Government Seeks Seven-Month Sentence for LulzSec Leader 'Sabu'


As a reward for his extensive cooperation helping prosecutors hunt down his fellow hackers, the government is seeking time served for the long-awaited sentencing of top LulzSec leader Hector Xavier Monsegur, also known as "Sabu."

After delaying his sentencing for nearly three years, the government has asked a federal court to sentence Monsegur to time served -- just seven months -- calling him an "extremely valuable and productive cooperator" in a document that details for the first time his extensive cooperation providing "unprecedented access to LulzSec."

Monsegur, who has long been despised by members of LulzSec for his reported snitching, faced a possible sentence of between 259 and 317 months imprisonment under U.S. sentencing guidelines. But the U.S. Probation Office and prosecutors have asked for a reduced sentence "without regard to the otherwise applicable mandatory minimum sentence in this case" in a motion submitted to the U.S. District Court (.pdf) in the Southern District of New York on Friday.

A top leader of the hacking group LulzSec, Monsegur turned informant after he was secretly approached by authorities in June 2011, providing information that led to the subsequent arrest of other top members of LulzSec and Anonymous, including Jeremy Hammond, aka "Anarchaos" of Chicago, who was sentenced last year for his role in the hack of private intelligence firm Stratfor.

The court document provides a timeline of events around Monsegur's cooperation with authorities that many have suspected for years, including his efforts to draw fellow hackers into incriminating conversations.

Calling his cooperation "complex and sophisticated," the document describes, for example, his close involvement with law enforcement agencies in several jurisdictions to investigate Hammond in Chicago, while coordinating with FBI agents in New York, physical surveillance teams deployed in Chicago, and an electronic surveillance unit in Washington, D.C.

Hammond was sentenced last year to ten years in prison.

Monsegur, an unemployed father of two, formed LulzSec in the spring of 2011 with about five other core members, who went on a rampage over the next couple of months, targeting about 250 victims, including media outlets, government agencies and contractors, and private companies during their crime spree. Monsegur led the loosely organized group of hackers from his apartment in a public housing project in New York, working as a key player to analyze victim web sites for vulnerabilities that could be exploited and providing other technical assistance.

The group, which also operated under the name Internet Feds, hacked a number of high-profile victims including HB Gary -- a private intelligence firm that bragged it had identified members of Anonymous -- the reality TV show "X-Factor," PBS, Sony Pictures, Senate.gov, Nintendo, and a Georgia-based affiliate of the FBI's Infragard organization.

Monsegur, as Sabu, was one of the most outspoken and brazen of the LulzSec crew before falling silent that summer, leaving behind a parting Tweet that quoted the film The Usual Suspects.

When he reappeared in September, many members of the anonymous hacking group suspected that Sabu had been arrested, since fellow hackers had outed him by publishing information about his identity online. Sabu denied at the time that he'd been snagged by the feds. But according to the government's motion, his demise as leader of LulzSec was swift and painless and within hours after being interviewed by authorities, "he was back online cooperating proactively."

According to the document, authorities approached Monsegur at his New York home on June 7, 2011, at which point he needed little convincing to cooperate. He quickly admitted guilt to criminal conduct before he was even charged with any crime and even spilled the beans to authorities about past crimes he had committed for which they had no knowledge of his role.

He admitted, for example, to participating in DDoS attacks against PayPal, MasterCard, and Visa, which were targeted after the companies blocked donations to WikiLeaks. Monsegur also admitted to hacking thousands of computers between 1999 and 2004, engaging in various hacktivism activities as well as carding activity -- stealing and selling credit card information for financial gain or to pay off his own bills. He also admitted to selling marijuana, illegally possessing an unlicensed firearm, and purchasing stolen electronics and jewelry.

"Monsegur admitted his criminal conduct and immediately agreed to cooperate with law enforcement," the document notes. "That night, Monsegur reviewed his computer files with FBI agents and provided actionable information to law enforcement. The next morning, Monsegur appeared in court on a criminal complaint charging him with credit card fraud and identity theft, and was released on bail, whereupon he immediately continued his cooperation with the Government, as described further below."

Monsegur entered a guilty plea to the court on August 15, 2011, for an indictment charging him with twelve counts in New York, including nine counts related to computer hacking; one count related to credit card fraud; one count of conspiring to commit bank fraud; and one count of aggravated identity theft. The plea resolved four other cases filed against him in the Eastern and Central Districts of California, the Northern District of Georgia, and the Eastern District of Virginia.

But Monsegur apparently violated the terms of his agreement in 2012. According to the document, in May 2012, his bail was revoked over "unauthorized online postings" he made, and he was arrested on May 25th, before being released on a revised bail December 18, 2012. Monsegur has been free since that time, while cooperating with authorities, and has spent only a total of seven months in prison since 2011.

In court records, Monsegur was generally identified only as CW-1 and was praised extensively (.pdf) for "actively cooperating with the government." Authorities in fact petitioned the court several times to delay Monsegur's sentencing during his continued cooperation.

According to authorities, part of Monsegur's post-arrest cooperation included providing information to help repair hacked systems belonging to PBS and Senate.gov. He also provided authorities with information about hacks involving servers belonging to the Irish political party Fine Gael and the Sony Playstation Network.

But his most extensive assistance led to the arrest of fellow LulzSec members, including Ryan Ackroyd, aka "Kayla" of Doncaster, United Kingdom; Jake Davis, aka "Topiary" of London; Darren Martyn, aka "pwnsauce" of Ireland; Donncha O’Cearrbhail, aka "palladium" of Ireland; Mustafa Al-Bassam, aka "T-Flow" in the UK; as well as Hammond, Ryan Cleary and Matthew Keys, a former Reuters employee accused of inciting members of Anonymous to hack one of his former employers.

Monsegur provided "crucial, detailed information regarding computer intrusions committed by these groups, including how the attacks occurred, which members were involved, and how the computer systems were exploited once breached," the government reveals.

This assistance "contributed directly to the identification, prosecution and conviction of eight of his major co-conspirators, including Hammond, who at the time of his arrest was the FBI’s number one cybercriminal target in the world. On top of that, Monsegur engaged in additional, substantial proactive cooperation that enabled the FBI to prevent a substantial number of planned cyber attacks," the government noted.

Working at the direction of law enforcement for three years, sometimes into the late evening and early morning, Monsegur drew his fellow hackers into online chats designed to confirm their identities and whereabouts.

"During some of the online chats, at the direction of law enforcement, Monsegur convinced LulzSec members to provide him digital evidence of the hacking activities they claimed to have previously engaged in, such as logs regarding particular criminal hacks," the government notes. "When law enforcement later searched the computers of particular LulzSec members, they discovered copies of the same electronic evidence on the individuals’ computers. In this way, the online nicknames of LulzSec members were definitively linked to their true identities, providing powerful proof of their guilt.

"Other times, at the direction of law enforcement, Monsegur asked seemingly innocuous questions designed to elicit information from his co-conspirators that, when coupled with other information obtained during the investigation, could be used to pinpoint their exact locations and identities," the document reveals.

Ackroyd has been sentenced to 30 months in prison; Davis was sentenced to two years in a juvenile detention facility; Al-Bassam was sentenced to 20 months, which was suspended for two years; Martyn and O’Cearrbhail received probation and a fine; Cleary was sentenced to 32 months in prison; the case of Keys is pending.

Monsegur also helped "disrupt or prevent at least 300 separate computer hacks" that authorities say targeted U.S. Armed Forces, Congress, unidentified U.S. courts, NASA, and a number of private companies.

"Although difficult to quantify, it is likely that Monsegur’s actions prevented at least millions of dollars in loss to these victims," the government states effusively. "Monsegur also provided information about vulnerabilities in critical infrastructure, including at a water utility for an American city, and a foreign energy company. Law enforcement used the information Monsegur provided to secure the water utility, and the information about the energy company was shared with appropriate government personnel."

The government notes that because Monsegur's cooperation was publicly exposed shortly after his arrest, he and his family faced severe threats, causing authorities to relocate him and some of his family members.

"Monsegur repeatedly was approached on the street and threatened or menaced about his cooperation once it became publicly known," prosecutors note. "Monsegur was also harassed by individuals who incorrectly concluded that he participated in the Government’s prosecution of the operators of the Silk Road website."

In one case, a reporter had to be removed from the school where the journalist had sought to interview children for whom Monsegur served as guardian.

Monsegur's sentencing is set for May 27.