(Rev.05-01-2008) Case Document 149-2 Filed 03/10/16 Page lof8

UNCLASSIFIED

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 01/09/2012
To: L05 Angeles Attn: SA Gabriel F. Andrews CY-1

From: Sacramento
CY-1
Contact: SAJohn M. Cauthen

Approved By: Brown Herbert 
Alvarez Manual Jr
Callihan Brian
Springer Scott A

Drafted By: Cauthen John 0110]mc01.ec

Case ID 288A-SC-45485
288A-SC-44767 (Pending)
(Pending)

Title: MATTHEW KEYS
aka 
FOX40 NEWS - 
LOS ANGELES TIMES - 

Synopsis: Open Sensitive Investigative Matter (SIM - Journalist) and assign to SA Wesley Drone.
Reference: Serial 22
Serial 794
Serial 26
Administrative: from Sacramento ASSA Scott S, Springer to Los Angeles SSA Ramyar Tabatabaian on 01/06/2012.

from Sacramento SA John M. Cauthen and Los Angeles SA Gabriel F.Andrews t0 AUSA Matthew
Segal on 01/09/2012

Details: On about 12/01/2010, a server called P2P in Los Angeles, used by the local Sacramento television station FOX40, was
compromised. It appears the server was used to send harassing

emails to Sacramento FOX40 employees and disrupt business operations. An investigation was opened by Sacramento FBI
on about 12/03/2010. Initially, the primary suspect was Matthew Keys, a former employee of At the time

UNCLASSIFIED

MK035935

MKP-OO35840

Case Filed 03/10/16 Page 2 of 8

To: LosAngeles From: Sacramento
Re: 

this investigation was opened, Keys was unemployed. The investigation did not find any evidence against Keys, but did identify
another hacker named "Sharpie." The case against Keys was closed and the case was transferred to Los Angeles due to venue.

Recent information has arisen implicating Keys in the original intrusion, and it is anticipated he will be
indicted in the next few weeks. However, Keys is now employed by Reuters as the Deputy Social Media Editor.

By way of background, shortly after the harassing emails began, on 12/12/2010, Mathews Keys, using
e-mail address of matthew@sactownmedia.com, sent an e-mail to the FOX40 News Director Brandon Mercer. Keys told
Mercer he had infiltrated the group "Anonymous." Keys sent Mercer a list of user names and passwords he claimed he
"obtained by a high authority within the 'conscious' hactivist organization Anonymous." Keys also stated he had access to
future operations, including operations against Paypal, Amazon, the Los Angeles Times, Fox News, and others.

Also on 12/12/2010, Mercer engaged Keys in a
consensually recorded telephone conversation. They discussed a hack into a website called Gawker wherein many email
account passwords were compromised. Keys said he entered a chat room with 2,000 plus members. In this chat room, Keys
said he met someone who invited him into a private chat room populated by 15 highly skilled hackers. Keys denied any
involvement in the hacked P2P server. Keys said he had computer records of his interaction with the group. In
communicating the hackers, Keys said he discussed his past journalism experience. It was not clear in these discussions
whether Keys was acting as a journalist to collect this information. In any case, it was clear in the call he was sharing the
information he obtained in the chats with a journalist from the Public Broadcasting Station (PBS)

On about 12/14/2010, writer received a report from Tribune media that the P2P server affecting the Los
Angeles Times had been compromised by a web page defacement. The compromise had occurred via an account called
Anon1234. Tribune media suspected the intrusion was related to the Matthew Keys investigation.The investigation in
Sacramento determined that the likely source of the intrusion was an individual in England using the name "Sharpie."

On April 27, 2011, writer contacted Matthew Keys telephonically. Keys stated that he had computer data
pertaining to "Anonymous," but that he was a journalist and was unsure about turning it over to the FBI.

Re serial 22, on about 09/02/2011, the investigation was transferred to Los Angeles, based on lack of
evidence to implicate Keys and additional evidence that the actual hack at the LA Times was caused by Unsub aka Sharpie. At
the same time, Matthew Keys was removed as a case subject and replaced by Unsub aka Sharpie.

On about 12/16/2011, writer was reviewing evidence item 1 B63 from case 1863 was
an image of a laptop computer owned by Laurelai, aka Wesley Bailey who was involved in a hack by Sabu and Kayla against a
computer in Sacramento owned by a company named HBGary. In this image, writer located the following snippet which
was an exchange bewteen "Potatoes" aka "Kayla" aka Ryan Ackroyd, and "Laurelai" aka Wesley Baily. Pertinent quotes are in

bold:

BEGIN TEXT WITH CODING REDACTED AND EDITED:

(04:46:43 PM) where did you get that from

(04:47:59 PM) potatoes@jabber.org: it does mention him

(04:48:10 PM) potatoes@jabber.org: as keys

(04:48:15 PM) potatoes@jabber.org: but the thing is he's not innocent

(04:48:25 PM) potatoes@jabber.org: the logs we have of him are just as damaging

(04:48:50 PM) potatoes@jabber.org: the only differenc is we know his real identity, he doesn't know ours
(04:48:50 PM) potatoes@jabber.org: 



MK035936

MKP-0035841

Case Filed 03/10/16 Page 3 of 8

To: LosAngeles From: Sacramento
Re: 

(04:48:57 PM) they all still seriously thinki am this Corey faggot

(04:49:07 PM) thats some serious fail right there

(04:49:11 PM) they honestly do

(04:50:50 PM) its very telling that the logs i gave of barrett are not in that story

(04:51:16 PM) where he admits to being part of marblecake and knew who they are ect
(04:51 :30 PM) would think that part would have made it in

(04:52:49 just somethingforyou to think about

(04:54:10 PM) The logs are from an invite?only IRC chat channel called
populated by people calling themselves Sabu, Kayla, Laurelai, Avunit, Entropy,
Topialy, Tflow, and Marduk.

(04:54:26 PM) were the only person to leak logs

(04:54:43 PM) potatoes@jabber.org: ever since, no one has even used HQ

(04:54:46 PM) lau yeah but those logs in the article have stuffi never saw

(04:55:09 PM) potatoes@jabber.org: because they are from other channels where this AESCracked was
(04:55:21 he's the socalled jurno who "infiltrated"

(04:55:26 PM) aka Matt Keys

(04:55:40 well he must have grabbed the linkwhen it went public then

(04:55:51 PM) like alot of people did

(04:57:24 PM) lau i gave them to fake gregg who then gve them to the entire fucking world
(04:57:27 PM) we know this already<br/>

In addition, other snippets relating to Matthew Keys were located on the image of 1B63.The time frame of
these exchanges appears to be in March 2011. A sample of these, with pertinent quotes in bold, is as follows:

BEGIN TEXT:

16:27 kayla> this "keys" faggot we think is AESCracked who was an ex journalist

16:27 <&Eekdacat> AEScracked

16:27 <&Eekdacat> wat

16:27 kay a> he was in some of our chans and threw a fit trying to to media when we kicked him out

16:28 <&fubar> kayla is actually a highly advanced Al whose entire range of speech consists of things that were posted on 
many moons ago

16:28 <&Eekdacat> has someone been leaking my research

16:29 kayla> but in that gawker article it says his name is "Matt Keys" Iol he's not so innocent and we have logs of him
too, he was the one who gave us passwords for LA times, fox40 and some others, he had superuser on alot of media
16:29 <&Eekdacat> well he's a butt for picking the name aescracked

16:29 kay a> also, it speaks of #hq logs getting leaked?

16:30 kayla> i don't suposeyou know who leaked those?

16:34 <&fubar> it says in the article

16:34 <&fubar> wat

16:35 kay a> no no fubar i know who leaked them

16:35 kay a> but i want to know what the fuck is going on

END TEXT:

BEGIN TEXT:
16:58 kay a> Registrant:



MK035937

MKP-OO35842

Case Filed 03/10/16 Page 4 of 8

To: LosAngeles From: Sacramento
Re: 

16:58 kay a> Matthew Keys

16:58 kay a>?

16:58 kay a> Sacramento, California 95834

16:58 kayla> United States

16:58 kay a> Registered through: GoDaddy.com, Inc. 

16:58 kayla> Domain Name: RADIOMATTHEWCOM

16:58 kay a> Created on: 08-Apr-07

16:58 kay a> Expires on: 08-Apr?11

16:58 kayla> Last Updated on: 27-Jan-10

16:58 kay a> Administrative Contact:

16:58 kayla> Keys, Matthew 

16:58 kay a> 

16:58 kayla> Sacramento, California 95834

16:58 kay a> United States

16158 kayla> 

16:58 kay a> Technical Contact:

16:58 kay a> Keys, Matthew matthew.keys@gmail.com

16:59 kayla>

16:59 <kayla> Sacramento, California 95834

16:59 kayla> United States

16:59 kay a> 1

16:59 kayla> Domain servers in listed order:

16:59 kay a> N51.JU5THOST.COM

16:59 kayla> NSZJUSTHOSTCOM

16:59 kayla> NS3.JUSTHOST.COM

16:59 <&Eekdacat> hey

16:59 kayla> setting up a intelius now to rape his SSN and his family 

16:59 <&Eekdacat> he has his full resume on his site

16:59 <&Eekdacat> 

16:59 <&Eekdacat> old tricks are the best tricks

16:59 dimanov> im sure he doesnt care

16:59 dimanov> about his dox

16:59 kayla has quit [Quitz Lost terminal]

16:59 dimanov> since he has his resume on site

16:59 <&fubar> kayla was murdered

16:59 dimanov> buti guess anon prides themselves in obtaining public information

16:59 mysq 2 has joined #tr0ll

17:00 <&Eekdacat> typing average of 80 

17:00 <&Eekdacat> scrub

17:00 <&insid> back

17:00 mysq 2> he worked for LA Times and handed us password for LATimes and fox40 he's not so "innocent"
END TEXT:

BEGIN TEXT:
17:03 <&Eekdacat> notify fox40 and whatever other station that he was giving out passwords
17:03 <&Eekdacat> see if they do job recommendations for him now

UNCLACESIFIED

MK035938

MKP-OO35843

Case Filed 03/10/16 Page 5 of 8

To: LosAngeles From: Sacramento
Re: 

17:03 kay a>you should try talking to some of my friends from school on MSN it's all pics and stuffxD

17:04 <&Eekdacat> idk i don't get out much

17:04 kayla> he forget we have logs of him doing illegal things too

17:04 kayla> but only we know his REAL name/addr

17:05 diman ov> nd Kayla was one of them. "Kayla was one of two hackers who broke into the Gawker database," Keys
told Gawker. "It was her idea. She coordinated the attack. She carried it out with another hacker.A third was involved in the
distribution of the torrent, but the brainchild of the Gawker hack attack was Kayla.

17:05 <&insid> 

17:05 TEXT:

END TEXT:

BEGIN TEXT:

17:20 kay a> re-of?anonymous-hackers-by
17:20 kay a> this guy is just asking for it lol

17:20 kay a> xD

17:20 kay a> is him

17:20 kay a> also

17:20 kayla> hahah

17:20 kayla> he honestly think we not going to rock him?

17:20 kayla> lols

17:21 <&insid> meh

17:25 bus> Familiar with video and photography concepts, including lighting, audio, white balance, color balance and
in-camera editing

17:25 bus> "can take pictures"

17:26 bus> Knowledge of media software including Final Cut Pro and Adobe

5 ImageReady and PhotoShop CS

END TEXT:

BEGIN TEXT:

17:33 kay a> he's pritty pr0

17:33 <&fubar> i'll post a damaging profile of him in my activex dox database on my angelfile page
17:33 <&fubar> or post some mean comments on his myspace

17:33 kay a> this is another whois for one of his sites

17:33 kayla> Administrative Contact:

17:33 kay a> Keys7z32 <&fubar> lol

17:33 kayla> he's pritty pr0

17:33 <&fubar> i'll post a damaging profile of him in my activex dox database on my angelfile page
17:33 <&fubar> or post some mean comments on his myspace

17:33 kay a> this is another whois for one of his sites

17:33 kayla> Administrative Contact:

17:33 kay a> Keys, Matthew matthew.keys@gmail.com

17:33 kay a>

17:33 kayla> Vacaville, California 95687

17:33 kay a> United States

17:33 kayla> 

17:36 bus> lol he must make like 30k/yr

17:36 bus> to live in vacaville



MK035939

MKP-OO35844

Case Filed 03/10/16 Page 6 of 8

To: LosAngeles From: Sacramento
Re: 

17:36 bus> and work in sac

17:37 <&Eekdacat> 
17:40 kayla

17:40 TOOT IT AND BOOT IT

17:40 hey

17:41 selling google roots for $20

17:43 <&fubar> hi bro can iframe it to my fud java Oday driveby shooter
17:46 bus> not far drive.. i fuk dog of matthew ok

17:50 kayla> i want his SSN so i can canel his utilities, gas, electric 
17:50 kay a> cancel

END TEXT:

Given the above information, 288A-WF-242710 Serial 794, which referenced AESCracked, was examined.
This serial was an examination of log files contained in computer equipment and or electronic media seized by order of a court

authorized warrant executed at ?T0 edo, Ohio 43613.

An examination of the log files from this computer was documented further in Serial

26. In this log, some pertinent quotes were as follows:
#Target

Dec 08 20:53:13 AESCracked

ifyou want to attack fox news, pm me. i have a
user/password for their 

Dec 08 20:53:35 AESCracked

*pm meforfox news password into their cms*
#OperationPayback

Dec 08 20:43:15 AESCracked If

you're interested in hacking at FOX News site, I have a user/pass to the backend CMS for FOX40.com

Dec 08 20:44:47 sharpie
AESCracked: srs?

Dec 09 07:54:1 7 AESCracked
I've already given Ops the user/pass to several FOX websites.

#internetfeds

Dec 08 20:55:12 Sabu that would
be nice to get access to fox. let me know if I can get access. I want to see if I can get further in.



MK035940

MKP-OO35845

Case Filed 03/10/16 Page 7 of 8

To: LosAngeles From: Sacramento
Re: 

Dec 08 20:56:23 sharpie asked him
not to mention it in main again

Dec 08 20:56:53 sharpie
I was already talking to him

Dec 08 20:59:20 AESCracked
i'm not a hacker.

Dec 08 20:59:23 AESCracked
i'm an ex-employee

Dec 08 21:00:47 AESCracked

user: anon1234

Dec 08 21:00:50 AESCracked

pass: c0mm0n2

Dec 08 21 :01 :23 AESCracked
go fuck some shit up!

Dec 08 21:01:29 sharpie
thanks very much

Dec 08 21:01:32 sabu
AESCracked: thankyou.

On 01/09/2012, writer accessed
Gawker as
referenced by Kayla above. This was a website by Producer Matthew which stated" I provided Gawker with just one of
dozens of logs that were taken during my two-month access to top level hackers within Anonymous. In addition to
providing Gawker with one log, proved the PBS NewsHourwith a record back in December. The site also read, am a
journalist best known for aggregating content on social media sites like Twitter and Tumblr. work at Reuters in New York.

In light of the above exchange wherein Matthew Keys also known as AESCracked admitted to being a
former FOX40 employee, and turned over the usernames and password to Sharpie and others, Sacramento to open captioned

matter.

Re telcall, Sacramento will work the case against Keys jointly with Los Angeles. Re telcall with AUSA
Segal, the case will be prosecuted in the Eastern District of California.



MK035941

MKP-OO35846

Case Filed 03/10/16 Page 8 of 8

To: LosAngeles From: Sacramento
Re: 


Set Lead 1: (Info)
LOS ANGELES
AT LOS ANGELES, CA

Read and clear.





MK035942

MKP-OO35847