LulzSec hackers jailed for cyber-attacks
Men get sentences of up to 32 months for causing millions in damages
Ryan Ackroyd, one of four men who had pleaded guilty for their involvement in a series of high-profile cyber attacks in 2011, puts out a cigarette before returning to Southwark Crown Court for sentencing in London. Photograph: Luke MacGregor/Reuters
Some of the longest ever jail sentences for hacking have been handed down to four British members of the international computer hackers’ gang LulzSec who masterminded a string of sophisticated cyber-attacks on major global institutions from their bedrooms.
The four bragged of being “gods” and caused millions of pounds of damage in a three-month spree in 2011.
The 32-month and 30-month sentences for, respectively, 21-year-old Ryan Cleary of Wickford in Essex and 26-year-old Iraq veteran Ryan Ackroyd of Mexborough in Yorkshire were among the most severe handed down by a British court for such offences. Jake Davis, 20, of Lerwick in Shetland, who acted as group spokesman, received a 24-month sentence in a young offenders’ institution - equal to the previous longest given in 2003 to virus-writer Simon Vallor. All will serve half their sentences.
Another member of the group, Mustafa Al-Bassam, 18, of Peckham in south London, received a 20-month sentence suspended for two years, and 300 hours’ community service.
Only James Jeffery, 27, a member of hacking collective Anonymous and an anti-abortion campaigner, has received a 32-month sentence before, for stealing the details of 10,000 women from Britain’s largest pregnancy advisory clinic.
Judge Deborah Taylor told the four, who had pleaded guilty, that “given your capabilities, the risk [of reoffending] is real and substantial. The name LulzSec encapsulates your desires to cause embarrassment and disruption, while keeping your own identities hidden. You each played your role during a seven-month online campaign ... using your technical abilities to cause catastrophic losses for amusement.”
The “Lulzsec” name is a compound of “lulz” - hacker slang for laughter at others’ discomfort - and “security”.
A fifth member of the group, Hector Xavier Monsegur of New York - who was ostensibly its leader - is facing sentencing in the US, where he could receive up to 124 years. He is due to be sentenced in August. The sixth member of the group, who went by the online handle of “Avunit”, has never been identified or arrested.
In a campaign that began in May 2011, the group - who never physically met while they were active - hacked into the websites of media companies including Sony, News International, PBS and Fox, and of games and pornography companies.
They also used “denial of service” attacks against the sites of the CIA and the UK’s Serious Organised Crime Agency (Soca), while taunting police and rival hackers who tried to identify them. Their exploits ended abruptly with the arrest in July 2011 of Davis in Shetland, and island off the north of Scotland.
The longest sentence was handed down to Cleary, who had always been thought of as peripheral to the group but provided a “botnet” of hundreds of thousands of PCs under his control to knock sites offline by flooding them with data.
Judge Taylor told Cleary that despite his diagnosis of Asperger’s syndrome, “it’s clear you did appreciate the harm being suffered by others” from attacks. “You suggested Soca [the UK’s Serious Organised Crime Agency] as a target.” Cleary will be sentenced separately for the possession of 172 indecent images of children, found on his computer when he was arrested in June 2011.
To Davis, Judge Taylor said: “I take into account that financial gain was not your motivation. You were aware of what you were doing.” He still faces the possibility of extradition to the US over offences committed while in LulzSec.
Of Al-Bassam, who was 16 at the time of the group’s exploits, the judge noted that “your role was to seek out vulnerabilities” but that “you played no role in the Soca attack.” She accepted that he had withdrawn from LulzSec.
Ackroyd, who joined the army at 19 and served for five years, played a higher-profile role in the attacks. Despite having only received a D grade in his computing GCSE - school esmas taken at about age 15 - he taught himself to program so that he could beat the online games he played. He became increasingly adept, and was regarded as the best hacker in LulzSec.
Judge Taylor called him “a very adept looter” who “cut through high levels of security”. She said, though: “Your motivation wasn’t financial. You abused your learning in computers and were flattered by the attention you got online.”
For more than two months, the group’s exploits - which sought to cause embarrassment rather than make financial gain - frustrated police and security companies. But the breakthrough came on June 7th, when Monsegur, known online as “Sabu”, was captured by the FBI. From that point, his communications were monitored, which is believed to have helped identify the locations of the others in the group.
The attack on the Soca website came on June 20th; Cleary was arrested at 3.30am on 21 June. Al-Bassam was arrested on July 19th, and Davis on July 27th - at which point the LulzSec Twitter account, with nearly 350,000 followers, went silent. Ackroyd was arrested in September.
Judge Taylor pointed out that the group published data including staff user names and passwords from News International, and that Davis wrote a story that was posted on the news organisation’s web page suggesting Rupert Murdoch had committed suicide in the latter hack. “The offences were planned and persistent,” she said. “The losses were substantial even if your motivation was not financial.”
But at least one of the group may benefit financially from its exploits. While it was active, it asked supporters to donate the virtual currency Bitcoin to an online address. At the time each Bitcoin was worth between $6 and $10, and Davis estimated that the group had about $18,000 donated by its supporters. If the coins were not spent, they would currently be worth hundreds of thousands of dollars.