The fall of the FBI’s most-wanted cybercriminal

By Kevin Collier on August 9th, 2014

On an unseasonably cold Saturday afternoon in March 2012, Jeremy Hammond, one of the most destructive hackers in American history, logged into his computer in his squalid Chicago duplex for the second-to-last time.

His friend Sabu, a notorious hacker who had often encouraged him to attack more ambitious targets, was playfully giving him a hard time over his period offline.

“I mean you disappered all day. I’m lways used to you online haha,” Sabu hammered out in a hastily typed chat on March 4. “missed you <3. no homo.”

Hammond, typing from the username “yohoho,” responded sharply: “yeah I have been putting in nearly full time work here. weekdns I usually go out partying.”

Under the banner of the faceless hacker collective Anonymous, the two had been close cohorts for the past eight months. Sabu usually picked the targets—namely foreign government sites like that of the Brazilian military police—while Hammond, a longstanding political activist, did the heavy lifting. It’s not that he didn’t trust his partner, but Hammond, a veteran hacker at 27, took precautions. He only talked with Sabu over encrypted chat, and while they spoke multiple times a day, he never gave his actual name and made only oblique references to his personal life.

They were, after all, Anonymous.

Their conversation moved to their next target, an online security firm called Panda. Hammond wasn’t quite ready to strike. He said he wanted help getting the company’s full email services.

Panda had become personal: Hammond was particularly peeved at the company’s technical director, Luis Corrons, for allegedly helping police bust some of their compatriots. Corrons would later tell me that he never specifically helped cops with Hammond and Sabu’s hacking crew, LulzSec (meaning “LOL Security”), though he’s worked with law enforcement to stop hackers plenty of times before and since.

That’s not how Hammond saw it.

“Luis himself says he cooperated with the police to bust hackers,” he wrote.

The painful irony was that Sabu, whose real name is now known to be Hector Monsegur, was operating at the time as an informant for the Federal Bureau of Investigation. Sabu’s New York City apartment had been raided by the FBI in June 2011, not long after Hammond first reached out to him to partner up, and he quickly flipped to avoid a long prison sentence away from his two nieces, whom he raised like daughters.

This chat and hundreds of others with Hammond—detailing every intended and executed criminal hack—went straight to federal authorities.

Hammond didn’t know that when he logged off and left his house a few hours later, the FBI was posted outside, watching. Agents were tracking him as he went out with friends, playing a show with his ska-punk band and dumpster-diving for food in the wee hours of the morning. It was his last free night before his arrest and eventual 10-year sentence, the maximum for violating the Computer Fraud and Abuse Act (CFAA).

Jeremy Hammond never left explicit traces of his identity to even his most trusted online confidant—“yohoho” was hardly his only regular username—and he took all the necessary technical steps to hide his tracks online. However, sealed court documents from his trial—a cache of thousands of chat logs, surveillance photos, and court orders, obtained by the Daily Dot—offer a rare look at the extreme detective work the FBI put into nabbing a coveted hacker target.

For the FBI, not even the most technically adept member of Anonymous can stay anonymous forever.

Sitting alone in the lunch hall of Manchester Federal Correctional Institution, the Kentucky federal prison where he’s serving out his sentence, Hammond’s still baffled as to how he got caught. He’s bulked up some in prison, but his khaki uniform is still baggy on his wiry frame. His wispy mustache and goatee look like an unintentional nod to the Guy Fawkes mask, the symbol of Anonymous.

“I mean, were there 100 FBI agents sitting around brainstorming?” he asked me.

Hammond knew from the evidence presented to him before he went to trial that the feds didn’t track his computer through cyberspace. They found him by piecing together his identity so skillfully that the agency convinced a court to let them bust down his door.

“Once they got that warrant, they got my hard drive. Even though it was encrypted, it was all over.”

The FBI pinned its case on one piece of glaring evidence: A hacker, who chatted with Sabu under the alias “sup_g,” was the primary actor in the attack on the American intelligence firm Stratfor in December 2011. An elite intelligence-gathering firm, Stratfor was a perfect target for Hammond: a glaring example of the military industrial complex, boasting pathetically weak security. And with customers as prominent in the American political system as Dan Quayle and Henry Kissinger, messing with Stratfor “pissed off a lot of people,” Hammond said.

Stratfor was one of the largest hacks in American history, left in a smoldering ruin by the time AntiSec was done with it. The group deleted several of the company’s databases, exfiltrated an estimated 60,000 credit card numbers and related data, and through the whistleblower organization WikiLeaks, leaked 5 million internal office emails. The hack caused an estimated $3.78 million worth of damage. Sup_g not only bragged about each step in the chat, he detailed the technical knowledge necessary to have pulled it off.

For the FBI, there was one big question: Who was sup_g in real life? The answer came not in the form of a singular revelation, but in a series of seemingly distant dots, between Hammond’s oblique online references and his real-world actions, connected through on-the-ground surveillance, starting that fateful Saturday in March.

That evening, after yohoho wrapped up his chat with Sabu, Hammond left his house for a show with his band, Dirty Surgeon Insurgency, at the Ball Hall, a grungy music-and-art space in Chicago’s Humboldt Park neighborhood. According to FBI surveillance logs, Hammond and two compatriots loaded up their instruments into a Jeep Patriot SUV at 2:28am that morning. Agents followed the van a mile and a half to a Shell gas station. There, Hammond hopped out and started rifling through a trash can. The FBI captured the moment with a series of photos.

 

 

From there, a photographer captured him crossing the street. “Jeremy Hammond is at a dumpster behind Pizza Hut,” one agent’s report bluntly states.

 

He returned, got back in the Jeep, and traveled home, but not before making one other stop. The agent’s report reads, “Jeremy Hammond is at a dumpster near Burger King. Jeremy Hammond hands a bag from the dumpster to” a close associate.

This is the sort of non-exclusive evidence the FBI brought to the table in March, when the Department of Justice charged him under the CFAA, a law that prohibits “unauthorized access” to another’s computer. Critics say its broad language allows it to be selectively enforced whenever the government wants to make an example of a hacker. Andrew “weev” Auernheimer spent more than a year in prison for breaking the law before a judge threw out the case, and Internet freedom activist Aaron Swartz’s CFAA charges loomed heavily over him when he took his own life in January 2013.

The FBI already suspected Hammond enough to put a surveillance detail on him, of course, and slowly hazy clues started coming into focus. As one agent would later testify, “Hammond is a ‘freegan.’ In conducting surveillance, agents have seen Hammond going into dumpsters to get food.”

That observation was paired with an online exchange from seven months before—a needle in a haystack of countless chat logs.

Around 3:30am on July 31, 2011, as the FBI would later tell the court, a user known as POW had written that “dumpster diving is all good i’m a freegan goddess.” POW had dropped an identifying clue 10 days before as well. In an IRC chat, Sabu asked, “who is POW,” requesting “your old nick.” POW replied, “something anarchist related maybe.” Agents took that to refer to the user “Anarchaos,” who frequented those same Anonymous chat rooms.

And who was Anarchaos? Sabu told the FBI that before he was caught and turned informant, Anarchaos had alluded to being detained during the Republican National Convention in 2004, held in New York City. And on June 10, 2011—after Sabu turned, putting all his chats on the record—yohoho made a similar claim. Referring to Sabu’s native New York City, which was an open secret in the Anonymous circles, yohoho said, “I haven’t been there since the RNC.”

That’s where the breadth of the FBI’s system of tracking potential troublemakers came into play: They’d had tabs on Hammond, simply as an activist who knew computers, since at least 2004. That’s when he was truly coming into his own as an activist.

“Growing up in the Bush years, the war in Iraq, the passage of laws like the Patriot Act is what got me involved [as an activist],” he told me in the prison.

Hammond was filled with a righteous indignation at the Bush administration, and the Republican Party in general, and made his foray into relative fame. He even gave a talk that year at the DEFCON hacking conference in Las Vegas, Nev., called “Electronic Civil Disobedience and the Republican National Convention.” At its conclusion, a DEFCON employee joined Hammond onstage to stress that the conference wasn’t sanctioning anyone to “blow up a Republican bus!” At this point, Hammond glibly remarked, “Please do.”

 

That was the first time Hammond met the FBI. “Agents came to my home and said, ‘You said in your speech you wanted to blow stuff up?’” Hammond recalled. “I said no to everything, of course.”

A month after that talk, Hammond traveled to New York City to protest the Republican National Convention. It was held barely a year after the U.S.’s invasion of Iraq, and the GOP was seen by many as crassly exploiting 9/11 to drum up support for an unrelated, illegal war. Hammond was among the hundreds detained at those protests, a group that later won the largest protest settlement in American history.

“The biggest thing that sunk me was being at the RNC,” Hammond told me. There, he was among the many activists who arrived to protest the convention but were detained in paddywagons. An FBI agent questioned him and took down his name. Being there was a badge of honor he carried for years.

Anarchaos, Sabu later recalled to the FBI, had referenced being detained at that convention. So when yohoho made a similar reference, the FBI had a thread. And on Nov. 6, in a private encrypted chat on messaging platform Jabber, sup_g—the same user who a month later outed himself as the main actor in the Stratfor hack—bluntly told Sabu, “k im sup g.”

The FBI concluded its most-wanted cybercriminal went by Anarchaos, yohoho, and POW. It knew he was a freegan activist who had been detained at the 2004 GOP convention. Those accounts, as well as others the FBI traced to Hammond, also echoed his political sentiments: anarchism, vicious anti-racism. One alias referenced prison time, and Hammond had previously done a stint for hacking a right-wing, pro–Iraq War site called Protest Warrior.

That was enough for a judge to grant the FBI a warrant and permission to secretly install what’s known as a pen/trap device, which allowed for the monitoring of Hammond’s Internet activity at the end of February 2012. That, coupled with the physical surveillance, allowed the agency to see when he was home. What they found correlated with his Tor usage—which allowed him to hide his IP address—and when “yohoho” was online, talking to Sabu.

“I did use all of those,” he admitted to me. “And a few of them I used they didn’t find.”

Here’s how the actual bust went down.

On March 5, 2012, the night after agents spied Hammond dumpster-diving, the FBI prepared to move in. From multiple stakeouts, agents created a rough floor plan and decided to enter his home from the rear door.

Hammond was chatting with Sabu again, using “yohoho” as usual. At 8:43pm, Sabu claimed he’d found some new exploits. Someone had figured out a way to hack OkCupid, he said. At 8:46, Hammond responded he wasn’t that interested.

At 8:47, Sabu said, “wow this bug is weird.” Hammond didn’t respond, and never would again. The FBI had obtained a no-knock warrant, meaning it could bust in without warning. Agents found him shocked, standing in the doorway to his bedroom. They ordered him down on the ground and cuffed him.

At 9:19, Hammond arrived at FBI offices in Chicago. At 9:30, the FBI’s Evidence Response Team arrived at Hammond’s house and got to work. At 9:41, Hammond requested to speak with his lawyer, so the FBI gave up on trying to interview him and took him to a Chicago Police Department jail for the night.

The ERT began its search for evidence at 10:05. They counted 15 phones, 165 CDs, and two laptops. Just before midnight, members of the Regional Computer Forensics Lab (RCFL) and the Computer Analysis Response Team (CART) removed one white Apple MacBook and power cord containing a “Prisons Are for Burning” decal, and transported it to the RCFL for further analysis.

 

At first, Hammond considered trying to fight his charges. When the FBI showed him logs of his chats with Sabu, he gave up and pled guilty.

“I didn’t know he was an informant until the day after I was arrested,” Hammond told me. In group chats, he was always a little worried that someone was an informant, but not in his one-on-ones with Sabu. “It was surprising, but, you know, hindsight.”

Hammond paused. “Sabu was never that important. I was doing the hacking. I was writing the press releases. He was just a mouth, bragging on Twitter. He talked, but he’s not that skilled. We were already cutting him out.”

In the days after his arrest, in solidarity, the remaining members of LulzSec hacked Panda security without Hammond, defacing its pages with videos proclaiming their exploits. But those didn’t stay up long, and the remaining members of LulzSec were either arrested or have faded into the obscurity offered by the Internet. The Dirty Surgeon Insurgency, Hammond’s band, went on tour in his absence and advocated for his release, but the group has since disbanded.

In December, Hammond received the maximum sentence under the CFAA: 10 years minus time served. He’s scheduled for release on Christmas Day, 2020.

His partner-in-cybercrime, Hector “Sabu” Monsegur, wasn’t sentenced until May 27, 2014. Judge Loretta Preska praised his “extraordinary” efforts in aiding law enforcement and spoke of “virtual around-the-clock cooperation where Mr. Monsegur was sitting with agents.” He was granted just one year of probation.

Questions still linger, however, about the nature of the relationship between Hammond and Sabu.

Other FBI documents provided to Hammond’s defense team, obtained by the Daily Dot, show that Sabu not only explicitly directed Hammond to hack Stratfor but gave him the tools to do so. Sabu appears to have also instructed other members of LulzSec to hack a multitude of high-level targets, including Arizona’s Department of Public Safety, the Federal Trade Commission’s own anti-hacking advisory site, at least 10 Brazilian targets, and others in Iran, Syria, and Turkey.

Peggy Cross-Goldenberg, one of Sabu’s attorneys, told the court during his sentencing hearing that the FBI “tracked everything he typed with a key-logging program” and installed a camera in his house. As such, it appears the FBI was explicitly involved in orchestrating the very same computer crimes that hackers are routinely charged with.

“It sure sounds like the FBI didn’t have any regard for international law,” Hammond wryly noted to me.

The agency declined to comment for the story.

At the end of our chat, which went on about 10 minutes past our two-hour limit, a guard interrupted Hammond mid-sentence and told us our time was up. I shook his hand, and looked him in the eye, and he headed back—his head still held high.

 Correction: A previous version misidentified the hacking crew responsible for the attack on Stratfor. It was AntiSec. We regret the error. 

Illustration by Jason Reed