The FBI sat back and watched a hacker they’d compromised instigate and commit a host of cyber-crimes in an operation that netted eight more arrests, according to newly leaked documents. But the revelations raise questions about where law enforcement ends and law-breaking inducement begins.
Hector Xavier Monsegur, known online as Sabu, facilitated some of the biggest hacking exploits of recent years. And his FBI handlers were watching over his virtual and physical shoulders the whole time. In the process, the hackers damaged targets that included foreign governments and American companies.
We’ve seen the FBI let informants it deems valuable break the law in the past, in the name of catching bigger fish. In extremis, that’s led to murder: Take the case of Boston mobster James “Whitey” Bulger, an FBI snitch who was indicted for the murder of 19 people and even turned his handler into a confederate.
Better Than 30 Pieces of Silver
Sabu was a valuable snitch as far as the FBI was concerned. The bureau arrested him on June 7, 2011, for his involvement in a series of cyber-attacks conducted by a hacking crew called LulzSec. After Sabu agreed to work as a snitch, he built a team for his new job that he dubbed AntiSec.
Monsegur’s cooperation proved pivotal in the arrest and prosecution of eight other LulzSec/AntiSec members, a fact that’s long been known. But leaked chat logs and other documents detail how he provided critical information and direction for cyber-attacks against foreign and domestic targets—all while “meet[ing] with law enforcement” regularly, according to a sealed 2011 transcript of court proceedings.
The FBI kept Monsegur working hard after his arrest. He faced more than 26 years in prison but prosecutors postponed his sentencing repeatedly until they were done with him. In May, Sabu walked out a free man.
Jeremy Hammond Was Right
The chat logs reveal a crucial fact: Monsegur set up the hack of U.S. private intelligence firm Strategic Forecasting, Inc. (Stratfor).
If this sounds familiar, it’s because convicted hacker Jeremy Hammond, 29, earlier accused Monsegur of directing a series of the cyber-attacks carried out by AntiSec. Hammond is now serving a 10-year sentence for hacking Stratfor, and in a June 2 internet posting, he said the FBI had “full knowledge” of his attacks but never stopped him.
Internet chat logs obtained by The Daily Dot show that Hammond was right. In late 2011, Hammond broke into the network of Stratfor and pilfered an estimated 60,000 credit card numbers and millions of emails. He later put that data into the hands of WikiLeaks and other associates of the hacking collective known as Anonymous.
Entrapment 101
Moreover, the FBI didn’t tell the truth about when it first became aware of the Stratfor hack. The agency’s story is that Monsegur first let agents know about it on Dec. 6, 2011, at which time they informed Stratfor. But since the hack had started two days before, it was too late.
Why didn’t the FBI act earlier, since it was monitoring Sabu’s every keystroke?
In light of the new evidence, Jeremy Hammond’s assertion that Sabu set him up appears to be true. At trial, Hammond argued that he didn’t start the Stratfor hack, and that the FBI had misrepresented his role in it. Instead, he said Monsegur put him in contact with a mysterious hacker known as “Hyrriiya,” who then gave him the electronic keys to break into Stratfor’s systems.
The most recent document release supports Hammond’s story, raising questions about why he received the full 10-year sentence for one violation of the Computer Fraud and Abuse Act (CFAA). Critics say the law is vague and overbroad—it even outlaws violating a website’s terms of service.
***
All of this raises the question of entrapment in the Hammond case —an accusation the FBI often faces, especially in post-9/11 America. Furthermore, after the initial Stratfor data was stolen, Monsegur attempted to sell it to WikiLeaks’ editor-in-chief Julian Assange, long a target of the U.S. government.
(Assange remains holed up in the Ecuadorian embassy in London after refusing extradition to Sweden for police questioning in a sexual misconduct case. Assange claims he is doing so to avoid being taken into American custody in relation to a sealed grand jury investigation of WikiLeaks that is reportedly ongoing.)
Assange rebuffed Monsegur’s offer, however, and Hammond made it accessible to WikiLeaks by posting the Stratfor information online. WikiLeaks eventually published it as part of its Global Intelligence Files series. Had the data been sold for money, it would’ve strengthened the case for Assange’s extradition and prosecution by linking him to criminal hacks conducted on U.S. soil.
The Bureau Goes Abroad
During his sentencing, Hammond claimed that Monsegur had been deeply involved in a series of hacks conducted by AntiSec against foreign entities, including thousands of government and private website domains.
This connection was confirmed at Monsegur’s sentencing, when Judge Loretta Preska of New York’s Southern District commended his “extraordinary cooperation” with investigators. And in their pre-sentencing memorandum, federal prosecutors stated that “at law enforcement direction,” Monsegur attempted to uncover software vulnerabilities in foreign government websites.
In describing his services to law enforcement, the memo goes on: “Monsegur was able to learn of many hacks, including hacks of foreign government computer servers… enabling the government to notify the victims, wherever feasible.”
But Monsegur’s role in the operation was far more active, according to chat logs obtained by Motherboard. Instead of just eliciting hack-worthy information from others, Monsegur was giving hackers the information they needed to compromise targeted servers.
In one series of FBI-monitored chats, starting on Jan. 6, 2012, Monsegur shared information about websites in several European countries and Brazil. In subsequent days, the FBI stood by and watched as dozens of Brazilian sites, including federal military police servers, were assailed by hackers.
Sabu drew up battle plans for the attacks, and sometimes barked orders like a gangster: “Hit these bitches for our Brazilian squad,” he wrote Hammond on Jan. 23, 2012.
Federal Bureau of Instigation
Given the clear discrepancy between the information in the leaked chat logs and that provided by federal prosecutors in court filings, serious questions remain about the veracity of the government’s statements in related cases and of Monsegur’s involvement in other investigations – like that of satirist and journalist Barrett Brown.
On March 6, 2012, the FBI raided Brown’s house as part of a roundup of LulzSec/AntiSec hackers, including Hammond. That day, the bureau announced that six people had been charged in connection to the Stratfor hack, one of whom was the government’s star collaborator, Monsegur. Brown wouldn’t be charged until several months later.
Brown’s 2012 arrest and subsequent prosecution for trafficking in stolen information was widely seen as an attempt to halt his investigations into various cybersecurity contractors and high-tech dirty tricksters. He recently pleaded guilty to reduced charges after initially facing a 100-year sentence for sharing a link to the Stratfor cache between internet chat rooms. (Take a look here, here, here, here, here and here for WhoWhatWhy’s series of investigations on Brown’s case)
***
In August 2013, then-FBI Director Robert Mueller first divulged the details about Sabu’s help to the bureau in a speech at Fordham University in New York. “[Sabu’s] cooperation helped us to build cases that led to the arrest of six other hackers linked to groups such as Anonymous,” Mueller stated.
Remember, the FBI announced the arrest of six hackers including Monsegur. Did Mueller—and the FBI agents on the case—incorrectly identify Brown as the sixth “other” hacker caught with the help of Sabu, presuming that the director’s remarks were accurate?
Brown’s supporters think that’s what happened.
Kevin Gallagher, the head of Brown’s legal defense fund, told WhoWhatWhy that Sabu may have given his handlers an incomplete picture of what Brown was doing. Therefore, the FBI agents may have drawn the wrong conclusions and suspected Brown of crimes he didn’t commit, Gallagher said.
But we don’t know yet, because the Justice Department doesn’t want us to know—Brown’s search warrant affidavit remains under seal. The government has already denied using evidence from a confidential informant to obtain the warrant.
A Bigger Net?
After intense scrutiny by the media including WhoWhatWhy, the government dropped its most punitive charges against Brown on March 7, 2014. Brown later signed a plea deal that cut his charges to three counts. His sentencing is scheduled for August 18.
In light of the new revelations about Monsegur’s snitch work, and the timeline of events in Brown’s case, is it possible that Brown was collateral damage in a large-scale FBI entrapment operation?
“To the extent that Sabu’s information got [Brown] raided, then he’s also responsible for everything that happened after as a result,” Gallagher said. “Without Sabu’s inside baseball, it would have been harder to target Brown or get a warrant.”
However, Jeremy Hammond thinks he, Brown and other like-minded people are the collateral of a much bigger government operation.
“What is clear is that the U.S. cyber security agenda is less interested in preventing attacks on our own soil than (it is) using the skills of rogue hackers to spy on valuable intelligence targets,” he wrote.