Four members of the LulzSec hacking group were sentenced in court on Thursday after pleading guilty to various computer hacking-related charges.
Ryan Ackroyd, 26, Jake Davis, 20, and Mustafa al-Bassam, 18, were all sentenced together with Ryan Cleary, 21, over a two-day hearing at Southwark Crown Court, London.
Each member of the LulzSec hacktivist group admitted to various hacking charges, including taking down corporate and government websites between February and September 2011.
Presiding Judge Deborah Taylor sentenced Ackroyd to 30 months — serving half — and Davis 24 months in a young offenders institution, serving at least 12 months. Bassam received a suspended sentence of 20 months, and Cleary was ordered to serve half of a 32-month sentence.
Judge Taylor commented:
You sought to amuse yourselves and wreaked destruction and havoc. You cared nothing about the privacy of others, but kept your own identities hidden.
Former soldier Ackroyd, who had used the alias of a 16-year-old girl named "Kayla", admitted to hacking into a number of websites in 2011, including those of Sony, Nintendo, News Corp and the Arizona State Police. The 26-year-old sat across from his lawyer with a pensive, wide-eyed look, as he was branded the "most sophisticated" defendant, and responsible for researching vulnerabilities and exploits as well as executing hacks.
The prosecution said that Sony suffered US$20 million in damages, and revenue loss due to the security breach is "incalculable". An estimated 24.6 million customer accounts were compromised.
Davis and Bassam pleaded guilty to counts of conspiring to access and impair a computer without authorization, including launching attacks against the CIA and the UK's Serious Organised Crime Agency (SOCA).
Dressed in a sweatshirt and jeans, he could not be more of a contrast to Bassam, who was suited and booted with a serious but resigned look on his face. Davis, the last to arrive, chewed gum and appeared relatively unconcerned.
As the day wore on, however, the strain showed in the eyes of each member of the hacktivist group as they sat behind a glass wall and watched their fates being bargained for.
According to the prosecution, Davis was responsible for releasing press statements, controlling the LulzSec Twitter feed and defacing website pages.
Bassam was said to have controlled the group's website, published stolen information to sites including Pastebin and helped with stolen data distribution — including through the use of BitTorrent technology and mirror websites. In addition, the LulzSec member allegedly researched computer system vulnerabilities ripe for exploitation.
The case against Cleary
Cleary, otherwise known by his internet alias "Viral", pleaded guilty to the same hacking charges, in addition to counts of supplying articles with intent to impair computer systems and breaking into US Air Force systems. Cleary spent over five years building a sophisticated botnet — with a minimum of 100,000 computers at its disposal at any one time — which in turn was used for both Anonymous and LulzSec campaigns.
Aside from hacking charges, an additional indictment against Ryan Cleary was delayed due to a court miscommunication. After the seizure of Cleary's computer and subsequent recovery of deleted files, the hacker was charged with downloading and possessing indecent images of children following a second arrest on 4 October 2012.
Under the UK COPINE scale — a measure of the severity of images — the images in question were classified as child "erotica" and deliberate sexual posing. Forty six images showed children aged between six and 18 months, whereas others included children aged between 10 and 15 years.
The defence team said that Cleary is not a "professional pervert" or sexually obsessed, but rather was obsessed with finding data and using his computer — a reason laid at the door of his client's Asperger's syndrome.
A lack of information in psychological reports and pre-hearing files meant that Cleary, who admitted to downloading the images, will not be sentenced this week.
A number of website intrusions were based on vulnerabilities found within the Internet Explorer browser, and websites with high traffic levels were targeted. The 21-year-old maintained that his botnet was only "rented out" 10 or so times for monetary gain — and raised only £2000 in total — whereas the prosecution stated that it did not believe this was truly the case.
In addition, Cleary's lawyers argued that although he gave botnet access to Anonymous, there is no evidence that he directed or controlled it — therefore, Cleary was guilty of supply rather than actual hacking.
Gideon Cammerman argued that using a botnet is "not brain surgery". Although the result was a sophisticated website take-down attack, the defence lawyer wanted the judge to keep in mind that in the case of the SOCA website, there was no evidence to suggest that the site was infiltrated — it was only taken offline for a short time.
Outside of the courtroom, Cammerman called the LulzSec hackers "a group of talented young boys who hacked particular things for particular reasons."
In contrast, prosecutor Sandip Patel accused the LulzSec members of launching "sophisticated, orchestrated attacks", which caused firms and individuals "millions of pounds' worth" of damage, coupled with the "dire, personal consequences" suffered by individual victims.
Cammerman said the hacktivists were "politically motivated and morally complicated", which made for a complex case. In this manner, both prosecution and defence agreed, as Patel stated in the hearing: "This is not about young, immature men behaving badly."
An indictment based on two counts of encouraging and assisting in an offence were "not in the public interest to pursue". However, as the US has also issued the same indictment, the prosecution had to confirm that currently, there has been "no formal request for extradition". Davis' defence team said that "there is an appetite for this type of prosecution in the United States", and it is not a risk the 20-year-old should be exposed to.
As they were individually led away, Bassam looked relieved, whereas the members of the Anonymous splinter group had resigned expressions.
Cammerman said outside of the courtroom that some of the victims were "thoroughly deserving" of what happened to them.
LulzSec exploded onto the hacking scene in 2011, after targeting Sony Pictures Entertainment, which led to PlayStation network being taken down. LulzSec member Cody Kretsinger, 25, was arrested in relation to the initial cyber attack, and was prosecuted in a Los Angeles court last month.
Kretsinger, also known as "Recursion", admitted to one count each of conspiracy and unauthorised impairment of a protected computer as part of a plea bargain, and was ordered to spend one year behind bars and perform 1000 hours of community service.
LulzSec was politically motivated in the beginning; launching the first "cyberwar" in tandem with Anonymous in retaliation to officials' attempts to shut down WikiLeaks. Target choices then began to move away from purely the political, and the Church of Scientology, Westboro Baptist Church and banking systems found themselves under attack.
However, the "hacktivisit" group was compromised when de facto former leader Hector Monsegur — otherwise known as "Sabu" — turned mole after his own arrest, and spent nine months passing information to US officials.
The hacker-turned-spy's information led to the arrests of alleged members of LulzSec and Anonymous in March 2012.
The ruling follows the arrest of the self-proclaimed "leader" of LulzSec in Australia. Matthew Flannery, 24, who allegedly used the name "Aush0k" in hacking activities, was charged for hacking into two computers after being apprehended in coastal town Point Clare. Flannery appeared briefly before a judge on Wednesday, 15 May, at Sydney Central local court, only to be told his case has been adjourned until 6 August, when it will be held at Woy Woy Local Court.
During the first day of the hearing, Ackroyd wanted closure. His lawyer, John Cooper, counselled that the issue probably wouldn't be over that day, to which the 26-year-old replied, "They won't be done with me for a long time."
No matter the age, the UK justice system is unlikely to be "done" with cybercriminals anytime soon.