Exclusive: How FBI Informant Sabu Helped Anonymous Hack Brazil
Exclusive documents obtained by Motherboard detail Hector Xavier Monsegur's leadership in attacks against Brazilian government and commercial websites.
Illustrations by Clark Stoeckley
In early 2012, members of the hacking collective Anonymous carried out a series of cyber attacks on government and corporate websites in Brazil. They did so under the direction of a hacker who, unbeknownst to them, was wearing another hat: helping the Federal Bureau of Investigation carry out one of its biggest cybercrime investigations to date.
A year after leaked files exposed the National Security Agency's efforts to spy on citizens and companies in Brazil, previously unpublished chat logs obtained by Motherboard reveal that while under the FBI's supervision, Hector Xavier Monsegur, widely known by his online persona, "Sabu," facilitated attacks that affected Brazilian websites.
The operation raises questions about how the FBI uses global internet vulnerabilities during cybercrime investigations, how it works with informants, and how it shares information with other police and intelligence agencies.
After his arrest in mid-2011, Monsegur continued to organize cyber attacks while working for the FBI. According to documents and interviews, Monsegur passed targets and exploits to hackers to disrupt government and corporate servers in Brazil and several other countries.
Details about his work as a federal informant have been kept mostly secret, aired only in closed-door hearings and in redacted documents that include chat logs between Monsegur and other hackers. The chat logs remain under seal due to a protective order upheld in court, but in April, they and other court documents were obtained by journalists at Motherboard and the Daily Dot.
US Attorney James Pastore (left), Judge Loretta Preska (right), at Monsegur's sentencing hearing.
On June 7th, 2011, just hours after the FBI appeared at Monsegur's doorstep in New York City's Jacob Riis housing projects, he quickly confessed to his crimes and had his battered laptop swapped out for a fresh one provided by investigators. As "Sabu," he quickly resumed his communications with activists, journalists, and other hackers.
In a closed hearing on August 5th, 2011, government prosecutors noted that Monsegur worked “around the clock... at the direction of law enforcement" to provide information on “targets of national and international interests,” and "engaged his co-conspirators in online chats that were critical to confirming their identities and whereabouts.”
“During this time the defendant has been closely monitored by the government,” said prosecuting US attorney James Pastore, according to a transcript. “We have installed software on a computer that tracks his online activity. There is also video surveillance in the defendant’s residence.”
- More on the story from the Daily Dot: How an FBI informant orchestrated the Stratfor hack
The active monitoring and recording of Monsegur's online activity continued until at least March 6th, 2012, when the FBI revealed his cooperation. In tandem, the bureau announced hacking charges against Jeremy Hammond and several other hackers abroad.
Later, his chat records would be used to track down and prosecute no fewer than eight of his online acquaintances. Pastore said Monsegur had helped to "prevent a substantial number of planned cyber attacks"—possibly more than 300.
But the records confirm previous accusations that Monsegur played an integral role in a series of cyberattacks against government and private websites in foreign countries. The names of the countries are redacted in public court documents, but logs reveal that Syria, Iran, Nigeria, Pakistan, Turkey, and other government sites fell victim to attacks orchestrated by Monsegur while he was working with the FBI.
These included a wave of digital disruptions in Brazil, incited by Monsegur under the group "AntiSec," which he formed just weeks after his arrest:
We are working under the #antisec flag now gentlemen. LulzSec will live on forever as a successful operation. Much love to all— The Real Sabu (@anonymouSabu)
One day later, Monsegur formally disbanded LulzSec, an Anonymous offshoot that had wreaked havoc on the web for a span of 50 days starting before Monsegur's arrest. With LulzSec retired, Monsegur would move on to bigger targets under the banner of AntiSec.
As a federal informant, Monsegur maintained numerous ties to international hackers, and, through social media and interviews with journalists including Motherboard, regularly contributed to various hacking campaigns as one of the loudest and angriest public faces of Anonymous.
He would often discover vulnerable websites, either by himself or with the help of his contacts. He would then deliver those targets to other members of AntiSec, including Hammond, a 29-year-old hacker who at the time was the FBI's most wanted cyber criminal. Hammond is now serving a ten-year prison sentence for his role in the attacks on American websites.
The government said Monsegur's help led to the prosecutions of eight other individuals, including residents of Ireland, the UK, and an American journalist, Matthew Keys, who worked as a social media editor at Reuters. Other hackers, who played less significant roles, have yet to be charged. Keys, 27, is the only one to have not pleaded guilty.
It's not clear what the FBI's precise role was in the attacks, whether handlers had made direct requests of Monsegur or had simply neglected the informant's conduct. But, according to Pastore, Monsegur would regularly "meet with law enforcement" after chatting with hacktivists, "...to do a full debrief on exactly who each of those individuals were, what he knew about them, and how they fit into the overall picture of LulzSec and the other cyber crimes that he provided information about."
When reached for comment earlier this week, an FBI spokesperson said the agency needed more time to prepare a response. After his sentencing last week, Monsegur declined to further discuss his case.
Update 6/5/14: FBI spokespeople told Motherboard that the bureau stands by the government's prosecution regarding Monsegur, and added, “Frankly, this case got adjudicated. We’re kind of done talking about it. We point you to the court documents. We’ve been involved in cyber crimes for a while now so we’ve been in the forefront of that, so I think the FBI is well positioned to conduct cyber investigations. Anytime we handle a source, we handle the source in accordance with Attorney General guidelines."
Ask and you shall receive
"You owned any cyber-security firms or cybercrime units?" Monsegur asked another hacker in an encrpyted chat on January 16th, 2012, as the FBI listened. "we like those."
"which country?" the hacker asked. "I'll show you some stuff."
The hacker proceeded to discuss his recent exploits. His curiosity piqued, Monsegur then offered the hacker access to powerful zero-day exploit (a previously unknown software vulnerability) found by his AntiSec crew, "so we can both take advantage of this."
Next, Monsegur requested targets including Germany, Austria, and Brazil. In response, the hacker pasted dozens of .gov.br subdomains into their private chat, along with logins for personnel.
The two signed off, but about an hour and a half later, the hacker returned to tell Monsegur some exciting news:
"They work for Intranet on the webside," he explained, "and if you wana read mail from mail client use pop server — [REDACTED]."
"It's beautiful, my brother," Monsegur said. "Our friendship will be a good one for sure."
Last week, at Monsegur's long-delayed sentencing hearing, Judge Loretta Preska of New York's Southern District handed Monsegur a sentence of time served—seven months—to be followed by one year of supervised release in response to the dozen counts of criminal hacking he pleaded guilty to nearly three years earlier.
Monsegur (center) with his defense attorneys, Peggy Cross-Goldenberg (left), and Philip Weinstein (right).
Monsegur's defense, federal prosecutors, and Judge Preska all commended his "extraordinary cooperation" with investigators. "His assistance allowed the government to pierce the secrecy surrounding the group," said Preska at Mosegur's sentencing, "to identify and locate its core members and, successfully, to prosecute them."
"I will not be in this courtroom ever again," the hacker-turned-informant assured Judge Preska in a brief statement before leaving the courthouse.
In its pre-sentencing memorandum, the government stated, “at law enforcement direction," Monsegur tried but failed to obtain details about a software vulnerability in foreign government websites. "At the same time," the memo continued, "Monsegur was able to learn of many hacks, including hacks of foreign government computer servers, committed by these targets and other hackers, enabling the government to notify the victims, wherever feasible." The memo did not specify which of the foreign governments the United States might have alerted.
The chat logs tell a different story. They show that Monsegur largely supplied vulnerable targets to hackers who compromised them at later dates.
One of the first instances of Monsegur assigning targets came the following day, on January 17th, 2012, when he entered an IRC room affiliated with a Brazilian faction of Anonymous, AntiSecBr, started by Monsegur.
Monsegur, as Sabu, asked a member of AntiSec Brazil if they had "good hackers," before proceeding to hand out the targets he had acquired the previous day:
Five days after he obtained credentials to military police (Polícia Militar do Distrito Federal) servers, Monsegur relayed the details to no fewer than four other hackers, including Jeremy Hammond.
Within days, AntiSec and other offshoots of Anonymous had successfully assaulted dozens of Brazilian websites as the FBI watched.
That week, The Hacker News reported that Anonymous had managed to strike the websites of Brazil's federal district and Tangará da Serra, among others, in the midst of multiple international campaigns.
"What we are doing is so massive," Monsegur wrote to Hammond a few days later, on January 23rd, 2012. Under the leadership of Monsegur, the group's global cyberassaults were bringing power back to the people, he insisted, and making Anonymous a global force to be reckoned with.
The Brazil operation and others targeting foreign sites, Monsegur told Hammond, was "something WikiLeaks couldn't have done."
In one arena of the web, hackers in the Middle East were "striking at Israel for the first time en masse [and] together as one," Monsegur wrote, while anti-government activists in Brazil were expressing their anger at the government in Brasilia with the glowing support and endorsement of Anonymous. Once a ruthless, degenerate hate-machine born on 4chan, Anonymous was growing up, evolving its focus toward political activism.
Yet even as Anonymous and its assorted factions set its sights on Brazil in early 2012, the operation polarized hacktivists of various stripes who had struck the same targets for different reasons.
While Monsegur and AntiSec were facilitating an anti-corruption campaign against the Brazilian government, other hackers in Brazil responded to the shutdown of file-sharing site Megaupload by launching assaults on the pages of entertainment industry entities accused of aiding in that takedown.
At this time, the FBI even recorded chat room discussions, via Monsegur, regarding the takedown of its own website, and the Justice Department's website as well. Outraged over the US government's shutdown of Megaupload and the prosecution of its founder, Kim Dotcom, hackers plotted the offending DDoS attacks as part of #OpMegaupload.
“If Megaupload is down, you are down too," the homepage of Brazilian singer Paula Fernandes was defaced to read at one point. Though loose-knit, schizophrenic, and scattered, the operations were nevertheless seen as a success.
These campaigns, against no fewer than 10 foreign targets, were committed even as Monsegur was being monitored by the FBI, along with the additional AntiSec operation that ravaged Stratfor, an American geopolitical publishing firm. Amid a perfect storm of hackers, the bureau had front row seats.
As AntiSec and other Anons continued to wage attacks that January, Monsegur spread word of vulnerable Brazilian websites and passed along details to others.
At the center of AntiSec's arsenal was a crucial vulnerability that pointed the way toward open backdoors.
"We had this Plesk [a commonly-used web publishing platform] vulnerability," Hammond said in a recent prison interview at a medium-level security facility in Manchester, Kentucky. "You could just search 'Brazil Plesk police' and see a list of targets, like the internal affairs of military police in Brazil. It would contain a hundred other domain names. They’d also have access to whatever was on that site."
One chat log reveals that Monsegur directly ordered Hammond to "work on the gov," while he personally gathered additional Brazilian targets during a days-long span in late January 2012.
"Sabu would say he wanted so-and-so, that another hacking team wanted this particular target," Hammond said. "Some Brazilian was looking for people to hack them once I gave him the keys."
At times, Monsegur's instructions resembled orders. "Hit these bitches for our Brazilian squad," he ordered Hammond in a private chat on the afternoon of January 23rd, 2012.
"He’d give me domains, and I could see subdomains, emails," Hammond said. According to their chats, one of the targets was hacked by Hammond, who then provided Monsegur with access to 287 domains and 1330 different email accounts.
That evening, Monsegur continued to assign vulnerable sites to Hammond. A "big target," Monsegur wrote, was a server used by Globo, a Brazilian media company, and one of the largest in the world. Monsegur had learned it was susceptible to the Plesk zero-day, and told Hammond that AntiSec should infiltrate.
A private chat log between Monsegur (leondavidson) and Hammond (yohoho).
"Try to hit that first one if possible," Monsegur messaged him at 9:30 that night.
A minute later, Hammond was in. "Niiice," he wrote. "On edglobo.com.br."
"SEX," Monsegur answered. "This is big. Globo. Brazils biggest media comany [sic]."
With that server breached, among many others, private messages reveal that Monsegur pointed hackers like havittaja and others keen on attacking Brazil toward the targets. On February 2nd, Monsegur told Hammond, "I'm about to get brazillians to go in [sic] a rampage."
In one private chat between Monsegur and another hacktivist, the informant brags about the exploits he'd conveyed to other hackers. (The hacker in question has corroborated the details of the chat logs he appeared in, but asked not to be identified by his former handle.)
03:45 <&Sabu> they doing another 4 gov.br defacements
03:45 <&Sabu> that we at #antisec gave them
03:45 <&Sabu> so wait for those
03:45 <&Sabu> and
03:45 <&Sabu> we gave them root on brazils biggest media site globo
03:45 <&Sabu> so lets see how they handle it
03:45 <&Sabu> yup
03:45 <&Sabu> ;P
03:46 <&Sabu> they might not deface it but study it, get passes etc
03:46 <&Sabu> yup
03:47 <&Sabu> they will throw #antisec in it
03:47 <&Sabu> yeah when we gave him access
03:47 <&Sabu> he was like
03:47 <&Sabu> O_O hUEHuehUEHhueUEHuheUEHuehUEHuheuHhueUHEUheuHEUhehUEHuheh
Monsegur was not economical in handing out targets to strike. Hours before Monsegur told Hammond to strike Globo, he'd passed a handful of Brazillian government targets to another hacker.
On 6:17 on the evening of January 23rd, a hacker named "hard366" messaged Sabu to say he had "nothing to attack." Twenty minutes later, Monsegur responded by sending the hacker a lengthy list of commercial domains and root access to a .gov.br domain.
The hacker was taken aback, and told Monsegur he wasn't sure what to do with the trove of websites.
"do whatever you want," wrote Monsegur. "its yours brother."
"whats u mean is mine?" hard366 wrote back. "this is real testing for what[?]"
"this is a real server," he wrote, "ready for defacement."
The unsolicited present Monsegur gave hard366 opened backdoors to hundreds of Brazilian websites, allowing an attack that was part of a wider campaign of hacks against a number of foreign companies, and government servers—all under the auspices of the FBI.
Two years later, a Brazilian web forum remains vandalized with the calling card of "hard366." A mirrored version confirms the defacement happened on February 4th, just days after the above exchange. Later that week, Softpedia reported that Anonymous defaced "more than 100 commercial and government sites to reveal their protest messages against the government."
“We launched many DDOS attacks and defaced Brazilian sites because of the corruption in the capital of the country,” havittaja, one of the hackers handed exploits by Monsegur, told Softpedia.
The still-defaced homepage of formasbrasil.com.br. GIF by Daniel Stuckey.
Parmy Olson, a Forbes reporter and author of We Are Anonymous, acknowledged that Monsegur facilitated many of these attacks. "He acted as the mediator, talking to the Brazilian hacktivists, then telling his crew of hackers what the Brazilians wanted to deface. His crew rooted the Brazilian servers and then sent Sabu the login credentials to pass on to the Brazilian hackers," Olson wrote in her 2012 book.
The chat logs affirm that the FBI's informant not only harvested targets but drew up battle plans for cyber attacks.
On January 24th 2012, the day after handing over the list of exploited Brazilian domains, Monsegur wrote to hard366:
On Twitter, @hard366's Twitter activity in the last week of January contains a collection of his achievements: Dozens of federal and local government websites defaced and downed, after Monsegur had handed them over.
Follow my brother @hard366 for doing big things en Brasil— The Real Sabu (@anonymouSabu) January 30, 2012
"Follow my brother @hard366 for doing big things en Brasil," Monsegur tweeted on January 30th.
At the height of AntiSec's reign, many within the hacktivism community sought Monsegur’s validation as a badge of honor. Even as he faced more than 124 years in prison for his hacks, Monsegur, working as an informant, publicly hailed others who continued to carry out attacks under the AntiSec umbrella.
"Follow @Havittaja as he is on a rampage!" Monsegur exclaimed on Twitter:January 24, 2012
"Rally up .br hackers," Monsegur tweeted in early February:February 3, 2012
At the time, Brazil was emerging as a hotbed for cyberattacks. "Why is hacktivism hitting Brazil with such intensity?" security researchers at Silicon Valley-based Imperva asked in their 2012 report. "Short answer: Twitter. Today, Brazil ranks second after the US in Twitter usage."
Hacking quickly attracted the attention of many Brazilians, in whose minds, the report noted, "the cyber mayhem was no crime. Anonymous Brazil touched a populist nerve. The main innovation? They made DDoS accessible to the masses. Anyone with a browser—even a mobile browser—could participate in an attack. You could see the fruits of your labor as target sites went down with a populist cyber riot. No pitchfork required."
Eyewitnesses to the operations aren't certain if Monsegur meant to make an example of Brazil in particular, though. "At the time," one hacker involved in the Brazil operations said, "many Brazilian sites were vulnerable." And even before his June 2011 arrest and his subsequent cooperation, "Sabu was pushing for foreign targets even before Hammond."
Before Jeremy Hammond's sentencing in November, when he was charged with stealing Strafor subscriber credit cards and wreaking havoc on the firm's servers, his defense submitted an argument to Judge Preska. Hammond's additional hacks of foreign governments, the attorneys wrote, were perpetrated under the supervision of "the government's agent Hector Monsegur."
"...it has become clear that the Stratfor hack and the relevant conduct to which Mr. Hammond pled guilty are only part of the story...Following the Stratfor hack, Mr. Hammond, through the government's agent Hector Monsegur, aka 'Sabu,' was asked to hack a number of websites and computer servers outside of the United States. Mr. Monsegur supplied lists of targets, which included numerous foreign government websites and affected over 1,000 domains."
“All of this happened under the control and supervision of the FBI…” Hammond insisted in a three-paragraph statement that appeared online just hours after Preska handed down her sentencing decision.
The statement revealed additional names of foreign countries that were targeted with the help of Monsegur while the FBI supervised him: Syria, Colombia, Nigeria, Slovenia, Greece, Iran, and Pakistan. Puerto Rico was also mentioned.
"We will hold you accountable"
Five months after top-secret NSA documents started to surface, Brazilian President Dilma Rousseff responded with outrage that the US government had bugged Brazil's embassies, a state oil company, and even Rousseff's own cell phone. The actions, she said, exhibited a "breach of international law."
Rousseff's administration considered creating a Brazil-specific internet, which would exist to bypass US internet companies. Most recently, Brazil has praised a bill in the US Congress that would relax NSA's abilities to engage in such activity.
Allegations that the FBI oversaw hundreds of cyberattacks on foreign websites during its investigation of Anonymous have been described in a handful of recent reports. The details about the operation have been excluded from court proceedings, and the US attorney's office for the Southern District of New York has declined to comment further on the case.
The operation sheds light on how the FBI conducts cyber surveillance, an effort the agency has sought to expand domestically and to international venues like Russia and China, in some cases with help from other agencies and private security firms.
Two weeks ago, the FBI announced charges against five Chinese military hackers for hacking into American companies. On Monday, after a secret 72-hour raid, it announced it had helped to dismantle a massive Russian botnet run by a 30-year-old hacker that was commandeering private computers and siphoning tens of millions of dollars from American bank accounts. The operation was "the largest fusion of law enforcement and industry partner cooperation ever undertaken in support of an FBI cyber operation,” said Robert Anderson, Jr., the FBI's new assistant executive director of the Lead Criminal, Cyber, Response, and Services Branch.
"If we can reach out and touch you, we are going to reach out and touch you," Anderson told Reuters at a recent security conference. "If you are going to attack Americans—whether for criminal or national security purposes—we are going to hold you accountable, no matter what country you live in."
It remains unclear how many cybercrime cases the FBI has conducted with the help of hackers like Monsegur, and what damages, collateral or otherwise, have been caused in the process.
"The fact that they're nailing these young hacktivists rather than reforming themselves I find to be outrageous, completely hypocritical, and practically, really criminal," said Michael Ratner, an attorney for WikiLeaks. In 2012, WikiLeaks began publishing a trove of sensitive internal correspondence from Stratfor that was hacked by Hammond after Monsegur assigned him the target.
"It's completely outrageous that they made Sabu into this informant and then, it appears, requested him to then get other hackers to invade sites and look for vulnerabilities in those sites," Ratner said. "What that tells you is that this federal government is really—it's really the major cybercriminal out there."
Monsegur leaves court a free man.
Hammond pleaded guilty to crimes for which Monsegur acted as an informant, rather than risking 39-years-to-life in federal prison if he were to unsuccessfully fight those charges in court. In the end, he received a decade of prison time. Barrett Brown, a Texan journalist whose Dallas home was raided in March 2012 during an investigation into LulzSec, faced 105 years before he pleaded earlier this year to charges related to Hammond's Stratfor hack.
In previously leaked chat logs dated May 2012, after Monsegur's role as an informant had become known, he acknowledged to another hacker that that federal computer laws were too draconian to risk challenging.
"[A] lot of these laws are arbitrary and dumb. written and pushed...to oppress hackers with outrageous sentences," Monsegur privately messaged an acquaintance known as Sanguinarious, weeks after his informant status was revealed. "124 years? Come on." (Sanguinarious has confirmed the authenticity of the chat log.)
(5:38:17 AM) Sabu: hadn't I ignored my gut instincts and stayed away from anonymous circles-but did hacks from the backgroujnd
(5:38:21 AM) Sabu: things would be very different right now
(5:38:28 AM) Sabu: lets be real, I ain't trying to sound like an arrogant fuck
(5:38:41 AM) Sabu: but I did almost all of the hacks - I didn't even need anyone at all
(5:38:47 AM) Sabu: so its like
(5:38:53 AM) Sabu: I dicked myself for no reason
At the hearing last week, Judge Preska explained the rationale behind Monsegur's sentencing. "I certainly take to heart the thought that a lengthy sentence of incarceration would deter others," she said. "However, in this instance, in light of Mr. Monsegur's cooperation, which is truly extraordinary, a lengthy sentence is much more than what is required to fulfill the sentencing guidelines."
"These niggas don't care if they stop Anonymous at the end of the day," Monsegur told Sanguinarious. "Their priority is to make the FBI look good at the end of the day."