(Rev.05-01-2008) Case Document 149-2 Filed 03/10/16 Page 1 of 8
UNCLASSIFIED
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE Date: 01/09/2012
To: Los Angeles Attn: SA Gabriel F. Andrews CY-1
From: Sacramento
CY-1
Contact: SA John M. Cauthen
Approved By: Brown Herbert
Alvarez Manual Jr
Callihan Brian
Springer Scott A
Drafted By: Cauthen John 0110]mc01.ec
Case ID 288A-SC-45485
288A-SC-44767 (Pending)
(Pending)
Title: MATTHEW KEYS
aka
FOX40 NEWS -
LOS ANGELES TIMES -
Synopsis: Open Sensitive Investigative Matter (SIM - Journalist) and assign to SA Wesley Drone.
Reference: Serial 22
Serial 794
Serial 26
Administrative: from Sacramento ASSA Scott S, Springer to Los Angeles SSA Ramyar Tabatabaian on 01/06/2012.
from Sacramento SA John M. Cauthen and Los Angeles SA Gabriel F. Andrews to AUSA Matthew
Segal on 01/09/2012
Details: On about 12/01/2010, a server called P2P in Los Angeles, used by the local Sacramento television station FOX40, was
compromised. It appears the server was used to send harassing
emails to Sacramento FOX40 employees and disrupt business operations. An investigation was opened by Sacramento FBI
on about 12/03/2010. Initially, the primary suspect was Matthew Keys, a former employee of At the time
this investigation was opened, Keys was unemployed. The investigation did not find any evidence against Keys, but did identify
another hacker named "Sharpie." The case against Keys was closed and the case was transferred to Los Angeles due to venue.
Recent information has arisen implicating Keys in the original intrusion, and it is anticipated he will be
indicted in the next few weeks. However, Keys is now employed by Reuters as the Deputy Social Media Editor.
By way of background, shortly after the harassing emails began, on 12/12/2010, Matthew Keys, using
e-mail address of matthew@sactownmedia.com, sent an e-mail to the FOX40 News Director Brandon Mercer. Keys told
Mercer he had infiltrated the group "Anonymous." Keys sent Mercer a list of user names and passwords he claimed he
"obtained by a high authority within the 'conscious' hactivist organization Anonymous." Keys also stated he had access to
future operations, including operations against Paypal, Amazon, the Los Angeles Times, Fox News, and others.
Also on 12/12/2010, Mercer engaged Keys in a
consensually recorded telephone conversation. They discussed a hack into a website called Gawker wherein many email
account passwords were compromised. Keys said he entered a chat room with 2,000 plus members. In this chat room, Keys
said he met someone who invited him into a private chat room populated by 15 highly skilled hackers. Keys denied any
involvement in the hacked P2P server. Keys said he had computer records of his interaction with the group. In
communicating with the hackers, Keys said he discussed his past journalism experience. It was not clear in these discussions
whether Keys was acting as a journalist to collect this information. In any case, it was clear in the call he was sharing the
information he obtained in the chats with a journalist from the Public Broadcasting Station (PBS).
On about 12/14/2010, writer received a report from Tribune media that the P2P server affecting the Los
Angeles Times had been compromised by a web page defacement. The compromise had occurred via an account called
Anon1234. Tribune media suspected the intrusion was related to the Matthew Keys investigation. The investigation in
Sacramento determined that the likely source of the intrusion was an individual in England using the name "Sharpie."
On April 27, 2011, writer contacted Matthew Keys telephonically. Keys stated that he had computer data
pertaining to "Anonymous," but that he was a journalist and was unsure about turning it over to the FBI.
Re serial 22, on about 09/02/2011, the investigation was transferred to Los Angeles, based on lack of
evidence to implicate Keys and additional evidence that the actual hack at the LA Times was caused by Unsub aka Sharpie. At
the same time, Matthew Keys was removed as a case subject and replaced by Unsub aka Sharpie.
On about 12/16/2011, writer was reviewing evidence item 1B63 from case 1863 was
an image of a laptop computer owned by Laurelai, aka Wesley Bailey who was involved in a hack by Sabu and Kayla against a
computer in Sacramento owned by a company named HBGary. In this image, writer located the following snippet which
was an exchange between "Potatoes" aka "Kayla" aka Ryan Ackroyd, and "Laurelai" aka Wesley Bailey. Pertinent quotes are in
bold:
BEGIN TEXT WITH CODING REDACTED AND EDITED:
(04:46:43 PM) where did you get that from
(04:47:59 PM) potatoes@jabber.org: it does mention him
(04:48:10 PM) potatoes@jabber.org: as keys
(04:48:15 PM) potatoes@jabber.org: but the thing is he's not innocent
(04:48:25 PM) potatoes@jabber.org: the logs we have of him are just as damaging
(04:48:50 PM) potatoes@jabber.org: the only differenc is we know his real identity, he doesn't know ours
(04:48:50 PM) potatoes@jabber.org:
(04:48:57 PM) they all still seriously think i am this Corey faggot
(04:49:07 PM) thats some serious fail right there
(04:49:11 PM) they honestly do
(04:50:50 PM) its very telling that the logs i gave of barrett are not in that story
(04:51:16 PM) where he admits to being part of marblecake and knew who they are ect
(04:51:30 PM) would think that part would have made it in
(04:52:49 just something for you to think about
(04:54:10 PM) The logs are from an invite-only IRC chat channel called
populated by people calling themselves Sabu, Kayla, Laurelai, Avunit, Entropy,
Topialy, Tflow, and Marduk.
(04:54:26 PM) were the only person to leak logs
(04:54:43 PM) potatoes@jabber.org: ever since, no one has even used HQ
(04:54:46 PM) lau yeah but those logs in the article have stuff i never saw
(04:55:09 PM) potatoes@jabber.org: because they are from other channels where this AESCracked was
(04:55:21 he's the socalled jurno who "infiltrated"
(04:55:26 PM) aka Matt Keys
(04:55:40 well he must have grabbed the link when it went public then
(04:55:51 PM) like alot of people did
(04:57:24 PM) lau i gave them to fake gregg who then gve them to the entire fucking world
(04:57:27 PM) we know this already
In addition, other snippets relating to Matthew Keys were located on the image of 1B63. The time frame of
these exchanges appears to be in March 2011. A sample of these, with pertinent quotes in bold, is as follows:
BEGIN TEXT:
16:27 kayla> this "keys" faggot we think is AESCracked who was an ex journalist
16:27 <&Eekdacat> AEScracked
16:27 <&Eekdacat> wat
16:27 kayla> he was in some of our chans and threw a fit trying to to media when we kicked him out
16:28 <&fubar> kayla is actually a highly advanced AI whose entire range of speech consists of things that were posted on
many moons ago
16:28 <&Eekdacat> has someone been leaking my research
16:29 kayla> but in that gawker article it says his name is "Matt Keys" lol he's not so innocent and we have logs of him
too, he was the one who gave us passwords for LA times, fox40 and some others, he had superuser on alot of media
16:29 <&Eekdacat> well he's a butt for picking the name aescracked
16:29 kayla> also, it speaks of #hq logs getting leaked?
16:30 kayla> i don't supose you know who leaked those?
16:34 <&fubar> it says in the article
16:34 <&fubar> wat
16:35 kayla> no no fubar i know who leaked them
16:35 kayla> but i want to know what the fuck is going on
END TEXT:
BEGIN TEXT:
16:58 kayla> Registrant:
16:58 kayla> Matthew Keys
16:58 kayla>?
16:58 kayla> Sacramento, California 95834
16:58 kayla> United States
16:58 kayla> Registered through: GoDaddy.com, Inc.
16:58 kayla> Domain Name: RADIOMATTHEW.COM
16:58 kayla> Created on: 08-Apr-07
16:58 kayla> Expires on: 08-Apr-11
16:58 kayla> Last Updated on: 27-Jan-10
16:58 kayla> Administrative Contact:
16:58 kayla> Keys, Matthew
16:58 kayla>
16:58 kayla> Sacramento, California 95834
16:58 kayla> United States
16:58 kayla>
16:58 kayla> Technical Contact:
16:58 kayla> Keys, Matthew matthew.keys@gmail.com
16:59 kayla>
16:59 Sacramento, California 95834
16:59 kayla> United States
16:59 kayla> 1
16:59 kayla> Domain servers in listed order:
16:59 kayla> NS1.JUSTHOST.COM
16:59 kayla> NS2.JUSTHOST.COM
16:59 kayla> NS3.JUSTHOST.COM
16:59 <&Eekdacat> hey
16:59 kayla> setting up a intelius now to rape his SSN and his family
16:59 <&Eekdacat> he has his full resume on his site
16:59 <&Eekdacat>
16:59 <&Eekdacat> old tricks are the best tricks
16:59 dimanov> im sure he doesnt care
16:59 dimanov> about his dox
16:59 kayla has quit [Quit: Lost terminal]
16:59 dimanov> since he has his resume on site
16:59 <&fubar> kayla was murdered
16:59 dimanov> but i guess anon prides themselves in obtaining public information
16:59 mysq 2 has joined #tr0ll
17:00 <&Eekdacat> typing average of 80
17:00 <&Eekdacat> scrub
17:00 <&insid> back
17:00 mysq 2> he worked for LA Times and handed us password for LATimes and fox40 he's not so "innocent"
END TEXT:
BEGIN TEXT:
17:03 <&Eekdacat> notify fox40 and whatever other station that he was giving out passwords
17:03 <&Eekdacat> see if they do job recommendations for him now
17:03 kayla> you should try talking to some of my friends from school on MSN it's all pics and stuff xD
17:04 <&Eekdacat> idk i don't get out much
17:04 kayla> he forget we have logs of him doing illegal things too
17:04 kayla> but only we know his REAL name/addr
17:05 dimanov> nd Kayla was one of them. "Kayla was one of two hackers who broke into the Gawker database," Keys
told Gawker. "It was her idea. She coordinated the attack. She carried it out with another hacker. A third was involved in the
distribution of the torrent, but the brainchild of the Gawker hack attack was Kayla.
17:05 <&insid>
17:05 TEXT:
END TEXT:
BEGIN TEXT:
17:20 kayla> re-of?anonymous-hackers-by
17:20 kayla> this guy is just asking for it lol
17:20 kayla> xD
17:20 kayla> is him
17:20 kayla> also
17:20 kayla> hahah
17:20 kayla> he honestly think we not going to rock him?
17:20 kayla> lols
17:21 <&insid> meh
17:25 bus> Familiar with video and photography concepts, including lighting, audio, white balance, color balance and
in-camera editing
17:25 bus> "can take pictures"
17:26 bus> Knowledge of media software including Final Cut Pro and Adobe
5 ImageReady and PhotoShop CS
END TEXT:
BEGIN TEXT:
17:33 kayla> he's pritty pr0
17:33 <&fubar> i'll post a damaging profile of him in my activex dox database on my angelfile page
17:33 <&fubar> or post some mean comments on his myspace
17:33 kayla> this is another whois for one of his sites
17:33 kayla> Administrative Contact:
17:33 kayla> Keys7z32 <&fubar> lol
17:33 kayla> Keys, Matthew matthew.keys@gmail.com
17:33 kayla>
17:33 kayla> Vacaville, California 95687
17:33 kayla> United States
17:33 kayla>
17:36 bus> lol he must make like 30k/yr
17:36 bus> to live in vacaville
17:36 bus> and work in sac
17:37 <&Eekdacat>
17:40 kayla
17:40 TOOT IT AND BOOT IT
17:40 hey
17:41 selling google roots for $20
17:43 <&fubar> hi bro can iframe it to my fud java 0day driveby shooter
17:46 bus> not far drive.. i fuk dog of matthew ok
17:50 kayla> i want his SSN so i can canel his utilities, gas, electric
17:50 kayla> cancel
END TEXT:
Given the above information, 288A-WF-242710 Serial 794, which referenced AESCracked, was examined.
This serial was an examination of log files contained in computer equipment and/or electronic media seized by order of a court
authorized warrant executed at ?Toledo, Ohio 43613.
An examination of the log files from this computer was documented further in Serial
26. In this log, some pertinent quotes were as follows:
#Target
Dec 08 20:53:13 AESCracked
if you want to attack fox news, pm me. i have a
user/password for their
Dec 08 20:53:35 AESCracked
*pm me for fox news password into their cms*
#OperationPayback
Dec 08 20:43:15 AESCracked
If you're interested in hacking at FOX News site, I have a user/pass to the backend CMS for FOX40.com
Dec 08 20:44:47 sharpie
AESCracked: srs?
Dec 09 07:54:17 AESCracked
I've already given Ops the user/pass to several FOX websites.
#internetfeds
Dec 08 20:55:12 Sabu
that would be nice to get access to fox. let me know if I can get access. I want to see if I can get further in.
Dec 08 20:56:23 sharpie
asked him not to mention it in main again
Dec 08 20:56:53 sharpie
I was already talking to him
Dec 08 20:59:20 AESCracked
i'm not a hacker.
Dec 08 20:59:23 AESCracked
i'm an ex-employee
Dec 08 21:00:47 AESCracked
user: anon1234
Dec 08 21:00:50 AESCracked
pass: c0mm0n2
Dec 08 21:01:23 AESCracked
go fuck some shit up!
Dec 08 21:01:29 sharpie
thanks very much
Dec 08 21:01:32 sabu
AESCracked: thankyou.
On 01/09/2012, writer accessed
Gawker as
referenced by Kayla above. This was a website by Producer Matthew which stated, "I provided Gawker with just one of
dozens of logs that were taken during my two-month access to top level hackers within Anonymous. In addition to
providing Gawker with one log, I provided the PBS NewsHour with a record back in December." The site also read, "I am a
journalist best known for aggregating content on social media sites like Twitter and Tumblr. I work at Reuters in New York."
In light of the above exchange wherein Matthew Keys also known as AESCracked admitted to being a
former FOX40 employee, and turned over the usernames and password to Sharpie and others, Sacramento to open captioned
matter.
Re telcall, Sacramento will work the case against Keys jointly with Los Angeles. Re telcall with AUSA
Segal, the case will be prosecuted in the Eastern District of California.
Set Lead 1: (Info)
LOS ANGELES
AT LOS ANGELES, CA
Read and clear.
MK035942
MKP-0035847