now I can be anasshole.” He didn’t just “like”tormenting people; he loved it. He didn’tjust “like” porn; he looked at it everyday. “None of it bothers me,” he added.“I don’t care about anything.” Williamhad said in the past that he had no moralcode; everything was case by case, hisdecisions based on a gut reaction. Ernest

Hemingway had said it best: “What ismoral is what you feel good after, andwhat is immoral is what you feel badafter.”

Jake was nodding. “I have to agreewith all of that,” he said. “It desensitizedme. You can have Japanese dubstepplaying to the Twin Towers falling. Itmight seem horrific, then it seems like anatural thing you see every day.” Thatwas the culture that so many outside ofAnonymous could not understand. Actingout with crowds of people on theInternet had created a detachment fromreality and a sense of obliviousness tocertain consequences. Anonymous didbad things, but its members were not badpeople, per se.

As if to illustrate the point, a womansitting nearby suddenly turned to Jakeand William and asked if they knew howto access the restaurant’s WiFi on aphone. The two looked at each otherblankly then quickly explained thatneither had a mobile that could goonline. Genuinely apologetic, they triedto help the woman with some advice.

“Maybe you could ask the staffdownstairs?” suggested William.“Sorry.”

The woman smiled and turned back toher panini. She would never haveguessed this pair of polite young menhad been two notorious members ofAnonymous. There was a commonmisconception about the lack of morals

on /b/ and in Anonymous. “It doesn’tmean you do bad things,” said William.“It just means there’s no rules. We don’trevert to being bastards at everyopportunity.”

“It’s also nice to just be nice,” Jakeadded.

Many of /b/’s most hard-core users,like William, didn’t care about jobs,family, or life’s typical milestoneevents. Both Jake and William relishedthe idea of living a life that had noimpact on real people. If William couldscrape enough money together fromblogging—he had a clever web scriptthat allowed him to exploit Google Adswithout his having to do too muchwriting—he would fly to mainland

Europe later that month and sleep roughin a major capital. He was tired of beinga burden to his father and brother, tiredof playing his guitar and knowing theycould hear him.

“To have as little impact on anywhereas possible is a really appealing thought,which is like never being born,” saidJake. No legitimate home, no name on apiece of government paper, nofingerprints. To be nameless, with noidentity, not bogged down by any systembut to “lightly live everywhere” wassomething they both craved in real life.

Did that craving come from whatthey’d experienced with Anonymous:vandalizing things often with littleconsequence?

“It’s Anon and Internet culture,” saidJake. “Online you see everything. Gore,disgusting things, and you realize youdon’t care. Let’s stop fussing over littlethings. There’s always something biggeror smaller or worse or better. Most ofwhat we do is what people have donebefore.”

Nothing that occurred on /b/ wasmeant to be taken seriously, Williamadded. They were just things thathappened. “Nothing matters.”

“Exactly,” said Jake. “That’s the mainthing about life. People think we aresuperior to animals. And they’re lookingfor this missing link, but what if we arethe link to animals and real humanbeings haven’t evolved yet? It’s

pretentious to think we’re superior in theuniverse because we can communicatewith each other.”

“It’s so arrogant,” said William.“Bees found out that the earth was

round before us,” said Jake. “So beesare more clever than us.”

“They don’t kick up a fuss,” Williamadded.

Did people take Anonymous tooseriously?

“Anonymous takes Anonymous tooseriously,” William said quickly. “WhenI started getting more involved it was 50percent fun and 50 percent passing thetime and that’s it. Now there are allthese political messages and I just don’tcare about it. It bothers me it’s a bunch

of rich kids whining about beingoppressed. There are much worse thingsgoing on in the world than copyright law[one of the big causes cited by the recentAnonymous attacks]. But I don’t thinkwe should kick up a fuss anyway.”

“I struggle with that,” Jake admitted.“Sometimes I care so much aboutsomething, but the next minute I don’t.When I try and explain that to people inthe real world they attribute that toschizophrenia.”

“Sometimes something will happenand then you suddenly care about it,”said William. “It matters for thirtyseconds.” Though this sounded unusualat first, it was not all that different fromthe twenty-four-hour news cycle or the

hype that surrounded popular newstories; they faded just as quickly fromthe public’s short-term memory.

“That’s what it was like writing pressreleases for LulzSec,” said Jake. “‘Icare, I care, I care.’ Then it causes ashitstorm in the news, and then I think,‘Whatever.’ I feel bad that people aregetting arrested and inspired and I don’tcare afterwards. Like the Antisecmovement.”

“Opinions on stuff like that are sofluid,” said William, “maybe becausewe’re young and impressionable. Maybewe’re just honest when we change ourmind.”

“We care suddenly about somethingbecause we’re more enriched by the

sense of victory,” said Jake, referring tothe large-scale attacks by Anonymousand the big LulzSec hits. “Then it goesand you don’t care anymore.”

Did either of them ever feel like hehad been manipulated by Anonymous?

“Not at all,” said William.Jake looked down for a moment, then

answered. “Not manipulated, butinfluenced,” he said. “When you’re in amob mentality with lots of others. Youhave a ‘mob extreme’ version ofyourself too, this one, unified mind-setwhere you don’t care that anything existsand you want to wreck something.”William was nodding now.

“I’ve said no but the mob thing ringstrue,” he said. The issue of mental health

meant a lot to him personally, butsometimes he’d see a thread on /b/where the original poster has said, “I’mreally depressed and want to killmyself.” If the thread’s participantsleaned toward telling him to commitsuicide, William would join in, postinga picture of a can of cyanide andreminding the OP to do it properly.“Which is something I don’t evenbelieve. I don’t want people to die,but”—he shrugged—“it’s something towrite and something to do.”

Of course, both William and Jake haddone their fair share of manipulating too.William was dismissive of the younger“goombie” users and newfags on 4chanwho cared about the V for Vendetta

revolutionary symbols of Anonymous,and sometimes he would rile them up forfun.

“They want to think the world isagainst them so there’s something tojustify their angst,” he said. That’s whyit was almost easy to get people to jointhe revolution in Anonymous. “You canjust make stuff up [about government orcorporate corruption] and they buy it.”To write a rousing post on /b/, forinstance, you just needed to write in away that would appeal to the Anoncrowd, using linguistic devices likealliteration, repetition, sound bytes, anddramatic words like injustice,oppress i on, a n d downtrodden todescribe corporations and governments,

and justice, freedom, and uprising whenreferring to Anonymous.

“You could inspire some fifteen-year-old, or someone with a fifteen-year-old’s mind-set, to hate whoever youwant them to hate,” said William matter-of-factly. In having no clear goal,Anonymous was like any other modern-day movement that had becomefragmented by the user-generated,crowd-sourced nature of a web-enabledsociety. Movements like the Tea Partyand Occupy Wall Street had the sameissue; they were often vague in theirgoals, but their supporters foughtpassionately against rival ideologies.Anonymous was a new movement, and anew process for fighting perceived

oppressors. And it could bemanipulated.

“It’s easy to come up with examplesof ways that we’re oppressed, and someidiot, some gobby student who has apolitical awakening at fourteen or fifteenwho thinks they’re clever will buy it!”William was almost shouting now. Hestopped in a moment of self-reflection,as if taken aback by the strength of hisown opinion, then laughed a little. “I’monly five years older than these guys andI feel like I’m their dad.”

But Jake was nodding again. If youknew how to communicate with theAnons, sometimes you could direct them.“It’s just so easy,” he said.

As Jake and William walked back to thetrain station through a biting wind, theyswapped stories about elaboratetrolling, barely noticing how theirearlier tensions had disappeared. Jakeran through one of his favorite incidentsas William listened: Years before, heand a friend had convinced an onlineenemy to perform a sexual act in front ofhis webcam in the middle of the night.They had filmed it, then told the boy theywould show the video to the local policeand his school if he didn’t wake up hismother so they could show it to her. Atfour in the morning, he did, and he criedmost of the way as his mother watched,horrified. Jake and his friend hadlaughed.

“We decided to let him off by justshowing his mum,” he said, raising hisvoice to be heard over the strong wind.

William looked shocked. “That’swhat you call letting someone off?” heasked, incredulous.

“Yeah,” said Jake, shrugging. Williamblew air through his lips, as ifimpressed.

William’s train pulled up and it wastime to go. There followed anunceremonious good-bye, the weightydiscussion and baring of souls quicklyforgotten in the final, awkwardhandshakes. Jake and William eachnodded quickly to the other and thenglanced in the opposite direction.William got on the train without turning

around. Jake went back to wait for hisown train.

They had found Anonymous in thesame place and adopted similarperspectives on life, but they were ondivergent paths. Even after meeting Jakeand seeing the consequences of gettingarrested for hacking, William stillwanted to learn to do more than just tricksomeone into giving him her Facebookpassword. He wanted to know how tobreak into a computer network. Forweeks afterward, he continueddownloading free e-books and readingsections about programming onEncyclopedia Dramatica. Gradually hestarted testing popular hackingtechniques like the Cain and Abel

password cracker, SQL maps,Googledorks, and Backtrack5. Then onMarch 10, 2012, William reached amilestone. After five hours of tinkering,he cracked the password of hisneighbor’s WiFi, and started using it.

“Next I’ll try and steal their shit,” hesaid hopefully, “but I think they’re old,so I’m not holding my breath for n00dz.”William had no plans to stop disruptingother people’s lives, and just like Jake,Sabu, and Kayla before him, he was surehe’d never get found out.

Jake, by March of 2012, had beenbanned from using the Internet for eightmonths. If his case went to trial, thethousands of pages of chat logs andcomplex computer configurations that

served as evidence meant it could easilylast a year. It was hard for him to thinkabout his future and what he might dowhen he got out of jail. He still liked theidea of “lightly living everywhere,”traveling to places where no one knewwho he was. He hoped that one day, hewould get a job where he could workoutdoors, maybe drive around. He mostdefinitely did not want to work withcomputers. He was tired of all the stressthey had led to in the past. Even withoutthe Internet, it was hard to escape thosefraught, paranoid memories. But thatmonth, they would come flooding backstronger than ever, when he found outwhy Sabu had been at large for so long.

Chapter 26

The Real Sabu

What ended up happening to Hector“Sabu” Monsegur? After the arrests ofTopiary and Tflow, he continued leadingthe revived Antisec movement, tweetingfrom the account he had labeled “TheReal Sabu” to a growing stable of tensof thousands of followers. Sometimes heincited revolution—“I love the smell ofcyberwar in the morning #fuckisrael”—and sometimes he funneled supportersinto the Antisec chat channel,“irc.anonops.li payload is comingsoon!” When his handlers needed him topull in the reins, he complied, cautioning

Anonymous on September 21, 2011, thatattempts to DDoS Wall Street financialfirms was “a fail…Not because of lackof manpower, but rather, wrongdirection. Own them, don’t wasteresources DDoSing.”

For someone who had been so loudabout hating the police, it had not beenall that hard to get Sabu to work for theFBI. On June 8, 2011, the day after hehad gone missing from LulzSec andcaused distress among his clique ofhacker friends, Sabu went to court,where a judge decided to release himfrom police custody on bail. Thecondition was that he let the FBIsupervise his every movement onlineand in real life.

For the next two months, as LulzSecfinished its hacking spree and thegroup’s founding members, Topiary andTflow, were arrested, Sabu continued toquietly work with the Federal Bureau ofInvestigation. According to later reports,he proved to be a devoted informant. Hecontinued to stay up until the early hoursmost nights, talking to other hackers andfinding out about upcoming attacks. Ifrumors swirled that Anonymous orLulzSec were about to hit a governmentor company, he would try to talk to thehackers involved to corroborate theattack was about to happen. Perhaps foronce Monsegur felt like he was gettingthe respect that he deserved—this timefrom the police.

On August 15, he stood before a judgeat a second secret hearing in theSouthern District Court of New Yorkand pleaded guilty to twelve charges,mostly related to computer hacking.Sabu agreed to help the FBI, and federalprosecutors agreed not to try Sabu forseveral other crimes he had committedoutside the world of hacking. Theseincluded carrying a handgun, selling onepound of marijuana in 2010 and fourpounds of weed in 2003, buying stolenjewelry and electronics, and running up$15,000 in charges on the credit card ofa former employer. And there wereplenty of other misdemeanors Sabu hadcarried out online; detectives found outhe had hacked into an online casino and,

in 2010, had hacked into a car partscompany and shipped himself four carengines worth $3,450. Given howenthusiastically Sabu had boasted abouthis decade “underground” in which hehad “owned entire governments,” therewas possibly plenty more the policemissed. But the Feds were moreinterested in the other prosecutions thatSabu could help them with.

“Since literally the day he wasarrested, the defendant has beencooperating with the governmentproactively,” U.S. district attorneyJames Pastore, the prosecuting lawyer,told the judge during the August hearing.“He has been staying up sometimes allnight engaging in conversations with co-

conspirators that are helping thegovernment to build cases against thoseco-conspirators.” Pastore read out thecharges and said they could lead to atotal maximum sentence of a hundred andtwenty-two and a half years in prison. IfMonsegur followed his “cooperationagreement” with the federal government,he could get a shorter sentence.

The judge then turned to Monsegurand asked if he was willing to pleadguilty.

“Yes,” he answered. Monsegur couldnow skip any sort of trial. He read out astatement in which he admitted to astream of illegal actions between 2010and 2011.

“I personally participated in a DDoS

attack on computer systems, PayPal,MasterCard, and Visa,” he said. “I knewmy conduct was illegal.” He repeatedthe admission after listing every count onhis indictment, from accessing theservers of Fox, to PBS, to InfragardAtlanta.

“Very well,” said the judge. “Theplea is accepted.” The judge agreed todelay publishing the court docketbecause Monsegur could be in “greatpersonal danger” if he were identified.Among the apparent risks laid out incourt: hackers could send hundreds ofpizzas to Monsegur’s apartment or havea SWAT team sent to his home (tacticswell known to 4chan users likeWilliam).

“It’s actually called swatting,”District Attorney Pastore had explained.

After the hearing, Sabu continued tocollaborate with the FBI, workingsometimes daily from the FBI offices.The Feds replaced his laptop, whichwas so old it was missing the Shift, L,and 7 keys, with a new laptop thatcontained key-logging software thatmonitored everything he typed. They putvideo surveillance in his home tomonitor his physical movements. Theyallowed him to continue the publiccharade of being America’s most wantedhacker, encouraging others to join theAntisec movement for which he hadpositioned himself as its leader, eventaunting the police and his critics.

“Sources inside Interpol tell me(besides ‘They like butter on theirtoast’) that I’m next to get raided,” heannounced on Twitter in August. “Iseveryone excited by this news?” Laterhe added: “Message to Interpol: SUCKMY DICK.”

But many people in Anonymous hadtheir suspicions about Sabu. Why hadeveryone else who had founded LulzSecbeen caught while the loudmouthedringleader who was widely known tolive in New York and be of PuertoRican descent was still at large?

Among the more suspicious was Mike“Virus” Nieves, a hacker whom Sabuhad collaborated with during LulzSec.On August 16, a day after Sabu’s second

court appearance, where he had agreedin writing to work for the FBI, Virusaccused Sabu outright of being a snitch.The conversation started when Sabu firstapproached Virus and made the veiledaccusation that a friend of Virus’s wasan informant. Virus saw through thisdeliberate tactic straightaway. It was atypical strategy among hackerinformants: to faze someone whosuspected you of being a snitch, youaccused him of being a snitch. Theirlong and eventually hostile chat tookplace two weeks after Jake Davis hadwalked out of his first court appearance.

“Regarding Topiary,” Virus told him.“You ratted him out. It’s so obvious,Sabu.”

“You better watch your fucking mouthbecause I’m not a rat,” Sabu wrote back.“And I definitely didn’t rat my ownboy.” Virus wasn’t listening.

“I can spot a rodent a mile away,” hesaid, adding for good measure,“‘Antisec,’ what a fucking joke.”

“For a fucking joke it’s doing moremayhem than it did a decade ago,” Saburetorted.

“You don’t even get what Antisec wasabout,” said Virus. “You’re not owningwhitehats. Just dumbass foreign .govs.”

“I was actually involved,” said Sabu.“Big difference man. I don’t sit here andrun automated tools. I’m a seasonedsecurity researcher going back to mid-to-late 90s.”

“You’re a low-level blackhat that gotowned,” Virus shot back. “I’m donebeing your friend. You’re way too shadyand I’m too old for this childish crap.Your lame-ass Antisec movement ishitting anything it can.” In truth, Sabu’sAntisec followers were often thwartedwhen they tried to hit out at “anythingthey could.” The FBI was takingadvantage of Sabu’s cult-leader status byfollowing up each hacker who presenteda vulnerability to his mentor in the hopeof a pat on the head. Sabu sometimesreceived more than two dozenvulnerabilities a day, and each time hewould alert his FBI handlers. By Augustof 2011, he had helped the FBI patch ahundred and fifty vulnerabilities in

computer networks that other hackerswere targeting or was at least helping tomitigate the damage. Over the comingmonths, he would reportedly assist inalerting about three hundred governmentand corporate organizations aboutpotential attacks by hackers withAnonymous, allowing them to patchflaws in their networks.

As Virus brought his standoff withSabu to an end, he waxed pragmaticabout what Sabu was probably doing.“Quite frankly, I don’t care if you’reworking with the Feds to clean up themess you created and getting your socalled ‘friends’ arrested,” he said. “It’shuman nature.”

“My nigga,” said Sabu. “You

seriously need to stop saying that.”“Or?”“We’ll meet up in Manhattan and talk

it out face to face.”“I know your tactics, and you won’t

gain access to any of my shit,” saidVirus.

“Bro, you know me less than the Fedsdo,” Sabu said, momentarily hinting athis working relationship the FBI. “Butlet’s be real.”

The two went back and forth abouthow offensive snitch was before Sabuobserved, “You’re talking a lot of shit,like you have some issue with me. Ialways gave you mad love even from thefirst day I met you.”

“I don’t care for your love,” said

Virus with finality. “There is no ‘love’on the internet.” This seemed to ring trueabove all else. Sabu may have been askilled rooter who could find networkvulnerabilities and exploit them, but hisgreatest skill was hacking into people’sminds. He lied to the very team membershe had brought together and led, all thewhile helping the police build upcharges against them and corroboratetheir identities. All the more impressivewas that Sabu’s charisma and lies wereso effective that other hackers continuedworking with him, even after Topiary,Tflow, and Kayla were arrested, andeven as other hackers remainedsuspicious of him. It was even said to bean open secret among hackers in New

York City that “Sabu” was Monsegur,with one rumor doing the rounds thatlocal hackers had sprayed graffiti on hisbuilding.

On the same day as Sabu’sconfrontation with Mike Virus, a groupof self-styled anti-Anonymousinvestigators published a blog postclaiming to dox Sabu. This time itincluded a photo of a large Latino-looking man in his late twenties, wearinga leather jacket and a hat. The photo wasof Monsegur. It also showed a detailedhistory of his exploits, and his IPaddress. It was perhaps the mostcomprehensive dox to date. Thefollowing day, August 17, Sabu posted acryptic message on Twitter, invoking a

quote from the movie The UsualSuspects about the film’s mythical badguy, Keyser Söze: “The greatest trick thedevil ever pulled was convincing theworld he did not exist. And like that…heis gone.” For the next few weeks,nobody heard a peep from Sabu onpublic IRC or Twitter. Most assumedthat he had either fled or been caught.Then exactly a month later, onSeptember 17, he started tweeting again,starting with:

“They tried to snitch me out, troll me,dox every one around me, bait me intoendless arguments but there’s one thingthey can’t do: STOP ME!”

All at once, Sabu dived back into theworld of Anonymous and Antisec,

jumping into conversations on publicIRC channels and asking to hear reportsfrom other Antisec hackers. For the mostpart, he didn’t join in any attacks. Otherhackers close to Sabu at the time do notremember him hacking anything for themonths after he came back. They knewthat he was bragging publicly on Twitterabout attacks he had carried out butassumed this was part of his role as amouthpiece for Anonymous and Antisec.Sabu instead pushed the “younger ones”with Anonymous by praising them andoffering to help facilitate attacks, onesource said.

At one point, for instance, he offeredto help Anonymous hackers in Brazil getroot access to government servers.

(Hacktivism is extremely popular inBrazil, in part because the country hasthe highest rate of Twitter usage and alsobecause of long-standing controversyover government corruption.) Sabu actedas the mediator, talking to the Brazilianhacktivists, then telling his crew ofhackers what the Brazilians wanted todeface. His crew rooted the Brazilianservers and then sent Sabu the logincredentials to pass on to the Brazilianhackers.

“We can’t remember one [hack] hedid, even before he got busted,” said onehacker who had been working with Sabufrom at least late 2011. “He liked to sayhe did it all. He did not.”

It is unclear to what extent Sabu was

allowed to hack with impunity during histime assisting the FBI. There aredifferent accounts. Some say that in hisrole to corroborate the public claims byAnonymous that a company orgovernment agency had been hacked, hewould enter the targeted network andcheck that the vulnerability was there.Others have said he would simply checkthe claims out by talking to other hackersin private IRC rooms. It was probably abit of both. For the most part, he waseither giving advice, barking orders, ortrying to keep on top of what was goingon. For instance, he asked a hackernamed Sup_g who had stolen data fromnychiefs.org in December of 2011,“What’s the latest with that nychiefs

ownage? You done with it or?”That month, Sabu helped the FBI get a

glimpse inside one of Anonymous’sbiggest attacks and bait that same hacker.The attack was on Stratfor, an Austin-based intelligence service that mademoney selling a newsletter to clientswho included the Department ofHomeland Security.

On December 6, Sup_g approachedSabu about Stratfor, excitedly, in aprivate IRC channel.

“Yo, you round? Working on this newtarget,” he said.

“Yo,” said Sabu. “I’m here.” Sup_gpasted a link to the admin panel forStratfor.com, saying that it could lead tocredit card data that he was confident he

could decrypt.Sabu notified his FBI handlers. Over

the next few days, Sup_g and otherhackers dubbed the Stratfor hacklulzxmas and deemed it a landmarkattack for Anonymous and Antisec. Aweek later, Sup_g spent around eighthours getting into the company’snetwork, and the following day,December 14, he told another hacker thathe was now in Stratfor’s e-mails.

“We in business baby,” he said.“Time to feast upon their [e-mail]spools…. I think they’ll just give upafter this goes down.” As the FBI lookedon, apparently helpless, the hackers stole60,000 credit card numbers, along withrecords for 860,000 clients of Stratfor,

staff e-mails and financial data, and awhopping 2.7 million confidential e-mails. At the FBI’s direction, Sabu toldthe crew to store it all on a New Yorkserver.

On Christmas Eve, December 24, thehackers defaced the Stratfor site andpublished the credit card details of30,000 Stratfor clients, claiming theyhad used them to donate $1 million tocharity—even publishing receipts. TheFBI later confirmed that the credit cardshad been used to make at least $700,000in fraudulent charges. Stratfor had tostop charging a subscription for its all-important newsletter and it estimated thebreach cost it $2 million in damages andlost revenue.

Sabu might not have stopped thebreach, but he did help the FBI identifythe person behind the Stratfor attack,Sup_g. He did this by corroborating thatSup_g also went by another nickname,Anarchaos. On December 26, Sabuapproached Sup_g online, going perhapsa little over the top in playing the role ofthe still-outlawed hacker.

“Yo yo,” he said. “I heard we’re allover the newspapers. You motherfuckers are going to get me raided.HAHAHAHA.”

“Dude it’s big,” said Sup_g.“If I get raided anarchaos your job is

to cause havoc in my honor,” Sabu said,subtly dropping Sup_g’s other nickname,anarchaos, and adding a heart—<3—for

good measure.“It shall be so,” Sup_g replied,

unaware that he had just implicatedhimself. Over the next few months, as theFeds pored over chat logs with Sup_g onSabu’s computer, they pieced togetherenough personal information to build upa picture of who the hacker really was. Itled them to twenty-seven-year-oldJeremy Hammond, a political activistfrom Chicago who wore long dreadlocksand was a practicing freegan—federalagents reported seeing him looking indumpsters for food once they startedphysical surveillance. His mother latertold reporters that Hammond had been acomputer genius who couldn’t stop hisurge to “get the goat of America.”

The FBI may well have had a biggertarget in mind than the dreadlockedHammond: Julian Assange. Soon afterthe hackers breached Stratfor’s e-mailsand started rummaging through them,they noticed that many e-mails talkedabout WikiLeaks. The hackers decided itmade sense to pass them over to thewhistle-blower organization and thatWikiLeaks would do a better job atdisseminating them anyway.

It is possible, though not conclusive,that as the FBI watched what was aboutto happen, they hoped to take advantageof the Stratfor hack and gather moreevidence against Assange so they couldfinally extradite him to the United States.The FBI later denied to the New York

Times that they “let [the Stratfor] attackhappen for the purpose of collectingmore evidence,” going on to claim thehackers were already knee-deep inStratfor’s confidential files onDecember 6. By then, they added, it was“too late” to stop the attack fromhappening. Court documents, however,show that the hackers did not access theStratfor e-mails until around December14. On December 6, Sup_g was notexactly “knee-deep” in Stratfor files: hehad simply found encrypted credit carddata that he thought he could crack.

It is also telling that Sabu, the manwho had jumped into Anonymous to helpavenge Assange, suddenly seemed verykeen to talk to the WikiLeaks founder

once his FBI handlers were watching.Beyond the initial contact he madeduring LulzSec, hacker sources havesaid, Sabu tried especially hard to speakto Assange again and again after theStratfor hack, “bugging” Assange’sassistant to talk to him.

“Sabu was trying to contact [Assange]for a long time,” one hacker said. Othersadd that when Sabu first heard thatAnonymous was planning to give theStratfor e-mails to WikiLeaks, he“freaked out,” then called WikiLeaks bytelephone and demanded to speak toAssange directly. It is unclear if he gotthrough to Assange himself or just hisassistant, but according to severalsources, Sabu then asked for money in

exchange for the Stratfor e-mails.Assange apparently said no.

When the Stratfor hackers got wind ofnews that Sabu had asked for money forthe e-mails they had stolen, they wereshocked, and quickly transferred the e-mails to WikiLeaks’s server for free.WikiLeaks has not denied, publicly or inprivate, that Sabu asked for money fromthe organization. But if WikiLeaks hadpaid for them, American authoritiesmight have had a much stronger caseagainst Assange. It seems doubtful thatthe FBI had the time or inclination todecide from the top down that it wantedto play along and try to nab WikiLeaks,but perhaps an agent somewhere had theidea to nudge Sabu to ask Assange for

money, and see what came of it.Once WikiLeaks had the Stratfor e-

mails, it formed partnerships withtwenty-five media organizations,including Rolling Stone a n d RussiaReporter, and published a drip-feed ofconfidential information. WikiLeakscalled them the Global IntelligenceFiles.

News commentators noted that thismarked the first time WikiLeaks wassourcing files from data that had beenhacked by Anonymous. Till then, hardlyanyone outside of LulzSec’s hackingcommunity, WikiLeaks, and the FBI hadknown that Assange had been dealing toSabu and other Anon hackers since Juneof 2011. That of course did not mean

there was a solid partnership in place.Two separate hacker sources said thatfor a long time, Assange did not trustSabu. Exactly why is unclear, butAssange would not have been the onlyone to sense that something was off.

“There is one thing that really struckme as funny after he came back,” saidanother hacker, referring to when Sabuhad returned to LulzSec after goingmissing for twenty-four hours (his secretFBI raid in June 2011). “He suddenlytalked about his family. He mentioned ina private chat to me that he had twokids.” This was deeply unsettling.Despite the unspoken rule in Anonymousto never talk about your personal life,Sabu was suddenly saying things like

“My family is the most important thing.”Before then, he had never talked abouthis two daughters. Another oddity: whenothers from Anonymous were questionedby police and then allowed to come backonline, they mentioned to other hackershow strange it was that the authoritiesnever asked them about Sabu.

Sabu was unflinching when he deniedto hackers, and in interviews, that hewas “Hector Monsegur,” using theimplausibility of the situation to hisadvantage and tweeting on June 26,2011, “How many of you actually fellfor that bad whois info? Haha. First off‘hector montsegur’ has been postedevery day for the last six months.” Herepeated this line to others in private.

Surprisingly, though, Sabu admitted tohis closest hacker friends that theseveral acts of doxing him—and therewere others besides Emick who came upwith Hector Monsegur—were correct.This, again, was bizarre, but manyassumed it was Sabu’s usual nihilism,the guy whose favorite saying was, “I’vegone past the point of no return.” Sabuseemed to relish the trouble he wasgetting himself into and at some pointdown the line, they figured, he would getbusted.

In late November of 2011 and thenagain in January of 2012, a hackerconfronted Sabu about not hacking intoany targets himself. “Man, get yourhands dirty for once,” the hacker told

him in exasperation, adding that it wasthe only way to prove to others that hewas not a snitch. Sabu responded withhistrionics, claiming he had done plentyfor the cause already, then adding that“haters” wanted to hunt him down. AsSabu ranted, the hacker typed out anemoticon for weariness, -.- , and wentback to work.

Despite their suspicions, most ofSabu’s associates never really believedthat this veteran revolutionary hacktivistwho was so passionate about his causecould really be a snitch.

“The idea was so horrid. And weweren’t sure who to trust to talk aboutit,” the same hacker said. Sabu had sucha strong psychological hold on his crew

that they actually feared asking aroundabout his true intentions lest the volatilefigure suddenly flip out on them.

While Sabu was an informant, his lieswere aimed at not only other hackers butalso journalists. Together with his FBIhandlers, he would lie to reporters whohoped for an online interview.Sometimes the reporters were speakingto federal agents, other times it wasSabu but with the agents looking over hisshoulder. In the end, it was just anotherdisinformation campaign.

Throughout his volatile year withAnonymous, Sabu had proved himself tobe a masterful liar. But there was onething he could not seem to fabricate: hisname. At one point in 2011, before his

FBI arrest, Hector Monsegur droppedthe nickname Sabu online and startedtrying to use the new nickname Kage orKaz in private IRC channels. The goalwas to start anew, burn the old Sabuname, and avoid arrest and doxing. Hadhe maintained the new names, he mightnever have been raided by the FBI andmight still be living with his two kids inhis Lower East Side apartment today,watching YouTube videos and payingthe bills with stolen credit card numbers.But Monsegur couldn’t manage the newonline identity. After a few weeks, hewent back to using Sabu.

This was the dilemma for hackers inAnonymous. There were practicalproblems when someone who was well

connected in the hacker underground,like Sabu, took on a new name. Hewould lose his contacts and the trust hehad with them. Sabu had brought indozens of useful contacts from his timeunderground to work with LulzSec,Anonymous, and Antisec. HectorMonsegur could never have orchestratedall that collaboration without the nameSabu. In the end, ego and a thirst forcontrol got the better of him.

By early 2012, FBI administrators hadbegun to go back and forth over whenthey should out Sabu as their informant.So far, he had helped fix a number ofvulnerabilities in targeted networks,helped identify Jeremy Hammond, andhelped bring charges on Donncha

“Palladium” O’Cearrbhail, from Ireland.In early January of 2012, O’Cearrbhail(a Gaelic name that’s pronounced“Carol”) had hacked into the Gmailaccount of a member of the Irish nationalpolice, an officer who routinely sent e-mails from his official police account tohis Gmail account. One of the e-mailscontained details of a conference callthat was to occur on January 17 betweenFBI agents and Britain’s MetropolitanPolice to discuss the LulzSec andAnonymous investigation. Palladiumquickly notified Sabu that he would belistening in and recording it.

“I am happy to leak the call to yousolely,” he said excitedly. “This will beepic!”

After recording the eighteen-minutecall, Palladium passed the audio file toSabu, who then passed it to the FBI tocorroborate that it was real. It was.When Sabu didn’t publish the file online,someone else put it up on YouTube,much to the delight of the Anoncommunity and embarrassment of theFBI. Behind the scenes, the FBI went onto identify Palladium (thanks to a searchwarrant they’d gotten on a friend’sFacebook account) and level asignificant charge against the hacker(thanks to Sabu’s chat logs). Sabu hadhelped gather evidence against fivepeople, all told: Topiary, Kayla, Tflow,Sup_g (Jeremy Hammond), andPalladium.

In early 2012, police on both sides ofthe Atlantic got ready to press chargesagainst the five Anons. The time to outSabu was soon, but choosing a datewasn’t easy.

“There were constant problems withthe relationships between the Britishauthorities and the FBI,” said one personwith knowledge of the FBI investigationinto LulzSec and Anonymous. ThoughSabu was in New York, at least fourLulzSec hackers lived in the BritishIsles, which meant Britain’sMetropolitan Police were more eagerthan their American counterparts to pullthe trigger and charge them. While theAmericans had a major informant whocould help them grab more hackers at

large, the Brits had four hackers theywere ready to send through the courtsystem.

The FBI wanted to capitalize on theirLower East Side snitch as much aspossible. He had helped patch thoseflaws, and the announcement of hisarrest and the revelation of his duplicitywould devastate the socially disruptiveideas of Anonymous and Antisec. But theFeds could not know for sure how usefulHector Monsegur would continue to be.Though he was smart and wellconnected, he was also a loose cannon.One evening in early February, a copfrom the NYPD encountered Hector atanother apartment in his neighborhood.He asked Hector for his ID.

“My name is Boo. They call me Boo,”Hector replied. “Relax. I’m a federalagent. I am an agent of the federalgovernment.” It seemed that Hector hadstarted to believe that he was both Sabuand a bona fide FBI agent. That sameevening he was charged with criminalimpersonation.

Just as complicated: In monitoringSabu, the Feds were getting a look athow quickly things moved in the worldsof Anonymous and Antisec. Sabu sawscores of ideas for attacks floated everyday, and while some got thrown out,others were followed up faster than theFBI’s red tape might allow. Hackersbragging on Twitter, Internet drama, lulz—this was all new territory for the FBI.

When London’s Met finally told theFBI that they had a “drop-dead” date ofMarch 7 to arrest and publicly chargethe person alleged to be Kayla, a datefrom which they could not budge, theFeds agreed to out Hector just beforethat deadline too. Everything wouldcome out into the open at the same time:the suspected identities of Kayla,Pwnsauce, Palladium, and Stratforhacker Sup_g, and the news that Sabuhad been working with the FBI for anextraordinary eight months. It was abombshell, and the police were about todrop it squarely on Anonymous.

Chapter 27

The Real Kayla, theReal Anonymous

Seven months earlier, on September2, 2011, British police had pulled up toa family-sized house in the quiet Englishsuburb of Mexborough, South Yorkshire.It was a cold and gray morning. One ofthe officers had a laptop open and waswatching the @lolspoon Twitter feed,waiting for the hacker known as “Kayla”to post another tweet. When she did,several more burst in the house through aback entrance, climbed the stairs to thebedroom of Ryan Mark Ackroyd,

walked in, and arrested him. Ackroydwas twenty-five and had served in theBritish army for four years, spendingsome of that time in Iraq. Now he wasunemployed and living with his parents.Appearance-wise he was short, haddeep-set eyebrows and dark hair in amilitary-style crew cut. When he spoke,the voice that emerged was a deepbaritone, and the accent stronglynorthern English. Ackroyd’s youngersister, petite and blond, was, perhapstellingly, named Kayleigh.

In the same way police hadsimultaneously questioned Jake Davis’sbrother, detectives also synchronizedAckroyd’s arrest with that of his youngerbrother, Kieron, who was serving in the

army in Warminster, England. Afterquestioning Kieron, the police releasedhim without charge. Kieron andKayleigh Ackroyd seemed close assiblings, with Kayleigh regularly postingon her younger brother’s Facebook wall,encouraging him at one point on aforthcoming driving test. “You’ll get thehang of it,” she said in January 2011. Buttheir older brother, Ryan, neverappeared in their public conversations.

“He is the archetypal Englishinfantryman,” said one person who knewof Ackroyd. “He will stand to attentionand if he’s told to jump he’ll ask howhigh—that type of personality. He’seither exceedingly clever to pull this off,or it genuinely isn’t him.”

“She’s a soldier in the UK,” Sabusaid quietly during a phone interview onNovember 5, when asked who he thoughtKayla was. “It’s a guy.” Then he seemednot to be sure, saying he’d heard it wassomeone who shared the “Kayla”identity with a group of transgenderhackers. “I don’t know what the fuck itis. They’re all weird transvestites andshit. I’m brain-fucked about it.”

In any case, on that cold morning inSeptember 2011, Kayla’s once-prolificTwitter feed as @lolspoon went quiet.(It has remained inactive ever since.)Then in March of 2012, as the FBI gotready to go public with the truth aboutSabu, British authorities got the go-ahead to charge Ryan Ackroyd with two

counts of conspiracy to hack a computernetwork.

On March 6, 2012, Fox News, thesubject of multiple taunts by Anonymousand LulzSec and at least one hack in2011, announced to the world that Sabu,the “world’s most wanted hacker,” wasan FBI informant.

“EXCLUSIVE: Infamous InternationalHacking Group LulzSec Brought Downby Own Leader,” the headline read. Foxhad been working on the story formonths and sourced much of its infofrom FBI officials and a few hackerswho knew Sabu. It outed Sabu as HectorMonsegur and reported that police werearresting and charging five other men,largely based on evidence that Hector

“Sabu” Monsegur had gathered.“This is devastating to the

organization,” the story quoted an FBIofficial as saying. “We’re chopping offthe head of LulzSec.”

Every major news outlet picked up onthe item, most of them sourcing the Foxstory. Journalists descended on theJacob Riis housing projects, takingpictures of Sabu’s apartment door;knocking on it but hearing nothing.Others talked to the neighbors, who gaveHector Monsegur mixed reviews. Hehad been quiet but friendly, they said,and would smile at people he passed byin the hall. One elderly neighbor wholived below confirmed she hadcomplained to the Manhattan community

board about the sounds of “shoutingchildren, barking dogs, screaming and‘pounding’” that came from hisapartment, usually lasting until fouro’clock in the morning.

The snitch revelations stunnedthousands of people who followed orsupported Anonymous. Some of the morepopular Anonymous Twitter feedssimply tweeted the news, unable toprovide much comment. One suggestedthe arrests were like cutting off the headof a hydra; more would grow back.Anonymous, the implication was, wouldbounce back from this.

Jennifer Emick had a field day,pointing out on Twitter that Anonymouswas now as good as dead.

Gabriella Coleman, a Wolfe Chair inScientific and Technological Literacy atMcGill University in Montreal, was oneof the rare few to meet Sabu in personwhile living in New York. He was notso different from his online persona, sheremembered. Though she’d studiedAnonymous for years, Coleman was inshock. She had suspected Sabu was upto something (why else would he meet?),but on the day the news came out sheclaimed it was “an all together differentthing to experience it and know it.” Justbefore he was outed, Sabu had beenallowed to notify family and friends bytelephone of what was about to happen.Coleman was one of the people hecalled. When recounting that final

conversation, Coleman described it as“part apology, part ‘It-is-not-what-it-seems.’”

When key people in Anonymous andAntisec heard the news, there was shockat the extent of Sabu’s cooperation. Butthere was just as much surprise at whatthe FBI had been privy to during theirexploits on Stratfor, the intercepted FBI-conference call, and other attacks.

“If I was Stratfor, I’d be pretty pissedoff at the FBI,” said one hacker. “Theywere basically sacrificed to arrest oneguy [Jeremy Hammond]. What the fuckman…what kind of investigation isthis?” Other hackers who had consortedwith Sabu were now “freaking out” andmany said they would go dark for some

time.“I knew something was shifty,” Jake

Davis said soon after hearing about theextent of Sabu’s betrayal against thepeople he had started LulzSec with. Jakewas, as usual, cool about the news. Hedid not seem angry at Sabu, perhapsbecause he had already built upresentment against the former friend whohad pushed him to take up the Antiseccause. What shocked Jake more washow the FBI had apparently carried outtheir investigation by monitoring cyberattacks as they happened. “I didn’t thinkthe FBI were that insane.”

Now it was clear: Sabu, Topiary, Kayla,Tflow, and Pwnsauce, five of the six

core members of LulzSec (it is notknown what happened to AVunit) hadbeen arrested. It seemed almostimpossible to become a hero inAnonymous and avoid handcuffs. But didthat spell the end of Anonymous? Jake’sfinal tweet as Topiary had been “Youcannot arrest an idea,” and it rang true.In Anonymous, there were no realleaders but symbols and smaller groupswho occasionally worked together.There were even different cultures: theold-school EFnet hackers like Sabu whohad embraced the vision of Antisec, the4chan users like William who lovedAnon because it helped him “waste anight.” And there were those who fellsomewhere in between, like Topiary,

Kayla, and Tflow, who saw Anonymousas a broad means to find fulfillment,have new experiences, and make adifference in the world in a way thatsuited their enjoyment of computers andthe Internet. Tying Anonymous alltogether and destroying it wasimpossible.

This was a phenomenon that camefrom the nascent world of memes, crowdsourcing, and social networks, thingsthat had a viral-like quality that couldnot be predicted, controlled, or stopped.As some members were arrested, othersjoined. The FBI said that they were“chopping off the head of LulzSec,” butby March of 2012, after LulzSec hadbeen disbanded for more than nine

months, other hacker cells were takingup the Antisec cause; in February of2012 alone, supporters of Anonymoushad taken credit for attacking thewebsites of the CIA, Interpol, Citigroup,and a string of banks in Brazil, amongother targets.

Then there was the growinginternational movement called“Occupy,” which emerged in September2011 and saw tens of thousands take tothe streets in major capitals to protestsocial and economic inequality, oftenusing the slogan “We are the 99%.”Activist-style supporters of Anonymouslargely showed their support forOccupy, promoting it on Twitter andblogs and wearing the V for Vendetta

masks at protests. Police had arrestedmore than 6,800 people in connectionwith the Occupy movement as of April2012, by which time it had gone intohiatus. But as observers marveled athow this apparently leaderless globalcrowd could organize itself soextensively online and in physicaldemonstrations, they only had to look atAnonymous to see it had already beendone before.

For the FBI, getting Sabu as aninformant had been a coup, but chasingthe day-to-day glut of bragging, secretdiscussions, conspiracies, and threatsprobably soon turned into a bureaucraticnightmare. Although they had Sabuworking for them for eight months, it is

not clear how instrumental he was ininitially identifying any of the fivehackers that were charged on March 6—at most, he may have helped drum upcharges.

Sabu was outed, but Anonymousseemed to refuse to be destroyed. Laterthat evening on March 6, a group ofhackers announced that Anonymous hadhacked into and defaced the website ofPanda Securities, the same IT companythat had observed the Anonymous DDoSattacks on PayPal in December of 2010.Their message: it isn’t over.

Then, over the subsequent days, thehackers who had worked with Sabubrainstormed about new ways to worktogether.

“Sabu’s shit makes things differentnow,” said one. “We mistrust a lotmore.” By mid-March the hackers werediscussing other methods of talking toone other besides IRC and how theycould raise standards for new people tojoin private discussions. Anonymous asan activist movement would stay public,but the hacking activities would gofarther underground. Anonymous hademerged from the shadows, the hackeradded, and it would go back into thedark for a while. “But don’t worry. Weexist.”

Anonymous had already beenchanging. The software tools itssupporters used, for instance, werebecoming easier to disseminate. When

members of Anonymous launched DDoSattacks on several companies in Januaryof 2012 to protest the shutdown ofMegaupload, a video-streaming site,they didn’t use the traditional LOICprogram. There was no need todownload anything. By then, supporterscould launch LOIC directly from a webbrowser. That meant that by posting alink on Twitter or Facebook, organizerstricked hundreds, perhaps thousands, ofoblivious web surfers into joining theattack. The attack method, dubbedmobile LOIC by digital securitycompany Imperva, was used as early asAugust of 2011 in the first of severalDDoS attacks against the Vatican andbecame more popular over the following

months.By early 2012, Anonymous attacks

were no longer carried out by thousandsof volunteers, as with the Paybackattacks for WikiLeaks. Just likeChanology’s real-world protests, theywere a one-off, as if Anonymous waslearning what worked and what didn’t.Anonymous was shifting from massgatherings and DDoS attacks to smallgroups stealing data, like LulzSec. Forthis, more were using the web toolHavij. After LulzSec used it to collatedata during the PBS heist, a splintergroup called CabinCr3w used Havij (orsomething like it) to expose the personaldata of five hundred police officers inUtah, while other Anons used Havij to

try to steal data from the Vatican inAugust 2011. Imperva’s studies showedthat only a year after its creation by whatare believed to be Iranian programmers,Havij had become, by the summer of2012, one of the most popular tools forSQL injection attacks. The program wasso simple that one Imperva executivetaught his eleven-year-old how to use itin fifteen minutes. The free-to-downloadtool performed SQLi automatically, evenfiltering data into helpful categories like“Passwords” and “Credit cardnumbers.” With the right free programsand just a few clicks, it seemed almostanyone could be a hacker.

Of course, keeping the idea ofAnonymous alive would be complicated.

The media, police, and even the hackersthemselves had their own concepts ofwhat it really was: an idea, a movement,a criminal organization, and other thingsbesides. By March of 2012, the publicand parts of the media still seemed tothink that Anonymous was a very largegroup that made plans and carried themout in an orderly way. Though the notionwas deeply misguided, it wasunderstandable. A newfangledphenomenon like Anonymous, born ofthe Internet itself, was something societywould struggle to make sense of at first.On top of that, the mystery surroundingwhat really happened inside the hive-mind had left just enough room for thepublic to create its own versions of the

Anonymous narrative, just as whenTopiary had spun a vague tale aboutgetting raided when he wanted to leaveAnonOps. Anonymous wasn’t just agroup or a process; it was also a storythat people were telling themselvesabout how the Internet was fighting back.Anons could grab headlines by simplytweeting a threat, which is why thepower of Anonymous spoke to thepower of myth. Anonymous was anotherexample of social engineering, on a massscale. It was not too dissimilar fromKayla herself.

Over the past few years, the onlineentity Kayla had been telling her friendsdifferent stories about who she was inreal life, tempting them to try to piece

together a puzzle of her real identity. Ateenage girl who hated her father; ateenage girl who loved him. In the end,though, her hacker colleagues stoppedbeing interested in the truth.

“We told her we’d prefer her to lie tous,” one longtime friend remembered.“We all loved the story. I don’t think wecared if it was true or not.” Likechildren wanting to keep the magic ofSanta Claus alive a little longer afterstarting to doubt his existence, to herhacker friends, Kayla’s story hadbecome more important than the truthitself.

This spoke to the constant strugglewithin Anonymous: weighing the ethosof anonymity and lies that came with it

against the need for trust and truth.Anons have spoken of how persistentlying detached them from reality and“warped” their ethics. It was hard forsomeone to remember what he wasultimately trying to achieve when he wasconstantly lying to others. Even Sabustarted to believe his own lies by openlyclaiming to the police that he was afederal agent.

During Operation Payback, thousandsof new volunteers had trusted AnonOpsoperators who claimed that using LOICwould not lead to arrest. That was naiveof the volunteers, but there was alsomanipulation at work, or at least a majorsplit in motives. The operators in#command had quietly latched onto the

idea of avenging WikiLeaks, because itwould lead to publicity for their newchat network. They hungered for thekudos of having thousands of peoplevisit their channels and follow theirorders. Then the botmasters hit PayPal,MasterCard, and Visa to show off theirpower. The thousands of volunteerswere oblivious to this, believing theywere part of a digital sit-in, for a causethey cared about. Similarly, in 2008Gregg Housh and his #marblecake teamhad thought they were spearheading themother of all pranks, but Chanology hadturned into serious activism. In manyways, Anonymous could be like a scam—with people attracted to thecamaraderie, learning, and new

experiences, but coming awaydisillusioned by the disorganization, bigegos, and sobering reality of arrest. ButAnonymous was something else too: agateway to political activism, a strangebut compelling elixir to the apathyamong young people in today’s real-timesociety.

These were issues Anonymous woulddeal with over time. No single personwould make a final decision about howit evolved; it would be a collectiveeffort. People from this currentgeneration of Anonymous would leave,having had enough of the Sabu drama.But plenty of newcomers would taketheir places and make changes. And afew, including hackers that were there

during #InternetFeds or even Chanology,would stick around. A few have indeedstuck around so far.

“They still haven’t caught Kayla,”said Emick on March 6, the day Sabuwas outed. “It’s an 18-year-old boy inCalifornia.” She laughed, then went backonline. Emick was still carrying on withher investigations, trying to track downwho Kayla really was. She was sure itwas a composite name that more thanone person had used and that while RyanAckroyd was getting charged for someof her offenses, others remained at large.If Anonymous could share a collectiveidentity, why couldn’t Kayla?

As for Jake, the Internet ban gave hima chance to reflect on the Web itself, a

new entity that has become an integralpart of everyone’s life. In February 2012he put a USB flash drive in the mail, andon it was this short missive—his viewof how the Internet looks at us:

Hello, friend, and welcome tothe Internet, the guiding lightand deadly laser in our hectic,modern world. The Internethorde has been watching youclosely for some time now. Ithas seen you flock to yourFacebook and your Twitterover the years, and it hasseen you enter its home turfand attempt to overrun itwith your scandals and “realworld” gossip. You need toknow that the ownership of

cyberspace will alwaysremain with the hivemind.The Internet does not belongto your beloved authorities,militaries, or multi-millionairecompany owners. TheInternet belongs to the trollsand the hackers, theenthusiasts and theextremists; it will never ceaseto be this way.

You see, the Internet haslong since lost its place intime and its shady collectivecontinues to shun the factthat it lives in a specific yearlike 2012, where it has to abideby 2012’s morals and 2012’ssociety, with its rules and itspunishments. The Internetsmirks at scenes of mass rape

and horrific slaughteringfollowed by a touch ofcannibalism, all to the soundof catchy Japanese music. Itsimply doesn’t give tuppenceabout getting a “job,” gettinga car, getting a house, raisinga family, and teaching themto continue the loop while thehuman race organizes itsown death. Custom-platedcoffins and retirement plansmade of paperwork…theInternet asks why?

You cannot make theInternet feel bad, you cannotmake the Internet feel regretor guilt or sympathy, you canonly make the Internet feelthe need to have more lulz atyour expense. The lulz flow

through all in the facelessarmy as they see the twintowers falling with a dancingHitler on loop in the bottom-left corner of their screens.The lulz strike when theyopen a newspaper and carenothing for any of theworld’s alleged problems.They laugh at downward redarrows as banks andbusinesses tumble, and theylaugh at our gloriousgovernment overlords tryingto fix a situation by throwingmore currency at it. Theylaugh when you try to makethem feel the need to “makesomething of life,” and theylaugh harder when you callthem vile trolls and heartless

web terrorists. They laugh atyou because you’re notcapable of laughing atyourselves and all of thepointless fodder they believeyou surround yourselves in.But most of all they laughbecause they can.

This is not to say that the Internet isyour enemy. It is your greatest ally andclosest friend; its shops mean you don’thave to set foot outside your home, andits casinos allow you to lose your moneyat any hour of the day. Its many chatrooms ensure you no longer need tointeract with any other members of yourspecies directly, and detailed socialnetworking conveniently maps yourevery move and thought. Your intimate

relationships and darkest secrets belongto the horde, and they will never beforgotten. Your existence will forever beencoded into the infinite repertoire ofbeautiful, byte-sized sequences, safelyhoused in the cyber cloud for all toobserve.

And how has the Internetchanged the lives of its mosthardened addicts? Theysimply don’t care enough totell you. So welcome to theunderbelly of society, theanarchistic stream-of-thoughtnebula that seeps its way intothe mainstream world—yourworld—more and more everyday. You cannot escape it andyou cannot anticipate it. It isthe nightmare on the edge of

your dreams and theominous thought that clawsits way through your onlinelife like a blinding virtualforce, disregarding yourphilosophies and feasting onyour emotions.

Prepare to enter thehivemind, motherfuck.

Since 2008, Anonymous had destroyedservers, stolen e-mails, and takenwebsites offline. But in the collectiveact of social engineering, its greatest featwas in getting people to believe in thepower of its “hivemind.” This was whatattracted the supporters, what got themarrested, and what inspired others toavenge their arrests. Anonymous washow a new generation of computer-

savvy individuals could show the worldthat they had a voice, and that theymattered.

What they do next has yet to bewritten. These small groups of youngpeople from around the world, oftenmale, often poor and unemployed, whomostly just talk together in Internet chatrooms, have finally managed to grabhold of the public consciousness. Theyare still holding on, and they will not letgo.

Acknowledgments

This book would never have happenedwere it not for the contributions ofseveral key individuals. First andforemost is Jake Davis, who has givenunceasingly helpful and clear insightsinto the bewildering world ofAnonymous, LulzSec, and Internetculture generally. There is more fromDavis than I could fit in this book, and Imaintain that he should, at some point,write a book of his own. I would nothave first started talking to Davis backin December of 2010 were it not for acrucial e-mail introduction from Gregg

Housh, whose own role in the history ofAnonymous is detailed in chapter 5. Atthat time I had just started coveringAnonymous for Forbes on its newblogging platform, but, being based inLondon, I was interested in speaking to aU.K. representative. I asked Gregg if hecould recommend anyone, and he gaveme a general e-mail address forAnonOps. It turned out that one of thepeople manning that address was Jake“Topiary” Davis. As I exchanged e-mails with this address, I became evenmore intrigued. This representativespoke confidently as “we” whenreferring to Anonymous, yet maintainedthat theirs was a fluid system, allowingjobs to be carried out by “anyone and

everyone.” I asked how he had foundAnonymous and I was told about imageboards. I’d never heard of them. “I knowit sounds a bit silly,” he added, “but itreally is a whole different world onceyou’re refined to it. You start seeingthings differently in life.” I found thisfascinating. When this person thenrevealed that his nickname was Topiary,I Googled the word and found referencesto gardening. Who were these people?

After covering the HBGary attack, Istruggled to figure out where to take thestory next and called Forbes managingeditor Tom Post seeking answers. Afterlistening to me ramble on about socialmedia vulnerabilities, he gave me whatwas probably the most valuable advice I

received all year: “Marshal everythingyou have on Anonymous that has notbeen reported, then let’s find a focusthere.” He told me to find out more aboutthe people behind Anonymous, likeTopiary. I took his advice and ran withit. The idea for a book came to me aftersome initial encouragement from staffersat Forbes in February of 2011, includingthe magazine’s cyber security writer,Andy Greenberg. Andy would laterbecome a brother in arms as we bothgrappled with the book-writing process—he has written a book aboutWikiLeaks, and hacktivism, published in2012. From there I went on to gaininvaluable advice and mentoring fromEric Lupfer at William Morris, whom I

cannot thank enough for having helpedme write and then rewrite a decent bookproposal.

By now I had met (via e-mail) theextraordinary young man referred to inthis book as William. That started whenhe first tried to friend me on Facebook,then sent a cryptic, direct message:“Hello. What would you like to know?In return for answering what you ask,may I ask some questions of you? I’dreally appreciate a response, negative orotherwise. Thank you, Chelsea.” Notknowing who or what this “Chelsea”was, I ignored the message. A weeklater another message came: “Pleasedon’t ignore me, it’s rude.” And then: “Isit really too much to ask to get a simple

dialogue going?” Today I am gratefulthat I did, not only because I might haveotherwise ended up on the receiving endof one of his “life ruins,” but because Ieventually discovered someone far morearticulate, helpful, and forthcoming thanWilliam’s original message suggested.Though he will come across to many asa somewhat vindictive individual,William has answered almost everyquestion I have ever asked him about4chan, Anonymous, his life, and even thedarker corners of his own mind. For that,and for helping to give this book animportant insight into 4chan culture, hedeserves enormous thanks.

Among the other key people whodeserve acknowledgment: Forbes’s

chief product officer, Lewis D’Vorkin.He met some skepticism when he firstestablished the Forbes contributorplatform in the summer of 2010, whichcompletely changed the way journalistsat the publication posted online stories.But this book would never havehappened if D’Vorkin had not made thatbold and rather brilliant move. It gavejournalists like me the freedom to pursuethe stories that truly intrigue us, and thenthe ability to measure how much ourreaders are intrigued by them, too.Thanks to D’Vorkin’s completerevamping of the architecture of Forbes,I could see there was a healthy appetitefor stories about the world ofAnonymous, and now had an

unprecedented opportunity to chasethose stories down. The Forbestechnology editor, Eric Savitz, who isalso my boss, has given me a wealth ofhelpful encouragement on this book.Coates Bateman, Forbes’s executiveproducer of product development, hasbeen an invaluable collaborator withthis book’s publisher, Little, Brown,w h i l e Forbes’s legal counsel KaiFalkenberg has also offered me soundadvice on legal matters.

I am grateful to all the other peopleassociated with Anonymous that I spoketo for this book, including LulzSec’score members Hector “Sabu” Monsegur,Kayla, Tflow, AVunit, and Pwnsauce,along with Barrett Brown, Laurelai

Bailey, Jennifer Emick, and a number ofothers who have asked to remain,fittingly enough, anonymous. Thoughsome of these people, particularlyhackers, were not always completelyforthcoming, or honest, when speaking tome, I was fortunate, as a journalist, thatthey would speak to me at all. Manyhave asked how I was able to get accessto people who frequented such hard-to-reach corners of the Web, and theanswer is that I had enormous help fromsources who made introductions andvouched for me. I also believe thatpeople, no matter how sociopathic,narcissistic, or duplicitous they mayseem to be, have a genuine urge to telltheir stories and carve out some sort of

legacy. I believe that is why it helpedthat, when I first started speaking inMarch 2011 to the hackers who hitHBGary and then formed LulzSec, I toldthem their interviews would becontributing to a book I was writingabout Anonymous.

In addition, Gabriella Coleman, nowWolfe Chair in Scientific andTechnological Literacy at McGillUniversity in Montreal, Canada,regularly provided me with a refreshingdose of clarity on who Anonymous wasas a collective and how it worked.Coleman has shown extraordinarydedication to studying the Anonymousphenomenon. She has spent more timespeaking to a broader base of regular

Anons on IRCs than I likely did for thisbook, and she is rightly seen as theexpert on Anonymous and its evolution.Be sure to keep an eye out for herforthcoming book on Anonymous in thenext year or so.

Sincere thanks goes to my formercolleagues at Forbes Anita Raghavan,who offered some smart advice on mybook proposal, and Stephane Fitch, whoalso introduced me to David Fugate ofLaunch Books. David has provedhimself to be a brilliant and continuallysupportive agent who helped me find thebest possible publisher in the form ofLittle, Brown. From the beginning of myrelationship with Little, Brown, I havebeen impressed with the company’s

genuine, solid championing of this bookand with the clear and incisive editingby John Parsley. Given the subject’sintricacies and complexities, its multipleidentities and sometimes unreliablestorytellers, I can imagine that We AreAnonymous might have been atroublesome manuscript for someeditors, but John did a masterful job ofkeeping me focused. He helped me tellthe story as clearly as possible, andaided me with just the right amount ofeditorial intervention.

I must finally acknowledge mywonderful circle of friends and family,whose constant support andencouragement kept me going through thesometimes ulcer-inducing process of

researching and writing this bookthrough most of 2011 and early 2012.Those friends include MiriamZaccarelli, Natalie West, Luciana andElgen Strait, Victor Zaccarelli, NancyJubb, Il-Sung Sato, Anthea Dixon, LeilaMakki, and ethical hacker MagnusWebster. My father has been my numberone cheerleader for writing this book,while my husband has shownunbelievable support and patience as Iworked my way from idea to proposal tomanuscript. Another member of myfamily who did not know about the bookbut has been a guiding light in spite ofthat fact was my grandmother, who diedon the day I finished revising the finaldraft of the manuscript and to whom this

book is dedicated. Though she wasninety-six years old and hailed from afarming village on a remote volcanicisland in the Azores, I think even shewould have found something familiar inthe stories that underlie Anonymous andits adherents. Despite their modern,mysterious world, steeped in jargon andtechnobabble, I think she might haveseen, as I did, that Anonymous is a veryhuman story.

Timeline

November 5, 1994—In one of thefirst known acts of hacktivism and cyberdisobedience, a group called the Zippieslaunches a DDoS attack on U.K.government websites, taking them downfor a week starting on Guy Fawkes Day.

1999—The Anti Security movement isspawned, as a post on the anti.security.iswebsite calls to end the full disclosureof known website vulnerabilities andexploits.

September 29, 2003—Christopher“moot” Poole registers 4chan.net. (It isnow 4chan.org.)

March 15, 2006—Jake Brahm,twenty years old, posts fake threats on4chan about detonating bombs at NFLstadiums; two years later he is sentencedto six months in prison.

July 12, 2006—Users of 4chan’s /b/raid Habbo Hotel, a virtual hangout forteens. They join the online game enmasse and flood it with avatars of ablack man in a gray suit and an Afrohairstyle, blocking the entrance to thevirtual pool and forming swastikas. Thisspawns the “pool’s closed” meme.

January 2007—Controversialblogger and radio show host Hal Turnertries and fails to sue 4chan after users on/b/ launch a DDoS attack on his website.

June 7, 2007—Partyvan’s

/i/nsurgency site is founded as aninformation hub on raids and, later,communications through theestablishment of the Partyvan IRCnetwork.

July 2007—A Fox News affiliate inLos Angeles describes Anonymous as“hackers on steroids” and an “Internethate machine.”

January 15, 2008—Gawker posts avideo of Tom Cruise that the Church ofScientology has been trying to suppress.The church issues a copyright violationclaim against YouTube. In response, anoriginal poster on /b/ calls on 4chan to“do something big” and take down theofficial Scientology website. Using aweb tool called Gigaloader, /b/ users

manage to take down Scientology.org,keeping it down sporadically untilJanuary 25, 2008.

January 21, 2008—A handful ofChanology participants publish a videoon YouTube of a robotic voice declaringwar on Scientology. The following daythousands more people join in the IRCchannel where Chanology attacks arebeing discussed.

January 24, 2008—Anonymouslaunches a bigger assault onScientology.org, taking the site offline.

February 10, 2008—Anonymoussupporters don masks from the film V forVendetta and hold protests outsideScientology centers in key cities aroundthe world, such as New York, London,

and Dallas, Texas.Late 2008—Protests and cyber

attacks against the Church of Scientologywind down as supporters lose interest inthe cause.

January 25, 2010—Anonymoussupporter and engineering student BrianMettenbrink pleads guilty todownloading and using the Web toolLOIC to attack Scientology as part ofProject Chanology and is sentenced to ayear in prison.

September 17, 2010—Supporters ofAnonymous launch a DDoS attack onIndian software company Aiplex after itadmits to launching its own DDoSattacks on BitTorrent site The PirateBay. Anonymous launches several more

attacks against copyright companiesunder the banner Operation Payback.Supporters collaborate on an array ofIRC networks.

October 2010—The FBI startslooking into the Anonymous attacks oncopyright companies ahead of what willbecome a full-blown internationalinvestigation.

November 3, 2010—Anonymoussupporters with server resources set upAnonOps IRC, a more stable chatnetwork to host discussions aboutOperation Payback and otherAnonymous operations.

November 28, 2010—Fivenewspapers begin publishing U.S.diplomatic cables that have been fed to

them exclusively by whistle-blowerorganization WikiLeaks. Over the nextfew days, a hacktivist known as TheJester launches a DDoS attack onWikiLeaks.org, taking it offline.

December 3, 2010—Online paymentgiant PayPal announces on its blog that itis cutting off funding services toWikiLeaks, which relies on donations.Shortly thereafter, a few organizers inthe #command channel on AnonOps IRCcoordinate a DDoS attack on the PayPalblog.

December 4, 2010—Anannouncement posted on Anonops.netstates that Anonymous plans to attack“various targets related to censorship”and that Operation Payback has “come

out in support of WikiLeaks.”December 6, 2010—Organizers on

AnonOps launch a DDoS attack onpostFinance.ch, a Swiss e-paymentcompany that has also blocked fundingservices to WikiLeaks. Roughly 900people join in the #operationpaybackchat room on AnonOps and around 500join in the attack by using LOIC.

December 8, 2010—AnonOpslaunches a DDoS attack on PayPal.com,using 4,500 volunteers with LOIC butonly becoming successful when oneperson using a botnet takes the site fullyoffline. Some 7,800 people have nowjoined the #operationpayback chat room.Later that day they hit MasterCard.comand Visa.com, which have also nixed

funding services for WikiLeaks, takingboth sites offline for about twelve hours.

December 9, 2010—Botnetcontrollers who had previously helpedtake down PayPal.com,MasterCard.com, and Visa.com turn onthe operators of AnonOps and startattacking the IRC network, upsetting aplanned attack on Amazon that day.

December 11, 2010—Dutch policearrest nineteen-year-old Martijn“Awinee” Gonlag for using LOIC toparticipate in an Anonymous DDoSattack, among the first of scores morearrests in Europe and the United Statesover the next year.

December 15, 2010—A member ofPayPal’s cyber security team gives a

USB thumb drive to the FBI that containsthe IP addresses of 1,000 individualswho had used LOIC to attack PayPal.

Mid-December 2010—AnonOpsadministrators grapple with maintenanceas their network is continually attacked,leaving them unable to oversee strategy.As a result, Operation Payback splintersinto several side operations, such asOperation Leakspin, OperationOverLoad, and an attack on SarahPalin’s official website.

Mid-December 2010—A fewtechnically skilled supporters ofAnonOps create a private IRC channeloff the network called #InternetFeds,where about thirty black hat hackers—such as Sabu, Tflow, and Kayla, along

with other interested Anons who havebeen offered invitations to the channel—can discuss future operations.

Early January 2011—The hackers in#InternetFeds discuss raids againstwebsites of repressive Middle Easternregimes like Tunisia, where populardemocratic uprisings are currently takingplace. The hacker Tflow writes a Webscript that allows Tunisians tocircumvent government Web snooping,while Sabu hacks and defaces thewebsite of the Tunisian prime ministerwith a message from Anonymous.

Mid- to late January 2011—Members of #InternetFeds continue tocollaborate on hacking and defacing thewebsites of other Middle Eastern

governments, including Algeria andEgypt.

January 27, 2011—British policearrest five men in connection with theOperation Payback attacks on PayPal,MasterCard, and Visa, includingAnonOps operators nicknamed Nerdoand Fennic.

February 4, 2011—A small group ofhackers from #InternetFeds meets inanother private IRC channel to discussan attack on IT security firm HBGaryFederal, after its CEO is quoted in theFinancial Times that day as saying thathe was investigating Anonymous and haduncovered the true identities of its coreleaders.

February 6, 2011—News breaks that

“Anonymous” has stolen tens ofthousands of Aaron Barr’s corporate e-mails, as well as those of two executivesat sister company HBGary Inc.; it alsotakes over his Twitter feed and DDoSesand defaces his site.

Early to mid-February—The samegroup from #InternetFeds publishesAaron Barr’s private e-mails on an e-mail viewer. Journalists and supportersdiscover Barr had been proposingcontroversial cyber attacks onWikiLeaks and opponents of the U.S.Chamber of Commerce. Barr resigns.

February 24, 2011—Anonymousconducts a live hack and deface of awebsite belonging to the controversialWestboro Baptist Church, while

Anonymous supporter Topiary confrontsa Westboro representative on a radioprogram. The resultant YouTube videoreceives more than one million hits.

Mid- to late February 2011—Jennifer Emick, a former supporter ofChanology turned anti-Anonymouscampaigner, decides to investigate thetrue identities of key Anonymous hackersand supporters and uncovers detailsabout Sabu, aka Hector Monsegur.

Mid-March 2011—Emick and ahandful of colleagues publish a list ofseventy names, including Monsegur’s,under the guise of a cyber securitycompany called Backtrace. Soon after,Emick is contacted by the FBI.

April 1, 2011—Supporters of

Anonymous publish a digital flyerdeclaring war on Sony after the companysues a hacker named George “Geohotz”Hotz. They follow this up with a DDoSattack on Sony websites and the SonyPlayStation Network, greatly upsettinggamers.

April 7, 2011—Organizers withAnonymous call off the DDoS attacks onSony, saying they do not wish to disruptthe PlayStation Network, but the networkremains offline for the rest of the month.

April 2011—Topiary and Sabudiscuss breaking away from Anonymous,then decide to get the team of attackersbehind the HBGary assault back togetherto collaborate on more raids. Thehackers Tflow and Kayla rejoin Topiary

and Sabu, along with anotherAnonymous supporter named AVunitand, later, an Irish hacker nicknamedPwnsauce. The group of six forms ahacker splinter group that is notconstrained by even the loosestprinciples of Anonymous—such as notattacking media companies. They callthe group LulzSec. They begin scouringhigh-profile websites for vulnerabilitiesthat “rooters” like Sabu and Kayla canthen exploit to steal and publish data.

May 2, 2011—Sony announces anintrusion to its network in mid-April,which has compromised the personaland financial details of more than 75million PlayStation Network accounts.Though Anonymous has not taken

responsibility, Sony later claims that thehackers left a file marked with the words“Anonymous” and “We Are Legion.”

May 9, 2011—A former operatorwithin AnonOps goes rogue, publishinga list of 653 usernames and IPaddresses, which, if not protected withVPNs or other proxies, could identifythe people behind them.

May 7, 2011—LulzSec announces onTwitter, via the new account @lulzsec,that it has hacked Fox.com and publisheda confidential database of potentialcontestants in the TV talent show The XFactor.

May 30, 2011—LulzSec hacks intothe computer network of PBS after itsPBS NewsHour program broadcasts a

documentary on WikiLeaks that thegroup claims to dislike. LulzSecpublishes a list of e-mail addresses andpasswords for PBS employees, whileTopiary writes a spoof news articleabout the murdered rapper Tupac Shakurbeing found alive, publishing it throught h e PBS NewsHour website. Thegroup’s founders discuss forming asecond-tier network of trustedsupporters, many of them hacker friendsof Sabu’s.

June 2, 2011—LulzSec announces itshack on SonyPictures.com and says thatthe group has compromised the personalinformation of more than one million ofthe site’s users.

June 3, 2011—LulzSec defaces the

website of Atlanta InfraGard, an FBIaffiliate, and publishes a list of e-mailsand passwords for 180 users of the site,some of whom are FBI agents.

June 6, 2011—LulzSec receives adonation of 400 Bitcoins, worthapproximately $7,800 at the time.

June 7, 2011—Two FBI agents visitHector “Sabu” Monsegur at his home inNew York and threaten to imprison himfor two years for stealing credit cardinformation if he does not cooperate.Monsegur agrees to become an informantwhile continuing to lead LulzSec.

June 8, 2011—The LulzSec hackersnotice that Sabu has been offline fortwenty-four hours and worry he has been“raided” by the FBI. Later that night,

U.K. time, Topiary makes contact withSabu, who claims that his grandmotherhas died and that he will not be activewith LulzSec for the next few days.

June 15, 2011—LulzSec claimsresponsibility for launching a DDoSattack on the official website of the CIA.The attack has been carried out byformer AnonOps operator Ryan, whowields a botnet and now supportsLulzSec.

June 16, 2011—A representative ofWikiLeaks contacts Topiary to say thatcore organizers want to talk to LulzSec.He and Sabu eventually hold an IRCdiscussion with a WikiLeaksrepresentative and someone purportingto be Julian Assange. The representative

“verifies” Assange’s presence bytemporarily uploading a YouTube videothat shows their IRC chat happening inreal time on a computer screen, thenpanning to show Assange on his laptop.The group discusses ways in which theymight collaborate.

June 19, 2011—LulzSec publishes apress release encouraging the revival ofthe Anti-Security (or Antisec) movementand advocating cyber attacks on thewebsites of governments and theiragencies.

June 20, 2011—Galvanized by thesurprisingly large response to theAntisec announcement, Ryan uses hisbotnet to DDoS several high-profilewebsites, including Britain’s Serious

Organised Crime Agency. Later, at10:30 p.m. that evening in the U.K., he isarrested in his home.

June 23, 2011—LulzSec publishessensitive documents stolen from Arizonalaw enforcement, including the namesand addresses of police officers. Feelingthat they have gone one step too far,LulzSec members, including Topiary andTflow, discuss ending the group.

June 24, 2011—Topiary and Tflowtell AVunit and Sabu that they want toend LulzSec; a heated argument ensues.

June 26, 2011—LulzSec announces itis disbanding after “50 Days of Lulz.”

July 18, 2011—LulzSec comes backfor one more hack, uploading a spoofarticle about the death of News

International owner Rupert Murdoch onthe home page of his leading Britishtabloid, The Sun.

July 19, 2011—British policeannounce they have arrested a sixteen-year-old male who they claim is LulzSechacker Tflow.

July 27, 2011—Police arrestShetland Islands resident Jake Davis,whom they suspect of being LulzSec’sTopiary.

September 2, 2011—British policearrest twenty-four-year-old RyanAckroyd, whom they believe to beKayla.

December 24, 2011—Anonymousannounces that it has stolen thousands ofe-mails and confidential data from the

U.S. security intelligence firm Stratforunder the banner of “Lulz Christmas.”Sabu, who claims to be still at largewhile other LulzSec members have beenarrested, keeps tabs on the operationfrom private chat channels and feedsinformation about the attack’s organizersto the FBI.

March 6, 2012—News breaks thatHector Monsegur has been acting as aninformant for the FBI for the past eightmonths, helping them bring chargesagainst Jeremy Hammond of Chicagoand five people involved with LulzSec.

Notes and Sources

Part 1Chapter 1: The Raid

The opening pages, including

descriptions of Aaron Barr’searly career, home, and familylife, are based on interviewswith Barr conducted both on thephone and in a face-to-facemeeting in London. Furtherdetails about his work withHBGary Federal came from aninvestigative feature article onWired’s ThreatLevel blog, whichdug through his published e-mails and pieced together a

picture of his plans for thecompany along with theproposals he was making toHunton & Williams. The articlewas entitled “Spy Games: Insidethe Convoluted Plot to BringDown WikiLeaks,” bycontributor Nate Anderson. TheFinancial Times article in whichAaron Barr revealed hisforthcoming research wasentitled “Cyberactivists Warnedof Arrest,” by San Franciscoreporter Joseph Menn, and wasfirst published Friday, February4, 2011, then updated thefollowing day. Further details one-mails between Barr and Greg

Hoglund of HBGary Inc. prior tothe attack came from the HBGarye-mail viewer published by thehackers in mid-February.

The details about Sabu hackingcomputers as a teenager comefrom interviews with the hackerconducted via Internet RelayChat in April 2011, two monthsbefore he was arrested andbecame an FBI informant.Further details about being bornand raised in New York comefrom court documents after hisarrest later that year.

Throughout the book, personaldetails claimed by Kayla stemfrom interviews with the hacker

conducted between March andSeptember of 2011 via e-mailand Internet Relay Chat. Therumor about stabbing herwebcam with a knife came froman online interview withTopiary. Also throughout thebook, details about Topiarycome from online, phone, andface-to-face interviews with him(Jake Davis) between Decemberof 2010 and the summer of 2012.Details about Tflow come frominterviews with Topiary andTflow himself; the informationthat Tflow had invited Sabu andTopiary into the secret IRCchannel come from Topiary, one

other hacker who wished toremain anonymous, and Sabuhimself. Details of how thehackers planned the HBGaryattack, including how they usedthe website HashKiller to crackthe company’s passwords, camefrom interviews with Topiaryconducted via IRC and Skype(voice only).

Details of Barr’s research onAnonymous, including the “hastynotes like ‘Mmxanon—states…ghetto,’” came from his researchnotes, which were posted onlineby the hackers.

Dialogue between Barr and thehackers, including with

CommanderX, comes from chatlogs that were published online—partly via the Web toolPastebin, and also on the ArsTechnica article “(Virtually)Face to Face: How Aaron BarrRevealed Himself toAnonymous,” by Nate Anderson.The dialogue between Barr andTopiary, which ends “Die in afire. You’re done” comes from asnippet of the chat log that wascut and pasted to a Skypeconversation between me andTopiary a few days after theattack. Further details about theattack came from interviews withJake Davis, as well as online

interviews with Sabu, Kayla, andother hacker sources. Details ofthe February 2011 Super Bowlcome from various news reportsand from my viewing of theactual game while I wasfollowing online developmentsof the HBGary Federal attack.Although I had already beeninterviewing Topiary on aregular basis, the attack led tomy being introduced to others inthe group—first Kayla, thenSabu, then Tflow.

SQL reads like a stream offormulas. An example is: “Selectcreditcard from person wherename=SMITH.” If someone were

to perform an SQL injectionattack, they might inject codesaying, “Select a from b wherea=SMITH.”

How did the hackers know thatBarr was CogAnon? Topiarylater explained that, almostimmediately after seeing theFinancial Times story andbreaking into the HBGaryFederal network, one of themhad seen that his internal e-mailheaders listed the IP address ofhis VPN (virtual privatenetwork). Barr had used thissame VPN connection to log intoan Internet Relay Chat networkused by Anonymous, known as

AnonOps. The hackers only hadto hand over the IP address toone of the chat networkoperators, who ran a quicksearch. Sure enough, the nameCogAnon popped up.

Chapter 2: Williamand the Roots ofAnonymous

Details about how Christopher

Poole created 4chan come froman interview that Poole gave tothe New York Times Bits blog.The article, entitled “One onOne: Christopher Poole, Founderof 4chan,” was published onMarch 19, 2010.

I sourced the information onJapan’s 2chan from the 2004New York Times article

“Japanese Find a Forum to VentMost-Secret Feelings” andWired’s May 2008 story “MeetHiroyuki Nishimura, the BadBoy of the Japanese Internet.”

Further details about thedevelopment of 4chan, such asits “TWO TIMES THE CHAN”announcement on SomethingAwful, come from an article on4chan history by Web developerJonathan Drain, onjonnydigital.com. Moot’sreferral to /b/ as a “retard bin”comes from an announcement onthe 4chan “news” page,4chan.org/news?all, on October2, 2003.

Though the story of Shii’senforcement of anonymity on4chan is relatively well knownamong image board users, thedetails come from testimonyprovided on Shii’s website,shii.org.

Details about the life, viewpoints,and exploits of the young mannamed in this book as Williamcome from scores of e-mails andseveral face-to-face meetings, alltaking place between February of2011 and the summer of 2012.After telling me—in a meetingthat took place in July of 2011—the story of hacking “Jen’s” (nother real name) PhotoBucket

account, William e-mailed mephotos of Jen and “Joshua DeanScott.” I have the images on file.Scott’s photo, for instance,shows him holding a piece ofpaper reading “‘Jen’ owns myass 3/2/11.” He wears a blackbaseball cap, a lip ring, and ablack Converse shoe on top ofhis head, along with a slightsmile. On several occasionsWilliam e-mailed mescreenshots of the conversationshe was having with the people hetrolled on Facebook, as well asthe raid threads he sometimesparticipated in on /b/, tocorroborate his stories. The

pranks and online intimidation ofindividuals described in thisbook are only a small fraction ofthe many nightly exploits thatWilliam alerted me to.

Further details about /b/ and 4chanwere sourced from the memerepositories EncyclopediaDramatica (now redirecting toohinternet.com) andKnowYourMeme.com, as wellas interviews with Jake Davis.

Chapter 3:Everybody Get InHere

The vast majority of details about

Topiary’s early childhood andlife on Shetland come fromonline and face-to-faceinterviews with Topiary (JakeDavis) himself, with furtherdetails and corroboration comingfrom discussions with hismother, Jennifer Davis, after hisarrest. As of mid-April he wasliving in her home on bail,

awaiting a plea and casemanagement hearing at a Britishcrown court on May 11, 2012. Afew key details, such as the deathof his stepfather, Alexander“Allie” Spence, werecorroborated by newspaperreports. Descriptions of thescenery and lack of modernshops in Shetland come from myown one-day visit to Lerwick,where I first met Davis in lateJune 2011.

Details of Davis’s frequent prankcalls to the Applebee’srestaurant in San Antonio, Texas,are a result of interviews withDavis himself. Though he could

not provide recordings of theApplebee’s calls, he did provideaudio files of other similar prankcalls.

A common feature of /b/ raids wasa “surge” of users against anonline target, the idea usuallybeing to overwhelm them.Among the examples providedare spamming shock photos on aforum; this is a common tactic of/b/ users, and was most recentlyperpetrated on the comedy site9gag. The raid in which /b/warped the votes for TimeMagazine’s “Person of the Year”took place in 2009, when 4chanusers famously teamed together

to program a bot that wouldcrank out fake votes that putChristopher “moot” Poole at thetop of Time’s ranking. As wellas giving him an unfeasiblesixteen million votes, they gamedthe system so that the first lettersof the following twenty names inthe ranking spelled out the words“Marblecake also the game.”This was thought to be areference to the IRC channel inwhich much of ProjectChanology was organized in2008 (see chapter 5). Timemagazine provided details of thehack in a video and quoted mootas saying that he had no idea who

was behind the vote rigging.The stories of the Habbo Hotel raid

and Operation Basement Dadcome primarily from Davis’stestimony, but are alsocorroborated by online newsreports, such asReadWriteWeb’s April 16,2009, article “OperationBasement Dad: How 4ChanCould Beat CNN & AshtonKutcher” and, in the case ofHabbo Hotel, the April 8, 2009,Fox News article “4Chan: TheRude, Raunchy Underbelly of theInternet.”

Details of the origins of InternetRelay Chat come from the online

article “History of IRC” bycomputer consultant and hackerDaniel Stenberg, posted on hisw e b s i t e , http://daniel.haxx.se/.Some extra descriptions, such asthe numbers of IRC channels andnumbers of users in channels,come from my own explorationof IRC. The source for thecommon “Everyone get in here”feature is Jake “Topiary” Davis,and I have verified the phrase’sfrequent use through repositoriesfor image board content, such aschanarchive.org.

Chapter 4: Kayla andthe Rise ofAnonymous

Main sourcing on the backstory that

Kayla claimed about herchildhood and parents came fromonline interviews with Kaylaherself (I refer to the onlineentity as “her.”).

The source for the notion that Kaylalied about being a sixteen-year-old girl comes from my ownobservations and discussion withother hackers, with further

evidence coming from theMetropolitan Police’s arrest ofRyan Ackroyd in September2011. As of mid-April 2012, Icannot confirm that the person Iwas interviewing on InternetRelay Chat between March andSeptember of 2011 wasAckroyd. As far as rumors thatKayla was “a transgenderhacker,” Ackroyd did not appearto be transgender when he firstappeared in WestminsterMagistrates’ Court, then agedtwenty-five, on March 16, 2012.

The quote “Kayla seemed to have adeep need to tell stories to proveher value to others” comes from

reading comments by Kayla inthe leaked chat logs from #HQand #pure-elite during the daysof LulzSec, including those inwhich she boasted about attacksshe instigated during ProjectChanology. So elusive has Kaylabeen online that phone and face-to-face interviews conductedwith Hector Monsegur, JakeDavis, Aaron Barr, GreggHoush, Jennifer Emick, LaurelaiBailey, and other anonymoussources yielded little more thanspeculation about who she reallywas.

Background information on thetendency for some men to claim

to be women online comes fromconversations with hackers andgeneral knowledge from theworld of memes and Internetculture. The phrase “There areno girls on the Internet” has itsown entry inKnowYourMeme.com, fromwhich some of this context issourced, while the popular /b/comment “Tits or GTFO” comesfrom my own exploration of /b/and discussions with William.Incidentally, the list of 47 Rulesof the Internet has been widelypublished online.

In my explanation of IP addresses, Iam referring in this instance to

IPv4 addresses (which have nowsold out). The latest IPv6addresses are a combination ofnumbers and letters that aresegmented by colons.

Details about Partyvan weresourced from interviews with anorganizer from the time ofChanology who wished toremain nameless, interviewswith Kayla, and content on thepartyvan.info website, alsoknown as the /i/nsurgencyW/i/ki.

Details of the Fox L.A. televisionnews report from July 2007 weresourced from a YouTube videoof the report.

Chapter 5:Chanology

Details about the publication of the

Tom Cruise video come frominterviews with anti-Scientologycampaigner Barbara Graham ande-mails exchanged withjournalist Mark Ebner. PattyPieniadz wrote her own detailedaccount, entitled “The StoryBehind the Tom Cruise VideoLeak,” and posted it on the forumWhyWeProtest.net under thenickname “pooks” on September4, 2011; some of the first part of

this chapter is also sourced fromthis account. Descriptions of thevideo come from watching thevideo itself on YouTube.According to Ebner, ex-Scientologist and TV journalistMark Bunker had originallyuploaded the video to hisYouTube account and notifiedseveral of his media contacts.Then, a few hours later, he tookthe video down.

The detail about Viacom’s $1billion copyright lawsuit againstYouTube parent Google wassourced from various newsarticles, including the New YorkTimes story, “WhoseTube?

Viacom Sues YouTube OverVideo Clips,” published March14, 2007.

Text from the original discussionthread on /b/ about a raid onScientology on January 15 comefrom 4chanarchive.org. Therumor that the original poster on/b/ for the first anti-Scientologythread was female come from aninterview with Gregg Housh.

Details about DDoS attacks comefrom numerous Web articlesabout how such cyber attackswork, along with backgrounddiscussions with IT securityprofessionals and hackers fromAnonymous. The Graham Cluley

analogy about “15 fat men”originally comes from an August6, 2009, article by Cluley on theNaked Security blog of theresearch firm Sophos.Background on the 4chan attackon Hal Turner comes fromnumerous blog posts, as well asfrom archived 4chan threads.The point that one coulddownload “at least a dozen freesoftware tools” from 4chan’s /rs/board to take part in some sort ofDDoS attack comes from aninterview with Housh. Details ofphases 1, 2, 3, etc., and how /b/was hitting Scientology.org,specifically with Gigaloader,

come from an archive of theactual thread. Details aboutGigaloader come from piecingtogether and corroboratingvarious Internet forumdiscussions about the Web tool.

Details later on in the chapter aboutthe hundreds of people that piledinto the #xenu channel on IRC,then the move to physicalprotests and establishment of the#marblecake organizational hub,come from a phone interviewwith Gregg Housh and e-mailsexchanged with one otherChanology organizer whowished to remain anonymous.There also exists a timeline of

the main Chanology events on theaptly namedchanologytimeline.com.

Housh confirmed in an interviewthat he had been arrested forcopyright violations. Furtherdetails were sourced from a“motion for booker variance”filed through the U.S. DistrictCourt of New Hampshire onNovember 23, 2005. The motionshowed that Housh had pledguilty to one count of conspiracyto violate copyright laws, relatedto creating a computer programin the summer of 2001, whichautomatically searched for newsoftware. Details about Housh’s

family background were sourcedfrom the court motion and thesection “The History andCharacteristics of theDefendant.” The motion alsostates Housh was approached bythe FBI about the case in 2001,and that he sought to mitigate hisoffenses by cooperating with theBureau “for four years.” Furtherdetails about Housh serving threemonths in federal prison comefrom Housh’s interview with theHuffington Post in the story“Anonymous and the War Overthe Internet,” published onJanuary 30, 2012. Housh’s age ofthirty-five was also mentioned in

the interview.The factoid about 25,000

Scientologists in America in2008 originally comes from theAmerican Religion IdentificationSurvey, cited in a report by theAssociated Press.

Information on the posting ofinternal church documents by thenewsgroupalt.religion.scientology issourced from the January 2008Globe and Mail article“Scientology vs. the Internet, partXVII.”

The detail that XSS is the secondmost common hacking techniqueafter SQL injection is sourced

from the Web Hacking IncidentDatabase (WHID) of 2011, anonline database that tracksmedia-reported securityincidents and is led by RyanBarnett, senior securityresearcher on Trustwave’sSpiderLabs Research Team.

Details about the technical impactof Anonymous DDoS attacks onScientology’s website comefrom research by ArborNetworks, along with courtdocuments related to BrianMettenbrink’s case; thesedocuments provide, among otherthings, the date when Scientologyhired Prolexic Technologies.

Details on LOIC come fromnumerous online articles aboutthe Web application, screenshotsof the interface, news reportsfrom tech site Gizmodo, andresearch from the IT securityfirm Imperva. Details on Praetoxcome from the programmer’sown website,http://ptech.50webs.com/, whichappears to have been created in2007 but was abandoned around2009 or 2010. The emergence ofNewEraCracker as anotherprogrammer to develop LOICcomes from details on GitHub, aWeb-based hosting service forsoftware projects.

The anecdote that Time Warnerwould profit from the V forVendetta mask comes from anAugust 2011 article on the NewYork Times Bits blog.

The example of a channel topic in#marblecake came from achatlog provided by JenniferEmick’s Backtrace Security, vialogs obtained from a leak amongChanology organizers.

The vast majority of details aboutBrian Mettenbrink come from aphone interview conducted withhim on December 16, 2011, aswell as from court documentsand an FBI transcript, both ofwhich were published on the

Partyvan website. A few extradetails came from an archivestarted when Mettenbrinkuploaded a scan of his driver’slicense and photo, along with thebusiness card of one of hisvisiting FBI agents, toWhyWeProtest.net, as well asfrom comments in that threadmade by Mettenbrink and others.Mettenbrink was banned fromusing the Internet for a year afterhis jail sentence and, at the timeof this writing, still had toreceive e-mails through a friend.

Chapter 6: Civil War

The vast majority of details about

the experiences of JenniferEmick are derived from phoneinterviews with Emick herself,as well as from a few interviewsconducted over Skype text chat.Extra details about the methodsof intimidation used byScientology representativesagainst Anonymous protesterscome from the testimony ofEmick, Laurelai Bailey, variousWeb reports, and YouTubevideos.

Details about the life and

experiences of Laurelai Bailey(formerly Wesley Bailey) comefrom phone interviews withBailey herself, along withseveral discussions held viaInternet Relay Chat and Skypetext chat.

The details of “simultaneousworldwide protests on February10” come from Bailey’s andEmick’s own testimonies as wellas from various blog posts thatreported on the events afterward.Details about playing an audioversion of OT3 at protests comefrom testimony by LaurelaiBailey as well as from the DerSpiegel article “Tom Cruise and

the Church of Scientology,”published on June 28, 2005.

The point about an alleged list of“murdered Scientologydefectors” came originally fromconversations with JenniferEmick, who also pointed me todiscussions on the anti-Scientology message boardocmb.xenu.net, also known asOperation Clambake. A numberof campaigners on this board, forinstance, believe that formerScientologist Ken Ogger, founddead in his swimming pool onMay 29, 2007, was murdered.

The description of Chanology as“full-blown activism” comes

from interviews with multipleparticipants in the raids andprotests, including Emick,Laurelai Bailey, and ananonymous Chanology organizer,with viewpoints split on whetherthe veering toward activism wasa good thing or not. The notionthat Scientology “stoppedcoming out to play,” i.e., stoppedresponding defensively to theantics of Anonymous, is sourcedfrom testimony by Bailey andEmick, as well as from variousonline forums in whichChanology is discussed, such asWhyWeProtest.net.

The rows between IRC network

operators, including the quote“you have no idea who you’refucking with,” are sourced fromEmick’s testimony, and thesquabbles are also chronicled indetail on the main Partyvanwebsite. Details of Scientology’slitigation against Gregg Houshare sourced from various newsreports, including an October2008 article in The Inquirerentitled “Anti ScientologyActivist Off the Hook. Sort of.”Scientology’s perspective onreceiving “death threats” issourced from a CNN video fromMay of 2008, in which the newsnetwork’s John Roberts spoke to

a Scientology spokesman whoclaimed that Anonymous was“terrorizing the church.”

Details about the way Emick“outed” Bailey’s onlinenickname, Raziel, leading totheir falling-out, come from theaccounts by both Emick andBailey.

The information about SWATing ahouse comes from testimonyfrom Emick as well as frominterviews with William, whodirected me to websites thatshowed the steps one needs totake to “SWAT” someone.

Details of Laurelai’s first onlinemeeting with Kayla come

primarily from interviews withBailey. The extra context ontransgender hackers comes frome-mails I exchanged withChristina Dunbar-Hester, PhD,Affiliated Faculty, Women’s &Gender Studies, at Rutgers, theState University of New Jersey.

Chapter 7: FIRE FIREFIRE FIRE

The introductory paragraph, which

suggests that Anonymous wentquiet between Chanology in2008 and WikiLeaks in late2010, comes from interviewswith various key players,including Jake Davis, JenniferEmick, Laurelai Bailey, andconversations with other Anons,along with my own observanceof a drop in news coverage aboutAnonymous between those dates.

The interview with Girish Kumar

from Aiplex that is referred to atthe start of this chapter issourced from the September 8,2010, article “Film IndustryHires Cyber Hitmen to TakeDown Internet Pirates” in theSydney Morning Herald. Kumarwas quoted as saying similarthings in the TorrentFreak.comarticle “Anti-Piracy OutfitThreatens To DoSUncooperative Torrent Sites,”published on September 5, 2010.It is unclear if Kumar or Aiplexwere ever prosecuted forlaunching DDoS attacks; thereare no press reports since thatsuggest the company was.

Details of the discussion of Aiplexon /b/ and then the creation of anIRC channel to coordinate a raidwere sourced from an onlineinterview with the hacker Tflowin April of 2011, and from theTorrentFreak.com article “4chanDDoS Takes Down MPAA andAnti-Piracy Websites.” I gleanedsome context on the attacks froma timeline of events that wasposted on the Partyvan.infowebsite. The story thatAnonymous supporters wereherded between IRC networks,along with the names of the mainIRC channels, was also sourcedfrom the interview with Tflow.

Extra details about Aiplex andMPAA attacks come from otheronline articles, such asTechCrunch’s “RIAA GoesOffline, Joins MPAA As LatestVictim of Successful DDoSAttacks,” from September of2010, and a blog post by ITsecurity firm Panda Labs entitled“4chan Users Organize SurgicalStrike Against MPAA,”published on September 17,2010.

Details about Tflow’s alleged realage and location come from thelater announcement (in July of2011) of his arrest by the U.K.’sMetropolitan Police. The

description that he was quiet and“never talked about his age orbackground” comes fromdiscussions with other hackers aswell as from my ownobservations of Tflow ininterviews, in chat rooms withothers, and in leaked chat logs.Details of the way Tflowapproached people in IRCchannels with more technicalknowledge than he, and the waythat group turned CopyrightAlliance into a repository forpirated material, come from aninterview with Tflow as well asfrom a September 2010 newsarticle entitled “Wave of

Website Attacks Continues—Copyright Alliance Targeted” onSkyck.com. Details of the attackson Gene Simmons and otherDDoS attacks come from variousonline news reports, while thenotion that the campaign “wentinto hiatus” comes fromtestimony by Tflow and Topiary.Tflow claimed that the SQLinjection attack oncopyrightalliance.org was thefirst of its kind under the bannerof Anonymous, though it ispossible that similar attackswere carried out duringChanology.

Among the technical remarks that

Tflow saw in the #savethepbchannel that led him tocollaborate with more skilledindividuals was, verbatim,“LOIC does not overwhelm itstargets with packets. It’s a matterof flooding port 80. Most webservers can not handle a vastamount of open connections.”

The account of the creation of theAnonOps IRC network comesfrom interviews with Jake Davis,Tflow, and one other keyorganizer of AnonOps, as wellas from the “History” page on theAnonOps website:AnonOps.pro/network/history.html.There, organizers describe the

original “cunning plan” of late2010, adding that they hadwondered, “How about a shipfor Anons, by Anons?”

Testimony from Topiary about first“checking out” OperationPayback, and then hearing aboutthe suicide of his father, comefrom interviews with Topiaryhimself.

References to WikiLeaks and theleaking of 250,000 diplomaticcables come from a wealth ofmainstream news reports thatwere published in November andDecember of 2010, such as aNovember 28 article in theGuardian entitled “How 25,000

U.S. Embassy Cables WereLeaked,” as well as the NewYork Magazine story “BradleyManning’s Army of One,”published on July 3, 2011. Theassertion that State Departmentstaff were barred from visitingthe WikiLeaks website camefrom my discussions with ananonymous State Departmentsource. The description of theattack by The Jester onWikiLeaks comes from variousnews reports, such as “TheJester Hits WikiLeaks Site withXerXeS DoS Attack,” by InfosecIsland, published on November29, 2010, as well as from

testimony by Topiary andreferences in leaked chat logs.The account of the subsequentnixing of funding services byPayPal, MasterCard, and Visa toWikiLeaks comes from a rangeof mainstream news reports.

Details throughout this chapterabout the discussions that tookplace in the #command channelon AnonOps—e.g., first goingafter PayPal to stoke uppublicity; operator names likeNerdo, Owen, and Token; or thecollaboration with botmastersCivil and Switch—wereoriginally sourced from Topiary,who had been invited into the

channel and was friends withseveral AnonOps IRC operators.Much of this information wascorroborated by news reports aswell as by blog posts written byPanda Securities researcherSean-Paul Correll, who closelytracked the PayPal attacks.Though Correll has been on sickleave from Panda Securities formuch of 2011 and wasunavailable for interviews, oneof his colleagues e-mailed meadditional, never-before-published details of hisconversations with the botmasterSwitch on IRC. The operatornames Nerdo, Token, and Fennic

were associated with real namesand faces when the four youngmen accused of cyber crimesunder these names appeared inWestminster Magistrates Courton September 7, 2011: PeterDavid Gibson (accused ofcomputer offenses under thenickname Peter), ChristopherWeatherhead (accused ofoffenses under the name Nerdo),and Ashley Rhodes(Nikon_elite). Because he was aminor, the real name of theseventeen-year-old known asFennic could not be revealed forlegal reasons. Further details,such as the nickname

BillOReilly, came fromscreenshots of AnonOps IRCpublished on EncyclopediaDramatica.

Details about the numbers ofpeople piling into AnonOps IRCduring the PayPal andMasterCard attacks weresourced from Sean-PaulCorrell’s research as well asfrom testimony by Topiary in themonth or two after the attacks.

Dialogue from the public#OperationPayback IRC channel,such as “Do you think this is thestart of something big?” came viaan online database of AnonOpschat logs from December 8,

2010, searchable here:http://blyon.com/Irc/.

Content from the digital flyer thatcontains instructions for usingLOIC was taken directly from theflyer, which is still availableonline. The LOIC message toPayPal servers was cited in theArs Technica article “FBI RaidsTexas Colocation Facility in4chan DDoS Probe,” publishedin late 2010; the exact date is notshown on the online article,which cites log entries in asearch request by the FBI.

The notion that operators probablydid not want public attentionfocused on botnets because it

could lead to heat from theauthorities comes from aconversation with academic andAnonymous expert GabriellaColeman.

Details about Ryan and the use ofhis botnet on OpItaly, and aboutthe manipulation of numbers,come from testimony by Topiary.Information about the fourteenpeople arrested for using LOICagainst PayPal comes fromwide-ranging news reports,including the Financial Timesstory “FBI Arrests 14 Suspectsin PayPal Attack,” published onJuly 20, 2011. The detail aboutRyan’s mental health was

sourced from the testimony of hislawyer, Ben Cooper, who told acourt hearing on June 25, 2011,that his client had beendiagnosed with Asperger’ssyndrome since his arrest.

A note about lying to the press: didsupporters of Anonymous lie tome in interviews? Sometimes,yes. Was I aware this was goingon? Yes, though admittedly notalways to start with. Over time,if I was not sure about a keypoint, I would seek tocorroborate it with others. Suchis the case with statementspresented as fact in this book.My approach to Anons who were

lying to me was to simply goalong with their stories, acting asif I were impressed with whatthey were saying in the hope ofteasing out more information thatI could later confirm. I havesignposted certain anecdotes inthis book with the word“claimed”—e.g., a person“claimed” that a story is true.Not everyone in Anonymous andLulzSec lied all the time,however, and there were certainkey sources who were moretrustworthy than others andwhose testimony I tended tolisten to more closely, chiefamong them being Jake Davis.

Tflow created the #reporterchannel for AnonOps, accordingto Topiary. Some dialogue thatrefers to the #over9000 channelcomes from the leaked #HQ logs.

Chapter 8: Weaponsthat Backfired

Much of the detail in this chapter

about the bugs inherent in LOICcomes from online and face-to-face interviews with aprogrammer and formersupporter of Anonymous whodoes not want to be identified.Additional descriptions of IRC,such as the topics at the top ofchat channels, come from myown observations when visitingthe chat network and fromrumors about “Feds” crawling

the network, which werementioned by Topiary and otherAnons that I occasionally chattedwith, as well as from onlinearticles about the general usageof IRC and the role of operators,such as “The IRC OperatorsGuide” on irchelp.org. Somedialogue about the legalities ofusing LOIC comes from theonline database of AnonOps chatlogs, http://blyon.com/Irc/. Extrastatistics about the numbers usingLOIC and about AnonOps IRCcan be found on Pastebin(http://pastebin.com/qQgxtKaj)and in the section aboutOperation Payback on the

website opensecuritylab.org.Further details come from theTorrentFreak article “Behind theScenes at Anonymous’ OperationPayback,” published in late 2010(the article does not give theexact date of publication).

There was a wide range of newsreports on the arrest of Martijn“Awinee” Gonlag, including“They’re Watching. And TheyCan Bring You Down,”published in the Financial Timeson September 23, 2010.

Regarding the sentence about usingLOIC behind “anonymizingsoftware”: users could not firethe tool from behind an http

proxy because their “packets”would hit their own proxy, takingthem offline; so it was VPN ornothing.

Details of the FBI’s initialinvestigation into OperationPayback were sourced partlyfrom an article on Wired’sThreatLevel blog entitled “In‘Anonymous’ Raids, Feds Workfrom List of Top 1,000Protesters,” published on July26, 2011. Additionally, detailsabout the initial contact betweenPayPal and the FBI agents, alongwith the passing over of onethousand IP addresses on a USBthumb drive, are sourced from an

FBI arrest warrant filed on July15, 2011, and available online.

Owen’s quote “Switch is basicallyunder a shoot on sight watch list”comes from screenshots of the#InternetFeds chat room made byfreelance journalist MatthewKeys, which were e-mailed tome by Keys in early 2011. Keyswas invited to observe thegoings-on in InternetFeds fromDecember of 2010 to January of2011. He used the nicknameAESCracked.

Details of the DDoS attacks onAnonOps IRC, and the detailsabout Operation Leakspin andOperation Leakflood, come from

testimonies by Anonymoussupporters, including Topiary, aswell as from various blog postsand news reports. The account ofsplitting into operations, such asthe DDoSes of Sarah Palin’swebsite and the Venezuelangovernment sites, comes from avariety of news reports onwebsites such as PandaSecurity’s blog,ABCNews.go.com, andKnowYourMeme.com.

Details about #InternetFedsgradually usurping #command asan organizational hub popularwith Anonymous hackers comefrom Topiary, Kayla, and two

other hackers who were in thechannel. Further description ofdialogue and content fromdiscussions in the channel comesfrom scores of screenshotsprovided by Matthew Keys.

Chapter 9: TheRevolutionary

At least two people have

corroborated that Tflow firstinvited Sabu into #InternetFeds;Sabu also claimed this. Detailsabout Sabu’s views come fromdozens of online interviews Iheld with him both before andafter his arrest by the FBI onJune 7, 2011. My phoneinterviews with Monsegurprovided insights into his accent,his way of speaking, thebackground sounds I heard when

I was speaking with him, and hisskills for lying and manipulation.At times they yielded little in theway of reliable insights since thephone interviews took placeafter he started working for theFBI and had been encouraged tofeed misinformation tojournalists. Further details abouthis life, upbringing, and addresscome from a series of courtdocuments that were unsealedafter the FBI revealed that he hadbeen acting as an informant sincesoon after June 7, 2011.Additionally, I have sourcedsome details from a three-partseries of Fox News stories about

Monsegur published in March of2012, one of which is entitled“Inside LulzSec, a MastermindTurns on His Minions.” Anotherhelpful source for corroboratingpersonal details on Monsegurwas the New York Times story“Hacker, Informant and PartyBoy of the Projects,” publishedon March 8, 2012, in whichreporters spoke to Monsegur’sneighbors to piece together apicture of the man. Interviewswith sources close to HectorMonsegur and the FBIinvestigation also contributed tothe information in this chapter.

Details about the incident at

Monsegur’s high school with thehead of security were sourcedfrom an essay purporting to bewritten by Sabu on August 14,2001, and bearing all his usualstylistic and verbal hallmarks. Itwas published via Pastebin onJune 7, 2011 (the day of hisarrest), and also sent to me via e-mail by a source. Full essayhere:http://pastebin.com/TVnGwSmG.

The details about Monsegur’sinternships as a teenager weresourced from a web archive ofthe iMentor website from August2002, which listed Monsegur asa member of the staff and

provided a short biography thatmentioned his stints at theNPowerNY Technology ServiceCorp and the Low-IncomeNetworking and CommunicationsProject (LINC) at the WelfareLaw Center.

Text for The Hacker Manifesto bythe Mentor can be found here:http://www.mithral.com/~beberg/manifesto.htmlI have exchanged e-mails withLloyd “the Mentor” Blankenshipto corroborate details about hiswriting of the 1986 essay.

Sabu/Monsegur provided me withlinks that still showed the defacemessage he published on thePuerto Rican government

websites. Further details on theU.S.-China cyber war that Sabuinvolved himself in werecorroborated by news reportssuch as Wired’s “It’s (Cyber)War: China vs. U.S.,” publishedin April of 2001, and CNN’s“China-U.S. Cyber WarEscalates,” published on May 1,2001. Further details aboutMonsegur and his attempts tostart a group for localprogrammers in 2002 also comefrom a “dox” file posted by asecurity researcher nicknamedLe Researcher, who pasted avariety of screenshots of e-mails,deface messages, and forum

posts onhttp://ceaxx.wordpress.com/uncovered/Sabu’s message on AnonOps, inwhich he asks how to findWired’s John Abell, came fromthe online databasehttp://blyon.com/Irc/.

Details about the anticorruptionprotests in Tunisia were widelyreported in late December of2010 and early January of 2011,and details of the government’sphishing campaign, aimed atspying on potential dissenters,were published by Al Jazeeraand Ars Technica. Censoredsites would typically say “Error404: page not found.” An

officially blocked site willusually say “Error 403,” so theuse of 404 suggested unofficialcensorship. One journalist andblogger, Sofiene Chourabi, hadreportedly been blocked fromaccessing his Facebook account;his 4,200 friends were alsohacked. Other journalistsclaimed that their entire blogswere deleted of content, andsuspected the Tunisian InternetAgency was behind it. ManyTunisians also claimed theywere unable to change theirFacebook passwords. Thephishing operation wassophisticated, hitting several

high-profile targets in a singleday, and was carried out by amalware code, according to AlJazeera, which cited “severalsources.” The TechHerald’sSteve Ragan reported seeingexamples of the embedded scriptand new source code injected inGmail, Yahoo, and Facebook,confirming with four differentexperts that the embedded codewas “siphoning off logincredentials” and that “codeplanting of this scale could onlyoriginate from an ISP (InternetService Provider).”

Details of the antiphishing scriptdeveloped by Tflow are

available on the script-sharingw e b s i t e http://userscripts.org,under the user name“internetfeds.” Sabu, Topiary,and one other senior figure inAnonymous said that Tfloworiginally wrote the script.Tflow had written a browserJavaScript plug-in thateffectively stripped thegovernment’s added Java codeand redirected Tunisian Internetusers away from its phishingservers (essentially fake Gmail,Yahoo, and Facebook sites) andback to the original, true hosts.Tunisian Internet users first hadto install the Greasemonkey add-

on for Firefox. Then it was just amatter of opening Firefox andgoing to Tools, then toGreasemonkey and New UserScript, to paste in the code.Having clicked “Okay,”Tunisians could within a minuteor two access Facebook,Twitter, Blogger, Gmail, andYahoo without exposing theirlogin details.

I have sourced the story about Saburemotely controlling a Tunisianman’s computer to deface thewebsite of the country’s primeminister from interviews withSabu himself, conducted in Aprilof 2011. It’s still not clear

exactly how Sabu hit theTunisian DNS, but one expertwho knew him suggests he mayhave used a so-called smurfattack to bring down the domainservers of the Tunisiangovernment. This refers to aunique type of denial of service(DoS, without the d for“distributed”) attack that can becarried out from a singlecomputer. Instead of using abotnet, it uses servers withsignificant space and speed totransfer the junk data. A smurfattack, specifically, needsbroadcast servers. It sends a pingrequest to one or more of the

servers, communicating (falsely)that the return IP address is thetarget. In hackerspeak, they aresending “spoof packets.” Thebroadcast server then tells itsentire network to respond to thetarget machine. One computer byitself can send perhaps 500megabytes worth of packets atmost, but a smurf attack allowedSabu to amplify 40 gigabytesworth. A screenshot of thedeface message that wasuploaded to Prime MinisterGhannouchi’s site is availableonline.

Chapter 10: Meetingthe Ninja

Opening paragraphs of this chapter

are sourced from onlineinterviews with Topiary. Hisdeface message on thegovernment of Tunisia was untilrecently viewable here:http://pastehtml.com/view/1cw69sc.html.The point about cyber attacks onthe governments of Libya, Egypt,Zimbabwe, Jordan, and Bahraincame from testimony by Topiaryand was corroborated withvarious online news reports. I

saw the deface of the Fine Gaelwebsite myself and confirmed iton the phone with a pressspokesman for the Irish politicalparty.

The description of Kayla’s style ofwriting, which includes “lol”sand smiley faces, is based on myown observations as well asthose of Anonymous members.Her view of hacking as anaddiction comes from a later,online interview.

The online poll by JohnnyAnonymous was described to mein a Skype interview with JohnnyAnonymous himself, conductedon March 7, 2011.

Descriptions of Kayla’s obsessiveattempts to keep her identityhidden are sourced frominterviews with Kayla,conducted largely by e-mail, inMarch of 2011. I was firstintroduced to Kayla (and Sabu,Tflow, and the others who wouldlater make up LulzSec) byTopiary. Details of Kayla’s lifeexperiences and getting hackedby a man who “screamed” downthe phone at her came frominterviews also conducted inMarch of 2011. Kayla’sinvolvement in the Gawker hack,which has been reported byGawker itself, was mentioned in

an Internet Relay Chat interviewwith the hacker on May 23,2011, in which she described indetail how she and a group ofonline friends in the IRC channel#gnosis carried out their hackover the course of severalmonths. Confirmation of theexistence of Kayla’s “tr0ll” IRCnetwork came from archivedweb pages and Pastebin poststhat mention the network, and asource who did not wish to benamed. In addition to telling meabout the “vulnerability in theservers hosting Gawker.com,”Kayla explained that she and theother hackers managed to obtain

user and password details for thesite’s root, MySQL. These arekey features that gave themalmost unfettered access to thewebsite’s database.

The vulnerability that Kayla foundin the United Nations websitewas shown to me in an IRC chatwith Kayla in the summer of2011.

Dialogue from #InternetFeds camefrom screenshots of the privateIRC channel e-mailed to me byMatthew Keys.

Regarding the WikiLeaks IRCnetwork, where Kayla first metq, anyone could access it via abrowser at chat.wikileaks.org.

Several sources close toWikiLeaks confirm q (real nameknown but not disclosed here)had habitually lied to supporters,and that he and Assange wereclose, like a “stepson toAssange,” according to one.

Chapter 11: TheAftermath

The opening paragraphs of this

chapter are sourced primarilyfrom phone interviews withAaron Barr. I have seen thecomment about Barr’s childrenthat prompted him and his wifeto temporarily flee their home onReddit.

Details about HBGary Inc.’s hiringof law firm Zwillinger &Genetski are sourced from phoneinterviews with lawyers MarcZwillinger and Jennifer Granick.

The detail about Ted Vera’s andGreg Hoglund’s passwords camefrom interviews with Topiary.

The subsequent quotes from AaronBarr are sourced from a phoneinterview with Barr that tookplace early that Mondaymorning, just hours after theSuper Bowl Sunday attack.HBGary's open letter was untilrecently viewable here:http://www.hbgary.com/open-letter-from-hbgary.

The hackers stored the socialsecurity numbers of HBGaryemployees and other data on aprivate Web text applicationcalled Pirate Pad, which anyone

from the group could edit. Theonline document was laterdeleted. Stolen data like thisoften wound up gathering dustsomewhere in the cloud, or onsomeone’s computer—forgottenuntil an arrest turned it intoevidence.

The account of Kayla informingLaurelai Bailey of the HBGaryattack and then inviting her intothe private IRC channel for thecompany’s attackers, #HQ, issourced from interviews withBailey. Those interviews werealso the source for details aboutBarr’s controversial proposalsto Hunton & Williams. In order

to stumble upon Barr’s all-important WikiLeaks connection,Laurelai had to first port Barr’spublished e-mails onto an e-mailclient called Thunderbird, thentransfer them to Gmail. Thisallowed her to search through thee-mails using key words like“WikiLeaks.”

The notion that Topiary, Sabu, andKayla didn’t know about theanti-WikiLeaks proposals in thedays immediately after the attackwere conveyed to me byTopiary, who I was interviewingat the time. I had also beenfollowing developments after theattack and noticing that his small

group was trawling throughBarr’s e-mails, looking forsomething controversial, beforeLaurelai spotted the motherlode.

Dialogue between the group in the#HQ room comes from logs thatwere eventually leaked byLaurelai to Jennifer Emick (seechapter 14). Details about thepublication of the HBGary e-mails and snippets of contentwere sourced from the HBGaryviewer itself,http://hbgary.anonleaks.ru (nowoffline).

Details about the investigation intoHBGary, its partners, and theirmilitary contracts by U.S.

congressman Hank Johnson wereconfirmed in a phone interviewwith Johnson on March 23, 2011.I first heard about theinvestigation on March 17, when,late that evening, Topiary saw aWired story saying thatCongressman Johnson hadstarted investigating the U.S.military’s contracts withHBGary Federal, PalantirTechnologies, and BericoTechnologies. Soon after, at leastten Democrats from the House ofRepresentatives had signed apetition to launch aninvestigation into Hunton &Williams and the three security

firms.The “growing sense of unease”

among the hackers comes fromobservations of their sometimesparanoid conversations in #HQas well as from testimony byTopiary, who was also thesource for the information aboutthe regular phone calls with Sabuand the coded greeting “This isDavid Davidson.” Sabu’smistrust of Laurelai is clear fromhis comments in #HQ, but wasalso corroborated by testimonyfrom Topiary.

Jennifer Emick has confirmed thatshe was behind the Twitterhandle @FakeGreggHoush; this

has been an open secret inAnonymous since Backtrace wasdoxed in the early summer of2011. I relied on interviews withboth Emick and Bailey to piecetogether how and why Baileyended up passing her the #HQlogs.

Part 2Chapter 12: Finding aVoice

The opening paragraph, describing

Topiary’s popularity onAnonOps, including details suchas the number of privatemessages he was regularlyreceiving, are sourced frominterviews with Topiary as wellas from observations of chatlogs, IRC conversations, andstatistics showing the number oftimes people were reaching out

to him through Twitter. Thedetail about requests to hitvarious targets, such asFacebook, also comes from thoseinterviews. According toTopiary, people sometimesdirectly e-mailed supporters inAnonOps or sent messages tocertain representative blogs. Itwas difficult to track the wayAnonymous chose its targets,since it was often donechaotically, spontaneously, andbehind the scenes. However, forthe most part, target requests thatcame from outside Anonymouswere rarely pursued.

Details about Westboro Baptist

Church are sourced from variousnews reports as well as fromLouis Theroux’s engrossing BBCdocumentary The Most HatedFamily in America, first aired in2007. The detail that Nate Phelpshad accused his father, Fred, ofabuse is sourced from a numberof press reports including NatePhelps’s official website, whichin its “Bio” page refers to hisfather’s “extreme version ofCalvinism” and “extremephysical punishments andabuse.”

The February 18 press releaseannouncing that Anonymous wasgoing to hit Westboro—the first

such announcement—appearedon AnonNews.org. The detailabout an IRC operator running asearch of the network’s chatchannels to find the organizerswas sourced from interviewswith Topiary. IRC operators,both within AnonOps and inother networks, regularly ransearches to keep an abreast ofany odd operations that no oneknew about, such as conspiraciesto take down the network orimproper discussions about childporn. Sometimes trolls wouldcreate a child porn channel to tryto make AnonOps look illegal.This was the only topic of

discussion that was banned onAnonOps IRC; everything elsewas fair game. Similarly, talk ofhacking was banned on othernetworks, which was why Tflowand the other supporters ofOperation Payback migratedfrom networks like EFnet,Freenode, and Quakenode in late2010—these IRC operators didnot like the heat.

The follow-up press release aboutattacking Westboro, written byfive writers in #philosoraptors,originated when one personstarted writing it on his computerand then uploaded it to PiratePad so others could edit it.

“Dear Phred Phelps and WBCPhriends,” it began. This releasewas much more in line with theirreverent, clownish tone ofAnonymous. It went on to say,“Stay tuned, and we’ll comeback to play another day. Wepromise,” and added areprimand: “To the Media: Justbecause it’s posted onAnonNews doesn’t mean everysingle Anon is in agreement.”

Details about The David PakmanShow, Pakman himself, and thelive Westboro hack are sourcedfrom a phone interview withPakman that took place onNovember 18, 2011, as well as

from interviews with Topiary.Comments made by ShirleyPhelps-Roper on Pakman’s showare sourced from YouTubevideos. All dialogue from theshow regarding the liveWestboro hack was sourcedfrom the main YouTube video ofthe program. Pakman’s andTopiary’s accounts differ abouthow much Pakman knew of whatwas going to happen toWestboro’s website during theshow. Pakman denied everknowing that Topiary or anyoneelse from Anonymous was goingto hit the Westboro site in themiddle of his show. “No.

Absolutely no,” Pakman said inthe phone interview, conductedabout eight months after theevent. “They basically said,‘We’ll come on your show totalk about this.’ It was veryvague. I said, ‘I’m interested.Would you be able to come onwith Shirley?’ and they said yes.I reached out to Westboro.…They both said yes. The timingworked out.” Today the numberof hits on the video of the liveWestboro hack has approachedthe two million mark and it is themost popular video ever postedfor The David Pakman Show.

Regarding Topiary’s deface

messages: he wrote all of them ina very simple text-editingprogram called Notepad++.Every PC has Notepad in itsAccessories folder, butNotepad++ is a free program thatone-upped the original Notepadby allowing users to organizetheir documents in tabs, enablingthem to have multiple open files.Topiary only had to hit the leftarrow key on his laptop to getdifferent text formats, a list oflinks to vulnerable websites, orother Anonymous press releaseshe hadn’t read yet. He wouldmake all his deface messagescompatible with the Web

language HTML by convertingthem at a website calledPastehtml.com. If Topiary copiedand pasted a two-hundred-wordmessage directly from MicrosoftWord, it would likely show up inPastehtml.com with theAnonymous logo too far to theleft, or with odd spaces withinthe text, which he’d have to thentinker with in the so-calledsource code, the complicatedprogramming commands behindthe text. Writing it in Notepad++,on the other hand, meant it wasautomatically “cleaned up,” sothat when it was converted intoan HTML file it looked exactly

the same online as it did offlineon his computer. No tweakingrequired. In total, Topiaryproduced approximately tendeface messages using thismethod for Anonymous, andhelped others to produce anadditional ten. The use of asimple program, combined withTopiary’s basic knowledge ofHTML, are the reasons that allhis messages, which made up themajority of defacements reportedby the news media in the springof 2011, appeared as plain texton a white background.

Chapter 13:Conspiracy (DrivesUs Together)

The opening paragraphs of this

chapter are sourced frominterviews at the time (and thenmonths afterward for hindsight)with Topiary. Sabu and Kaylahad moved on from the HBGaryattack and were not involved inreading through Barr’s e-mails.Both also claimed to have busylives outside of Anonymous andthe Internet. In my phone

interviews with Sabu, forinstance, he was often beinginterrupted by people in hishousehold and by other phonecalls.

Details about Barrett Brown’sexperience delving through theHBGary e-mails, forming a teamof researchers, and his personallife are derived from my phoneinterview with Brown,conducted on November 24,2011. Further details about hisdealings with Topiary and otherAnons have come frominterviews with Topiary. I alsosourced an audio recording ofBrown’s phone interview with

William Wansley, which heuploaded to the media-sharingsite MediaFire.com. I had beenalerted in advance to the RadioPayback appearance of Brown,Topiary, and WhiteKidney andwas taking notes as it happened,before I downloaded the audiofile itself. The description of theNBC Nightly News broadcastwith Michael Isikoff was takenfrom my viewing of the videoonline. The note that Brown’s“bones ached” because ofwithdrawal from Suboxone,along with the point about hisrelapse in New York in April of2011, were sourced from my

phone interview with Brown.Some extra details aboutOperation Metal Gear and itsresearch were sourced partlyfrom Brown’s Project PM wiki,http://wiki.echelon2.org/; partlyfrom the Metal Gear website,http://opmetalgear.zxq.net/,before it became disused; andpartly from the Booz AllenHamilton website.

Descriptions of the general opinionamong Anons toward Brownwere sourced from discussionswith a handful of Anons,including William, as well asfrom my observation of relevantcomments on AnonOps IRC.

Brown thought he saw aconnection to HBGary’s interestin bidding for a contract to sellthe U.S. military personnelmanagement software, atechnology that essentiallyallowed the user to spy on othersover the Internet and socialmedia.

Details about the young mannicknamed OpLeakS and hisoffer of apparently explosiveinformation from Bank ofAmerica were sourced frominterviews with Brown andTopiary, with further detailscoming from thebankofamericasuck.com website,

OpLeakS’s Twitter feed, and avariety of news reports. E-mailsposted on OpLeakS’s websiteclearly showed the name of thedisgruntled Bank of Americaemployee who was “leaking”information, Brian Penny.

When he used the term “nerdyhacker group,” Topiary wasreferring to the hacker groups ofthe eighties and nineties, some ofwhich used skull-and-crossbonesimagery and generally tookthemselves too seriously.

It was not unusual in Anonymous tohop from one operation toanother, reflecting the sometimeslimited attention spans of its

groups and supporters. Alongwith Operation Metal Gear, therewas Operation Wisconsin,Operation Eternal Ruin, andoperations focused on Libya andItaly, each of which hadanywhere from two to a dozenpeople involved. In early 2011,the original version of OperationPayback, launched againstcopyright companies, came backfor round two by targeting morecopyright-related websites.Topiary observed, however, thatits proponents kept switchingtargets—for instance, they calledagcom.it a target, causing a fewpeople to be fired but failing to

generate enough momentum totake the site down—providingothers with a reason to move onto something else. Frequentlyswitching targets is one of thecrucial reasons why OperationPayback had dwindled to aroundfifty people in October of 2010and nearly died out—untilWikiLeaks came along bychance, and thousands of peoplesuddenly jumped in.

Chapter 14:Backtrace Strikes

The opening paragraphs of this

chapter are sourced frominterviews with Jennifer Emick,with some added details—including the name of her Skypegroup, the Treehouse—comingfrom Anonymous-related blogs.

Details about the arrests in theNetherlands and Britain aresourced from various mainstreamnews reports. The U.K.’sMetropolitan Police announcedon January 27 that they had

arrested five people in morningraids across the country.According to a report in TheTechHerald at the time, theywere allegedly tracked with“little more than server logs andconfirmation from their ISP.”

Descriptions of what Emick wasfinding on DigitalGangsters.comwere originally sourced fromEmick and corroborated by myown observations of the website,especially its “About” page. Ialso interviewed a member ofthe forum site nicknamed Jess,who was a close friend of thetwenty-three-year-old Seattlewoman on the site who went by

the name Kayla and whose realname is Kayla Anderson. Jessconfirmed that the woman is notthe same Kayla of LulzSec,though she and her friendconsidered the hacker known asXyrix as an acquaintance. It wasmost likely a coincidence, sheadded, that Xyrix was beingconnected to both a Kayla fromDigitalGangsters.com and theKayla of LulzSec. Emickdoubted this account when I putit to her in November of 2011and believed that there was aconnection between the twoKaylas.

Incidentally, Corey “Xyrix”

Barnhill has denied being Kayla,both by leaving comments ononline news reports about Kaylaand by e-mailing me directly.The AnonOps Kayla also told meand certain members ofAnonymous that she went alongwith rumors that she was Xyrixbecause it helped obfuscate herreal identity.

The descriptions of YTCracker andthe story about the hack onDigitalGangsters.com weresourced from phone interviewswith Bryce “YTCracker” Casehimself, as well as from myobservations of the defacemessage that was posted on his

site when Corey “Xyrix”Barnhill, Mike “Virus” Nieves,and Justin “Null” Perras had,according to Case, switched theDigitalGangster.com domains topoint at their own servers.

My own observation ofDigitalGangsters.com showedposts advertising jobs thatrequired hacking into websitesvia SQL injection, stealingdatabases of names and e-mailaddresses, or just stealingaddresses and sending them tospammers. A database withpasswords was worth more,since spammers could then sendspam from legitimate addresses.

Occasionally a thread wouldstart with a post seeking“freelancers” who couldprogram in C, Objective-C, C#,VB, Java, and JavaScript. Onepost from June of 2010 had thetitle “DGs [Digital Gangsters] inWashington? Be my mail man inthe middle,” followed by:“Heres how it works. A deliverygets shipped to your address,You open the package removeitem, Reship the item to me in anew container with a false returnaddress. when item arrives youget paid. interested?”

The description of Jin-Soo Byunwas sourced from interviews

with Jennifer Emick and LaurelaiBailey; the note that Aaron Barrwas helping her investigationwas sourced from an interviewwith Barr. The details aboutEmick setting up the initialBacktrace investigation intoAnonymous, and then trackingdown “Hector Montsegur” [sic],are sourced from interviews withEmick. Descriptions of some ofSabu’s defaces come fromscreenshots provided by Sabuhimself as well as from a blogpost by Le Researcher, an anti-Anonymous campaigner whoworks with Emick. Anothergroup that includes longtime

EFnet user Kelley Hallisseyclaims it doxed Sabu inDecember 2010 and passed hisdetails to Backtrace in February2011. Emick denies this.

Sabu’s statement that he was “goingto drive over to [Laurelai’s]house and mess him up” wassourced from Topiary’stestimony.

The origins of the word backtracepoint to one of the most notorious4chan and Anonymousoperations ever conducted. Itstarted in July of 2010, when4chan’s /b/ users began trollingan eleven-year-old girl namedJessica Leonhardt. Online, she

was known as Jessi Slaughter,and was a minor e-celebrity afteruploading videos of herself ontoa site called StickyDrama. Whenother StickyDrama users startedbullying Slaughter, she filmed aseries of tearful ripostes,including one in which hermustached father could be seenover her shoulder jabbing hisfinger at the webcam andshouting, “You bunch of lying,no-good punks! And I know whoit’s comin’ from! Because IBACKTRACED it!” Thebroadside spawned a number ofInternet catchphrases and memes,including “backtrace,” “Ya done

goofed,” and “Consequenceswill never be the same!” ByFebruary of 2011, JessiSlaughter had been placed underpolice protection and admitted toa mental institution. Thefollowing August, her father diedof a heart attack at the age offifty-three.

The dialogue among Topiary,Kayla, Tflow, and AVunit,starting with the quote “They allthink i’m Xyrix!” was sourcedfrom their March 21, 2011,discussion on a private IRCchannel called Seduce. By thispoint, Topiary had introduced meto Kayla (with whom I had been

communicating by e-mail) and itwas in this room that I first spoketo AVunit, Tflow, and Sabu.From there I organized separateinterviews with each of them.The group was alreadycommunicating with each otherin their own separate channel,and #seduce was set up for thepurpose of speaking with me andproviding testimony for thisbook. The name Seduce camefrom the late-February revelationin the #HQ chat log that Kaylawould be talking to me; shequipped that “She wrote goodstuff about us so far…she talkedwith Topiary. he has her seduced

I guess.” Later, when the groupwould switch to a different IRCserver, they would create anotherchannel, named #charmy, alsofor talking exclusively with me. Iwas later told that Sabu wasextremely wary of talking to mein the #seduce channel in March,and I observed that he was rarelyin the room or would makeexcuses to leave. On April 13,2011, however, we held our firstreal interview on IRC and hebecame more forthcoming.

It is unclear if “ChristopherEllison,” the name associatedwith AVunit in Backtrace’s finaldocument, was correct or not.

There have been no press reportsor police announcements relatedto the arrest of someoneconnected to the nickname, andno information about thewhereabouts of the real AVunitas of mid-April 2012.

The study by Francois Paget waspublished on October 21, 2011,in a McAfee blog post entitled“The Rise and Fall ofAnonymous.”

The detail about the FBI contactingJennifer Emick comes fromconversations with Emick. Theadditional point that the FBIneeded to wait to corroborateSabu’s identity and gather

enough evidence to threaten himwith a long sentence wassourced from the FoxNews.comreport “Infamous InternationalHacking Group LulzSec BroughtDown by Own Leader,”published on March 6, 2012.

Laurelai Bailey hadn’t been theonly log leaker. Less damaging,though still embarrassing, was aleak from freelance televisionand Web journalist MatthewKeys, who had been givenaccess to #InternetFeds fromDecember of 2010 to January 6,2011, when he was banned afterthe channel’s members suspectedhim of leaking information to the

Guardian. Sabu later claimedthat Keys had given awayadministrator access to theonline publishing system ofTribune, his former employer, inreturn for the chance to “hang outin our channel.” Keys deniesthis.

A note on making IRC channels:generally, the person who comesup with the idea for a channel isthe person who creates thechannel. Creators can makechannels more secure by addingcommands like +isPu and +k togain more control of who comesin. But sometimes the best way tomake a channel secure is to make

it completely open, with noinvite policy at all, and to keepswitching between differentchannels every day or two.Making a channel “invite only”is “like holding a red flag infront of a bull,” according toAVunit, who added that this waswhy he and his the team avoidedinvite-only policies. To findeach other, team members woulduse normal IRC queries, checkwhich channel was active, or justtype in the relevant channel inIRC and rejoin the discussion.

It’s worth noting that Backtraceitself was the subject ofnumerous doxing episodes. From

at least the spring of 2011, anumber of Anonymoussupporters unveiled its membersas Jennifer Emick, Jin-Soo Byun,and John Rubenstein, publishingtheir home addresses, telephonenumbers, some family details,and other online profiles on theweb tool Pastebin.

Chapter 15: BreakingAway

The descriptions of “three ways to

respond to a dox” were derivedfrom my conversations withTopiary and my observations ofthe way Anonymous supporters,such as Ryan Cleary, reacted tohaving their true identitiesunveiled. Further details about“drama” in Anonymous and theculture bred through the morassof channels on IRC were sourcedfrom my conversations withadherents of Anonymous and my

own observations. The detailabout Aaron Barr’s idea forgetting into private codingchannels, as well as thedescription in this chapter of“No,” come from Topiary’stestimony. The details of ReneeHaefer’s FBI raid were sourcedfrom an interview that Haefergave to Gawker for an onlinestory entitled “An Interview witha Target of the FBI’s AnonymousProbe,” published on February11, 2011. Details on the fiveBritons arrested on January 27are sourced from a MetropolitanPolice announcement and fromnews reports.

The paragraphs detailing Topiary’selaborate getaway were sourcedfrom interviews with Topiaryhimself. I have edited the fakedlog substantially for brevity; thelog had mentioned that Topiary’swireless router had been left on.This was meant to cause furtherconfusion among the hundreds ofregular users on AnonOps,because routers were the numberone item that was looked for in araid. The ruse almost got tooelaborate. One online femalefriend was already freaking outso much that she had triedcontacting Topiary’s then-girlfriend, a Canadian girl he had

met online about three yearsprior. Problematically, thisfriend then let slip to others thatTopiary’s girlfriend existed.Until then, he had been trying toinsulate his girlfriend from hisactivities with Anonymous, sothat she would not be roped in asa co-conspirator if he were everarrested. To fix this problem, hewrote up another faked message,this time from his girlfriend,hinting that she was suddenlyjealous of the worried femalefriend. The suggestion distractedthe girl enough from suspectingthe truth: that Topiary had notbeen arrested but had broken

away from Anonymous.Quotes from the Anonymous press

release directed at Sony weresourced from the press releaseitself, which is still available onAnonNews.org. Details ofWilliam’s involvement inOpSony come from interviewswith him. William also e-mailedme a link to some of thehandiwork of SonyRecon,including Sony CEO HowardStringer’s old and current homeaddresses in New York, hiswife’s name, the names of hischildren, and the name of hisson’s old school. The post is stillonline at JustPaste.

The details about Sony’s lawsuitagainst George Hotz come fromvarious mainstream newsreports.

“Angering millions of gamersaround the world” is myinterpretation of myriad angrycomments on forums for gamersas well as on the officialPlayStation Network website,which contains statementsshowing that the PSN is used bytens of millions of people.

Sony’s eight-page letter to the U.S.House of Representatives datedMay 3, 2011, is viewable onFlickr.

The publication of 653 nicknames

and IP addresses on AnonOpswas pasted in a public documentonline, which I have seen andwhich was brought to light byvarious news reporters,including by Forbes’s AndyGreenberg. His story “MutinyWithin Anonymous May HaveExposed Hackers’ IPAddresses” was published onMay 9, 2011. I made the pointthat “AnonOps IRC became aghost town” as a result of myown and Topiary’s observationsof the network. The statement byvarious AnonOps operators thatthey were “profoundly sorry forthis drama” was posted and

reposted on various blogs. Theoriginal post also mentioned thatAnonOps would “stage acomeback and return to fullstrength eventually.” RyanCleary, who was behind the IPleak, gave an interview to thetech blog thinq_, saying that theoperators behind AnonOps were“publicity hungry” and had“begun engaging in operationssimply to grab headlines” and“feed their own egos.” “Theyjust like seeing thingsdestroyed,” thinq_ quoted Ryanas saying.

I saw the dox file about Ryan whenit was first posted online. It

included his real address inWickford, Essex, his cell phonenumber, and the names and agesof his parents. The dox page saidthat Ryan had been “owned” byEvo, adding “Who’s the ‘pet’now, bitch?” The document alsogave “shouts,” oracknowledgments, to Sabu,Kayla, Owen, #krack, and all ofAnonOps.

The assertion that Anonymous was“starting to look like a joke”comes from my ownobservations as well asdiscussions with supporters.

Chapter 16: TalkingAbout a Revolution

Most of the details and descriptions

from this chapter were derivedfrom interviews with Topiaryand Sabu over the course ofseveral months, includingInternet Relay Chat interviews,discussions by phone, and face-to-face meetings.

The point about New York mayorRudy Giuliani increasing thecity’s police force to 40,000 wascorroborated by the April 11,2000, Congressional Record for

the House of Representatives andby press reports.

The details about COINTELPROwere corroborated byinformation on the FBI’s ownwebsite, which states that theproject was “rightly criticized byCongress and the Americanpeople for abridging firstamendment rights and for otherreasons.” Seehttp://vault.fbi.gov/cointel-pro

The point that Kayla, Tflow, andAVunit had been on “breaks”before the formation of LulzSecwas corroborated by Sabu and atleast one other LulzSecsupporter.

The quote “Most professional andhigh-level hacks are neverdetected” comes from aninterview with a hackersupporting Anonymous who didnot wish to be named.

Chapter 17: LulzSecurity

The majority of details in this

chapter were sourced frominterviews with Topiary, Sabu,and Kayla. Additional details,including dialogue fromPwnsauce, was derived from myobservation of discussionsamong Topiary, Kayla, Tflow,AVunit, and Pwnsauce in the IRCchannel #charmy, which was setup for discussions that I couldrepeat in this book. I also heldinterviews with some in the

group, such as Pwnsauce, in thischannel.

The assertion that it “took a weekfor Fox’s IT administrators tonotice the breach” was derivedfrom interviews in #charmy.

Regarding the original Twitter feedfor LulzSec, @LulzLeaks: theoriginal account that contains thatfirst tweet is still online.

I corroborated that LulzSec hadindeed posted a database ofpotential contestants for The XFactor by speaking to aspokesman from Fox abouttwenty-four hours after the hackwas first announced. I also sawthe published database on

Pastebin.

Chapter 18: TheResurrection ofTopiary and Tupac

Details about the PBS hack were

sourced from interviews with thehackers involved, as well asfrom a post that Topiary had puton Pastebin that gave detailsabout what sort of tools, such asHavij, the group had used.According to a March 2012article on darkreading.com, thetool “favored by hacktivists”was created by Iranian hackers,

and its name is derived from thePersian word for “carrot,” also anickname for the male sexualorgan.

The statement that “people in the#anonleaks chat room onAnonOps IRC went into afrenzy” when Topiary postedsomething on Twitter from hispersonal account was sourcedfrom interviews with Topiaryafter he visited the chat network.

Chapter 19: HackerWar

Regarding Pastebin’s boost in

traffic, the website’s controllerswould later show theirappreciation for LulzSec byretweeting @LulzSec’s July 13,2011, announcement that “If@pastebin reaches 75,000followers we’ll engage in amystery operation that will causemayhem.” (This was one of therare tweets from @LulzSec afterthe group officially disbanded.)Hours later, @Pastebin tweeted,

“The # of followers @pastebinis growing very rapidly since@lulzsec is sending their love,”followed by “The twittermadness continues thanks to@lulzsec.” That same day,Topiary exchanged e-mails withPastebin owner Jeroen Vader, atwenty-eight-year-old Dutchentrepreneur, in which Topiaryrequested a “unique greencrown” icon next to his personal“Topiary” account on Pastebin,which, when highlighted, wouldalso say “CEO of consumingpie.” Vader agreed, saying, “I’llbe sure to fix you up with a veryspecial crown. Many thanks for

trusting Pastebin with your‘special’ releases.” Pastebinstatements from LulzSec andAnonymous rank among the top-trafficked posts on Pastebin,along with LulzSec’s final “50Days of Lulz” release on June25, 2011, which clocked411,354 page views as of April3, 2012. (Pastebin hosts ads onits site, so the extra traffic willhave aided its bottom line.)Ironically, Vader said in earlyApril of 2012 that he would hiremore staff to help police“sensitive information” that gotposted onto the site, according toBBC News.

Details about The Jester’s hangouton 2600 and the other peoplewho frequented it were sourcedfrom LulzSec’s leaked #pure-elite chat logs, from interviewswith Topiary, and from my ownobservations of the 2600 IRCnetwork. The points about theorigins of 2600: The HackerQuarterly were sourced fromvarious Web articles, includingt h e PCWorld feature story“Hacking’s History,” publishedon April 10, 2001.

The information about the creationof a secondary ring of LulzSecsupporters was sourced fromconversations with Topiary and

Sabu. The detail about Antisecand its original adherentscomprising “a few hundredskilled hackers” was sourcedfrom my conversations withAndrew “weev” Auernheimer,who was a hacker during theearly days of the Antisecmovement, and from variousWeb articles, including the 2002Wired story “White-Hat HateCrimes on the Rise.”

The nicknames of “secondary crewmembers” of LulzSec, such asNeuron and M_nerva, weresourced from the #pure-elite chatlogs that were first leaked onlineby Pastebin on June 5, 2011, in a

post entitled “LulzSec PrivateLog.” The logs were republishedby The Guardian three weekslater, on June 25, which garneredmore mainstream mediaattention. Further descriptionsabout the room and its members,and the context of theirdiscussions, were sourced frominterviews with Topiary andwith one other hacker, who didnot wish to be named.

The detail that Adrian Lamo wasdiagnosed with Asperger’s issourced from the Wired article,“Ex-Hacker Adrian LamoInstitutionalized, Diagnosed withAsperger’s,” published May 20,

2010.

Chapter 20: MoreSony, More Hackers

Regarding LulzSec and Sony: a

couple of days before the PBSattack, LulzSec had alreadypublished two databases ofinternal information from thewebsite of Sony Japan. It failedto cause a stir, since Topiary hadsimply pasted specific Webaddresses that were vulnerableto a hack by simple SQLinjection. One of them, forexample, looked like this:http://www.sonymusic.co.jp/bv/cro-

magnons/track.php?item=7419(no longer available). Topiaryannounced the finds with a pressrelease, telling other hackers,“Two other databases hosted onthis boxxy box. Go for them ifyou want.” He added that the“innards” were “tasty, but notvery exciting.” Details about theway LulzSec’s core andsecondary members gathered andexplored website vulnerabilitieswithin the network of Sony andelsewhere were sourced fromdiscussions with Topiary, aswell as with Sabu and Kayla.Dialogue among the hackers wasalso sourced from interviews

with the trio. Most of the datathat LulzSec stole from Sonycame from the websitesSonyPictures.com, SonyBMG.nl,and SonyBMG.bg—but 95percent of the hoard came fromSonyPictures.

Descriptions of Topiary’s style ofwriting are based on my ownobservations of the pressreleases he wrote and theTwitter feed he manned.

Context on the extent of the cyberattacks on Sony was sourcedfrom the cyber security websiteattrition.org and its article“Absolute Sownage: A ConciseHistory of Recent Sony Attacks.”

It includes what is probably themost comprehensive table ofcyber attacks on the company thattook place between the months ofApril and July 2011.

The rumors about the PlayStationNetwork hack involving adisgruntled employee and thesale of a database for $200,000come from press reports andfrom one source withinAnonymous who does not wishto be named. It was unclear if thePSN hackers had sold it all on acarders’ market or in chunks. Butin certain online markets it waspossible to make $1,000 sellinga six-year-old database

containing the names of 300,000users—the price in the market atlarge depended on the age of thedatabase, according to peoplefamiliar with the matter. Thismeant that more than 100 millionfresh logins from Sony wouldeasily have been worth tens ofthousands of dollars. A June 23,2011, Reuters article cited alawsuit against Sony that claimedthat the company had laid offemployees in the unit responsiblefor network security two weeksbefore the data breach occurred,and that while the company“spent lavishly” on security toprotect its own corporate data it

failed to do the same for itscustomer data. The lawsuit, filedin a U.S. District Court, cited a“confidential witness.”

Details about the way LulzSecattacked Karim Hijazi come frominterviews with Topiary andKayla, as well as from chat logsreleased by both LulzSec andHijazi. Further details come fromtelephone interviews with Hijaziin the days after his attack wasannounced and from interviewswith his press spokesman.

Details about the ~el8 hackinggroup were sourced from theirfour e-zines, which are stillavailable online, and from the

2002 Wired article “White-HatHate Crimes on the Rise.”

Details about Andrew “weev”Auernheimer’s disclosure of asecurity flaw for iPad users onAT&T’s website were sourcedfrom interviews withAuernheimer, from the Gawkerstory “Apple’s Worst SecurityBreach: 114,000 iPad OwnersExposed,” dated June 9, 2010,and from the CNET article“AT&T-iPad Site Hacker toFight on in Court,” published onSeptember 12, 2011. In July2011, a federal grand jury inNewark, New Jersey, indictedAuernheimer on one count of

conspiracy to gain access tocomputers and one count ofidentity theft. From September2011 and as of mid-April 2012,he was on bail, and reportedlybanned from using IRC orconsorting with people from hishacking group.

The statement that the AnonOpsIRC was “a mess, everyone wason edge” was sourced from myown observations of the chatnetwork and from interviewswith Topiary.

The assertion that a few white hats“secretly wished they could bepart of the fun” was sourcedfrom my observations of

comments made by white hatsecurity specialists on blogs andon Twitter, which oftenprofessed admiration for LulzSecand expressed gratitude that thegroup had demonstrated thenecessity of the Internet securityprofession. A good example isthe article by Australian securityexpert Patrick Gray on hisrisky.biz blog entitled “Why WeSecretly Love LulzSec,” postedon June 8, 2011. The postquickly went viral on Twitter.

Regarding Ryan’s DDoS attack onLulzSec’s public IRC channel—he had been sending the samemessage to anyone who was an

operator in the IRC channel.

Chapter 21: Stressand Betrayal

Details about Kayla’s side

operation were sourced frominterviews with Kayla andTopiary, while dialogue in thischapter was sourced from theleaked #pure-elite logs. Furthercontext on the InfraGard hack,#pure-elite discussions, andBitcoin donations comes frominterviews with the foundingmembers of LulzSec. Somedialogue, such as the reaction tothe $7,800 BitCoin donation,

was also sourced frominterviews.

NATO’s draft report onAnonymous can be found on theorganization’s website here:http://www.nato-pa.int/default.asp?SHORTCUT=2443. It was firstmentioned on tech blogs, such asthinq, in early June.

The deleting code rm -rf/* is wellknown among Web trolls, who atone time made a practice oftelling Mac and Linux users totype the code into their copy ofTerminal, the application thatallows users to engage with theircomputers using a command-line

interface. This can lead users toinadvertently wipe out their harddrives. According toKnowYourMeme.com, thetrolling scheme against PC usershas been around since the early2000s, but became popularthrough its promulgation on4chan around 2006. Users of /b/would post digital flyers or startdiscussion threads saying, forexample, that Microsoft hadincluded a folder calledsystem32 on all PCs and that thisfolder held 32 gigabytes of“worthless crap.” They addedthat the company did this to sellmore system-cleaning software,

and that the way to get back atmoney-hungry Microsoft was todelete the file. This was, ofcourse, completely untrue.

Here is a translation of the UNIXcode rm -rf/* itself: “rm” is thecommand short for remove; ablank space then indicates theend of the command. The “-”begins the options, with “r”meaning “recursively delete alldirectories” and “f” meaning“override file permissions.” “/*”means that everything after theroot of the tree (“/”) is to beaffected. The entire commandmeans “remove everythingforcefully.”

The assertion that “many newsoutlets bought this line”—i.e.,the line that LulzSec had hackedInfraGard in response to thePentagon announcement—wassourced from a number of newsreports. Among them is thedigitaltrends.com story “LulzSecHacks FBI Affiliate, Infragard.”

Details about the arrest of Sabuwere sourced partly from FoxNews reports, including the oneentitled “Infamous InternationalHacking Group LulzSec BroughtDown by Own Leader,” andpartly from an interview with ananonymous source who hadknowledge of the arrest and FBI

investigation. Further detailsabout Sabu’s arrest and his laterappearance in a secret courthearing are laid out in chapter26.

Details about Cisco’s promotionaltweet appearing on Twittersearches for LulzSec weresourced by my own observationsand were corroborated by Ciscospokesman John Earnhardt, whosaid that LulzSec was a “term ofinterest” in the security industry.The day after I wrote a blog poston the promotion for Forbes,entitled “How Cisco IsCapitalizing on LulzSecHackers’ Popularity” and

published on June 15, 2011, thepromotion disappeared.

Joseph K. Black, founder of theBlack & Berg IT securitycompany, most likely faked theattack on his own website. Thisassertion is based on interviewswith Topiary, who said that noone in the group had hit or hadplanned to hit Black & Berg, andon interviews with JenniferEmick, who spent some timeinvestigating Black. I also basethis conclusion on my opinionthat Black is not a crediblesource. Cyber security andantivirus expert RobRosenberger wrote a column for

SecurityCritics.org on February15, 2011, in which he referred toBlack as a “charlatan” whoseactivities until that point already“qualified as ‘unethicalbehavior’ done for shamelessself-promotion.” The cybersecurity site attrition.org laterwrote a damning indictment ofBlack on February 28, 2011, inan article entitled “Joseph K.Black: Social Media ExperimentGone Horribly Wrong,” whichoffered the prediction that Blackwould never obtain his professeddream job of “NationalCybersecurity Advisor.” Itposted screenshots of his Twitter

feed from January of 2011,including tweets such as “I justdid my 2nd line of coke and it’sonly 4.15; WOW!” Anothertweet, directed toward Attritionitself, said, “Your [ sic] justjealous that the Feds haven’ttaken you off the grid yet.Sucker.Im untouchable.I got theFeds in my pocket.Im comfy.” InOctober of 2011, Black waspursued by police in a thirty-five-minute car chase over fourU.S. counties, after which he gotout of his car holding a small dogand pointed his finger at thepolice, making shooting noises.He was promptly Tasered

(source: “Omaha Man Caughtafter Early Morning Pursuit,” theNorth Platte Bulletin, October31, 2011). By early 2012, Black& Berg had folded and Blackhad posted a photo of himself onan about.me Web page, where helisted himself as “Advisor toAnonymous and #Antisecoperations.” In the photo, Blackwas standing in front of a mirror,wearing a hoodie, sunglasses,and a gold chain necklace. Blackdid not respond to a question e-mailed to him on the matter of hiswebsite’s defacement, or to aninterview request. Ironically, inspite of the overwhelming

evidence that the deface onJoseph K. Black’s website hadbeen self-inflicted for publicitypurposes, British prosecutorswould later list an attack onBlack & Berg among the chargesagainst Jake Davis and threeother young men associated withLulzSec.

Details about other copycat hackergroups, such as LulzSec Braziland LulzRaft, were sourced fromthe groups’ own Twitter feeds,announcements, and pressreports, and from interviewswith LulzSec members.

Topiary’s statement “I’m starting toget quite worried some arrests

might actually happen” wasmade in an interview with me.

Chapter 22: TheReturn of Ryan, theEnd of Reason

Details in this chapter about

activities within LulzSec,dialogue about the disappearanceof Sabu, and descriptions ofRyan were sourced frominterviews with LulzSec’sfounding members. Details aboutTopiary’s first call with Sabuwere sourced from interviewswith Topiary.

The name David Davidson comes

from the widely panned 2000comedy film Freddy GotFingered, starring Tom Green. Ithas often been used online as ajoke name, but perhaps notenough to be considered anoutright Internet meme.

Ryan first rekindled hisrelationship with LulzSec’smembers by offering to let thegroup house its IRC network onhis servers. This was a welcomeoffer, although eventually thecrew would be hopping betweenservers owned by AnonOps andthe public IRC networksprovided by EFnet, Rizon, and2600.

Topiary did not believe that the doxreleased for Ryan earlier thatyear by Evo was real. He alsobelieved that the real Ryan wasrelatively safe, since Ryanclaimed, for instance, to have hisneighbor receive all hispackages, which were addressedto a fake name anyway, beforepassing them over to him, so thathe never had to give out his realaddress.

The Skype number 1-614-LULZSEC was off at all timesand redirected to another Googlenumber, which was also offlineand redirected instantly to themain Skype account that Topiary

and Ryan were using. Thisaccount had been registered via afake Gmail account on a randomIP address.

I have sourced the assertion thatAssange was “chuckling” tohimself from interviews withTopiary, who said that when hewas first talking to Assange onIRC, Assange claimed that heand others in WikiLeaks had“laughed” when they heard aboutthe DDoS attack on the CIA.

Details about Julian Assange’sstate of affairs in June of 2011,including his defense againstextradition and the wearing of anelectronic tag, were sourced

from various press reports, suchas “Julian Assange Awaits HighCourt Ruling on Extradition,”published by the Guardian onNovember 2, 2011.

Details about the IRC discussionswithin LulzSec (first betweenTopiary and Sabu, then amongother members of the team) weresourced from interviews withTopiary and with one otherhacker associated with LulzSecwho does not wish to be named.I have also seen and takenscreenshots of the video ofAssange taken by q, which wastemporarily uploaded toYouTube. The video showed the

IRC discussion between LulzSecand a panning shot of Assangelooking at his laptop. Dialoguefrom the discussion betweenSabu and q is taken from thesame video, which also featuredtext from the IRC channel theywere both in at the time. Sourcesclose to WikiLeaks confirm thatq had organized meetings in thepast between Assange and otherthird parties via IRC, and that qis from Iceland. Regarding thefilename RSA 128: RSA is acryptographic algorithm (byRivest, Shamir, and Adleman).The 128 would refer to the keylength, or the strength of

encryption measured in bits.

Chapter 23: Out witha Bang

Details about 4chan’s reaction to

LulzSec were sourced frominterviews with William andTopiary. Ironically enough,LulzSecurity.com was at onepoint hosted in the same datacenter as 4chan, according toTopiary.

Regarding the release of 62,000 e-mails and passwords, Topiaryhad uploaded the database asecond time to the file hostingsite MediaFire.com. However,

before it was again taken down,random users had downloaded italmost 40,000 times.

Further details about LulzSec’sinstigation of a revived Antisecmovement, and details aboutTopiary’s relations with Ryan,were sourced from interviewswith Topiary; context for thesedetails was provided byinterviews with Sabu.

Details about someone from SOCAe-mailing the MetropolitanPolice about a DDoS attack weresourced from prosecutor notes,which were passed on to thearrested LulzSec members.

Details about the arrest of Ryan

were sourced from press reports,such as the Daily Mail article“British Teenager Charged overCyber Attack on CIA as PirateGroup Takes Revenge on‘Snitches Who Framed Him,’”published on June 22, 2011, andfrom interviews with LulzSecmembers. Soon after Ryan’sarrest, an Anon with links toRyan Cleary approached Topiaryon IRC and told him with deadseriousness that a photographerfrom the Sun was planning to flyto Holland to try to snap a photoof the “real Topiary.”

Details about the Arizona policeleak, and dialogue from the

discussion between LulzSecfounding members aboutdisbanding, were sourced frominterviews with Topiary, withsome added context provided bySabu in later interviews.

Chapter 24: The Fateof Lulz

The analogy of “cavemen smearing

buffalo blood” over rocks wasdrawn from a discussion withTopiary.

Details about the Script Kiddieshacking into the Twitter feed ofFox News were sourced fromvarious news reports, such as“Fox News Hacker TweetsObama Dead,” published byBBC News online on July 4,2011. The group’s defacement ofthe Pfizer Facebook page was

sourced from their posts onTwitter and from my ownsubsequent observations of thedefaced Facebook page. Detailsabout other hacker groups fromcountries such as the Philippines,Colombia, and Brazil weresourced from various stories onTheHackerNews.com.

The statement that there were morethan six hundred people in theAnonOps chat room #Antisecafter LulzSec disbanded comesfrom my own observations whileon the IRC network.

Sabu’s statement “I’m doing thesame work, more revolutionary”was sourced from my IRC

interview with Sabu.Details about Topiary’s “break”

from Anonymous after LulzSecdisbanded were sourced frominterviews with Topiary.

The assertion that “severalmainstream press outlets’ earsperked in envy” at Sabu’s claimof granting certain media outletsaccess to News of the World e-mails was sourced from newsreports such as “LulzSec Claimsto Have News International E-mails,” published by theGuardian on July 21, 2011.

The detail about Rebekah Brooks’shusband dumping her laptop in ablack garbage bag is sourced

from the Guardian story “PoliceExamine Bag Found in Bin NearRebekah Brooks’s Home,”published on July 18, 2011.

The assertion that police acrosseight countries had arrestedseventy-nine people inconnection with activitiescarried out under the namesAnonymous and LulzSec wassourced from various newsreports about these arrests and atally on Pastebin. Details aboutthe looming arrest of Topiarywere sourced from Topiary, withcertain facts, including that aboutthe hiring of a private plane,corroborated by news reports,

such as the Daily Mail’s“Autistic Shetland Teen Heldover Global Internet HackingSpree ‘Masterminded from HisBedroom,’” published on July31, 2011.

Part 3Chapter 25: The RealTopiary

Details about Topiary’s arrest,

including descriptions of hisencounter with the police, weresourced from later interviewswith Jake Davis. The detailsabout the police’s visit to Jake’smother’s home in Spalding weresourced from discussions withJennifer Davis. Descriptions ofMs. Davis walking into theCharing Cross police station are

based on my own observationsafter visiting the station that day.

The assertion that the AnonOps chatrooms were “ablaze withrumors” are based on my ownobservations after visiting theIRC network; Sabu’s statementthat he was “pretty fuckingdepressed” comes from myinterview with him.

The statement that the name Jakehad popped up in the AnonOpschat room after an errorinvolving his VPN connectionwas sourced from myobservations of the December 8AnonOps public chat logdatabase on

http://blyon.com/Irc/. The rumorabout the friend from Xboxforums posting “Jake fromShetland” was sourced fromSabu’s published chat log withMike “Virus” Nieves (seechapter 26) and the Gawker story“How a Hacker Mastermind WasBrought Down by His Love ofXbox,” published on August 16,2011.

Details about VPN providerHideMyAss responding to a U.K.court order to help identify amember of LulzSec weresourced from a blog post onHideMyAss’s website entitled“LulzSec Fiasco,” published on

September 23, 2011.HideMyAss did not respond torepeated requests for interviewsand did not list a phone numberon its website.

The item about the Department ofHomeland Security expectingmore significant attacks fromAnonymous was sourced fromthe department’s NationalCybersecurity andCommunications IntegrationCenter bulletin published onAugust 1, 2011.

Details about and descriptions ofJake Davis’s court appearancewere sourced from myobservations while attending the

hearing, with added contextprovided by later interviewswith Davis.

The book Free Radicals: TheSecret Anarchy of Science got asignificant boost in its Amazonrankings after Jake Davis flashedits cover to the cameras,according to an interview withthe book’s author, MichaelBrooks.

Descriptions of the propagandaimages and digital posters madeof Jake Davis after his courtappearance were sourced frommy own observations afterspeaking to several Anonymoussupporters on AnonOps, one of

whom directed me to a growingrepository of these images.

Details about Jake Davis’s fan mailand his life at home weresourced from interviews withDavis, which included visits tohis home in Spalding, and frommy own observation of some ofthe letters he received.

Details about the raid executed byWilliam and other members of/b/ against a sixteen-year-old girlon Facebook named Selena (nother real name) were sourcedfrom interviews with Williamconducted via e-mail and inperson.

Davis’s meeting with William was

arranged by me. I had thought forsome time that it would beintriguing to observe what wouldhappen if two people fromAnonymous were to meet face-to-face. I had also wanted toarrange for an Anon and a victimof Anon—e.g., Jake Davis andAaron Barr—to meet in person.Distance and time constraintsmade a meeting between Barrand Davis impractical, so thenext best thing seemed to be ameeting between William andTopiary. I asked each of them ifhe was willing to meet the other,and after they agreed I set a datein February of 2011. On the

appointed day, I met first withWilliam before traveling withhim by train to the meeting placewith Davis. I accompanied themboth to a restaurant, where wetalked over lunch. As the twomen discussed Anonymous, Iasked questions and took notes.

Chapter 26: The RealSabu

Details about Sabu’s cooperation

with police, and his criminalmisdemeanors outside the worldof Anonymous and LulzSec,were sourced from his criminalindictment and from a transcriptof his August 5, 2011,arraignment in New York’s U.S.District Court. Further contextand description was provided byan interview with a source whohad knowledge of the FBIinvestigation of Sabu, as well as

interviews with Anonymoushackers who had worked withSabu in the months after LulzSecdisbanded and during his time asan FBI informant. All sourcesclaimed not to have knowncategorically that Sabu was aninformant, though they hadvarying degrees of suspicion.

The description of Hector “Sabu”Monsegur was sourced from theFox News report “InfamousInternational Hacking GroupLulzSec Brought Down by OwnLeader,” published on March 6,2012, and from the New YorkTimes story “Hacker, Informantand Party Boy of the Projects,”

published on March 8, 2012.Further descriptions of Sabu were

sourced from my ownconversations with him onlineand by telephone, from myobservations of his Twitter feed,and from a leaked chat logbetween Sabu and hacker Mike“Virus” Nieves. The chat logwas published on Pastebin onAugust 16, 2011, and entitled“sabu vs virus aka dumb &dumber part 2.”

The comprehensive dox of Sabu,which this time included a photoof Hector Monsegur, was postedby a white hat securityresearcher nicknamed Le

Researcher, who pasted a varietyof screenshots of e-mails, defacemessages, and forum posts onhttp://ceaxx.wordpress.com/uncovered/

The assertion that hacktivism is“extremely popular in Brazil”was sourced from a report byImperva entitled “The Anatomyof an Anonymous Attack,”published in February of 2012,as well as from my ownobservations of the number ofpress reports about cyber attacksby Anonymous in Brazil.

Descriptions of and dialogue fromSabu’s interactions with sup_g,aka Jeremy Hammond, ahead ofthe Stratfor attack were sourced

from Hector Monsegur’scriminal indictment, with furthercontext, including details abouthis relations with WikiLeaks,taken from interviews with otherhackers who took part in theStratfor attack.

The reference to the New YorkTimes article in which the FBIdenied they had “let [theStratfor] attack happen” issourced from the story “Insidethe Stratfor Attack,” publishedon the paper’s Bits blog onMarch 12, 2012.

Details about Donncha “Palladium”O’Cearrbhail hacking into theGmail account of a member of

the Irish national police to listenin on a call between the FBI andthe Metropolitan Police weresourced from bothO’Cearrbhail’s and Monsegur’sindictments.

Details about Monsegur passinghimself off as a federal agent tothe NYPD were sourced from hiscriminal indictment.

Chapter 27: The RealKayla, the RealAnonymous

Descriptions of Ryan Mark

Ackroyd were sourced from myobservations of Ackroyd at hisfirst court appearance, on March16, 2012. Details about hisyounger sister, Kayleigh, weresourced from a directory searchon Ryan Ackroyd’s name, whichrevealed the names of Ackroyd’sparents and siblings; the physicaldescription of Kayleigh was

sourced from her publicFacebook account, as were thecomments she posted on herbrother Keiron’s Facebook wall.

The dates and basic details aboutthe first and second arrests ofRyan Ackroyd were sourcedfrom Metropolitan Police pressreleases for both incidents.Interview requests with theMetropolitan Police for furtherdetails about Ryan Ackroyd andthe Met investigation intoAnonymous generally weredenied.

Details about the reaction in theAnonymous community to newsthat Sabu had been an informant

for eight months were sourcedfrom interviews with academicGabriella Coleman, Jake Davis,and a handful of Anons, alongwith my observation of variousTwitter feeds, blog posts, andcomments on IRC channelsfrequented by Anonymoussupporters.

Glossary

4chan: A popular online imageboard frequented by 22 millionunique users a month. Originallybilled as a place to discussJapanese anime, it morphed intoa meeting ground for thediscussion of all manner oftopics, including online pranks,or “raids,” against otherwebsites or individuals (seechapters 2 and 3). A key featureis the forced anonymity of itsusers, who are thus able to postfreely, fearing neither inhibition

nor accountability.Anonymous: A name that refers to

groups of people who disrupt theInternet to play pranks or as ameans of protest. Derived fromthe forced anonymity of users ofthe image board 4chan, it hasevolved over the last five yearsto become associated with high-profile cyber attacks oncompanies and governmentagencies. With no clearleadership structure or rules ofmembership, it exists as a fluidcollective of people who followa loose set of principles derivedfrom the 47 Rules of the Internet.The wider collective takes on

various guises, depending onwhoever happens to beendorsing the name at the time—e.g., the Chanology organizers of2008 (see chapter 5) and theLulzSec hackers of 2011 (seechapter 17).

Antisec (Anti Security): A cybermovement started in the early2000s in which black hat hackerscampaigned to end the system of“full disclosure” among ITsecurity professionals, often byattacking those same white hatprofessionals. LulzSec revivedthe movement in the summer of2011, with the vague goal ofattacking government agencies

and figures of authority in asometimes superficial effort toexpose corruption.

/ b/ : The most popular board on4chan, visited by about a third ofthe site’s users. /b/ wasoriginally billed as the site’s“random” board by 4chancreator Christopher “moot”Poole. It ended up serving as ablank slate on which a host ofcreative Internet memes, such asLolcats, were born, and iswidely considered to be thebirthplace of the Anonymous“hive-mind.” Many Anonymoussupporters say they first foundAnonymous through /b/. It is

infamous for its lack ofmoderators.

Black hat: Someone who usesknowledge of softwareprogramming for maliciousmeans, such as defacing awebsite or stealing databases ofpersonal information for thepurpose of selling it to others. Ablack hat is also referred to as a“cracker.”

Botnet: A network of so-calledzombie computers that have beenbrought together by spreading avirus or links to bogus softwareupdates. Botnets can becontrolled by one person, whocan order thousands, sometimes

millions, of computers to carryout Web-based commands enmasse.

Chanology: Also known as ProjectChanology, this is the series ofcyber attacks, protests, andpranks conducted by supportersof Anonymous throughout most of2008 against the Church ofScientology, the name being aportmanteau of “4chan” and“Scientology.”

DDoS (Distributed Denial ofService): An attack on a websiteor other network resourcecarried out by a network ofcomputers that temporarilyknocks the site offline by

overwhelming it with junktraffic. The attack can be carriedout by a network of volunteersbehind each computer (see“LOIC”) or a network whosecomputers have been hijacked tobecome part of a botnet.

Deface: When used as a noun, thisterm refers to the image and textthat is published on a site thathas been hacked, announcing thatit is a target and the reason it hasbeen attacked. When used as averb, it means to vandalize awebsite.

Dox: When used as a verb, thisterm refers to the act ofunearthing personal details, such

as real names, phone numbers,and home addresses, usuallythrough Google or socialengineering. The resultantinformation is a person’s “dox.”Doxing is often thrown around asa threat in Anonymous andamong hacker communities,which are inhabited by onlinepersonalities who use nicknamesand almost never reveal theirtrue identities.

Encyclopedia Dramatica: Awebsite that chronicles much ofthe goings-on in Anonymous,including Internet memes, 4chanlanguage, and online discussionsamong the more popular users of

various blogs and IRC networks.The site is almost a parody ofWikipedia; it has the same lookand is also edited by users, butits style is irreverent, profane,and occasionally nonsensical,filled with in jokes and links toother ED entries that onlyinsiders can understand.

Hacker: A loosely defined termthat, in the context ofAnonymous, refers to someonewho has the technical skills tobreak into a computer network(see “black hat” and “whitehat”). Generally speaking, theterm can refer to a computerprogramming enthusiast or

hobbyist who enjoys tinkeringwith internal systems andcreating shortcuts and newsystems.

Hacktivist: A portmanteau derivedfrom “hacker” and “activist,” itrefers to someone who usesdigital tools to help spread apolitical or sociologicalmessage. Among the more illegalmethods used are DDoS attacks,website defacements, and theleaking of confidential data.

Image board: An online discussionforum with loose guidelines inwhich users often attach imagesto help illustrate their comments.Also known as “chans,” they are

easy to create and maintain.Certain image boards are knownfor specific topics, e.g., 420chanis known for its discussion ofdrugs.

IP (Internet Protocol) address:The unique number assigned toevery device that is connected toa computer network or theInternet. Each IP addressconsists of four sets of numbersseparated by periods.

IRC (Internet Relay Chat):Perhaps the most prevalentmethod of communication amongsupporters of Anonymous, IRCnetworks offer the kind of real-time text conversation that image

boards cannot. IRC allows usersto talk to one another within chatrooms, or “channels,” and haveexisted since the late 1980s.Each IRC network attractscommunities who share acommon interest, such as theAnonOps IRC, which attractsthose interested in Anonymous.Network and channel“operators” moderate thediscussions on these networks;such roles are seen as anindicator of high social status.

LOIC (low orbit ion cannon):Originally created as a stress-testing tool for servers, thisopen-source Web application

has become popular amongsupporters of Anonymous as adigital weapon that, if used byenough people, can be used tocarry out a DDoS attack on awebsite.

Lulz: An alteration of theabbreviation LOL (laugh outloud), this term is thought to havefirst appeared on an InternetRelay Chat network in 2003 inreaction to something funny. Itnow refers to the enjoyment feltafter pursuing a prank or onlinedisruption that leads to someoneelse’s embarrassment.

LulzSec: A splinter group ofhackers who temporarily broke

away from Anonymous in thesummer of 2011 to pursue aseries of more focused, high-profile attacks on companies likeSony and government agencieslike the FBI. Founded byhacktivists nicknamed Topiaryand Sabu, it had six coremembers and between a dozenand two dozen second-tiersupporters at any one time.

Lurk: To browse a site, IRCnetwork, or image board such as4chan without posting for anylength of time, often with theintent of learning the site’sculture so as not to stand out as anew user. Lurkers can be deemed

unwelcome in certain IRCnetworks if they never contributeto discussions.

Meme: A catchphrase or imagethat has become inadvertentlypopular, thanks to the viralquality of the Internet, and whosemeaning is typically lost onmainstream Web users. Oftenserving as in jokes forAnonymous supporters, manymemes, such as “over 9000” or“delicious cake,” are sourcedfrom old computer games ororiginate from discussions on/b/. Other examples: “RickRolling” and “pedobear.”

Moralfag: A label attached to

either a 4chan user or anadherent of Anonymous whodisagrees with the moraldirection of a post, image,trolling method, idea, raid, oractivity. Often used as aderogatory term.

Newfag: A user on 4chan’s /b/who is either new or ignorant ofthe customs of the community.

Oldfag: A user on /b/ whounderstands the customs of thecommunity, usually afterspending years on the site.

OP (original poster): Anyone whostarts a discussion thread on animage board. In 4chan culture,the OP is always called “a

faggot.”Pastebin: A simple but extremely

popular website that allowsanyone to store and publish text.The site has been increasinglyused over the last two years bysupporters of Anonymous as ameans to publish stolen data,such as confidential e-mails andpasswords from Web databases.It has also served as a platformfor hackers to publish pressreleases, a method used by theAnonymous splinter groupLulzSec during their hackingspree in the summer of 2011.

Rules of the Internet: A list of 47“rules” that are thought to have

originated from an IRCconversation in 2006, and fromwhich the Anonymous tagline“We do not forgive, we do notforget” originates. The rulescover cultural etiquette on imageboards such as 4chan and thingsto expect from onlinecommunities, such as an absenceof women.

Script: A relatively simplecomputer program that is oftenused to automate tasks.

Script kiddie: A derogatory termused for someone who may holdambitions to be a black hathacker and who uses well-knownand freely available Web tools,

or “scripts,” to attack computernetworks. Script kiddies oftenseek to boost their social statusamong friends by hacking.

Server: A computer that helpsprocess access to centralresources or services for anetwork of other computers.

Shell: A software interface thatreads and executes commands.On certain vulnerable websites,a hacker can get a shell to aserver on which the site ishosted, using its admin controlpanel, and the shell, as the newinterface, then gives that hackercontrol of the site.

Social engineering: The act of

lying to or speaking to a personin the guise of a false identity, orunder false pretenses, in order toweed out information.

SQL injection: Also known asSQLi and sometimes pronounced“sequel injection,” this termrefers to a method of gainingaccess to a vulnerable Webdatabase by inserting specialcommands into that database,sometimes via the same webforms as the site’s normal users.The process is a way ofacquiring information from adatabase that should be hiddenfrom normal users.

Troll: A person who anonymously

harasses or mocks anotherindividual or group online, oftenby leaving comments on websiteforums or, in extreme cases, byhacking into social mediaaccounts. When used as a verb,“trolling” can also mean spinningan elaborate lie. The goal isultimately to anger or humiliate.

VPN (virtual private network):Network technology thatprovides remote, secure accessover the Internet through aprocess known as tunneling.Many organizations use VPNs toenable their staff to work fromhome and connect securely to acentral network. Hackers and

supporters of Anonymous,however, use VPNs to replacetheir true IP addresses, allowingthem to hide from authorities andothers in the community.

White hat: Someone who knowshow to hack into a computernetwork and steal informationbut uses that ability to helpprotect websites andorganizations.

About the Author

Parmy Olson is the London bureau chieff o r Forbes magazine. She lives inLondon.

Contents

Title PageDedicationBefore you read this book

Part 1: We Are AnonymousChapter 1: The RaidChapter 2: William and the Rootsof AnonymousChapter 3: Everybody Get In HereChapter 4: Kayla and the Rise ofAnonymousChapter 5: ChanologyChapter 6: Civil WarChapter 7: FIRE FIRE FIRE FIRE

Chapter 8: Weapons that BackfiredChapter 9: The RevolutionaryChapter 10: Meeting the NinjaChapter 11: The Aftermath

Part 2: FameChapter 12: Finding a VoiceChapter 13: Conspiracy (Drives UsTogether)Chapter 14: Backtrace StrikesChapter 15: Breaking AwayChapter 16: Talking About aRevolutionChapter 17: Lulz SecurityChapter 18: The Resurrection ofTopiary and TupacChapter 19: Hacker WarChapter 20: More Sony, More

HackersChapter 21: Stress and BetrayalChapter 22: The Return of Ryan,the End of ReasonChapter 23: Out with a BangChapter 24: The Fate of Lulz

Part 3: UnmaskedChapter 25: The Real TopiaryChapter 26: The Real SabuChapter 27: The Real Kayla, theReal Anonymous

AcknowledgmentsTimelineNotes and SourcesGlossaryAbout the Author

Copyright

Copyright © 2012 by Parmy Olson All rights reserved. In accordance withthe U.S. Copyright Act of 1976, thescanning, uploading, and electronicsharing of any part of this book withoutthe permission of the publisher constituteunlawful piracy and theft of the author’sintellectual property. If you would liketo use material from the book (other thanfor review purposes), prior writtenpermission must be obtained bycontacting the publisher atpermissions@hbgusa.com. Thank youfor your support of the author’s rights. Little, Brown and CompanyHachette Book Group237 Park Avenue, New York, NY 10017

www.littlebrown.comwww.twitter.com/littlebrown First e-book edition: June 2012 The publisher is not responsible forwebsites (or their content) that are notowned by the publisher. The Hachette Speakers Bureau providesa wide range of authors for speakingevents. To find out more, go towww.hachettespeakersbureau.com orcall (866) 376-6591. ISBN: 978-0-316-21353-0