The week of August 10, 2014

FBI informant led cyberattacks on Turkey’s government

By Dell Cameron

After Federal Bureau of Investigation agents raided Hector Xavier Monsegur’s Manhattan apartment in June 2011, the FBI gave him a choice: Help take down the international hacktivist collective Anonymous, or go to prison for the rest of your life. He promptly flipped.

What followed was a high-profile hacking spree that included attacks on Strategic Forecasting, Inc. (Stratfor), the Arizona Department of Public Safety, and the FBI’s own Virtual Academy, among others. Monsegur, better known by his alias Sabu, helped ensnare eight of the world’s top hackers in the process.

Monsegur’s exact role, however, and the FBI’s implicit involvement in the attacks have come under serious scrutiny in recent months.

The Daily Dot previously revealed that, contrary to official reports, Monsegur, 30, orchestrated the devastating attack on Stratfor in December 2011. The breach caused an estimated $3.78 million in damages and left thousands of customers vulnerable to fraud.

For the first time, The Kernel can now confirm Monsegur also led cyberattacks on Turkey’s government. The revelation further calls into question the role of federal investigators and their apparent willingness to exploit both hackers and major security flaws.

A cache of sealed court documents—roughly 3 gigabytes of chatroom logs and assorted surveillance records acquired by the Daily Dot and withheld from the public by order of a New York federal judge—show precisely how Monsegur orchestrated the campaign against Turkey, and how he engineered an alliance between his own group, AntiSec, and RedHack, an infamous team of politically motivated Turkish hackers.


As with the Stratfor attack, Monsegur recruited then-26-year-old Jeremy Hammond, a deft hacker who sat atop the FBI cyber unit’s list of most-wanted criminals.

While Hammond, now 29, performed a crucial role in the hacks, documents reveal Monsegur, who was under the FBI’s direct supervision, served as the operation’s ringleader.

On the orders of Monsegur, Hammond hacked into hundreds of websites outside the United States, court documents show. During an encrypted chat session on Jan. 25, 2012, less than two months before Hammond’s arrest, Monsegur instructed him to “pop off” several dozen foreign government websites from a list that Monsegur provided. Access to any hacked Turkish websites, Monsegur told Hammond, would be provided to the RedHack group.

“They have allegiance to us,” Monsegur said.

During the chat session (copied below), Monsegur used the alias “leondavidson” and Hammond went by “yohoho,” according to court records.


Each of the targets selected by Monsegur operated on Plesk, a common Web-publishing platform with an undisclosed software vulnerability, known to Hammond and few others. “Without his own independent access, Sabu continued to supply me with lists of vulnerable targets,” Hammond testified in court.

On the same day that Hammond obtained root access to nearly a dozen government servers in Turkey, he was invited by Monsegur into a private chatroom, along with a member of RedHack. Once in the room, unauthorized access to the servers was promptly handed over to a hacker named RedStar, a core member of RedHack’s team.

“We rooted these for you,” Monsegur told him. “Get into the boxes and do what you do.”

Hammond was also told that he would be provided with another list of government websites in Turkey. “I’ve got more .gov.tr targets as well,” Monsegur said in a private chat, copied below.


The exact number of websites breached or defaced by RedHack with the aid of Monsegur and Hammond remains unknown. The group, which has operated since 1997, compromised as many as 350 websites belonging to police agencies in Turkey, hacks the group said did not involve Hammond.

RedHack refused to break in or deface certain websites to which Monsegur provided access, the two pseudonymous members of Redhack responsible for the group’s public Twitter accounts, told The Kernel in a secure chatroom.

A few of the targets Monsegur suggested were hospitals, which were of little interest to RedHack, since they lacked political relevance. Regardless, some of the government domains Monsegur supplied access to were later defaced, and confidential emails belonging to Turkish officials were stolen.


A government website defaced by RedHack, with special thanks given to AntiSec, the hacking group led by Monsegur and Hammond.

“Sabu was always a question mark in our mind,” one of the RedHack members said. “When he introduced Hammond to us, we were extra careful because all of a sudden he was saying, ‘Take him in to your team, he is great.’ He offered to give Hammond to our team.”

The hacker added, “Hammond was used, like a soldier.”

Monsegur privately encouraged RedHack to use Hammond for more attacks twice during their initial meeting, according to the court documents analyzed by The Kernel. “He is a very good friend :) You might have to borrow him for your team,” the informant told them.


In a May 2014 court motion, Monsegur’s role as a “hacker” was characterized by U.S. Attorney James Pastore as that of an offender who analyzed “code for vulnerabilities which could then be exploited” by others. It’s evident that he continued to operate in this capacity following his arrest by providing Hammond and other hackers with viable targets, including Turkey’s government.

Court documents reveal that data stolen by AntiSec from international governments was stored on a server under the FBI’s control, including confidential emails, databases, and login credentials. As reported by the New York Times, Monsegur has been linked to cyberattacks on Iran, Syria, and Pakistan, among others, leading to allegations that the FBI, or perhaps some other U.S. government agency, used the hackers to gather foreign intelligence.

This new finding lends further credence to those claims and illustrates how the FBI allowed an informant to break the very same computer crime laws used in Hammond’s prosecution.

In a sentencing memorandum, filed two weeks before Hammond’s final court appearance, his attorneys raised this issue with the court. “Why was our government, which presumably controlled Mr. Monsegur during this period, using Jeremy Hammond to collect information regarding the vulnerabilities of foreign government websites and in some cases, disabling them,” they asked.

Just a week before the exchange with Redhack, Monsegur had obtained access to military police servers in Brazil’s Federal District. He shared the stolen credentials with no less than four other hackers, including Hammond, while the FBI watched on.

“I broke into numerous websites he supplied, uploaded the stolen email accounts and databases onto Sabu’s FBI server, and handed over passwords and backdoors that enabled Sabu and, by extension, his FBI handlers, to control these targets,” Hammond testified at his sentencing last fall.

A list of Turkish sites supplied by Monsegur to Hammond.

The FBI has refused to confirm whether investigators knew that Monsegur was ordering international attacks. It’s unlikely, however, that he was able to do so without the agency’s direct knowledge and implicit approval.

During an Aug. 2011 hearing, the government’s prosecutor, James Pastore, said, “We have installed software on a computer that tracks his online activity.” Federal investigators also had “around-the-clock cooperation” from Monsegur, according to Judge Loretta A. Preska. The government further testified that a surveillance camera had been installed in his residence.

An FBI spokesperson told the Daily Dot that the agency’s handling of informants is conducted strictly in accordance with the Attorney General’s guidelines. The spokesperson declined to comment further on Hammond’s case.

“I took responsibility for my actions by pleading guilty, but when will the government be made to answer for its crimes?” Hammond asked the court during his allocution last fall.

“The U.S. hypes the threat of hackers in order to justify the multi-billion dollar cyber security industrial complex,” he added, “but it is also responsible for the same conduct it aggressively prosecutes and claims to work to prevent.”

In May, Monsegur was released on time served, with a year of probation, by a federal judge for his cooperation.


Illustrations by J. Longo