Showing posts with label Lulzsec. Show all posts

Topiary Vanned

Topiary is identified as 18-year-old Jake Davis by the MET police


Source - @Tim
We couldn't find the real Topiary because of disinformation, and kudos to the MET police for a job well done.

We tried our best with the minimal resources we had, and in the end it is the cops who will nab these kids with evidence.

We sincerely apologize to Daniel Akerman for doxing him as Topiary.

Game Over page updated with Topiary arrest.

Caught Naked

Previous Episode

We have identified Sabu as Visigod aka Hugo Carvalho from Portugal, but Visigod claimed on our blog that he has nothing to do with LulzSec hacker Sabu. Visigod also said he sold the domain "prvt.org" to a guy called Xavier in November 2009 and sent us the email conversations as proof.

Our conversations with Visigod here  - http://lulzsecexposed.blogspot.com/2011/07/job-done.html

Present Episode

We have analysed the emails and here is the "Kick-Ass Special Report"

Reference 1

http://office.microsoft.com/en-us/outlook-help/view-e-mail-message-headers-HA001230300.aspx

1. The practice of providing false information in message headers is a growing problem. This is also known as spoofing.

2. X-Mailer: Microsoft Office Outlook, Build 12.0.4210

This information indicates that the message was sent by using Microsoft Office Outlook with a build version of 12.0.4210.

Reference 2

http://www.slipstick.com/exs/versions.htm

Outlook 2010

14.0.4760.1000 -  Released to Manufacturing April 16 2010

Outlook 2007

12.0.6341.5000 - February 24, 2009 pre-SP2 Cumulative Update
12.0.6504.5000 -  SP2
12.0.6510.5000 -  June 30 2009 hotfix - see KB 970944

Based on the above references

1. Email headers can be spoofed.

2. One can identify the mail program and the time period of its build by checking the X-Mailer header of an email.

The emails sent by visigod are dated from June 25, 2009 till Nov 16, 2009. According to visigod, this is the time period he owned prvt.org domain.

First email sent by Xavier to Visigod after winning GoDaddy Auction is dated on Thu 2009-10-29 04:00 PM


The X-Mailer is Microsoft Outlook 14.0

Visigod sent reply to the email on Thu 2009-10-29 11:17 PM


Even here the X-Mailer is Microsoft Outlook 14.0

- Whether GoDaddy sends email to Visigod or Xavier sends email to Visigod or Visigod sends email to Xavier, all X-mailers are Microsoft Outlook 14.0

- IP headers are missing in the emails sent by Visigod. When you save the emails, you get complete headers including IPs.

FACT - X-mailer build "Microsoft Outlook 14.0" was released on April 15, 2010.

Source 

http://en.wikipedia.org/wiki/Microsoft_Outlook

http://www.slipstick.com/exs/versions.htm
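The two checks used in this report (an X-Mailer build that did not yet exist on the message's Date, and a header block with no Received lines) can be scripted. This is an added example, not part of the original post: the sample messages, addresses and finding codes are constructed, and the only release date in the table is the one stated above.

```python
"""Flag header blocks whose X-Mailer post-dates the message's Date header."""
import re
from datetime import date
from email import message_from_string
from email.utils import parsedate_to_datetime

# Earliest release date per (product, major version). The single entry is the
# date this page gives for "Microsoft Outlook 14.0"; extend the table from a
# version list you trust before using it on other mail clients.
MAILER_RELEASES = {
    ("Microsoft Outlook", "14.0"): date(2010, 4, 15),
}

# Matches both header styles quoted on the page:
#   "Microsoft Outlook 14.0" and "Microsoft Office Outlook, Build 12.0.4210"
_XMAILER = re.compile(r"^(?P<product>.+?)(?:,? Build)? (?P<major>\d+\.\d+)")


def parse_mailer(value):
    """Return (product, 'major.minor') from an X-Mailer value, or None."""
    m = _XMAILER.match(value.strip())
    return (m.group("product"), m.group("major")) if m else None


def check_headers(raw):
    """Return a list of finding codes for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    try:
        sent = parsedate_to_datetime(msg["Date"]).date()
    except (TypeError, ValueError):
        sent = None
        findings.append("bad-or-missing-date")

    mailer = parse_mailer(msg.get("X-Mailer", ""))
    released = MAILER_RELEASES.get(mailer)
    if mailer is None:
        findings.append("no-x-mailer")
    elif released is None:
        findings.append("unknown-mailer")  # not in the table: no verdict
    elif sent is not None and sent < released:
        findings.append("mailer-anachronism")

    # A message that crossed the network carries at least one Received line
    # added by a relay; a block without any was not captured in transit.
    if not msg.get_all("Received"):
        findings.append("no-received")
    return findings


# Constructed sample: dated 2009, claims Outlook 14.0, no Received lines.
SUSPECT = """\
From: <seller@example.org>
To: <buyer@example.net>
Subject: RE: domain transfer
Date: Thu, 29 Oct 2009 21:17:04 +0100
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 14.0

body
"""

# Constructed control: same mailer, dated after its release, relay line present.
CONTROL = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.net with ESMTP; Mon, 18 Jul 2011 10:02:11 +0000
From: <seller@example.org>
To: <buyer@example.net>
Subject: domain transfer
Date: Mon, 18 Jul 2011 12:02:04 +0200
Message-ID: <constructed-2@example.org>
X-Mailer: Microsoft Outlook 14.0

body
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("control", CONTROL)):
        print(name, check_headers(raw) or "no findings")
```

X-Mailer is free text written by whatever software produced the header block, so a finding dates that block rather than identifying who produced it.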



All the emails sent by Visigod aka Hugo aka Sabu are FAKE and SPOOFED



Thank you for playing with Ninjas and confirming that our DOX are 100 percent correct.

You could fool the world and reporters with your stories but not NINJAS. Daniel aka Topiary also tried to fool us two weeks back in a similar fashion but failed miserably, and now we caught you BUTT NAKED.

Hugo - You challenged someone on Twitter to extradite you from Portugal. Take our word, it won't be a BIG DEAL for Law Enforcement.

Having said that, Get ready for the Party Van. Our "Game Over" list is waiting for you. .....ROFL....


 Hugo Carvalho aka Sabu



Bio


Past - Anonymous and Captain of LulzSec Boat


Present - Leader of Antisec


Age : 36 years old
Birthday : June 15, 1975
Gender : Male
Location : Portugal
Interests : Metallica and Network security

Occupation - Webmaster, Coder and Network Admin
--------------------------------------------------------------------------------------------
Emails sent by Visigod

http://www.visigod.com/prvt.zip

Archive - http://www.sendspace.com/file/um7uhy

From GoDaddy support to Visigod

Thu 2009-06-25 03:21 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <support@godaddy.com>
From: <support@godaddy.com>
To: <visigod@gmail.com>
Subject: DOMAIN CONTACT UPDATE
Date: Thu, 25 Jun 2009 12:20:52 +0100
Message-ID: <709901cb6cc5$4d0c25f0$e72471d0$@godaddy.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGTAanTnJP3U+cKZfyowaJpzgnOJg==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 25 Jun 2009 11:20:52.0804 (UTC) FILETIME=[001CB040:01C9F587]
content-class: urn:content-classes:message

Dear Hugo Carvalho,

Changes to your registrant and/or administrative contact information have been initiated for the domain name(s) listed below:

PRVT.ORG

You *do not* need to respond to this email.

If, however, you think these changes may have been made in error or fraudulently, please contact
us within 15 days at mailto:support@godaddy.com.

Sincerely,
GoDaddy.com, Inc.
-----------------------------------------------------------------------------------
From GoDaddy Auctions to Visigod

Wed 2009-10-28 03:23 AM

Return-Path: <bounced@godaddy.com>
Reply-To: <auctions@godaddy.com>
From: <auctions@godaddy.com>
To: <visigod@gmail.com>
Subject: Your Domain, prvt.org, Has Sold
Date: Wed, 28 Oct 2009 01:23:11 +0100
Message-ID: <70f101cb6cc5$4d719e80$e854db80$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_70F2_01CB6CCD.AF36F0E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKtZC1lnQOQtyuAp1r1XK7DORRYpQ==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 28 Oct 2009 00:23:11.0439 (UTC) FILETIME=[D4F0FDF0:01CA5764]
content-class: urn:content-classes:message
x-mid: fac7778a-3b57-4f02-b501-8d7e0f07dfda

Domain sold
--------------------------------------------------------------------------
From Xavier to Visigod

Thu 2009-10-29 04:00 PM

Return-Path: <xavier@openplans.org>
From: <xavier@openplans.org>
To: <visigod@gmail.com>
Subject: Important information regarding PRVT.org
Date: Thu, 29 Oct 2009 13:59:37 +0100
Message-ID: <70f601cb6cc5$4d78f180$e86ad480$@openplans.org>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQN6p4ks+42PEgxZ2GDsSvzE1aK94Q==

hey there. money was paid. how long do authorizations usually take? its already been 3 days.

regards,
~xavier
----------------------------------------------------------------------------------------------------------
From Visigod to Xavier

Thu 2009-10-29 11:17 PM

From: "VisiGod" <visigod@gmail.com>
To: <xavier@openplans.org>
References: <4ae991ba.1c67f10a.5c14.fffffba7SMTPIN_ADDED@mx.google.com>
In-Reply-To: <4ae991ba.1c67f10a.5c14.fffffba7SMTPIN_ADDED@mx.google.com>
Subject: RE: Important information regarding PRVT.org
Date: Thu, 29 Oct 2009 21:17:04 +0100
Message-ID: <209601cb6cc4$c89bbab0$59d33010$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQL6zXAV2iO9+NOO+jVMZL/6Q3q0KwIGNz/9
Content-Language: pt

Hello Xavier,

We now must wait until godaddy allows me to transfer the domain to you. The domain is locked and I cannot do anything with it. Usually this takes about 10 days. In the meanwhile if you want I can redirect the domain to you, just tell me which nameservers you would like to use.

Best regards,
Hugo Carvalho

-----Original Message-----
From: xavier@openplans.org [mailto:xavier@openplans.org]
Sent: quinta-feira, 29 de Outubro de 2009 13:00
To: visigod@gmail.com
Subject: Important information regarding PRVT.org

hey there. money was paid. how long do authorizations usually take? its already been 3 days.

regards,
~xavier
---------------------------------------------------------------------------------------------------
From Xavier to Visigod

Sun 2009-11-01 08:52 AM

Return-Path: <xavier@openplans.org>
From: <xavier@openplans.org>
To: <visigod@gmail.com>
Subject: Important information regarding PRVT.org
Date: Sun, 1 Nov 2009 06:52:03 +0100
Message-ID: <70f701cb6cc5$4d7b1460$e8713d20$@openplans.org>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJIabja2SpYQv8js+f2LkAsfzIXjw==

hi. I'd like to take ownership of the domain.

if you're not giving it up then refund my money.
---------------------------------------------------------------------------------------------------
From Visigod to Xavier

Sun 2009-11-01 02:42 PM

From: "VisiGod" <visigod@gmail.com>
To: <xavier@openplans.org>
References: <4aed2204.1367f10a.2645.ffff9063SMTPIN_ADDED@mx.google.com>
In-Reply-To: <4aed2204.1367f10a.2645.ffff9063SMTPIN_ADDED@mx.google.com>
Subject: RE: Important information regarding PRVT.org
Date: Sun, 1 Nov 2009 12:42:11 +0100
Message-ID: <209c01cb6cc4$c8a53090$59ef91b0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI8Irvx8vl8aNyFgf7edaaHJu2DPwHaACqc
Content-Language: pt

Hello Xavier,

We now must wait until godaddy allows me to transfer the domain to you. The domain is locked and I cannot do anything with it. Usually this takes about 10 days. In the meanwhile if you want I can redirect the domain to you, just tell me which nameservers you would like to use.

Best regards,
Hugo Carvalho

-----Original Message-----
From: xavier@openplans.org [mailto:xavier@openplans.org]
Sent: domingo, 1 de Novembro de 2009 05:52
To: visigod@gmail.com
Subject: Important information regarding PRVT.org

hi. I'd like to take ownership of the domain.

if you're not giving it up then refund my money.
-----------------------------------------------------------------------------------------------
From Xavier to Visigod

Wed 2009-11-04 08:05 AM

Return-Path: <xavier@openplans.org>
From: <xavier@openplans.org>
To: <visigod@gmail.com>
Subject: Important information regarding PRVT.org
Date: Wed, 4 Nov 2009 06:04:41 +0100
Message-ID: <70f801cb6cc5$4d82b580$e8882080$@openplans.org>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQI3KS/fVSxvLdX6uy6dRhbRG6S3VQ==

Thank you.

Can you please point the domain to:

ns1.afraid.org
ns2.afraid.org
ns3.afraid.org
ns4.afraid.org
ns5.afraid.org

Thank you!
------------------------------------------------------------------------------------
From GoDaddy support to Visigod

Wed 2009-11-04 02:36 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <support@godaddy.com>
From: <support@godaddy.com>
To: <visigod@gmail.com>
Subject: Status Alert: Domain Change Notification
Date: Wed, 4 Nov 2009 12:36:00 +0100
Message-ID: <70f901cb6cc5$4d865f00$e8931d00$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_70FA_01CB6CCD.AF4CE9E0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHApFtJa23gQwdHaIVPgcAwcPLwuw==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 04 Nov 2009 11:36:00.0810 (UTC) FILETIME=[FBDA68A0:01CA5D42]
content-class: urn:content-classes:message
x-mid: e8dfe037-2c32-432f-bd96-c418f9703cad

Name Servers changed
----------------------------------------------------------------------------------------
From GoDaddy Auctions  to Visigod

Wed 2009-11-04 10:55 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <auctions@godaddy.com>
From: <auctions@godaddy.com>
To: <visigod@gmail.com>
Subject: Domain Transfer Authorization
Date: Wed, 4 Nov 2009 20:54:33 +0100
Message-ID: <70fd01cb6cc5$4d891e20$e89b5a60$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_70FE_01CB6CCD.AF4EBEA0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMmNYzkyt3CeDa4hm3a7Ur42qWf3A==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 04 Nov 2009 19:54:33.0889 (UTC) FILETIME=[A1700910:01CA5D88]
content-class: urn:content-classes:message
x-mid: 5187f0dd-ea2a-44c6-9cfb-7d4fa7e6e104

Domain Transfer Authorization
-------------------------------------------------------------------------------------------------
From GoDaddy Support  to Visigod

Wed 2009-11-04 11:30 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <support@godaddy.com>
From: <support@godaddy.com>
To: <visigod@gmail.com>
Subject: DOMAIN OWNERSHIP TRANSFER
Date: Wed, 4 Nov 2009 21:30:26 +0100
Message-ID: <710101cb6cc5$4d8acbd0$e8a06370$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_7102_01CB6CCD.AF4F81F0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHiMXNWYZctGL90kJmwW6SAGitcbw==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 04 Nov 2009 20:30:26.0540 (UTC) FILETIME=[A48482C0:01CA5D8D]
content-class: urn:content-classes:message
x-mid: eba73ffe-c634-45df-b249-07b202a01665

This email is to confirm the recent change of registrant of the following domain name(s):

PRVT.ORG

The change has been completed and the available information has been recorded in our system.

If you feel this change is incorrect, please immediately contact undo@godaddy.com, and provide any information you may have that will assist in reviewing your issue.

Sincerely,
GoDaddy.com, Inc.
-----------------------------------------------------------------------------------------------------------
From Godaddy Auctions  to Visigod

Fri 2009-11-06 03:04 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <auctions@godaddy.com>
From: <auctions@godaddy.com>
To: <visigod@gmail.com>
Subject: Domain Transaction Status
Date: Fri, 6 Nov 2009 13:04:21 +0100
Message-ID: <710501cb6cc5$4d8c0450$e8a40cf0$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_7106_01CB6CCD.AF512FA0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKmrkspRn5RzLTS1p2EfjGLB8Zg/g==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 06 Nov 2009 12:04:21.0040 (UTC) FILETIME=[46186B00:01CA5ED9]
content-class: urn:content-classes:message
x-mid: 3ecf5472-3ad1-4cd5-8c9e-4efd85a04745

Customer No. 13436062

Dear Hugo Carvalho,

This is a courtesy notice to let you know that the transaction for prvt.org will be completed on 11/16/2009. At this point, the domain has been paid for and the domain can be transferred. If you have not negotiated the details for the domain transfer, please contact us.

> Search domain listings expiring soon
> See today's featured domain listings

If you have any questions, Customer Support is available 24 hours a day, 7 days a week:

– Email: auctions@godaddy.com
– Phone: (480) 505-8892
– Online Support

Sincerely,
Go Daddy Auctions Team
--------------------------------------------------------------------------------------------------------
From Godaddy Auctions  to visigod

Wed 2009-11-11 03:05 PM

Return-Path: <bounced@godaddy.com>
Reply-To: <auctions@godaddy.com>
From: <auctions@godaddy.com>
To: <visigod@gmail.com>
Subject: Domain Transaction Status
Date: Wed, 11 Nov 2009 13:04:31 +0100
Message-ID: <710901cb6cc5$4d8e0020$e8aa0060$@godaddy.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_710A_01CB6CCD.AF532B70"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG7dWxgyY/uB98hulWLaj0zrTRSBA==
x-mimeole: Produced By Microsoft MimeOLE V6.00.3790.2826
x-originalarrivaltime: 11 Nov 2009 12:04:31.0810 (UTC) FILETIME=[20948A20:01CA62C7]
content-class: urn:content-classes:message
x-mid: 000f28cf-3503-4e51-bc05-d386f29f4cc3

Customer No. 13436062

Dear Hugo Carvalho,

This is a courtesy notice to let you know that the transaction for prvt.org will be completed on 11/16/2009. At this point, the domain has been paid for and the domain can be transferred. If you have not negotiated the details for the domain transfer, please contact us.

> Search domain listings expiring soon
> See today's featured domain listings

If you have any questions, Customer Support is available 24 hours a day, 7 days a week:

– Email: auctions@godaddy.com
– Phone: (480) 505-8892
– Online Support

Sincerely,
Go Daddy Auctions Team
------------------------------------------------------------------------------------------------
From Godaddy Auctions  to visigod

Mon 2009-11-16 03:08 PM

Customer No. 13436062

Dear Hugo Carvalho,

The following transaction(s) is now complete:

Item number 26978043 for prvt.org

Thank you for selling your domain through Go Daddy Auctions! We appreciate your business and hope to be of service to you again in the future.

If you have any questions, Customer Support is available 24 hours a day, 7 days a week:

– Email: auctions@godaddy.com
– Phone: (480) 505-8892
– Online Support

Sincerely,
Go Daddy Auctions Team
---------------------------------------------------------------------------
From GoDaddy Paypal to visigod

Tue 2009-11-17 04:31 AM

Return-Path: <payment@paypal.com>
From: <paypal@tdnam.com>
Sender: <sendmail@paypal.com>
To: "Hugo Carvalho" <visigod@gmail.com>
Subject: Domain Sale Proceeds
Date: Tue, 17 Nov 2009 02:30:54 +0100
Message-ID: <711101cb6cc5$4d94ddf0$e8be99d0$@tdnam.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHBboKWG7SdcRnIzrxdYu1NAGkQiQ==
x-xpt-xsl-name:   email_pimp/default/en_US/transaction/seller/TransactionCounterparty.xsl
x-email-type-id: PP274
x-maxcode-template: email-transaction-counterparty

Hello Hugo Carvalho,

Go Daddy - TDNAM just sent you money with PayPal.

-----------------------------------
Payment details
-----------------------------------

Amount:  $45.00 USD

Transaction Date:  Nov 16, 2009

Transaction ID:  5RA79242AH255245T

Subject:  Domain Sale Proceeds

Custom note:  Payment for PRVT.ORG to member 26978043.

You can view the details for this transaction by logging in to your PayPal account and clicking the "History" tab.

https://www.paypal.com/pt/vst/id=5RA79242AH255245T

Go Daddy - TDNAM is a Verified buyer.

Go Daddy - TDNAM has completed the PayPal Verification process to help confirm their identity, and

they have a confirmed bank account, or been approved for a PayPal Plus Credit Card.
The PayPal Verification process is a security measure to confirm that a user is the owner of the bank account or credit card they are using in PayPal. Confirming each user's identity helps prevent fraud, such as identity theft, and increases the security of payments in PayPal.

Job done

You all know we doxed Sabu a month back and identified him as a 34-year-old webmaster from Portugal.

We couldn't reveal much information considering it as sensitive but "Indiana Jones" and "Jester" have published complete dox on Sabu aka Hugo Carvalho. 


Props to Indiana Jones, Jester, Gr4ss H0pp3r, Miss Mary


The Jester - http://th3j35t3r.wordpress.com/2011/07/13/softly-softly-catch-a-monkey/

------------------------------------------------------------------------------------------------------------


Update July 15, 2011


VisiGod said...


This is a complete lie. You guys are stating that I'm this Sabu guy based on some information about a domain that I had.

I've sold the domain prvt.org via GoDaddy to a guy with the email xavier@openplans.org in November 2009.

If you really want to find the truth, please contact me and I will give you all the proof you need that I'm not related to anything LulzSec or hacking.

July 14, 2011 11:54 AM

Web Ninjas said...

Thank you for contacting us Hugo. We appreciate it. If you have some proof like email conversations or financial statements or GoDaddy auction links with xavier from Nov 2009 please send us via comment.

Make sure you send us screenshots along with the text. In case you are sending emails, make sure you send them with headers; you are a webmaster and it shouldn't be a problem for you.

If they are genuine, we will apologize on our blog and remove your dox.

One more thing, can you please tell us your full name? HRS Carvalho was listed on your Linkedin. H stands for Hugo, what does R and S stand for?

We are waiting....

Thank you for your time and patience :)

----------------------------------------------------
Update July 17


VisiGod said...

I have all the emails about the domain, when I bought it, from whom and when I sold it.

Just tell me where do you want me to forward them. I can also post the message files on one of my sites and you can get them from there.

Regarding my name, R stands for Rogado and S for Sousa.

July 17, 2011 2:55 PM

Web Ninjas said...

@visigod Thank you very much. Please post the emails with headers and screenshots on visigod.com. Please send us the link via comment.

--------------------------------------------------------------
Update July 19


VisiGod said...

I've saved all the emails as outlook msg since I can only see the headers. Feel free to download them from www.visigod.com/prvt.zip

If you still need any more information regarding this matter, feel free to contact me. You can email me at visigod@visigod.com

July 19, 2011 5:59 AM

Web Ninjas said...

@Visigod - Thank you for the emails. We will get back to you once we verify the emails.

We also encourage blog visitors to check them.

www.visigod.com/prvt.zip


Who's Who?

Based on LulzSec chat logs, we can conclude the roles of LulzSec members during the 50 days of mayhem. 


(Image - Security News Daily)



Sabu - Captain of the Ship, organizing the team and planning strategies.

Topiary - Basically PR, updating Twitter and interviews with media.

Kayla - Mostly focused on RFI / LFI / SQLi and coordinating with the rest.

Tflow - Maintenance of LulzSec website and torrents.

Storm  - DDOS and also involved in PBS hack.

Pwnsauce - Coding required tools for the team and involved in Infragard hack.

Neuron - Coding and also involved in Sownage.

M_nerva - Deus Ex Game hack.

TrollPoll - Involved in Fox hack and seems to be the most paranoid of all.

JoePie - Updating the team with news related to LulzSec and other channels of interest.

Avunit - Seems focused on XSS and SQLi

Kl0ps, io, Palladium and Devrandom - Hackers supporting the team

Bitcoin Donations handled by Tflow, Topiary and Joepie

Team Strength - 13 or 15. It is possible that some handles are used by the same person.

LulzSec mentioned there are six members at the time of disbanding. They are Sabu, Topiary, Kayla, Tflow, Avunit and Storm. Some left after the FBI hack and the rest after the release of chat logs.


Interesting Facts

- One of the important strategies of LulzSec was to collect exploits and security holes from their followers on the IRC channel, which we believe was successful, e.g. Senate.gov and AT&T.

- They randomly check websites for known vulnerabilities to hack them. If given a specific target which is fully patched, they would fail.

Pro-tip: If you want to win over AntiSec, make sure you patch your servers for all known exploits and never use the same password for all your logins.

Happy Independence Day


Peace,
Web Ninjas


Laurelai Update - Scroll down to last update on Laurelai

Topiary Gone

It seems Topiary - No. 2 of LulzSec - has learnt the lesson, deleted all his old tweets and left a farewell message for fellow Anons.




"Topiary was right about one thing - Watch your backs because Ninjas are watching you in Shadows."

As said earlier, We would see more posts and tweets like this in coming days.

Sabu Doxed

The Leader of LulzSec is Doxed. Game Over for you Guys !!!


We are just posting his pic. We do have his name, address, location and work details, but we are not publishing them.

Profession - Webmaster, Designer and Coder -  Age - 36


--------------------------------------------


Kayla


Kayla is not a 16-year-old girl but a guy from Canada. We also have complete info on him. He is an old Anon.

Neuron and Redacted

Due to the sensitivity of the information, we are now sending it directly to the FBI, but we will still publish some info on the blog.


Neuron - Engineering Student, US


M_nerva aka [Redacted] - Engineering Student, US

LulzSec Bitcoins

LulzSec Bitcoin Donations - See who handles this, their PR Guys Topiary and Joepie



Jun 04 09:50:21 <Topiary>       2011-06-04 13:40:07     Bitcoin P2P Network     coingobbler     0.05
Jun 04 09:50:21 <Topiary>       2011-06-04 12:38:23     Bitcoin P2P Network     coingobbler     0.52
Jun 04 09:50:21 <Topiary>       2011-06-04 05:19:14     Bitcoin P2P Network     coingobbler     13.40
Jun 04 09:50:21 <Topiary>       2011-06-04 04:16:58     Bitcoin P2P Network     coingobbler     0.01
Jun 04 09:50:21 <Topiary>       2011-06-04 02:19:00     Bitcoin P2P Network     coingobbler     1.90
Jun 04 09:50:22 <Topiary>       2011-06-04 01:15:16     Bitcoin P2P Network     coingobbler     1.00
Jun 04 09:50:24 <Topiary>       2011-06-03 18:03:53     Bitcoin P2P Network     coingobbler     0.99
Jun 04 09:50:26 <Topiary>       2011-06-03 15:11:17     coingobbler     1PPVupRRz7tH... -0.30
Jun 04 09:50:28 <Topiary>       2011-06-03 10:49:24     Bitcoin P2P Network     coingobbler     2.01
Jun 04 09:50:30 <Topiary>       2011-06-03 08:50:34     Bitcoin P2P Network     coingobbler     0.02
Jun 04 09:50:32 <Topiary>       2011-06-03 07:51:23     Bitcoin P2P Network     coingobbler     1.00
Jun 04 09:50:34 <Topiary>       2011-06-03 05:57:29     Bitcoin P2P Network     coingobbler     0.06
Jun 04 09:50:38 <Topiary>       2011-06-03 05:02:08     Bitcoin P2P Network     coingobbler     0.55
Jun 04 09:50:39 <joepie91>      just curious... why are you using a web wallet?
Jun 04 09:50:40 <Topiary>       2011-06-03 03:02:08     Bitcoin P2P Network     coingobbler     0.01
Jun 04 09:50:42 <Topiary>       2011-06-03 02:06:34     Bitcoin P2P Network     coingobbler     0.12
Jun 04 09:50:44 <Topiary>       2011-06-02 22:13:15     Bitcoin P2P Network     coingobbler     3.26
Jun 04 09:50:46 <Topiary>       2011-06-02 22:13:14     Bitcoin P2P Network     coingobbler     0.04
Jun 04 09:50:48 <Topiary>       2011-05-31 04:11:41     Bitcoin P2P Network     CoinGobbler     0.05
Jun 04 09:50:50 <Topiary>       2011-05-31 02:46:10     Bitcoin P2P Network     CoinGobbler     0.03
Jun 04 09:50:52 <Topiary>       2011-05-30 23:22:21     Bitcoin P2P Network     CoinGobbler     0.02
Jun 04 09:50:54 <Topiary>       2011-05-28 22:34:45     Bitcoin P2P Network     CoinGobbler     0.05
Jun 04 09:50:56 <Topiary>       2011-05-28 22:06:44     1NFEkB8NYkLS... CoinGobbler     0.26
Jun 04 09:50:58 <Topiary>       2011-05-13 19:30:28     Bitcoin P2P Network     CoinGobbler     0.02
Jun 04 09:51:00 <Topiary>       2011-05-04 04:43:20     Bitcoin P2P Network     CoinGobbler     0.02
Jun 04 09:51:02 <Topiary>       om nom nom nom goins
Jun 04 09:51:04 <Topiary>       because client = IP
Jun 04 09:51:09 <joepie91>      true

---------------------------------------------------------------------------------------

Jun 04 11:11:31 <joepie91>      can you generate a new bitcoin address?\
Jun 04 11:11:34 <joepie91>      someone wants to donate
Jun 04 11:11:39 <joepie91>      but doesn't want his transaction to show up
Jun 04 11:11:42 <joepie91>      on the "normal" address
Jun 04 11:11:43 <Sabu>  trueeeee
Jun 04 11:11:53 <Topiary>       joepie91: can you take the donation and then forward it to me?
Jun 04 11:11:56 <joepie91>      idk if the wallet you use allows multiple addresses
Jun 04 11:11:57 <joepie91>      and yes
Jun 04 11:12:03 <joepie91>      but it will still be sort of traceable
Jun 04 11:12:12 <joepie91>      there's just an extra hop
Jun 04 11:12:15 <Topiary>       I don't want to change my one as it's on like 150K viewing pastebins
Jun 04 11:12:19 <joepie91>      nono
Jun 04 11:12:21 <joepie91>      just make an extra one
Jun 04 11:12:25 <joepie91>      just for this transaction
Jun 04 11:12:27 <Topiary>       don't think you can do that
Jun 04 11:12:28 <joepie91>      idk if your wallet allows it
Jun 04 11:12:35 <Topiary>       hmm nope
Jun 04 11:12:39 <joepie91>      in the normal client you can.. in fact it's recommended to make a new address for every transaction
Jun 04 11:12:40 <Topiary>       how much is he donating?
Jun 04 11:12:40 <tflow> why not just use the bitcoin client?
Jun 04 11:12:41 <joepie91>      well derp
Jun 04 11:12:42 <joepie91>      idk
Jun 04 11:13:04 <Topiary>       okay well get him to donate to you, then you send to tflow, then tflow send to the lulzsec address
Jun 04 11:13:04 <tflow> i can make one on the bitcoin client if you want
Jun 04 11:13:08 <tflow> ok
Jun 04 11:13:20 <tflow> but if i send to lulzsec address
Jun 04 11:13:26 <tflow> it will be traced back to him
Jun 04 11:13:33 <joepie91>      don't send to lulzsec address
Jun 04 11:13:36 <joepie91>      keep it apart
Jun 04 11:13:54 <Topiary>       okay sure then
Jun 04 11:13:58 <Topiary>       whatever he wants
Jun 04 11:14:06 <Topiary>       if it's 0.01 I will raeg
Jun 04 11:14:36 <joepie91>      lol
Jun 04 11:14:44 <joepie91>      I don't think it will be 0.01 :P
Jun 04 11:14:56 <tflow> 1F7Y5uktm2DofQfMBLfL6cg2TWDmuTkZKU
Jun 04 11:16:12 <joepie91>      okay
Jun 04 11:16:14 <joepie91>      1 sec
Jun 04 11:16:27 <joepie91>      I will probably leave a delay in sending it
Jun 04 11:16:32 <joepie91>      so that he can send it to the anonnews address
Jun 04 11:16:41 <joepie91>      and 1 or 2 days later I can forward it plus a little bit extra to that address
Jun 04 11:16:48 <joepie91>      so that it looks as if I just wanted to "share the wealth"
Jun 04 11:16:49 <joepie91>      etc etc

----------------------------------------------------------------------------------------------------------

Jun 04 12:24:28 <neuron>        hey Sabu o/
Jun 04 12:24:35 <Topiary>       Account Balance is: 26.100001 BTC (449.44 USD @ 17.22)
Jun 04 12:24:38 <Topiary>       FFFFFUUUU someone sent us 0.000001
Jun 04 12:24:41 <Sabu>  it was the ed irc, hes changing whole network to lulzco net
Jun 04 12:24:45 <Sabu>  hahahahhah ytou serious?
Jun 04 12:24:51 <Sabu>  thats awesome
Jun 04 12:24:55 <lol>   xD
Jun 04 12:25:05 <lol>   neuron: yeh :D?
Jun 04 12:25:06 <Sabu>  wait what the FUCK bitcoins are at 17 dollars?????????????????????????
Jun 04 12:25:13 <neuron>        AWW YEAH
Jun 04 12:25:14 <Topiary>       yeah we have 450USD LOL
Jun 04 12:25:15 <Topiary>       in donations
Jun 04 12:25:16 <neuron>        they keep going up
Jun 04 12:25:20 <Sabu>  topiary are we going to start buying servers?
Jun 04 12:25:20 <lol>   yeh they're going up all the time :D
Jun 04 12:25:21 <Sabu>  and vpns?
Jun 04 12:25:25 <Sabu>  or are we gonna sit on it
Jun 04 12:25:29 <neuron>        i say buy now
Jun 04 12:25:35 <neuron>        its gonna go down soon
Jun 04 12:25:42 <Topiary>       joepie says it's gonna go up soon
Jun 04 12:25:47 <Topiary>       like at least to 20
Jun 04 12:25:50 <neuron>        :E
Jun 04 12:25:53 <Sabu>  topiary generate me a new donation key so I put on topic of lulzsec chan on lulzco network
Jun 04 12:26:05 <Topiary>       let's just use the same one bro

--------------------------------------------------------------------------------------------------------------

Jun 04 17:38:58 <joepie91>      I read a blog post yesterday
Jun 04 17:39:05 <joepie91>      that basically said LulzSec was a very good test to see
Jun 04 17:39:09 <joepie91>      how anonymous Bitcoin really is
Jun 04 17:39:15 <neuron>        0-0\ good point haha
Jun 04 17:39:31 <joepie91>      tl;dr we are now lab rats
Jun 04 17:39:32 <tflow> link?
Jun 04 17:39:39 <joepie91>      lemme see if I can find it in my history
Jun 04 17:39:45 *       joepie91 opens way too many pages every day
Jun 04 17:40:06 <io>    yeah i read that too
Jun 04 17:40:30 <io>    http://techliberation.com/2011/06/03/bitcoin-silk-road-and-lulzsec-oh-my/
Jun 04 17:40:35 *       lol has quit (Ping timeout: 121 seconds)
Jun 04 17:40:42 <tflow> ah nice
Jun 04 17:41:47 <joepie91>      fff
Jun 04 17:41:54 <joepie91>      beat me to it





Lulzsec Chat Stats

Wanna see the stats of LULZSEC chat sessions? Here you go



(Credits - @Nonynews)


Save the below images for better analysis










Cache

http://webcache.googleusercontent.com/search?q=cache:UzqmyoNmizoJ:nonynews.webs.com/lulzlog_page_2.html+&cd=2&hl=en&ct=clnk&source=encrypted.google.com

LulzSec is Ex-Anonymous

Some people out there still have doubts about this. Let's make it clear.


Chat Log of Anonymous on Feb 7, 2011 - Penny of HBgary chats with Anonymous

http://pastebin.com/embed_iframe.php?i=x69Akp5L


You can find the same guys in the LulzSec chat:


Sabu, Topiary, Tflow, Kayla, Joepie, Barret Brown, Avunit and a few others


Chat Log of Lulzsec on May 31, June 1st and 2nd

http://pastebin.com/QZXBCBYt

Kids Love Their Nicks, Don't They?

Kids getting excited

Jun 02 17:14:11 <Recursion_>    Mitnick commented on the twitters
Jun 02 17:14:18 <Recursion_>    lawllawlllawllawllawl
Jun 02 17:14:23 <Recursion_>    WUR FAMOUZ
Jun 02 17:14:55 <Neuron>        i just looked at this guys source for "sonydev.net"
Jun 02 17:14:57 <trollpoll>     144 users and growing
Jun 02 17:15:16 <Recursion_>    moreso than the 2pac update
Jun 02 17:15:24 <trollpoll>     everyone in sec world is commenting right now about lulzsec...
Jun 02 17:15:44 <Recursion_>    yup
Jun 02 17:15:44 <Neuron>        we are 9k in \o/

Scared Puppies

Jun 03 22:29:54 <Sabu>  hi
Jun 03 22:29:56 <Sabu>  well guys
Jun 03 22:30:07 <Sabu>  those of you that are still with us through this
Jun 03 22:30:22 <Sabu>  maintain alert, make sure you're behind vpns dont matter what
Jun 03 22:30:32 <Sabu>  and dont fear
Jun 03 22:30:33 <Sabu>  we're ok
Jun 03 22:30:34 <Sabu>  w/i n2
Jun 03 22:43:27 <Neuron> back
Jun 03 22:43:37 <Sabu>  sup neuron
Jun 03 22:44:15 <Neuron> Sabu: did we lose people?
Jun 03 23:28:15 <storm> agreed
Jun 03 23:28:16 <storm> did we?
Jun 03 23:31:10 <Sabu>  yeah
Jun 03 23:31:18 <storm> who?
Jun 03 23:31:23 <Sabu>  recursion and devurandom quit respectfully
Jun 03 23:31:27 <Sabu>  saying they are not up for the heat
Jun 03 23:31:32 <Sabu>  you realize we smacked the fbi today
Jun 03 23:31:36 <Sabu>  this means everyone in here
Jun 03 23:31:42 <Sabu>  must remain extremely secure
Jun 03 23:31:49 <storm> Sabu
Jun 03 23:31:55 <storm> did you wipe the pbs bd logs?
Jun 03 23:31:58 <Sabu>  yes
Jun 03 23:31:59 <storm> k
Jun 03 23:32:01 <Sabu>  all pbs logs are clean
Jun 03 23:32:04 <storm> then i'm game for some more
Jun 03 23:32:06 <Sabu>  ;)
Jun 03 23:32:08 <Sabu>  we're good
Jun 03 23:32:14 <Sabu>  we got a good team here
Jun 03 23:33:53 <storm> hehe
Jun 03 23:33:53 <storm> orly
Jun 03 23:34:06 <Sabu>  ;]
Jun 03 23:34:12 <storm> so
Jun 03 23:34:16 <storm> what did we do to the fbi
Jun 03 23:34:24 <Sabu>  you dont know?
Jun 03 23:34:25 <Sabu>  ROFL
Jun 03 23:34:28 <storm> nope
Jun 03 23:34:30 <Sabu>  twitter.com/lulzsec
Jun 03 23:34:33 <storm> i was gone all day
Jun 03 23:34:34 <Sabu>  ravaged them tonight
Jun 03 23:34:37 <storm> lmao
Jun 03 23:40:06 <storm> After doing so, we contacted Karim and told him what we did. After a few discussions, he offered to
Jun 03 23:40:06 <storm> pay us to eliminate his competitors through illegal hacking means in return for our silence. Karim,
Jun 03 23:40:06 <storm> a member of an FBI-related website, was willing to give us money and inside info in order to destroy
Jun 03 23:40:07 <storm> his opponents in the whitehat world. We even discussed plans for him to give us insider botnet information.
Jun 03 23:40:09 <storm> ROFLMFAO
Jun 03 23:40:10 <storm> ROFLMFAO
Jun 03 23:40:11 <storm> wow
Jun 03 23:40:16 <storm> epic reading
Jun 03 23:40:32 <Neuron> Yo anyone have any extra tips for staying safe?
Jun 03 23:43:08 <Sabu>  clean your box out, make sure any sensitive info you have encrypted on a usb stick
Jun 03 23:43:12 <Sabu>  stay behind your vpn
Jun 03 23:43:16 <Sabu>  from now on your vpn is your weapon
Jun 03 23:43:23 <Sabu>  without your weapon you are nothing
Jun 03 23:43:30 <Sabu>  without you it is notihng blah blah blah
Jun 03 23:43:34 <Neuron> haha
Jun 03 23:43:39 <Sabu>  and dont do nothing we dont approve of :D
Jun 03 23:44:04 <Neuron>        Alright right now.. My "hackbox" has 512 aes encryption on the entire harddrive
Jun 03 23:44:18 <Neuron>        two passwords and truecrypt on info concerning anything hacking related
Jun 03 23:44:24 <Neuron>        and my vpn is HideMyAss
Jun 03 23:44:43 <storm> sabu
Jun 03 23:44:55 <storm> my netbook will be here win only a matter of days
Jun 03 23:45:01 <storm> and ill be wiping my entire system
Jun 03 23:45:05 <storm> desktop
Jun 03 23:45:14 <storm> and just encrypting the entire drive
Jun 03 23:45:16 <Neuron> im already wiping my enitre desktop
Jun 03 23:45:16 <storm> after i scrub it
Jun 03 23:45:58 <Sabu>  yeah
Jun 03 23:46:01 <Sabu>  wipe it all
Jun 03 23:46:04 <Sabu>  im wiping all my shit now


Joepie Doxed

Joepie91 aka Joepie92


Chat Logs

Jun 02 17:06:25 <joepie91>      I'm in europe lol
Jun 02 17:06:29 <Neuron>        so i ping google from it.. 17.2ms
Jun 02 17:06:30 <Neuron>        :P
Jun 02 17:06:31 <Neuron>        so good
Jun 02 17:06:35 <joepie91>      netherlands, more exactly

Jun 03 21:06:53 <joepie91_laptop>       or similar tools
Jun 03 21:07:02 <joepie91_laptop>       http://www.sven-slootweg.nl/downloads
Jun 03 21:07:05 <joepie91_laptop>       I have a really crappy one
Jun 03 21:07:09 <joepie91_laptop>       that I made for someone a long time ago



His personal website -   http://www.sven-slootweg.nl

Based on the address of his website

Sven Slootweg

Wijnstraat
211. 3311BV Dordrecht
Netherlands
(+31) 06 - 26 51 99 55
 info@sven-slootweg.nl


Twitter - @joepie91

LinkedIn - http://nl.linkedin.com/pub/sven-slootweg/18/753/116

His Pics - http://svenslootweg.hyves.nl/photos/608601856/0/fdKU/?ga_campaign=profile




Watch Joepie Live






Update

k2m1ru said...
# Joepie91

Joepie is the dutch word for yay...

This is his youtube, anonymous/anonop vids, also dutch comments. So it's probably the same guy.

http://www.youtube.com/user/joepie91

post about him on a dutch forum. ('hack' related).

http://forum.fok.nl/topic/1603665

His twitter: http://twitter.com/joepie91

AnonOps related tweets, also his real name: Sven Slootweg.

Account on gay.nl: http://www.gay.nl/joepie91

with picture of his face.

his hyves(dutch facebook): http://svenslootweg.hyves.nl/

same picture...

His NU(dutch newsite) account comments about Julian assange, cyberattacks and piracy.

http://www.nujij.nl/joepie91.131727.lynkx?tab=Reacties

His reddit account: http://www.reddit.com/user/joepie91

Again, anonops related stuff.

His blog/download thing: http://www.sven-slootweg.nl/

downloads: email crawlers and other stuff...

also 'YuNicc' at the homepage, look at his hyves, he is member of the 'YuNicc hyve'.

This is also pretty interesting... http://anonymousjoepie91.wordpress.com/2011/04/09/joepie-anonymous/

June 19, 2011 2:33 AM

Topiary tweets

Topiary accepts he is part of LulzSec and tweets from the official Twitter account