A large part of the hacking community was shocked earlier this week to find out that one of the more vocal supporters of the Anonymous movement, Sabu, had been working with the FBI ever since the summer of 2011 when he was arrested.
Few internauts expected that Sabu, now known as Hector Xavier Montsegur from New York, would rat out so many hackers. However, there were some of them, such as the members of the respectedTeaMp0isoN group who suspected that something was out of place with the LulzSec crew and this Sabucharacter.
As a result, in June 2011, TeaMp0isoN made public the true identities of the members of the LulzSec gang. At the time no one gave the incident much attention, because there was a lot of doxing going on and due to the large quantity of incorrect information many of the releases were simply ignored.
While many ignored this release, federal authorities took it very seriously, which ultimately led to the arrest of Sabu and the rest of the story as we know it.
The FBI and other involved law enforcement agencies would have a hard time admitting to have used the data provided by the hackers, but a former TeaMp0isoN member came forward with details that prove how they were able to identify the LulzSecsand how the government got into the possession of that information.
Hex00010, one of the hackers actively involved in the doxing of the LulzSec collective, gave us an interview in which he details the detective work they did at the time, along with the interesting story that reveals how federal authorities obtained the documents and considered them to be from a trusted source.
Softpedia: At the time the details were released you were a member of TeaMp0isoN. What made you and your team doxLulzSec and, implicitly, Sabu?
Hex00010: During the time of our attacks in question, related to LulzSec, they would be deemed as a Challenge against them. Back then, of course, we would say “we attacked LulzSec in regards to their attack methods used to expose X”.
In theory they were considered Script Kiddies, using methods defined as very easy to anyone, and that anyone could do. The media attention was out of place.
Softpedia: So, they were getting undeserved attention and you decided to unveil their identities?
Hex00010: Well, it was pretty much, more or less, of a command given to me from Trick - When he told us that we will be focusing on LulzSec for a long time.
Softpedia: How did you manage to find their identities? Did they simply fail at covering their tracks or was there something else?
Hex00010: Well it's funny that you ask because how we were able to identify Sabu was just a matter of Luck.
We found this email address firstname.lastname@example.org with this IP 18.104.22.168. The email helped us identify Sabu. Funny thing is, when we were doing research, we checked Myspace, which brought us to this link myspace.com/intifadah. Then it was SUDDENLY deleted.
During the finding of that Myspace account, on the friends list to this Myspace, he had someone named “Brian Monsegur”. Notice that last name? Yes, it’s the last name from one of his “Fake dox”. Brian went to a school in New York, this school being: East Side Community High School.
We Googled East Side Community High School for Xavier and found this link which contained:
Name: Xavier Leon
Class of: 2001
Then we searched it on Pipl linking to the state NY, which then linked me to the following information: Xavier N Leon, Elmhurst, NY. Possible Relations: Javier Leon, Nelson Leon.
Then we checked the distance from Elmhurst to the school he studied at: 420 East 12th Street, New York, NY 10009. It's a 17 minute drive from Elmhurst or a 22 minute walk, which seems like a reasonable amount of time for daily travel to school and back.
Here’s a screenshot we’ve made at the time.
Note the ethnicity and language. Xavier N Leon, 5537 84th St, Elmhurst, NY 11373.
From this information it stated that Xavier's ethnicity was Latino/Hispanic and that he speaks English & Spanish which further links this information to the Myspace account, linking to his email address as it stated the following on his Myspace:
Hometown: New York City
Body type: 6' 2" / Body builder
Ethnicity: Latino / Hispanic
Zodiac Sign: Libra
Education: Some college
Occupation: System / Security Administrator
Income: $75,000 to $100,000
Softpedia: So what did you do with all this information?
Hex00010: I contacted Fox News and gave them all of this information. The Fox News rep that I was speaking with, Jeremy Kaplan, contacted the local authorities, which was in their case New York, the head place where they are doing the investigation in LulzSec.
They took our information and matched it against their database in New York. We were off Hector’s character name by 1. A couple days later they were able to identify the leader of Sabu connected to our dox.
In an email he sent to me, Kaplan told me he was going to pay Sabu a visit. If you remember during the articles on Sabu when he was arrested, Fox News noted they had one of their staff meet up with Sabu.
Moments later, the USA Government apparently had a meeting with Fox News. They took all of our data.
Jeremy tells me that we can’t talk anymore for a while, and that they are doing something big. He said he can’t talk about it and that I didn’t hear this from him. He said, “Hex00010, you need to stay low.”
I asked him “why?” He said the USA Government is doing something major very very soon and it’s going to be very big. He couldn’t tell me anything much. I tried to get as much as I could off him.
Days later, the USA Government arrested 14 international Anon's.
Initially I sent an email to Kaplan with a link to all the information I had on LulzSec, but soon after his meeting with the authorities took place, the link was removed. Funny eh?
Softpedia: During this time, did you have any suspicion that Sabu was arrested after you released the details on him?
Hex00010: Very much so. Remember the time when Sabu left and no one knew where he was? I told my friends he was probably arrested.
But then again, when I confronted Fox News with it, they were fishy to answer, but they denied to reply.
Softpedia: How many hackers do you think Sabu ratted out since his arrest?
Hex00010: God knows. A lot of people put their trust into Sabu and that was their downfall. All I can say is I hope those people that contacted him during that timeframe know how to back themselves up
Softpedia: Why are you coming forward with this information now?
Hex00010: Due to the fact that FoxNews lied to me and right now would be the best bet.
Sabu got arrested. Media hype is going crazy. I throw my two cents in that this changes everyone’s mindset now and brings into new questions and theories.
I would also like to add that the ones participating in the doxing were TriCk, aka say what, Luit, Mr ^ E, Hex00010, Phantomand F0rsaken.
Note. The hacker provided us with the emails to prove that the conversations with a Fox representative did take place, but their content was not published due to privacy reasons.