LulzSec leader's digital trail led rival hackers and possibly FBI to him

Information uncovered about Sabu by rival hackers in the past proved to be fairly accurate

The disclosure Tuesday by U.S. authorities that Sabu, the former leader of prominent hacker group LulzSec, is a 28-year-old man from New York City named Hector Xavier Monsegur, corresponds with much of the information released about him by rival hackers in the past.

Sabu had been secretly arrested by the FBI last year and has since allegedly acted as an informant for the authorities, according to court papers in the case. The whole law enforcement operation resulted in the arrest of five more alleged hackers linked to LulzSec and Anonymous.

Back in June 2011, a few weeks before LulzSec decided to disband, several rival hacker crews like TeaMp0isoN (Team Poison), lone hacktivists like th3j35t3r (The Jester) and other Internet users unhappy with the group's actions, launched a virtual war against its members.

LulzSec's enemies engaged in an activity known in the hacker community as doxing, which consists of gathering personal information about an online user and publishing it online with the goal of exposing his real identity.

One of the first information dumps targeting LulzSec members was done by a group called the A-Team, and while the information later proved largely incomplete and bogus, the details about Sabu in particular appear spot on.

A-Team claimed that Sabu was a Puerto Rican man named Hector Xavier Montsegur who was living in New York. The group said that this information matched archived whois data for, a domain name believed to be owned by Sabu, that has since been anonymized.

According to the A-Team, some of the online aliases used by Sabu were 548U, hectic_les and leon, the last of which is mentioned by the authorities in Monsegur's unsealed indictment.

A separate Sabu dox report, posted by an anonymous user on Pastebin on June 21 last year, traces Monsegur's alleged online activity as far back as 2003. It claimed that he was involved in several software and security-related projects over the years under the aliases Xavier Kaotico and Xavier de Leon -- another fake identity mentioned in his indictment.

On August 17, around the time when Monsegur is said to have started working with the FBI as a cooperating witness, another Sabu doxing project was started on a blog. It listed the hacker's known email addresses, including many that contain Sabu, Xavier and Monsegur in their names.

The project concluded that Sabu lives in New York City, is a NY Giants fan and even includes a picture of him grabbed from a MySpace profile.

Information gathered with the help of Google search and other freely available services suggests that the LulzSec leader may have been careless at the beginning of his hacking career and failed to switch to another identity when things started to get more serious.

LulzSec members left electronic fingerprints behind that made their arrest inevitable, said Rob Rachwald, director of security strategy at security firm Imperva. In one incident, a LulzSec member changed his online identity, but left clues about it on a public forum, he said.

There is very much a trail of history on hacker forums, just as there is on Facebook, and if you are loud enough through your actions, like LulzSec was, you will prompt law enforcement to search for it, Rachwald said.

The security expert drew a parallel between Sabu's case and that of famous mobster John Gotti, whose similar defiance of law enforcement eventually led to his downfall.

It's somewhat curious that Sabu's accomplices didn't wonder why the hacker never got arrested despite so much information about him being exposed online, even if he did try to deny its accuracy.

It was in June of 2011, at about the same time as Sabu's arrest, that Eric Corley, publisher of quarterly hacker magazine 2600, told The Guardian that, in his opinion, one in four U.S. hackers had been turned into FBI informants. Hackers are susceptible to intimidation because of the harsh penalties involved and their inexperience with the law, he said at the time.

Stories by Lucian Constantin