LulzSec group sentenced; hacker combats child porn allegations

LulzSec group sentenced; hacker combats child porn allegations

Summary: Core members of LulzSec have been sentenced for their campaigns, but according to the defense, some of the victims were "thoroughly deserving" of what happened to them.

SHARE:
TOPICS: Security, Malware
13
lulzsec london court sentencing davis ackeroy bassim child sex allegations
(Image: Charlie Osborne/ZDNet)

SOUTHWARK, LONDON — Four members of the LulzSec hacking group were on Thursday sentenced in court after pleading guilty to various computer hacking-related charges.

Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, were all sentenced together with Ryan Cleary, 21, over a two day hearing at Southwark Crown Court, London.

Each member of the LulzSec "hacktivist" group admitted to various hacking charges, including taking down corporate and government websites, between February and September 2011.

Presiding Judge Deborah Taylor, on Thursday, sentenced Ackroyd to 30 months, in which he must serve at least half. Davis to two years in a young offenders institution, in which he must serve at least twelve months. Bassam received a suspended sentence of 20 months, and Cleary was ordered to serve at least half of a 32-month sentence.

Judge Taylor commented: "You sought to amuse yourselves and wreaked destruction and havoc. You cared nothing about the privacy of others, but kept your own identities hidden."

Indecent images

Aside from hacking charges, an additional indictment against Ryan Cleary was delayed due to a court miscommunication.

After the seizure of Cleary's computer and and subsequent recovery of deleted files, the hacker was charged with downloading and possessing indecent images of children following a second arrest on October 4, 2012.

Under the U.K. COPINE scale — a measure of the severity of images  the images in question were classified as child "erotica" and deliberate sexual posing. A total of 46 images contained children aged between six and 18 months, whereas others included children aged between ten and 15 years.

The defense team said that Cleary is not a "professional pervert" or sexually obsessed, but rather was obsessed with finding data and using his computer — a reason laid at the door of his client's Asperger's syndrome. 

A lack of information in psychological reports and pre-hearing files resulted in a delayed sentencing. Cleary, who admitted to downloading the images, will not be sentenced this week.

Criminal computer activities 

Former soldier Ackroyd, under the alias of a 16-year-old girl named "Kayla," admitted hacking into a number of websites in 2011, including Sony, Nintendo, News Corp. and the Arizona State Police. The 26-year-old sat across from his lawyer with a pensive, wide-eyed look, as he was branded the "most sophisticated" defendant, and he was responsible for researching vulnerabilities and exploits as well as executing hacks.

The prosecution said that Sony suffered $20 million in damages, and revenue loss due to the security breach is "incalculable." An estimated 24.6 million customer accounts were compromised.

Davis and Bassam pleaded guilty to counts of conspiring to access and impair a computer without authorization, including launching attacks against the CIA and Serious Organised Crime Agency (SOCA).

Ackroyd was dressed in a sweatshirt and jeans, whereas Bassam was suited and booted with a serious but resigned look on his face. Davis, the last to arrive, chewed gum and appeared relatively unconcerned.

During later proceedings, however, the strain showed in the eyes of each member of the hacktivist group as they sat behind a glass wall and watched their fates being bargained for. 

According to the prosecution, Davis was responsible for releasing press statements; controlling the LulzSec Twitter feed, and defacing website pages.

Bassam allegedly controlled the group's website; published stolen information to sites including Pastebin, and helped with stolen data distribution — including through the use of BitTorrent technology and mirror websites. In addition, the LulzSec member allegedly researched computer system vulnerabilities ripe for exploitation.

Cleary, otherwise known by his Internet alias "Viral," pleaded guilty to the same hacking charges, in addition to counts of supplying articles with intent to impair computer systems and breaking into the Pentagon's Air Force systems. Cleary spent over five years building a sophisticated botnet — with a minimum of 100,000 computers at its disposal at any one time — which in turn was used for both Anonymous and LulzSec campaigns.

A number of website intrusions were based around vulnerabilities found within the Internet Explorer browser, and websites with high traffic levels were targeted. The 21-year-old maintained that his botnet was only "rented out" ten or so times for monetary gain — and raised only £2,000 in total — whereas the prosecution stated it did not believe this was truly the case.

In addition, Cleary's lawyers argued that although he gave botnet access to Anonymous, there is no evidence that he directed or controlled it — therefore Cleary was guilty of supply rather than actual hacking.

Criminal barrister Gideon Cammerman argued that using a botnet was "not brain surgery." Although the result was a sophisticated website takedown attack, the defense attorney wanted the judge to keep in mind that in the case of the Serious Organised Crime Agency website, there was no evidence to suggest the website was infiltrated — it was only taken offline for a short time.

The motivation

Outside of the courtroom, Cammerman called the LulzSec hackers "a group of talented young boys who hacked particular things for particular reasons."

In contrast, prosecutor Sandip Patel accused the LulzSec members of launching "sophisticated, orchestrated attacks," which caused firms and individuals "millions of pounds' worth" of damage, coupled with the "dire, personal consequences" suffered by individual victims.

Cammerman said the hackers were "politically motivated and morally complicated," which made for a complex case. In this manner, both prosecution and defense agreed, as Patel stated in the hearing: "This is not about young, immature men behaving badly."

U.S. extradition

An indictment based on two counts of encouraging and assisting in an offense were, "not in the public interest to pursue." However, as the U.S. has also issued the same indictment, prosecution had to confirm that currently there has been "no formal request for extradition." Davis' defense team said that "there is an appetite for this type of prosecution in the United States," and it is not a risk the 20-year-old should be exposed to.

As they were individually led away, Bassam looked relieved, whereas the other members of the Anonymous splinter group had resigned expressions. 

Cammerman said outside of the courtroom that some of the victims were "thoroughly deserving" of what happened to them, the Westboro Baptist Church as one example.

LulzSec exploded on the hacking scene in 2011 after targeting Sony Pictures Entertainment, which led to the taking down of the Playstation network. in a Los Angeles, California court last month, LulzSec member Cody Kretsinger, 25, was arrested and prosecuted in relation to the initial cyberattack.

Kretsinger, also known as "Recursion," admitted one count each of conspiracy and unauthorized impairment of a protected computer as part of a plea bargain, and was ordered to spend one year behind bars and perform 1,000 hours of community service.

LulzSec was politically motivated in the beginning; launching the first "cyber war" in tandem with Anonymous in retaliation to officials' attempts to shut down WikiLeaks. Target choices then began to move away from purely the political, and the Church of Scientology, Westboro Baptist Church and banking systems found themselves under attack.

However, the hacktivist group was compromised when de facto former leader Hector Monsegur — otherwise known as "Sabu" — turned mole after his own arrest and spent nine months passing information on to U.S. officials.

The hacker-turned-spy's information led to the arrests of alleged members of LulzSec and Anonymous in March 2012.

The ruling follows the arrest of the self-proclaimed "leader" of LulzSec in Australia. Matthew Flannery, 24, who allegedly used the name "Aush0k" in hacking activities, was charged for hacking into two computers after being apprehended in coastal town Point Clare.

During the first day of the hearing, Ackroyd wanted closure. His lawyer, John Cooper QC, counselled that the issue probably wouldn't be over that day. The 26-year-old replied: "They won't be done with me for a long time."

No matter the age, the U.K. justice system is unlikely to be "done" with cybercriminals any time soon.

Topics: Security, Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

13 comments
Log in or register to join the discussion
  • Hypocrisy

    Lulzsec were foolish, exposing themselves to the corruption of the state with no political reasoning. As a result they the system will now deny them access to the quality of life of the corrupt officials it protects who have done much worse to society.

    W
    Minillulz
    • ???

      Bit of a chip on the shoulder?

      They were mere vandals and thrives that cost companies money and individuals a sense of security. That's my view. Truth is it's totally irrelevant what I think, they broke the law - they get punished.

      I happen to think their sentences are quite light. But then we do give just ASBOs to violent thefts these days...

      Is there a justification for their acts not being illegal?
      MarknWill
    • Who are you to say who was harmed and who was not?

      They hacked something that did not belong to them and hurt innocent people while doing it. Don't you understand, you are defending the governments actions by defending the hackers who hurt the same innocent people.

      You are the hypocrit too.
      Challenger R/T
    • Way too light of sentences

      I wish I had friends locked up in England? I would make sure they all had a full dance card while they are incarcerated.

      What's with the light sentences? Go rob a bank or jewelry store for $20 million and see what kind of sentence you get. That's effectively what they did to Sony alone. Why aren't they each doing 15 years or more?
      straybeat_z
  • each

    should be shot.
    timspublic1@...
    • I think that's a bit too serious.

      I think that 'privilege' should be held for child molesters and possibly murderers, not first-time 20-year olds that cause financial damage.
      hades_2100@...
    • You

      are a fool...
      btone-c5d11
  • "They deserved it"

    The standard excuse of lynchers and vigilantes for centuries. But it shouldn't wash with anyone who doesn't want to be subject to the same sort of treatment by whomever decides to take a disliking to him.
    John L. Ries
  • Slap on the wrist

    I don't get a couple of these comments. We are not supposed to punish members of LulzSec just because they are unlikeable. Why? Because what they attacked was more unlikeable??? It's simple: they broke the law. By what merits do they avoid the consequences of that?

    Then there's the fact that hacks like this are not as victimless as they seem. They have a domino effect and can disrupt the lives of people who are not even part of the nebulous targets the hackers are against. These are not heroes in any sense of the word. It's important to make it clear that others cannot follow in their footsteps with impunity.

    Finally the judge obviously took into account all the extenuating circumstances when imposing such light sentences.

    So please spare us the tired claptrap about the Man running roughshod over poor innocents. Not applicable here. The punishment fit the crime. Let them do the time then come back and offer their talents as technologists in service to building a better future, not tearing down what we have now.
    Technologist6
  • More than a slap on the wrist

    I agree with zdlella249. Although the victims of these sort of crimes maybe only companies and government authorities, the flow on effect can become very personal to clients, customers and employees. No matter what their intellect and technical knowledge, these childish vandals cannot possibly determine the likely effects of their actions. Same effect as randomly throwing a bomb into an office block - destroying knowledge and records and damaging people's lives. Who do these individuals think they are? Self-appointed monitors of our lives, guardians of our civilisation? I think not! They act selfishly and without concern for others. These criminals may be clever with the technology, but they are incredibly ignorant about most other aspects of life. The sentences should have been much harsher to reflect the potential damage they did or may have caused. If they behave like terrorists they should be treated like them.
    mrjsj
  • More than a slap on the wrist

    I agree with zdlella249. Although the victims of these sort of crimes maybe only companies and government authorities, the flow on effect can become very personal to clients, customers and employees. No matter what their intellect and technical knowledge, these childish vandals cannot possibly determine the likely effects of their actions. Same effect as randomly throwing a bomb into an office block - destroying knowledge and records and damaging people's lives. Who do these individuals think they are? Self-appointed monitors of our lives, guardians of our civilisation? I think not! They act selfishly and without concern for others. These criminals may be clever with the technology, but they are incredibly ignorant about most other aspects of life. The sentences should have been much harsher to reflect the potential damage they did or may have caused. If they behave like terrorists they should be treated like them.
    mrjsj
  • More than a slap on the wrist

    I agree with zdlella249. Although the victims of these sort of crimes maybe only companies and government authorities, the flow on effect can become very personal to clients, customers and employees. No matter what their intellect and technical knowledge, these childish vandals cannot possibly determine the likely effects of their actions. Same effect as randomly throwing a bomb into an office block - destroying knowledge and records and damaging people's lives. Who do these individuals think they are? Self-appointed monitors of our lives, guardians of our civilisation? I think not! They act selfishly and without concern for others. These criminals may be clever with the technology, but they are incredibly ignorant about most other aspects of life. The sentences should have been much harsher to reflect the potential damage they did or may have caused. If they behave like terrorists they should be treated like them.
    mrjsj
  • Derp much?

    "A number of website intrusions were based around vulnerabilities found within the Internet Explorer browser, and websites with high traffic levels were targeted."

    News flash. Internet Explorer doesn't allow for website exploitation. It's a totally unrelated vector and type of attack. IE could have been the vector by which an account was compromised or data exfiltrated.

    You don't hack a website by using RCE. That's how you make a zombie.

    Come on ZDnet/Charlie, learn the basics ¬_¬
    mradamdavies