ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Friday, January 13, 2012 9:13 AM
To: SPRINGER, SCOTT A.
Cc: DRONE, WESLEY ANDREWS, GABRIEL F. (LA) (FBI)
Subject: Summary of Matthew Keys Investigation

Classification: UNCLASSIFIED

ASSA Springer,

Per your request, here is a summary of the Keys investigation and the plan with regard to executing a search warrant and interrogation.

FOX40 News is a television station in Sacramento, CA. The station is owned by Tribune Media Company in Chicago, IL which also owns LA Times in Los Angeles, CA. All Tribune Media Company entities, including FOX40 and LA Times, use a computer to manage email and online content. The computer is located in Los Angeles, CA.

On October 28, 2010, Matthew Keys an employee of FOX40 News, was fired. Our investigation determined that after he was fired, he hijacked the FOX40 News Facebook and Twitter accounts. He prevented FOX40 from accessing these accounts and sent communications from the accounts to the public which damaged the reputation of FOX40 News. He also deleted thousands of followers from the accounts.

Investigation also determined that in December 2010, Keys accessed, without authorization, the computer in Los Angeles and stole the FOX40 News customer e-mail list. He sent harassing emails to FOX40 News employees and customers.

On December 8, 2010, Keys contacted the hacking group called "Anonymous." He gave some Anonymous group members the password to the computer in Los Angeles. The hackers used this access to access the website for the LA Times and deface the website. The damages incurred by The Tribune Media Company due to the website defacement exceeded $1.5 million.

In April 2011, Sacramento FBI contacted Keys who was still believed to be unemployed. Keys advised that he had records relating to his interaction with the group Anonymous. He refused to turn them over citing his journalistic privilege.
(It appears he had found a job at a television station in San Francisco)

In June 2011, Sacramento recommended that the case be transferred to Los Angeles. (At the time, there was not sufficient evidence to support that Keys was involved in the above intrusions. Instead, there was only 1 evidence about the subject to whom Keys gave the password. So, Keys was removed from the case and the new subject, Unsub aka Sharpie, was added.)

In September 2011, Los Angeles opened the case on Unsub aka Sharpie. The old case Sacramento was transferred to Los Angeles.

In December 2011, Sacramento, while working on the HBGary computer intrusion case, located the evidence showing Keys had turned the password to the Los Angeles computer over to Unsub aka Sharpie, and others.

In January 2012, Sacramento opened a new case on Matthew Keys for trafficking in passwords. Sacramento and Los Angeles agreed to work the matter jointly. The case will be prosecuted in Sacramento against Keys. Los Angeles will prosecute the case against Unsub aka Sharpie, and others.

Keys has recently been hired by Reuters in New York City. He currently resides in Vacaville, CA. He begins work in New York on 1/19/2012. He is expected to depart Sacramento on 1/17/2012.

Sacramento and Los Angeles have probable cause that evidence is on Keys' computer containing logs regarding the trafficking in passwords and other crimes. A search warrant affidavit to seize his computer media has been prepared.

When serving the search warrant, Sacramento and Los Angeles desire to interrogate Keys about his involvement with Anonymous members and his involvement in the disruption of business at FOX40 News. Interrogation of a journalist requires Attorney General consent. The AUSA in Sacramento is seeking to obtain this consent. Once obtained, the search warrant for whatever district Keys is in will be obtained. The search/interrogation will take place in that district. It will probably be in New York City.
Sacramento Case Agent: Wesley S. Drone
Los Angeles Case Agent: Gabriel F. Andrews
AUSA in Sacramento prosecuting Keys: Matthew Segal
AUSA in New York: Thomas Brown
AUSA in Los Angeles prosecuting "Sharpie":
Los Angeles Case: Pending
Old Sacramento Case on Sharpie/Keys: Closed
New Sacramento Case on Keys:

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

Classification: UNCLASSIFIED

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Thursday, January 12, 2012 10:30 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Q's for Cauthen re: Affidavit
Follow Up Flag: Follow up
Flag Status: Flagged

Classification: UNCLASSIFIED

1. Rodriguez works at The Tribune Company in Chicago.

2. In about June 2011, Keys wrote on an article on his website Producermatthew.com. The article was called a statement on the exposure of lulzsec anonymous member. In the article, Keys wrote that the logs he collected while on intranetfeds had been published by the guardian newspaper in England, Keys also wrote that the large have been requested by law-enforcement. Finally, Keyes wrote that he intended to cooperate with providing these locks to law enforcement. Therefore, he must of still have possessed the logs at the time he made the statement. That is why I believe we have probable cause evidence as was in his possession as of June 2001.

3. I would leave Schmidt on as the forensic Examiner. That is the policy in our office. Before you swear to the affidavit, you will talk with Schmidt who will repeat that information back to you.

Don't forget to retain copies of all your email correspondence. You will have to place this in the case file at some point.

If you have any further questions feel free to write or call me at the number below.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Thursday, January 12, 2012 10:09 AM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Q's for Cauthen re: Affidavit

Classification: UNCLASSIFIED

Good morning John.

Affidavit is nearly done, though I have a few final touches I was hoping you could address for me:

1. At which company does "Mr. Rodriguez, Information Technology Security Principal" work? He's the one who provided the damage quote.

2. Remind me: What was the evidence behind have probable cause to believe that this evidence was retained on Matthew Keys' computer as late as June 2011"?

3. As you are on CART, I'm going to refer to you as opposed to "Alan Russell Schmidt".
a. How long have you been a Forensic Examiner?
b. How long have you been a member of
c. Do you officially agree with the information that "Schmidt" gave in the template?

Travel is approved, I can be there tomorrow. Will call to get a ticket on the first available flight.

Classification: UNCLASSIFIED

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Thursday, January 12, 2012 10:57 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Q's for Cauthen re: Affidavit

Classification: UNCLASSIFIED

"Keys also wrote that the large" Should be "Keys also wrote that the logs"

"providing these locks" Should be "providing these logs"

(I dictated this email and it sounds like the software didn't understand me fully!)

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Thursday, January 12, 2012 10:44 AM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: RE: Q's for Cauthen re: Affidavit

Classification: UNCLASSIFIED

Much obliged.

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Thursday, January 12, 2012 10:30 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Q's for Cauthen re: Affidavit

Classification: UNCLASSIFIED

1. Rodriguez works at The Tribune Company in Chicago.

2. In about June 2011, Keys wrote on an article on his website Producermatthew.com. The article was called a statement on the exposure of lulzsec anonymous member.
In the article, Keys wrote that the logs he collected while on intranetfeds had been published by the guardian newspaper in England, Keys also wrote that the large have been requested by law-enforcement. Finally, Keyes wrote that he intended to cooperate with providing these locks to law enforcement. Therefore, he must of still have possessed the logs at the time he made the statement. That is why I believe we have probable cause evidence as was in his possession as of June 2001.

3. I would leave Schmidt on as the forensic Examiner. That is the policy in our office. Before you swear to the affidavit, you will talk with Schmidt who will repeat that information back to you.

Don't forget to retain copies of all your email correspondence. You will have to place this in the case file at some point.

If you have any further questions feel free to write or call me at the number below.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Thursday, January 12, 2012 10:09 AM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Q's for Cauthen re: Affidavit

Classification: UNCLASSIFIED

Good morning John.

Affidavit is nearly done, though I have a few final touches I was hoping you could address for me:

1. At which company does "Mr. Rodriguez, Information Technology Security Principal" work? He's the one who provided the damage quote.

2. Remind me: What was the evidence behind have probable cause to believe that this evidence was retained on Matthew Keys' computer as late as June 2011"?

3. As you are on CART, I'm going to refer to you as opposed to "Alan Russell Schmidt".
a. How long have you been a Forensic Examiner?
b. How long have you been a member of
c. Do you officially agree with the information that "Schmidt" gave in the template?

Travel is approved, I can be there tomorrow. Will call to get a ticket on the first available flight.

Classification: UNCLASSIFIED

Classification: UNCLASSIFIED

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Monday, January 09, 2012 4:32 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

The package was sent today. Fedex tracking 972319147910. It was sent to "Boeg Shih." It will be in LA tomorrow at 10am.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 3:54 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Good referential documents

The message is ready to be sent with the following file or link attachments:

363gfa01.11.302AnonLogs.wpd

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

Classification: UNCLASSIFIED

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Tuesday, January 10, 2012 10:50 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

0110jmc01.wpd

Draft EC

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 5:36 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Thanks. Will check for it when I head in to the main office tomorrow.

Regarding the Subpoena:

"For any and all customer accounts utilizing the IP address 75.53.171.204 on the following dates and times:
o January 19, 2011 (at any time)
o January 5, 2011 17:18 PST
o December 8, 2010 18:00 PST to 22:00 PST
and for the customer Matthew Keys, from December 08, 2010 to January 5, 2011"

"For each such account, the information shall include the subscriber's:
1. Name;
2. Address;
3. Records of session times and durations;
4. Length of service (including start date) and types of service utilized;
5. Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address such as an Internet Protocol Address; and
6. Means and source of payment for such service (including any credit card or bank account number)."

Feel free to modify as you wish.

~Gabriel

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Monday, January 09, 2012 4:32 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

The package was sent today. Fedex tracking 972316147910. It was sent to "Boeg Shih." It will be in LA tomorrow at 10am.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 3:54 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Good referential documents

The message is ready to be sent with the following file or link attachments:

363gfa01.11.302AnonLogs.wpd

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

ANDREWS, GABRIEL F. (LA)

From: CAUTHEN, JOHN M. (SC)
Sent: Tuesday, January 10, 2012 3:37 PM
To: ANDREWS, GABRIEL F. (LA)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Call me at 916 874 6492 to discuss

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Tuesday, January 10, 2012 3:36 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Minor suggested edit: bottom of page 7 appears to duplicate chat text lines? Otherwise, yeah, there's a wealth of great stuff there.
BEGIN TEXT:

17:33 kayla> 17:33 <&fubar> database <&fubar> kayla> kayla> kayla> kayla> <&fubar> database <&fubar> kayla> kayla> kayla> kayla> kayla> kayla> kayla> he's pritty prO i'll post a damaging profile of him in my activex dox angelfile page or post some mean comments on his myspace this is another whois for one of his sites Administrative Contact: Keys7:32 <&fubar> lol he's pritty pro i'll post a damaging profile of him in my activex dox angelfile page or post some mean comments on his myspace this is another whois for one of his sites Administrative Contact: Keys, Matthew matthew.keys?gmai1.com 148 Arcadia Vacaville, California 95687 United States (415) 374-9007

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Tuesday, January 10, 2012 10:50 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Draft EC

File: 0110jmc01.wpd

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 5:36 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Thanks. Will check for it when I head in to the main office tomorrow.

Regarding the Subpoena:

"For any and all customer accounts utilizing the IP address 75.53.171.204 on the following dates and times:
o January 19, 2011 (at any time)
o January 5, 2011 17:18 PST
o December 8, 2010 18:00 PST to 22:00 PST
and for the customer Matthew Keys, from December 08, 2010 to January 5, 2011"

"For each such account, the information shall include the subscriber's:
1. Name;
2. Address;
3. Records of session times and durations;
4. Length of service (including start date) and types of service utilized;
5. Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address such as an Internet Protocol Address; and
6. Means and source of payment for such service (including any credit card or bank account number)."

Feel free to modify as you wish.

~Gabriel

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Monday, January 09, 2012 4:32 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

The package was sent today. Fedex tracking 972310147916. It was sent to "Boeg Shih." It will be in LA tomorrow at 10am.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 3:54 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Good referential documents

The message is ready to be sent with the following file or link attachments:

363gfa01.11.302AnonLogs.wpd

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Wednesday, January 11, 2012 3:15 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

AFFADAVIT IN JPPORT OF AN APP.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 5:36 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Thanks. Will check for it when I head in to the main office tomorrow.

Regarding the Subpoena:

"For any and all customer accounts utilizing the IP address 75.53.171.204 on the following dates and times:
o January 19, 2011 (at any time)
o January 5, 2011 17:18 PST
o December 8, 2010 18:00 PST to 22:00 PST
and for the customer Matthew Keys, from December 08, 2010 to January 5, 2011"

"For each such account, the information shall include the subscriber's:
1. Name;
2. Address;
3. Records of session times and durations;
4. Length of service (including start date) and types of service utilized;
5. Telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address such as an Internet Protocol Address; and
6. Means and source of payment for such service (including any credit card or bank account number)."

Feel free to modify as you wish.

~Gabriel

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Monday, January 09, 2012 4:32 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

The package was sent today. Fedex tracking 972310147916. It was sent to "Boeg Shih." It will be in LA tomorrow at 10am.

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Monday, January 09, 2012 3:54 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Emailing: 363gfa01.11.302AnonLogs.wpd

Classification: UNCLASSIFIED

Good referential documents

The message is ready to be sent with the following file or link attachments:

363gfa01.11.302AnonLogs.wpd

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Wednesday, January 04, 2012 3:53 PM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Good afternoon
Follow Up Flag: Follow up
Flag Status: Completed

Classification: UNCLASSIFIED

Gabriel,

Everything is in the case file. I am pretty sure all the emails are on a disk in a 1A envelope. (At least I sure hope that's the case!) I might have some backups of the threatening emails to Fox40 on our CART Storage Area Network drive. But check the 1A's for

On a related note, I got a call from our CYBER AUSA, his name is Matt Segal. (We only have one in Sacramento!)
I briefed him on the status and what we discussed. He was the original AUSA on the case. (He is also the same AUSA who is handling the HB Gary case which has all the IRC logs including the one where Kayla tells Laurelai that AESCracked is Matt Keys and Matt Keys gave them all the passwords.)

In any case AUSA Segal is quite upset with me for sending the case to LA. He really wants to indict Keys. (Even though at the time, I was unaware that Keys had provided the passwords to Anonymous). He wants to call your AUSA and see if he can charge Keys and let you guys charge Kayla/Sharpie et al.

It seems that all the involved in Anonymous are going to have a conference call tomorrow to discuss. He wants to bring this issue up during that call.

Is it your thought that your case has now shifted to Matt Keys as your primary target? Or, do you still plan on going after Kayla/Sharpie?

In any case, can the AUSA in Sacramento contact your AUSA to discuss? Or your AUSA can call Matt directly. Matt's number is 916-554-2708.

Feel free to call me if you like. I am trying to keep our AUSA happy, but understand that we have already sent the case to you and therefore not in a position to make any demands.

Regards

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Wednesday, January 04, 2012 2:42 PM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Good afternoon

Classification: UNCLASSIFIED

Hi John,

I've been reviewing the Tribune Media case file today, and wondered if you wouldn't mind forwarding me some of the victim emails you'd mentioned in your summary

Namely:

The various emails obtained from Mercer (threatening/ Keys/ etc)

Armando Caro, Tribune Media employee, Managing Director, Technology Architect, Tribune Technology, 435 N. Michigan Ave Chicago, IL 60611 (312)222-2708 armandoCaro@Tribune.com sent writer an email detailing the investigation performed by their organization regarding a computer intrusion performed against the Los Angeles Times on 12/14/2010. The computer intrusion resulted in a webpage defacement wherein the defacer used the tag, "chippy1337."

As we discussed before, I'm hoping to have a sit-down with my AUSA soon to discuss charging Keys. I'm happy to keep you in the loop.

Respectfully yours,

~Gabriel

Classification: UNCLASSIFIED

ANDREWS, GABRIEL F. (LA) (FBI)

From: CAUTHEN, JOHN M. (SC) (FBI)
Sent: Tuesday, October 18, 2011 8:47 AM
To: ANDREWS, GABRIEL F. (LA) (FBI)
Subject: RE: Possible to chat today?
Follow Up Flag: Follow up
Flag Status: Completed

Classification: UNCLASSIFIED

Sure, anytime is pretty good for me. I am here now, and if you want me to conference in on the call I can.

From my viewpoint, the key thing you need to put this case over the top is to tie sharpie the IP 188.165.6.178 which was used to do the hack. It would be perfect to get something on sharpie's computer showing he was acting as chippy1337 or used IP 188.165.6.178 on 12/14/2010.

According to Tribune Media staff it was noted that userID's "Anon1234" and "arseface" were unauthorized users on the system. So, these would be good key words for them to look for.

Also, one of the Tribune Media employees, accessed an IRC channel called #thegibson, after the hack hosted at a server called skidsr.us. According to the chats on this channel, a person using the moniker, sharpie, claimed to be involved in the hack. Other persons involved in hack appeared to include a person called Nikon. The hackers apparently used an email account called chippy1337@gmail.com.

Call anytime, my numbers are below:

SA John M. Cauthen
Office: 916-874-6492
Cell: 916-416-6714

From: ANDREWS, GABRIEL F. (LA) (FBI)
Sent: Tuesday, October 18, 2011 8:35 AM
To: CAUTHEN, JOHN M. (SC) (FBI)
Subject: Possible to chat today?

Classification: UNCLASSIFIED

Morning John,

Regarding the Tribune Media/Sharpie case, I've received the phone number of an officer in the UK who has a position on the identity of Sharpie. Was planning to speak to him shortly, but wanted to touch base with you again to be sure I have the key points of the case work you've done straight in my mind.