By hacker logic, to be unmasked is to be put out of business.
The hackers, calling themselves the A-Team, assembled a trove of private information and put it online for all to see: names, aliases, addresses, phone numbers, even details about family members and girlfriends.
But their targets were not corporate executives, government officials or even clueless bank customers. They were other hackers.
And in trying to unmask the identities of the members of a group known as Lulz Security, the A-Team was aiming to take them down a peg and, indirectly, to help law enforcement officials lock them up.
The core members of Lulz Security “lack the skill to do anything more than go after the low-hanging fruit,” the A-Team sneered in its posting.
In recent weeks, attacks on big companies like Sony and government sites like senate.gov have raised concerns about increasingly organised and brazen hackers.
On Monday, a Fox News account on Twitter was hijacked and used to announce, falsely, that the President had been assassinated. And a day before, a group said it had stolen passwords and user names from an internal computer system at Apple.
But much of the hacking scene is a fractious free-for-all, with rival groups and lone wolves engaged in tit-for-tat attacks on each other, often on political or ideological grounds but sometimes for no better reason than to outwit or out-hack the other guy.
The members of Lulz Security, or LulzSec, have been at the centre of the sniping lately. The group won global attention through attacks on the CIA, Sony, the Arizona State police and other organisations, putting at risk the personal information of tens of thousands of people in the process. Even as they attacked, the LulzSec members craftily concealed their own identities, all the while articulating an ever-changing menu of grievances, from government corruption to consumer rights.
LulzSec's provocative attacks and flamboyant style made it a tempting target. Other hackers, equally adept at maintaining their anonymity, have been seeking to penetrate the online aliases of the group's members.
Late last month, LulzSec announced that it was disbanding, and that its members would continue their activities under other banners. But the FBI and other agencies are continuing their pursuit, aided by information unearthed by other hackers. In fact, the Lulz Security members face the very real possibility that if they are caught, it will be their fellow hackers who led the authorities to their doorsteps.
“This unfortunately represents one of few ways law enforcement gets good inroads into this community,” said Bill Woodcock, research director at the Packet Clearing House, a nonprofit group in Berkeley, California, that tracks Internet traffic.
In hacker parlance, to be unmasked is to be dox'd, as in documented. And by hacker logic, to be dox'd is to be put out of business. An online alias is an essential weapon: It conceals a person's name and whereabouts, while allowing the creation of an alternate identity.
Despite the detailed profiling by the A-Team and other hacker groups including Team Poison and Web Ninjas, no self-described Lulz Security member has admitted to being dox'd, and some have merrily denied it. But the campaign seems to have had some effect.
The A-Team's supposed outing of seven of Lulz Security's members coincided with the group's announcement that it was disbanding. And a spokesman for the group, using the alias Topiary, bid a public farewell in typically impish language: “Sailing off watch your backs and follow the north wind, brazen sailors of the 'verse.”
The A-Team posting about LulzSec included mundane personal details. The sister of one purported LulzSec member, it said, was a bartender in a bowling alley in a small English town. Another member was described as “very ugly.” A third, the group railed, cannot hack at all: “He doesn't actually do anything except give interviews.”
Part of the posting, complete with misspellings, went to the heart of the hackers' paradox: “If your anonymous no one can find you. No one can hurt you, so your invincible,” it said. “The problem with this idealogy, is it's on the internet. The internet by definition is not anonymous. Computers have to have attribution. If you trace something back far enough you can find its origins.” Lulz Security was sssnot above outing one of its own. A member known as m(USCORE)nerva leaked some of its chat room discussions to the media. In retaliation the group posted what it said was m(USCORE)nerva's personal information, including an address in Hamilton, Ohio.
Last week the FBI raided a home in Hamilton but made no arrests, according to local media reports. An FBI spokeswoman, Jenny Shearer, would not comment on what she said was a continuing investigation.
Topiary's fellows do not seem to be in a mood to venture off into the north wind forever. Since announcing its dissolution, LulzSec has melted into a broader movement called AntiSec, which potentially has thousands of hackers on its side, including those associated with Anonymous. The group has continued to torment the Arizona police because of their role in a State crackdown on illegal immigrants, leaking officers' personal email last week.
Security companies and government agencies have a long history of relying on current or former hackers in the fight against computer crimes. One new wrinkle is the way that attacks on government targets have given rise to a small but loud faction of patriotic, presumably U.S. hackers who are fighting back on their own, said Gabriella Coleman, an assistant professor at New York University who is researching a book on Anonymous. The fights have also become more public and spectacular, thanks in part to platforms like Twitter.
“Warring becomes an art form itself,” Ms Coleman said. “There is that game quality to it. They're claiming they can't be found. It's a huge trophy if you can.” — New York Times News Service