The Rise and Fall of Sabu: From Hacker Hero to FBI Informant

by | Apr 1, 2023 | Articles, Hacking Stories

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

Reading Time: 5 Minutes

Introduction

Hector Xavier Monsegur, also known as Sabu, was a prominent member of the hacking collective LulzSec, which gained notoriety in 2011 for a series of high-profile cyber-attacks on government agencies and major corporations. Sabu was known for his technical skills and leadership within the group, but he also played a pivotal role in its downfall.

“He went from being the most beloved figure in the hacktivist group, Anonymous, to being it’s most hated.”

 

Early Life

Born in New York City in 1983, Sabu was raised in the Lower East Side neighborhood of Manhattan. He first became interested in hacking as a teenager and quickly gained a reputation within the hacking community for his technical abilities. In the early 2000s, he became involved with the hacking group Anonymous, which he later described as “a loose collective of activists, hacktivists, and hackers who are united by their hatred of authority and their desire for freedom of expression.”

 

Hacking activities and a key member of LulzSec and Anonymous

Monsegur had been involved in computer and hacking communities since the late 1990s and founded a group for local programmers in 2002.
As time passed, Monsegur developed strong antigovernment and anticapitalist beliefs that drew him further into the hacking world.

In an interview, he revealed becoming a hacktivist at 16, being disturbed by the Navy’s use of Vieques Island, and later joining Anonymous in 2010. Monsegur’s outrage over Julian Assange’s arrest was the catalyst for his involvement with the group.

From 2011 to 2012, Monsegur led Anonymous, becoming the group’s charismatic spokesman, adept at handling the media. Under his leadership, Anonymous claimed victories using Twitter by posting screenshots of “taken down” websites and appeared invincible.

See Also: So you want to be a hacker?
Offensive Security Courses

To increase Anonymous’ glory, Sabu formed LulzSec, a smaller group of hackers that quickly gained fame for a series of high-profile hacks. Lulz Security, or LulzSec, claimed to attack computer security companies for laughs, or lulz, rather than for financial gain. Like Anonymous, LulzSec was loosely organized and lacked a formal hierarchy. Members communicated using online chat rooms and forums and used aliases to conceal their identities.
However, the collateral damage inflicted on innocent citizens caused many to lose support for LulzSec.

For example, As part of a marketing campaign, Sony Pictures was running several prize giveaways, but LulzSec hacked into SonyPictures.com using a basic SQL injection and obtained the personal information of more than one million registered users, including usernames, passwords, and profiles. LulzSec’s reason for the breach was that Sony Pictures’ security was “disgraceful and insecure,” but many viewed it as just boasting. When questioned about compromising innocent television watchers’ credentials, LulzSec’s response was simply “we do it for lulz” (the laughs).

 

 

Timeline of some of the most notable attacks by LulSec:

 

A screen grab of the PBS website, showing how it looked following LulzSec’s hack-attack

 

  • April – June 2011: LulzSec gains notoriety with a series of attacks, including hacking PBS and releasing a fake news story claiming that rapper Tupac Shakur was still alive.

 

  • June 2, 2011: LulzSec hacks into the website of the US Senate and steals confidential data, including email addresses and passwords.

 

  • June 10, 2011: LulzSec targets Sony Pictures and leaks sensitive data including employee personal information, email exchanges, and even unreleased movies.

 

  • June 14, 2011: LulzSec attacks the website of the CIA and takes it offline.

 

  • June 16, 2011: LulzSec claims responsibility for an attack on the website of the UK’s Serious Organised Crime Agency (SOCA).

 

  • June 19, 2011: LulzSec attacks the website of the Arizona State Police and releases sensitive information including emails, training manuals, and other documents.

 

  • July 18, 2011: LulzSec targets News International, a subsidiary of News Corp, and hacks into the email accounts of staff members, as well as the website of The Sun newspaper.

At that point, Sabu had gained a massive following within Anonymous, and his Twitter handle, @anonymouSabu, had amassed hundreds of thousands of followers. He topped the FBI’s list of most wanted cybercriminals.

However, Sabu had also attracted the attention of another famous hacker, The Jester, who was known for his distributed denial-of-service attacks on jihadist websites. The Jester and Sabu had opposing views on almost every topic, except their shared hatred of the Westboro Baptist Church. At DEF CON 19, both hackers claimed to be in attendance, but Sabu refused to meet The Jester face-to-face, fearing exposure by the authorities.

 

Beginning of the end – Arrest and FBI informant

The FBI caught Hector Xavier Monsegur after he made an embarrassing security mistake. He had always been careful to hide his Internet protocol address using proxy servers, but one time he logged into an internet relay chatroom without masking his IP address. This mistake enabled the FBI to locate him. The FBI managed to trace the proxy server to Sabu’s apartment in New York City, and they arrested him in June 2011.

Facing a possible sentence of up to 124 years in prison, he was forced to agree to work as an informant against his former hacktivist colleagues, but neither his family nor his colleagues in Anonymous and LulzSec were aware of this.

Monsegur was monitored by his federal handlers while spending between eight and 16 hours a day on his computer. He worked with the FBI to inform 300 government, financial and corporate entities in the US and elsewhere of problems in their systems that had come to the attention of hackers.

His cooperation with the FBI was kept secret for several months. This allowed him to continue to communicate with other hackers and gather information for the authorities without arousing suspicion.

Monsegur’s cooperation led to the arrest of several other members of LulzSec and related hacking groups. He provided the FBI with information about their activities, identities, and locations. He also helped the FBI to identify vulnerabilities in various computer systems and networks that could be exploited by hackers.

While working as an FBI informant, Sabu continued to participate in hacking activities, including attacks on various websites and networks. He did this with the FBI’s knowledge and approval, in order to maintain his cover and gather more intelligence.

Ironically, Monsegur was cheering on attacks against law enforcement systems from behind an FBI desk while working to minimize the damage caused by them.

 

The revelation FBI’s cooperation with Sabu

In March 2012, several individuals in the UK and the US were arrested in connection with various hacking activities. These arrests were part of a joint operation between the FBI and other law enforcement agencies, and they were widely reported in the media.

As part of the announcement about the arrests, it was revealed that Monsegur had been working as an FBI informant for several months. This came as a shock to many in the hacker community, who had viewed Sabu as a key member of LulzSec and a vocal advocate for online activism.

The news of Monsegur’s cooperation with the FBI was met with mixed reactions. Some praised him for turning his back on illegal hacking activities and helping law enforcement to bring down other hackers. Others, however, accused him of betrayal and selling out his fellow hackers.

Monsegur himself later spoke publicly about his cooperation with the FBI. In interviews with various media outlets, he explained that he had decided to cooperate because he was facing a long prison sentence and wanted to protect his family. He also claimed that he had been motivated by a desire to make amends for his past actions and to help prevent future cyber-attacks.

Despite the controversy surrounding Monsegur’s cooperation with the FBI, it is widely acknowledged that his actions helped to bring down several hacking groups and disrupt numerous illegal activities. The case also highlighted the
growing role of law enforcement in combating cybercrime and the challenges that they face in working with individuals who have a history of criminal activity in the online world.

Monsegur was imprisoned for 7 months after being arrested but was released while awaiting sentencing. On May 27, 2014, during his sentencing, he was credited with “time served” due to his cooperation with the FBI, and he was subsequently released under a one-year probationary period.

 

Hector Xavier Monsegur arrives at court in New York for a sentencing hearing Tuesday, May 27, 2014.

Life after being an FBI informant

After his release, he was prohibited from using a computer and could only work for his family’s tow truck business in Queens, New York for three years. Even after the restriction was lifted, he faced difficulty finding employment due to cybersecurity companies’ reluctance to hire a former hacker. To make ends meet, he participated in “bug bounty” programs offered by companies like Yahoo! and United Airlines. He identified several bugs and was rewarded with thousands of dollars and a million frequent flier miles.

In 2016, Monsegur quietly worked as the lead penetration tester for Seattle-based Rhino Security Labs almost three years after his release from prison in 2014.

Monsegur claims he’s not ex-LulzSec, ex-FBI, but a security researcher. He says he’s all about business, taking care of his family, and paying bills.
So far, companies have been surprisingly eager to have Monsegur test their security, according to Monsegur’s boss, Rhino founder Ben Caudill. Only one client has balked at the notion of an ex-criminal hacker probing their servers for hackable flaws. Caudill says clients see Monsegur’s involvement as extra assurance that Rhino’s security audits are legitimate, that he’s helping them patch the sort of security vulnerabilities that real black hat hackers would use.

“I’m not ex-LulzSec, I’m not ex-FBI, I’m a security researcher.”
HECTOR MONSEGUR

Caudill says Monsegur has performed dozens of client penetration tests and successfully compromised the target network in every case. For instance, Monsegur hacked a major retailer’s page for uploading timesheets by embedding malicious XML code into an Excel spreadsheet. In another attack on a financial company, Monsegur dug up old credentials that had been posted online. He had Caudill go to an open floor below the company’s headquarters in the same building and, using a laptop and an antenna, try each credential until Caudill found one that let him access the company’s Wifi network and ultimately its servers.

 

Last thoughts

Despite his cooperation with the authorities, Sabu remains a controversial figure within the hacking community. Some see him as a traitor who betrayed his fellow hackers, while others view him as a necessary sacrifice who helped to expose the illegal activities of a dangerous group.

His hacking activities were some of the most notorious and impactful in recent history. However, his cooperation with the FBI and subsequent turn to cybersecurity work have shown that even the most skilled and infamous hackers can reform and use their talents for good. Monsegur’s story highlights the complex and often murky world of hacking and cybersecurity, where criminal hackers and security researchers coexist and sometimes even cross over. As the threat of cyberattacks continues to grow, it’s important to recognize the potential for redemption and rehabilitation in those who once used their skills for nefarious purposes.

 

 

If you enjoyed this article, the best way that you can support us is to share it! If you’d like to hear more about us, you can find us on LinkedInTwitterYouTube.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to Information Security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Merch

Recent Articles

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This