How the FBI used computer MAC addresses against LulzSec hackers

Five people connected with LulzSec (Lulz Security), a hacking group loosely affiliated with Anonymous and responsible for defacing websites and stealing credit card details from numerous companies, have been arrested today thanks to one of their leaders turning FBI informant.

Their ringleader, Hector Xavier Monsegur, aka “Sabu”, was raided by the police last year and has been working for them since then. According to Fox News, Monsegur was tracked down after he logged into an IRC chat server using his home IP by mistake (he normally used Tor). It happened just once, which was enough for the FBI to track him down, get a court order and convince him to work for law enforcement, gathering evidence against the other members of his malicious hacking group.

LulzSec had security mechanisms to detect whether a member’s identity was being usurped by law enforcement after an arrest: they would ask personal questions over Jabber or IRC about past activities known only to them. That is not of much use when one of your own is voluntarily working for the FBI.

According to the complaint against Jeremy Hammond, aka “sup_g”, his physical residence in Chicago (US) was under continuous surveillance after he was identified as a LulzSec member. FBI agents measured his wireless router’s signal strength and determined that it was located towards the rear of his home. They then applied for a court order to monitor all traffic coming in and out of that router with a trap and trace device, identifying all unique MAC addresses connected to the router. An FBI expert then linked the suspect’s computer MAC address with an IP connected to the Tor network (first node).

Although the FBI was unable to read traffic over Tor, e.g. visited sites, thanks to physical surveillance of the suspect’s home they observed that activity between the MAC address belonging to the suspect’s computer and the Tor network only occurred while Jeremy Hammond was inside the house. The FBI used connection times to link him with IRC online chats conducted behind a Tor proxy with their informant, “Sabu”, on IRC channels at that very same time.

Combined with personal information the suspect willingly gave away on the chat, the FBI managed to establish that a bunch of different aliases like “yohoho”, “credibethreat”, “POW”, “burn”, “tylerknowsthis” or “Anarchaos” all belonged to the same person.
