Malicious Life Podcast: Hackers vs. Spies - The Stratfor Leaks Part 2

In June 2011, a Con Edison truck was parked outside of Hector Monsegur's New York apartment every day for over a week. But Hector - better known as Sabu, the ringleader of the LulzSec hacking group - wasn't fooled. He guessed, correctly, that the FBI was on to him. But it turned out that of all the people who broke or disregarded the law in this particular story, only one man had a reason to be worried: Jeremy Hammond - check it out…


About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, created the popular Israeli podcast Making History. He is author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:

All Posts by Malicious Life Podcast


It’s early June, 2011. A Con Edison truck is parked outside the Jacob Riis housing projects — a quarter-mile park of tall and uniform low-income apartment buildings on Manhattan’s Lower East Side. 

Con Edison is the power company for over a million residents of New York City, so seeing them around shouldn’t have been immediately suspicious. But Hector Monsegur — a heavyset, amiable 28 year-old Puerto Rican man with a shaved head and goatee — had a feeling that they weren’t there for routine maintenance.

The truck was parking outside of his building every day, for over a week already. In an interview with Charlie Rose for CBS This Morning, he laughed about it. Quote:

“You know what was the greatest indication? The mailman was hanging out with the Con Edison guy in front of my building. It’s kind of random. So I knew something was off.”

As Hector tells it, June 7th began like any other morning. He woke up and walked his two young cousins — whom he has sole guardianship over, and refers to as his “daughters” — to school. Quote:

“And, on my way back, I’m noticing there’s random people parked in random cars, and just nothing makes any sense. I’ve never seen these people before, never seen these cars before.”

As he walked towards his home, a man in one of the cars was holding a newspaper. But instead of reading the paper, the man was staring at him. Hector got inside, went up to his sixth floor apartment, cleaned it up a bit, then took a nap.

The afternoon was extra hot — almost 90 degrees — when he picked up his daughters from school. But, knowing it might be their last memory together for a while, he grabbed some cash and took them on a shopping spree. Quote:

“I took them to buy, like, 200 dollars worth of comic books and toys. And I dropped them off at church with a family friend and I said “hey guys, I’ll catch you later, I’ll be right back.” I already knew what was happening.”

On his way home, he picked up a six-pack of beer from the store. He rarely ever drank, but he wanted a final moment with his brother. They celebrated, and Hector gave him a warning. Quote: “They’re coming. Just be prepared. Stay in the room, and don’t say nothing, and don’t move. I don’t want you to get shot because they think you’re a threat.”

After nightfall, there was a knock on the door.

“Police!” they shouted.

Hector — known in online chatrooms as “Sabu” — knew these weren’t ordinary cops. But he had no choice. He calmly walked over and opened the door.

Sabu — Hector — was at the top of his game.

From May 7th to June 26th, 2011, his hacker collective — called Lulz Security, or “LulzSec” — had been conducting its “50 days of lulz” campaign. Rarely has any group been so prolific. Sabu — co-founder and generally understood leader of the group — directed his five fellow LulzSec members in hacking gaming companies — like Sony and Bethesda — media companies — Fox News and PBS — and law enforcement agencies — including the websites of the U.S. Senate, and the CIA. They had new breaches to announce almost every day.

Perhaps it was just too busy, so nobody seemed to mind that Sabu was offline all day on June 8th. Or maybe it’s because he was back on within 24 hours. His grandmother died, he told the group, as they moved on to their next targets.

According to the FBI, June 7th was not simply the arbitrary date they chose to complete their stakeout and arrest the ringleader of LulzSec. Late that evening, they claim, they received word that Hector had been doxed. Somebody leaked his real name, and they feared he would respond by wiping evidence of his crimes from his computers and drives, so they moved. From Fox News, quote:

“[E]vening temperatures were still sweltering when two FBI agents wearing bulletproof vests under their dark suits climbed the stairs of the Jacob Riis housing complex [. . .] Drenched in sweat, they knocked on the steel door of a sixth-floor unit. It swung open to reveal a man in his late twenties wearing jeans and a white T-shirt.”

In Hector’s telling, the agents were prepared to smash down his door, and, when he opened up, at least 14 or 15 of them immediately swarmed his apartment. In the FBI’s account, it was just two, and the situation was quite tame. 

In Hector’s telling, he answered them cooly: “‘Alright, so what’s the problem?’” According to the FBI, he was less suave. Quote: 

““It’s not me, you got the wrong guy,” Monsegur said, according to sources who witnessed the interaction. “I don’t have a computer.” Behind Monsegur, the agents saw the Ethernet cable snaking to his DSL modem, green lights blinking on and off.”

According to Hector, he was calm and compliant. According to the FBI, they got him with a classic good cop-bad cop routine. However it went down, though, the end result was the same. Hector recalled the agents explaining to him, quote:

“We know who you are, we know what you’re doing, and we also know you have two kids in the house. So, to keep it simple, you could either cooperate with us — come downtown with us, you’ll be back in the morning — or we’re going to call [child services] and we’ll take your kids away. It’s your call.”

It was posed as a question, but the FBI knew exactly what decision Hector had to make. “It was because of his kids,” one of the two agents told Fox. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

Hector freely admits it — he turned on his buddies faster than a helicopter rotor. “They basically put me in a situation where I had to choose between my family and an idea,” he told CNET. “Now, the idea is beautiful. I love the idea. But I’m not gonna choose [. . .] the movement over two kids.”

Within a day, Hector was back home, sleeping in his nice, comfy bed alongside the kids. He’d even gotten a nice parting gift from his new friends at the FBI: a Windows laptop with an automatic keylogger and screen grabber. “They just simply said, well, keep doing what it is that you’re doing,” Hector recalled. “And we’re just gonna sit back and watch.”

50 Days of Lulz

He wasn’t gone for long, but something about his grandmother’s death had, seemingly, affected Sabu in a deep way.

He didn’t quit 50 days of lulz — in fact, he only dove in deeper. He was always a charismatic leader, always had a penchant for grandiose talk about “the system” and dirty cops, but now he went even further with it. One LulzSec member recalled how, quote: 

“We immediately saw a change in his attitude. He started really pushing the revolutionary rhetoric, trying to band everyone together by calling us ‘brothers’ and saying we were ‘all in this together’ and we were ‘family.’”

Sabu’s new intensity came to a head on June 19th when, coming into the last week of 50 Days of Lulz, he announced a brand new project called “Operation Anti Security.” 

AntiSec would be an even bigger operation against even bigger targets — no more gaming and media companies, this time banks and law enforcement. Sabu gathered together a group of 10 like-minded Anonymous and LulzSec hackers and, together, they breached dozens of corporations and individuals, and over 70 law enforcement agencies all told. 

Some in Sabu’s crew did grow suspicious. He was choosing their targets, handing them zero-day vulnerabilities, providing them servers for stolen data, and talking his usual big talk, but he never actually participated in the attacks themselves. “We got tired of seeing Sabu never get his hands dirty,” one member told Rolling Stone. “At some point a few of us sat together in an IRC chat room and asked, ‘Who has ever seen Sabu hack anything?’”

They hadn’t, because he wasn’t, because he couldn’t, as an FBI rat, go so far. Still, nobody put all the pieces together, probably because Sabu was such an effective social engineer.

In fact, he wasn’t the most talented hacker; speaking had always been his strength. In some prior attacks, he convinced his targets to hand over the authentication information he needed to breach their systems. Now he was using that silver tongue against his own team members, egging them on and espousing friendship while, secretly, plotting against them. Like, for example, during AntiSec’s most high-profile act: a data leak against the firm known as Strategic Forecasting Inc.

The day after his top man successfully breached one of America’s shadiest companies, Sabu sent him a message. “Yo yo,” he wrote. “Hey, homboii,” Jeremy Hammond replied. “I been going hard all night.” Hector pretended to worry about law enforcement backlash. “I heard we’re all over the newspapers,” he wrote. “You motherfuckers are going to get me raided. [. . .] If I get raided, your job is to cause havoc in my honor.” Jeremy had no clue. “It shall be so,” he replied to the person he considered a friend and mentor.

A Perfect Honypot

AntiSec was the perfect honeypot for somebody like Jeremy.

The big, bombastic rhetoric — “now or never,” the announcement read, “history begins today.” The Anonymous and LulzSec links, particularly having a big name like Sabu behind the project. The promise of hacking the biggest banks and law enforcement agencies. This honey was just too tempting for an idealistic and reckless young hacker.

Hammond was the most productive member of the group. As one fellow activist told Rolling Stone, he was, quote, “basically the perfect storm of know-how, drive and ideology. He was by far the most knowledgeable hacker in Antisec, and he wasn’t afraid to get his hands dirty.” 

Between Jeremy’s skill and Hector’s leadership, AntiSec was a nearly unstoppable force, exploiting backdoors and stealing data and trying to cause as much ruckus as possible in the media. 

But here’s the million dollar question: if AntiSec was under FBI oversight, why would they have been allowed to attack the targets they did? Hammond had a theory. In a post to Pastebin years after the fact, he gave the example of arguably AntiSec’s most prolific period — a series of intrusions that, quote:

“[T]ook place in January/February of 2012 and affected over 2000 domains, including numerous foreign government websites in Brazil, Turkey, Syria, Puerto Rico, Colombia, Nigeria, Iran, Slovenia, Greece, Pakistan, and others. Sabu also infiltrated a group of hackers that had access to hundreds of Syrian systems including government institutions, banks, and ISPs. He logged several relevant IRC channels persistently asking for live access to mail systems and bank transfer details. The FBI took advantage of hackers who wanted to help support the Syrian people against the Assad regime, who instead unwittingly provided the U.S. government access to Syrian systems, undoubtedly supplying useful intelligence to the military and their buildup for war.”

If Hammond is to be believed, Operation AntiSec wasn’t just a honeypot designed to snag hackers like him. It was a group of anti-establishment cybercriminals who, without knowing it, were in fact carrying out cyber attacks on behalf of the FBI. That they were also targeting U.S. law enforcement? That was, perhaps, just an unfortunate byproduct. A trade-off the FBI was willing to let slide, in exchange for Syria, Kuwait, and all the rest. As Jeremy concluded, quote:

“All of this happened under the control and supervision of the FBI and can be easily confirmed by chat logs [. . .] the government’s actions go way beyond catching hackers and stopping computer crimes.”

Maybe Jeremy was an FBI pawn but, at the time, AntiSec felt like a calling. What he had been building up to for all those years. It was, perhaps, a bit blinding.

“There was a point there where he started to just feel really proud about what he was doing,” another AntiSec hacker told reporters. “Many times I said to him, ‘Stay hidden. Don’t show up too much on public channels.’”

But Jeremy was proud, and he liked talking about what he had accomplished. For example, there was the time a digital rights activist named Peter Fein visited an Occupy Wall Street protest in Chicago. He remembered, quote:

“I went down to Occupy one day, and I got to talking to people and mentioned that I did stuff with Anonymous. And this guy blurted out, ‘Oh, yeah, I’m in Lulzsec’. I thought, OK, either you’re lying or an idiot.”

Jeremy was showing off — a classic hacker’s mistake. “I got the sense,” Fein concluded, “that he expected to go back to jail.” 

Every so often, in online chats, Jeremy would switch up his aliases as a security measure. But for someone claiming to be “Anonymous,” he’d been far less careful about revealing personal information. With Sabu’s entire chat history on file, the FBI began finding crumb after crumb leading them to their number one target.

In August, 2011, for example, Hammond wrote in a chat that some of his friends had been arrested in a protest in St. Louis. The FBI obtained arrest records from that protest, which included Jeremy’s twin brother. 

In another instance, Hammond claimed that he’d been arrested at the 2004 Republican National Convention in New York City. At multiple points he’d referenced his prior arrests, and the time he’d spent in jail and on probation. In case after case, the references matched his criminal record. By the end, Ars Technica noted, the FBI had more than enough to go on. Quote:

“The FBI was so thorough that it even followed up on a “POW” comment saying “dumpster diving is all good, I’m a freegan goddess.” (“Freegans” scavenge unspoiled, wasted food from the trash of grocery stores and restaurants.) The FBI went to Chicago authorities, who had put Hammond under surveillance when they were investigating him back in 2005. As part of that earlier surveillance, “agents have seen Hammond going into dumpsters to get food.””

In the venn diagram of hacker savants, repeat felons, and dumpster-diving Freegans, there really is just one name that goes in the middle. 

Hammond’s Arrest

On February 29th, 2012, an FBI vehicle staked itself outside of a two-story, multi-family home in the Bridgeport neighborhood of Chicago. The building was short but long, with an unassuming front door that their suspect never used, because he always entered into the rear apartment. 

The inside of the stakeout vehicle must’ve looked like a movie set. With directional antennae and a signal strength meter, agents located the WiFi signal coming from the rear apartment. Most of the time, only a single Macbook connected to the network. Next, they set up a pen register — a wiretapping device — which sent the IP addresses Jeremy connected to to the agents in the van, as well as agents watching from other, remote locations. Together, they watched as he connected to known TOR addresses.

The agents staked out Jeremy’s home for five days, monitoring his online movements. And his movements IRL — any time they spotted him leaving his house, they rang up Hector Monsegur. In FBI logs obtained by Ars Technica, Hector was referred to by the codename “CW-1.” Quote:

On March 1, 2012, at approximately 5:03 PM CST, Hammond was seen leaving the Chicago Residence. Almost immediately after, CW-1 (in New York) contacted me to report that the defendant was off-line. Pen/Trap data also reflected that Tor network activity and Internet activity from the Chicago Residence stopped at approximately the same time.

Later, also on March 1, 2012, at approximately 6:23 PM CST, Hammond was observed returning to the Chicago Residence. Tor Network traffic resumed from the Chicago Residence approximately a minute or so later. Moreover, CW-1 reported to me that the defendant, using the online alias “yohoho,” was back online at approximately the same time as physical surveillance in Chicago showed Hammond had returned to the Chicago Residence.”

On March 5th, the Bureau filed for an arrest warrant. At around 8:00 at night, a big, white truck pulled up in front of his house. A group of men clad in bulletproof vests with “FBI” written on the front gathered together, holding what one passerby called, quote, “some huge guns.” By 11:00, 16 FBI vehicles were gathered together on that sleepy South Side street.

The following day, two stories broke: that Jeremy Hammond had been arrested in connection with the Stratfor leaks, and that Hector Monsegur had been working as an FBI informant. One Anonymous hacker summed up the general feeling to Rolling Stone. Quote:

“[A]ll I can say is that they goddamn better put the fucker in witness protection. What really makes me want to kill him is that he did all of it so he could send these poor kids to prison.”

Not every hacker felt the same, though. “I just can’t bring myself to hate him,” one member of AntiSec said. Another hacker recalled how Sabu tried to keep him safe, warning them and others not to join his group.

In this, we see something of the dichotomy that is Hector Monsegur. On one hand, as Sabu, he wrote endlessly about his hatred for law enforcement and the powers that be. Then, within hours of his arrest, he became a model informant for the FBI. On one hand he was, seemingly, just a good guy — a foster dad to two young girls, and, generally, a mild-mannered kind of person. In some interviews that really comes across, and in others he seems rather cold. Like, for all the hackers he might have saved from the AntiSec roundup, he certainly saved no love for Jeremy Hammond.

In a T.V. spot for Al Jazeera, the interviewer hardly had to bring up the name “Jeremy” before Hector interrupted. “He’s not another top hacker — he’s just a random person that got caught,” Hector said, shifting anxiously in his chair. 

The anchor asked: “Did you put him away?”

“No,” Hector replied.

The anchor followed up. “You had nothing to do with it?” he asked.

You can find the interview on YouTube — Hector gives a long-winded answer that makes a strawman out of the anchor’s question. Then, rather than describe his participation in the sting, he moralizes. Quote:

“You know, we come into a situation where, in my case, I admitted to my crimes. I admitted to 12 charges. I dealt with the situation. I dealt with the drama. I think it’s time that some people man up and accept that he committed crimes, and they probably have to do that time.”

Actions and Consequences

We left our last episode on an idea that, frankly, isn’t so original: that the law is something some people can evade, and some people can’t, based on their proximity to and relationship with the entities that enforce those laws. George Friedman was the first one to prove it. The founder and CEO of Stratfor hasn’t even come up in this Part 2 episode, simply because he’s not relevant any longer. Stratfor’s data leaks became a PR write off, even after evidence of their immoral and potentially illegal business dealings surfaced. 

Of course, for Jeremy Hammond, participating in the Stratfor breach was grounds for potentially many years in prison.

And then, as if he needed one more reason to distrust the system, there was the judge presiding over his case, Loretta Preska.

Preska took an immediate dislike to Hammond. After he’d spent eight months in jail, awaiting trial, his lawyer pleaded to the judge. “There is no way I can prepare for this trial while this man is in prison,” she said, citing the severely technical details of his case. He’d stay under house arrest, with no access to computers. Preska denied the request, calling the 27 year-old “a very substantial danger to the community.”

You could say she was just a tough judge, except for what happened next. 

In response to the denial of bail, Anonymous hackers doxed Judge Preska. Even they could probably hardly believe what they found. Preska’s husband worked for a law firm which was a customer of Stratfor. Among other details, his personal email and encrypted password were included in the leaks. Preska herself also once belonged to the same firm, which, on top of that, represented over 20 victims of Stratfor’s leak.

In a hearing to determine whether Preska was fit to remain on the case, Heidi Boghosian, executive director of the National Lawyers Guild, made the point — quote:

“The test for the appearance of impropriety is whether a judge’s conduct would create in reasonable minds a perception that the judge’s ability to carry out judicial responsibilities with integrity, impartiality and competence is impaired. No reasonable person would say that a judge whose husband was the victim of the crime she is presiding over could do so with integrity or impartiality, much less competence. If Judge Preska stays on this case it goes against everything she is sworn to do as chief judge and degrades the integrity of the court.”

It seems obvious, right? And it would’ve been no problem to swap judges. The problem was that the judge who decided whether Preska could be objective, about a case she was implicated in, was Preska herself.

It’s as we said: the law is something some people can use, and other people get used by. Judge Preska was the law, so she got to decide. She felt she could stay on the case, and so she did. In fact, she got to preside over both Jeremy’s case, and the case against his nemesis, Hector Monsegur.

As noted in The New York Times, “the advisory federal sentencing guidelines had called for a term of roughly 21 to 26 years,” for Monsegur’s crimes. Preska put that aside. She praised his quote, “obviously great skill,” and told him, quote: “You have done as much as any human being can do, in terms of helping the government to make up for your past wrongs and to avert other damage to probably millions of people. So, I salute you for that.” In May, 2014, she sentenced Sabu to time served.

In November, it was time to hand down a ruling for Hammond.

In two episodes, we’ve met four main characters. They’re rich and poor, criminals and a judge, good people and not so good people, where our conventional associations — like bad criminal, and good judge — don’t necessarily apply. Each one of these characters disregarded the law when they felt like it, yet only one faced the consequences fitting their acts.

On November 15th, 2013, in order to, quote, “promote respect for the rule of law,” Judge Preska handed Jeremy Hammond the maximum possible sentence for his crimes: ten years in prison.

Now, to be clear: nobody — not even his friends — could argue that Jeremy Hammond should’ve received no punishment. Even Jeremy himself was well aware that he broke the law, loudly, and quite often. But if we, as a society, want to convince young radical young people that our system is fair and equal to everyone, his story certainly doesn’t help.