We are continuing the subject of how others were taken down after Sabu was compromised and started cooperating with the FBI. According to this article.
The day after Christmas, sup_g had another online chat about the Stratfor hack and about some 30,000 credit card numbers that had been taken from the company. His interlocutor, CW-1, engaged in a bit of gallows humor about what might happen should they all get caught.
But the raid had, in fact, already happened. CW-1 was “Sabu,” a top Anon/LulzSec hacker who was in real life an unemployed 28-year old living in New York City public housing. His sixth-floor apartment had been visited by the FBI in June 2011, and Sabu had been arrested and “turned.” For months, he had been an FBI informant, watched 24 hours a day by an agent and using a government issued laptop that logged everything he did.
So we see here Sabu is chatting with a user sup_g to try and engage him about the hacks that took place.
Sabu suddenly addresses sup_g by a new name, “anarchaos.” It would turn out that sup_g went by many names, including “anarchaos,” “burn,” “yohoho,” “POW,” “tylerknowsthis,” and “crediblethreat.”
CW-1: if I get raided anarchaos your job is to cause havok in my honor
@sup_g: it shall be so
Normally, the attempt to link his various names would have raised the hacker’s guard; as he confided to Sabu, someone else had once tried to link the names “yohoho” and “burn,” but the hacker “never answered… I think he picked up some language similarities I’ve worked with [REDACTED] on other ops in the past.” But this was Sabu, a sort of hacker demigod in the world of Anonymous. If you couldn’t trust him, who could you trust? Sabu had even provided a server to store the stolen Statfor data, so he couldn’t be a fed (in reality, he had done so at the FBI’s direction).
And more details on how they looked through copious amounts of logs to correlate this user sup_g to his real identity.
To identify sup_g, the Bureau first turned to the voluminous chat logs stored on Sabu’s computer. They went through every comment that could be plausibly linked to sup_g or one of his aliases. The goal was to see if the hacker had slipped up at any point and revealed some personal information.
He had. On August 29, 2011 at 8:37 AM, “burn” said in an IRC channel that “some comrades of mine were arrested in St. Louis a few weeks ago… for midwestrising tar sands work.” If accurate, this might place “burn” in the Midwest. FBI Chicago agents were able to confirm that an event called Midwest Rising was attended by Chicago resident Jeremy Hammond’s twin brother. (Hammond had a history with anarchism and violent protest.)
“Anarchaos” once let slip that he had been arrested in 2004 for protesting at the Republican National Convention in New York City. Much later, “yohoho” noted that he hadn’t been to New York “since the RNC,” nicely tying both online handles to the same person. The FBI went to New York City police and obtained a list of every individual detained at the 2004 convention; they learned that Jeremy Hammond had in fact been detained, though he had not been arrested. The pieces were starting to fit.
“Sup_g” and “burn” both indicated later that they had spent time in prison, with “burn” indicating that he had been at a federal penitentiary. A search of Hammond’s criminal records revealed that he had been arrested in March 2005 by the Chicago FBI and had pled guilty to hacking into a “politically conservative website and stealing its computer database, including credit card information,” according to an FBI affidavit. Hammond was sentenced to two years in prison for the action.
In yet another chat, “Anarchaos” told Sabu that he had once spent a few weeks in a county jail for possession of marijuana. He also asked Sabu not to tell anybody, “cause it could compromise my identity,” and he noted that he was on probation. Both matched Hammond, who was placed on probation in November 2010 after a violent protest against the Olympics coming to Chicago. When the FBI ran a criminal history check on Hammond, it also revealed two arrests for marijuana possession.
The FBI was so thorough that it even followed up on a “POW” comment saying “dumpster diving is all good i’m a freegan goddess.” (“Freegans” scavenge unspoiled, wasted food from the trash of grocery stores and restaurants.) The FBI went to Chicago authorities, who had put Hammond under surveillance when they were investigating him back in 2005. As part of that earlier surveillance, “agents have seen Hammond going into dumpsters to get food.”
Now that they had a suspect, it was time to put him under surveillance.
This is why you all need to be extra paranoid with every single thing you say about yourselves on this forum. I have seen people talking about what country they live in, some even talking about which state they live in. If you think that the FBI will never put the pieces together, you may be sadly mistaken as Jeremy Hammond found out.
Watching the WiFi network revealed the Media Access Control (MAC) addresses of each device connected to the network. Most of the time there was only one, an Apple Computer—and sup_g had told Sabu that he used a Macbook.
On March 1, the agents obtained a court order allowing them to use a “pen register/trap and trace” device that could reveal only “addressing information” and not content. In other words, if it worked, agents could see what IP addresses Hammond was visiting, but they would see nothing else.
His Macbook’s MAC address was soon seen connecting to IP addresses known to be part of the Tor anonymizing network.
And while this definitely sounded like their man, the Bureau went to even greater lengths to double-check their target. The main technique was to observe when Hammond left his home, then to call Sabu in New York and ask if any of Hammond’s suspected aliases had just left IRC or the Jabber instant messaging system.
If this does not open your eyes to some of the mistakes many of you have been making online, then you need to reevaluate how you handle yourselves online. Read the entire article to get a better picture, but remember, I do not care if it is your best friend from elementary school, do not, under any circumstances ever admit anything online to anybody. Never under any circumstances take credit for any freedom fighting or hacktivism you have participated it online. And for christ’s sake, NEVER log into a server, especially one that keeps logs with your real IP address!