During an interview with the network, the New Hampshire teen who uses the nickname Coolio on the Net admitted breaking into perhaps 100 computers and defacing the DARE.org Web site. He also admitted to two other defacements - RSA.com in February and CWC.gov in November.
But he flatly denied any involvement in the Web site attacks that toppled Yahoo, Amazon, eBay and several other major Internet sites.
And a federal investigator has told NBC's Pete Williams that government agents are not close to an arrest in those larger Web site attacks and that they are "losing interest" in Moran as a suspect.
The nickname Coolio has circulated in connection with those Web attacks for several weeks, in part because investigators reportedly hold transcripts of chat room conversations that they say are incriminating. Federal investigators searched his home last month and took Moran's computers as part of their investigation, according to several MSNBC sources.
The conversations were observed by a security expert from Stanford University who sent logs to the FBI, and then he became a suspect, the youth said.
Detective Michael Brausam of the LAPD, who investigated the DARE.org defacement, told MSNBC that Moran admitted to investigators last month that he defaced three Web sites, including RSA.com. Moran repeated that admission in his interview with NBC.
The RSA site was hijacked in the middle of the furious denial-of-service attacks that rendered useless Yahoo, eBay, Amazon and several other major Web sites. But Moran denied being a part of those massive denial-of-service attacks.
Moran is not the only suspect in those attacks; investigators believe there were at least one and perhaps several copycats involved in the flurry of vandalism which started Feb. 7 when Yahoo.com went down for about three hours.
MSNBC has learned that investigators executed a search warrant at Coolio's home last month and confiscated all his computers in connection with their investigation of the crime.
With regards to the DARE.org defacement, Brausam said Moran would be charged with unauthorized access to a computer and vandalism and would be charged as a juvenile. That means he faces at least $18,000 in restitution and possible time in a juvenile facility.
"He did say he had done denial-of-service attacks before and said he had compromised hundreds of computers," Brausam said.
The detective began investigating Coolio after the Dare.org attack. Dare.org was hosted by a Los Angeles ISP at the time of the defacement. Brausam traced the attacks to a Web site hosted by an Arizona ISP and said he found there a Web page that hosted the same images used to deface Dare.org.
That Web site also hosted programs that enabled "smurf" attacks, the same kind of attack used on Yahoo, Brausam said.
MSNBC has identified two denial-of-service programs Coolio adjusted to allow IP "spoofing" capabilities.
The first, called kox, is a modified version of the "Kiss of Death" denial of service program. Coolio took credit for the work by signing it and sending it to security mailing lists. The e-mail address used on the program maps to the server in Arizona where other Coolio files were discovered by Brausam. The e-mail also matches an e-mail address provided to MSNBC by several Coolio Internet associates.
The second program, Targa, was described to MSNBC by a school-aged friend of Coolio's who said he'd used it once. A member of the #goonies said Coolio's Targa was a modified version of the Targa written by Mixter, a German programmer who has taken credit for writing denial-of-service tools.
After Brausam executed the search warrant at the Arizona ISP, he was able to uncover Coolio's identity and residence in New Hampshire.
But his investigation stalled there while attempting to get the local New Hampshire police department to execute a search warrant.
The same day as the Dare.org defacement, a government-run Web site, CWC.gov, was also defaced by Coolio, he said in the interview with NBC. That defacement included a death threat to the president, so the Secret Service became involved in the investigation.
The Web site was defaced with the message: "If prayers do not become mandatory throughout the United States, we will detonate our nuclear bombs and your President Clinton and his interns will die," according to an archive of the attack on attrition.org.
While Brausam waited for his search warrant, the Web site attacks on Yahoo, eBay and the other major Internet companies began. Then, on Feb. 12, the RSA.com home page was hijacked.
Brausam described Coolio as a "genius" who told authorities he'd been using computers since he was 3 years old and had taken to using the Internet 16 hours a day since dropping out of school last year.
That's consistent with the image of Coolio that's been shared by friends and associates MSNBC has interviewed during the past few weeks. He's been described by both high school friends and Internet associates as a smart high school dropout who regularly gets high by drinking cough syrup. MSNBC has also learned that several of his Internet associates are cooperating with investigators and have fingered Coolio as the culprit in the larger Web page attacks. Some of the logged chat room conversations - which Coolio now says are part of an elaborate joke and should not be taken seriously - were viewed independently by MSNBC.
Almost immediately after the first attack, MSNBC was alerted to the #goonies chat room that the suspect frequented and told that Moran was responsible. "I think it's childish and I think he should be stopped," the anonymous writer said.
MSNBC entered the chat anonymously. Coolio, unaware he was being observed by a journalist, made several comments suggesting he had special knowledge of the attacks.
In the first excerpt of the chat reproduced below, participants are watching CNN's coverage of the hacker attacks, often commenting on the report's accuracy and inaccuracy. When discussing the attack, far from the false boasts typical of hackers trying to take credit for attacks they did not perform, Coolio is deliberately coy. He takes pains, for example, to refer to the attackers in the third person.
In the log excerpts that follow, all nicknames other than Coolio's have been altered, but the rest of the statements, including typos, are published as they appeared:
[17:33][Coolio] i don't think the same hackers that did yahoo had anything to do with cnn
[17:33][person2] they heard what happened to yahoo yesterday
[17:33] [person2] so they decided to copy it
[17:34] [person3] did they have anything to do with amazon.com?
[17:34] [Coolio] person3, yes they did
[17:34] [Coolio] since 45 minutes ago
[17:34] [person3] alright.
[17:34] [Coolio] tehye switched from ebay to amazon.
But there are several references to Coolio "making the news," even though that nickname didn't appear in news reports until one week later.
[18:24] [person1] hahaha, coolio made ABC world news tonight, jesus f*ing christ.
[18:24] [person1] how the f...
[18:24] [Dr_Coolio] person1, what's ABC world news tonight?
[18:24] [person1] Dr_Coolio, ABC's world news television show, every night.
[18:24] [person3] haha its their network news show coolio
[18:24] [Dr_Coolio] cool what'd they say
[18:24] [person2] Coolio what did you do that is getting so much attention
[18:24] [Dr_Coolio] and did they only talk about yahoo, or buy.com and ebay and amazon too?
[18:29] [person3] haha the zdtv just acknowledged that amazon was down
[18:29] [Dr_Coolio] on TV?
[18:29] [Dr_Coolio] awesome!
In this segment, one of Coolio's associates begins to cross the line, suggesting directly that Coolio is responsible. Coolio reacts sharply:
[18:32] [person1] oh, my god, coolio is way famous.
[18:33] [person1] dude, coolio, sitting at his computer ... disabled yahoo, and fooled people thinking he was a group of f*ing hackers
[18:33] [person2] ya no sH**..don't
[18:33] [person2] heh..
[18:33] [person1] how the f... coolio shouldn't be allowed to have this kind of power.
[18:33] [Dr_Coolio] SHUT THE F*** UP PERSON1
[18:33] [Dr_Coolio] SHUT THE F*** UP PERSON1
[18:33] [person1] hahahahah
The next day, Coolio was still fielding questions in #goonies about what he did and didn't do:
[11:58] [person1] did you do all the other ones or were they copycats?
[11:58] [person2] neck hurts bad
[11:58] [Dr_Coolio] cnn znd zdnet were copycats
And in this passage, the goonies chuckle about what what seems to be an accidentally accurate description of Coolio. No reason for real alarm, though, they indicate - the newscaster is wrong when he describes the suspect as a current student:
[12:15] [person1] ahahhahahaha he said "17 year old kid"
[12:15] [Dr_Coolio] person1, WHO DID?
[12:15] [person2] HAHAHA "i wouldn't be suprised if it was a 17 year old kid"
[12:15] [person1] this guy on cnn
[12:16] [Dr_Coolio] f***
[12:16] [person3] Dr_Coolio: TURN ON CNN
[12:16] [Dr_Coolio] kill him
[12:16] [Dr_Coolio] shut his face up
[12:16] [person3] a former hacker guy who now works in security
[12:16] [person2] he said that he goes to school, though
And finally, Coolio corrects the goonies when one slips up and forgets to use the third person when referring to the hackers as he discusses a television program describing the denial of service attacks as a trivial programming feat:
[12:18] [person1] ahahah this guy on cnn..
[12:19] [person2] man these dudes are sayin you got no skillz
[12:19] [Dr_Coolio] not me, you mean the hackers