Case Document 25 Filed 01/03/14 Page 1 of 26
Exhibit A
(Rev. 05-01-2008) Case Document 25 Filed 01/03/14 Page 2 of 26
UNCLASSIFIED
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE Date: 01/09/2012
To: L05 Angeles Attn: SA Gabriel F. Andrews CY-1
From: Sacramento
CY-1
Contact: SAJohn M. Cauthen
Approved By: Brown Herbert
Alvarez Manual Jr
Callihan Brian
Springer Scott A
Drafted By: Cauthen John 0110]mc01.ec
Case ID 288A-SC-45485
288A-SC-44767 (Pending)
(Pending)
Title: MATTHEW KEYS
aka
FOX40 NEWS -
LOS ANGELES TIMES -
Synopsis: Open Sensitive Investigative Matter (SIM - Journalist) and assign to SA Wesley Drone.
Reference: Serial 22
Serial 794
Serial 26
Administrative: from Sacramento ASSA Scott S, Springer to Los Angeles SSA Ramyar Tabatabaian on 01/06/2012.
from Sacramento SA John M. Cauthen and Los Angeles SA Gabriel F.Andrews to AUSA Matthew
Segal on 01/09/2012
Details: On about 12/01/2010, a server called P2P in Los Angeles, used by the local Sacramento television station FOX40, was
compromised. It appears the server was used to send harassing
emails to Sacramento FOX40 employees and disrupt business operations. An investigation was opened by Sacramento FBI
on about 12/03/2010. Initially, the primary suspect was Matthew Keys, a former employee of At the time
UNCLASSIFIED
MK035935
MKP-OO35840
Case mew 25 Filed 01/03/14 Page 3 of 26
To: LosAngeles From: Sacramento
Re:
this investigation was opened, Keys was unemployed. The investigation did not find any evidence against Keys, but did identify
another hacker named "Sharpie." The case against Keys was closed and the case was transferred to Los Angeles due to venue.
Recent information has arisen implicating Keys in the original intrusion, and it is anticipated he will be
indicted in the next few weeks. However, Keys is now employed by Reuters as the Deputy Social Media Editor.
By way of background, shortly after the harassing emails began, on 12/12/2010, Mathews Keys, using
e-mail address of matthew@sactownmedia.com, sent an e-mail to the FOX40 News Director Brandon Mercer. Keys told
Mercer he had infiltrated the group "Anonymous." Keys sent Mercer a list of user names and passwords he claimed he
"obtained by a high authority within the 'conscious' hactivist organization Anonymous." Keys also stated he had access to
future operations, including operations against Paypal, Amazon, the Los Angeles Times, Fox News, and others.
Also on 12/12/2010, Mercer engaged Keys in a
consensually recorded telephone conversation. They discussed a hack into a website called Gawker wherein many email
account passwords were compromised. Keys said he entered a chat room with 2,000 plus members. In this chat room, Keys
said he met someone who invited him into a private chat room populated by 15 highly skilled hackers. Keys denied any
involvement in the hacked P2P server. Keys said he had computer records of his interaction with the group. In
communicating the hackers, Keys said he discussed his past journalism experience. It was not clear in these discussions
whether Keys was acting as a journalist to collect this information. In any case, it was clear in the call he was sharing the
information he obtained in the chats with a journalist from the Public Broadcasting Station (PBS)
On about 12/14/2010, writer received a report from Tribune media that the P2P server affecting the Los
Angeles Times had been compromised by a web page defacement. The compromise had occurred via an account called
Anon1234. Tribune media suspected the intrusion was related to the Matthew Keys investigation.The investigation in
Sacramento determined that the likely source of the intrusion was an individual in England using the name "Sharpie."
On April 27, 2011, writer contacted Matthew Keys telephonically. Keys stated that he had computer data
pertaining to "Anonymous," but that he was a journalist and was unsure about turning it over to the FBI.
Re serial 22, on about 09/02/2011, the investigation was transferred to Los Angeles, based on lack of
evidence to implicate Keys and additional evidence that the actual hack at the LA Times was caused by Unsub aka Sharpie. At
the same time, Matthew Keys was removed as a case subject and replaced by Unsub aka Sharpie.
On about 12/16/2011, writer was reviewing evidence item 1 B63 from case 1863 was
an image of a laptop computer owned by Laurelai, aka Wesley Bailey who was involved in a hack by Sabu and Kayla against a
computer in Sacramento owned by a company named HBGary. In this image, writer located the following snippet which
was an exchange bewteen "Potatoes" aka "Kayla" aka Ryan Ackroyd, and "Laurelai" aka Wesley Baily. Pertinent quotes are in
bold:
BEGIN TEXT WITH CODING REDACTED AND EDITED:
(04:46:43 PM) where did you get that from
(04:47:59 PM) potatoes@jabber.org: it does mention him
(04:48:10 PM) potatoes@jabber.org: as keys
(04:48:15 PM) potatoes@jabber.org: but the thing is he's not innocent
(04:48:25 PM) potatoes@jabber.org: the logs we have of him are just as damaging
(04:48:50 PM) potatoes@jabber.org: the only differenc is we know his real identity, he doesn't know ours
(04:48:50 PM) potatoes@jabber.org:
MK035936
MKP-0035841
Case mew 25 Filed 01/03/14 Page 4 of 26
To: LosAngeles From: Sacramento
Re:
(04:48:57 PM) they all still seriously thinki am this Corey faggot
(04:49:07 PM) thats some serious fail right there
(04:49:11 PM) they honestly do
(04:50:50 PM) its very telling that the logs i gave of barrett are not in that story
(04:51:16 PM) where he admits to being part of marblecake and knew who they are ect
(04:51 :30 PM) would think that part would have made it in
(04:52:49 just somethingforyou to think about
(04:54:10 PM) The logs are from an invite?only IRC chat channel called
populated by people calling themselves Sabu, Kayla, Laurelai, Avunit, Entropy,
Topialy, Tflow, and Marduk.
(04:54:26 PM) were the only person to leak logs
(04:54:43 PM) potatoes@jabber.org: ever since, no one has even used HQ
(04:54:46 PM) lau yeah but those logs in the article have stuffi never saw
(04:55:09 PM) potatoes@jabber.org: because they are from other channels where this AESCracked was
(04:55:21 he's the socalled jurno who "infiltrated"
(04:55:26 PM) aka Matt Keys
(04:55:40 well he must have grabbed the linkwhen it went public then
(04:55:51 PM) like alot of people did
(04:57:24 PM) lau i gave them to fake gregg who then gve them to the entire fucking world
(04:57:27 PM) we know this already
In addition, other snippets relating to Matthew Keys were located on the image of 1B63.The time frame of
these exchanges appears to be in March 2011. A sample of these, with pertinent quotes in bold, is as follows:
BEGIN TEXT:
16:27 kayla> this "keys" faggot we think is AESCracked who was an ex journalist
16:27 <&Eekdacat> AEScracked
16:27 <&Eekdacat> wat
16:27 kay a> he was in some of our chans and threw a fit trying to to media when we kicked him out
16:28 <&fubar> kayla is actually a highly advanced Al whose entire range of speech consists of things that were posted on
many moons ago
16:28 <&Eekdacat> has someone been leaking my research
16:29 kayla> but in that gawker article it says his name is "Matt Keys" Iol he's not so innocent and we have logs of him
too, he was the one who gave us passwords for LA times, fox40 and some others, he had superuser on alot of media
16:29 <&Eekdacat> well he's a butt for picking the name aescracked
16:29 kay a> also, it speaks of #hq logs getting leaked?
16:30 kayla> i don't suposeyou know who leaked those?
16:34 <&fubar> it says in the article
16:34 <&fubar> wat
16:35 kay a> no no fubar i know who leaked them
16:35 kay a> but i want to know what the fuck is going on
END TEXT:
BEGIN TEXT:
16:58 kay a> Registrant:
MK035937
MKP-OO35842
Case mew 25 Filed 01/03/14 Page 5 of 26
To: LosAngeles From: Sacramento
Re:
16:58 kay a> Matthew Keys
16:58 kayla> 4655 Fruitridge Road
16:58 kay a> Sacramento, California 95834
16:58 kayla> United States
16:58 kay a> Registered through: GoDaddy.com, Inc.
16:58 kayla> Domain Name: RADIOMATTHEWCOM
16:58 kay a> Created on: 08-Apr-07
16:58 kay a> Expires on: 08-Apr?11
16:58 kayla> Last Updated on: 27-Jan-10
16:58 kay a> Administrative Contact:
16:58 kayla> Keys, Matthew
16:58 kay a> 4655 Fruitridge Road
16:58 kayla> Sacramento, California 95834
16:58 kay a> United States
16:58 kayla> +1.9162650941
16:58 kay a> Technical Contact:
16:58 kay a> Keys, Matthew matthew.keys@gmail.com
16:59 kayla> 4655 Fruitridge Road
16:59 Sacramento, California 95834
16:59 kayla> United States
16:59 kay a> +1.9162650941
16:59 kayla> Domain servers in listed order:
16:59 kay a> N51 .JUSTHOST.COM
16:59 kayla> NSZJUSTHOSTCOM
16:59 kayla> NS3.JUSTHOST.COM
16:59 <&Eekdacat> hey
16:59 kayla> setting up a intelius now to rape his SSN and his family
16:59 <&Eekdacat> he has his full resume on his site
16:59 <&Eekdacat>
16:59 <&Eekdacat> old tricks are the best tricks
16:59 dimanov> im sure he doesnt care
16:59 dimanov> about his dox
16:59 kayla has quit [Quitz Lost terminal]
16:59 dimanov> since he has his resume on site
16:59 <&fubar> kayla was murdered
16:59 dimanov> buti guess anon prides themselves in obtaining public information
16:59 mysq 2 has joined #trOll
17:00 <&Eekdacat> typing average of 80
17:00 <&Eekdacat> scrub
17:00 <&insid> back
17:00 mysq 2> he worked for LA Times and handed us password for LATimes and fox40 he's not so "innocent"
END TEXT:
BEGIN TEXT:
17:03 <&Eekdacat> notify fox40 and whatever other station that he was giving out passwords
17:03 <&Eekdacat> see if they do job recommendations for him now
UNCLACESIFIED
MK035938
MKP-OO35843
Case mew 25 Filed 01/03/14 Page 6 of 26
To: LosAngeles From: Sacramento
Re:
17:03 kay a>you should try talking to some of my friends from school on MSN it's all pics and stuffxD
17:04 <&Eekdacat> idk i don't get out much
17:04 kay a> he forget we have logs of him doing illegal things too
17:04 kay a> but only we know his REAL name/addr
17:05 diman ov> nd Kayla was one of them. "Kayla was one of two hackers who broke into the Gawker database," Keys
told Gawker. "It was her idea. She coordinated the attack. She carried it out with another hacker.A third was involved in the
distribution of the torrent, but the brainchild of the Gawker hack attack was Kayla.
17:05 <&insid>
17:05 TEXT:
END TEXT:
BEGIN TEXT:
17:20 kay a> re-of?anonymous-hackers-by
17:20 kay a> this guy is just asking for it
17:20 kay a> xD
17:20 kay a> is him
17:20 kay a> also
17:20 kay a> hahah
17:20 kayla> he honestly think we not going to rock him?
17:20 kay a> lols
17:21 <&insid> meh
17:25 bus> Familiar with video and photography concepts, including lighting, audio, white balance, color balance and
in-camera editing
17:25 bus> "can take pictures"
17:26 bus> Knowledge of media software including Final Cut Pro and Adobe
5 ImageReady and PhotoShop CS
END TEXT:
BEGIN TEXT:
17:33 kay a> he's pritty prO
17:33 <&fubar> i'll post a damaging profile of him in my activex dox database on my angelfile page
17:33 <&fubar> or post some mean comments on his myspace
17:33 kay a> this is another whois for one of his sites
17:33 kayla> Administrative Contact:
17:33 kay a> Keys7z32 <&fubar>
17:33 kay a> he's pritty pr0
17:33 <&fubar> i'll post a damaging profile of him in my activex dox database on my angelfile page
17:33 <&fubar> or post some mean comments on his myspace
17:33 kay a> this is another whois for one of his sites
17:33 kayla> Administrative Contact:
17:33 kay a> Keys, Matthew
17:33 kay a> 148 Arcadia
17:33 kayla> Vacaville, California 95687
17:33 kay a> United States
17:33 kayla> (415) 374?9007
17:36 bus> lol he must make like 30k/yr
17:36 bus> to live in vacaville
MK035939
MKP-OO35844
Case mew 25 Filed 01/03/14 Page 7 of 26
To: LosAngeles From: Sacramento
Re:
17:36 bus> and work in sac
17:37 <&Eekdacat>
17:40 kayla
17:40 TOOT IT AND BOOT IT
17:40 hey
17:41 selling google roots for $20
17:43 <&fubar> hi bro can iframe it to my fud java Oday driveby shooter
17:46 bus> not far drive. i fuk dog of matthew ok
17:50 kayla> i want his SSN so i can canel his utilities, gas, electric
17:50 kay a> cancel
END TEXT:
Given the above information, 288A-WF-242710 Serial 794, which referenced AESCracked, was examined.
This serial was an examination of log files contained in computer equipment and or electronic media seized by order of a court
authorized warrant executed at 6039 Douglas Road, Toledo, Ohio 43613.
An examination of the log files from this computer was documented further in Serial
26. In this log, some pertinent quotes were as follows:
#Target
Dec 08 20:53:13 AESCracked
ifyou want to attack fox news, pm me. i have a
user/password for their
Dec 08 20:53:35 AESCracked
*pm meforfox news password into their cms*
#OperationPayback
Dec 08 20:43:15 AESCracked If
you're interested in hacking at FOX News site, I have a user/pass to the backend CMS for FOX40.com
Dec 08 20:44:47 sharpie
AESCracked: srs?
Dec 09 07:54:1 7 AESCracked
I've already given Ops the user/pass to several FOX websites.
#internetfeds
Dec 08 20:55:12 Sabu that would
be nice to get access to fox. let me know if I can get access. I want to see if I can get further in.
MK035940
MKP-OO35845
Case mew 25 Filed 01/03/14 Page 8 of 26
To: LosAngeles From: Sacramento
Re:
Dec 08 20:56:23 sharpie asked him
not to mention it in main again
Dec 08 20:56:53 sharpie
I was already talking to him
Dec 08 20:59:20 AESCracked
i'm not a hacker.
Dec 08 20:59:23 AESCracked
i'm an ex-employee
Dec 08 21:00:47 AESCracked
user: anon1234
Dec 08 21:00:50 AESCracked
pass: c0mm0n2
Dec 08 21 :01 :23 AESCracked
go fuck some shit up!
Dec 08 21:01:29 sharpie
thanks very much
Dec 08 21:01:32 sabu
AESCracked: thankyou.
On 01/09/2012, writer accessed
Gawker as
referenced by Kayla above. This was a website by Producer Matthew which stated" I provided Gawker with just one of
dozens of logs that were taken during my two-month access to top level hackers within Anonymous. In addition to
providing Gawker with one log, proved the PBS NewsHourwith a record back in December. The site also read, am a
journalist best known for aggregating content on social media sites like Twitter and Tumblr. work at Reuters in New York.
In light of the above exchange wherein Matthew Keys also known as AESCracked admitted to being a
former FOX40 employee, and turned over the usernames and password to Sharpie and others, Sacramento to open captioned
matter.
Re telcall, Sacramento will work the case against Keys jointly with Los Angeles. Re telcall with AUSA
Segal, the case will be prosecuted in the Eastern District of California.
MK035941
MKP-OO35846
Case mew 25
To: LosAngeles From: Sacramento
Re:
Set Lead 1: (Info)
LOS ANGELES
AT LOS ANGELES, CA
Read and clear.
Filed 01/03/14 Page 9 of 26
MK035942
MKP-OO35847
Case Document 25 Filed 01/03/14 Page 10 of 26
Exhibit
Case Document 25 Filed 01/03/14 Pa
UNCLASSIFIED
FEDERAL BUREAU OF INVESTIGATION
Electronic Communication
Title: (U) Initial Review of Computer Evidence Date: 02/20/2013
To: Gabriel F. Andrews
From: SACRAMENTO
Contact: CAUTHEN JOHN M, 916-874-6492
Approved By: SSA SPRINGER SCOTT A
Drafted By: CAUTHEN JOHN
Case ID 288A-SC-45485 (U) KEYS, MATTHEW TELEVISION STATION
FOX4O NEWS
LOS ANGELES
SENSITIVE INVESTIGATIVE MATTER
288A-LA-258500 (U) MATTHEW
TRIBUNE MEDIA -
COMPUTER INTRUSION
Synopsis: (U) Some files were noted on computer evidence. These files
were printed and emailed to AUSA.
Full Investigation Initiated: 01/17/2012
Enclosure(s): Enclosed are the following items:
1. (U) Computer File Printouts
Details:
On 1/16/2013, writer viewed some files from a computer seized pursuant
search warrant at the residence of Matthew Keys. Some of the files were
printed and emailed to AUSA Matthew Segal. A copy of the files are
included herein as 1A evidence. Note: The files do not represent the
full scope of files germane to the case. This communication does not
purport to be a full report of examination of the computer media seized
and merely represents a cursory "first glance" of the evidence.
UNCLASSIFIED
MK036096
MKP-OO35994
Case Document 25 Filed 01/03/14 Page 12 of 26
UNCLASSIFIED
Title: (U) Initial Review of Computer Evidence
Re: 02/20/20l3
The files include:Resignation letter of Matthew Keys from KTXL FOX40,
Logs showing computer connection of user with identity AESCracked to
IRC channel, IRC chats between sharpie and AESCracked discussing LA
Times hack, Results of hacking Los Angeles Times, Check between Matthew
Keys and Adrian Lamo, Timeline of Events created by Matthew Keys
entitled "Inside Internet Feds."
90
UNCLASSIFIED
2
MK036097
MKP-OO35995
Case Document 25
October 12, 2010
To: Brandon Mercer
News Director, KTXL FOX40
4655 ruitridge Road
Sacramento, CA 95820
Mr. Brandon Mercer,
After some consideration, I have decided to resign my position as online news
producer effective two weeks from the start of the next business day (October
27,2010)
I appreciate the opportunity I?ve been given to work for KTXL FOX40 over the
past two years. I remain committed to bringing our product excellence during
my final two weeks.
I ask that this letter be kept personal and confidential.
Warmest regards,
Matthew Keys
916?769?4493 - matthew@radiomatthew.com
Filed 01/03/14 Page 13 of 26
MK036098
MKP-OO35996
Case Document 25 Filed 01/03/14 Page 14 of 26
5
?rmnevemet. net
lm?llf?. 193
Erchiddenacegmet
Nickname
Matth ew?CA
AESCraci-Led
AEECracked
AES?Cracked
AES-Cracked
MK036099
MKP-OO35997
Case Document 25 Filed 01/03/14 Page 15 of 26
- Hg
. chat Sewer:
5E mar" Fart:
?Eggnamer iAQESEraike?
Same: Famwm?: .
Nickname: ?mESEr?astke-d
PEESWU 5 run Illin-
AIL Nicknam?:
saw Name: @155: Famed
g: Hnimda {min
MKP-OO35998
MK036101
MKP-OO35999
0. Search Messages
htt: 1
. 364 members I
A - . taught myself the dystem usmg ngarcla
Intertwinde r.
1D mem?heqs' . s?zem
. j, AESCracked: EDI.
Chrmom
5mm
AESCradmil
Await
glome-xmway
Shiva
i and had :1 whole from page layout made Eur the ch?
AESCracked: [5 I1: live?
I but dam there sysadmins were good
nah they killed me
that was Up For N2 hr
AESCracked: Screenshat?
. - no
AESCratked: Sucks
the menat the LATimes was up For I12 hr
AESCracked: I: can grant Wu access again
that wuuld be great
ho to use it now
AESCracked: Standby
Have to VPM to cover my tracks. 34:34am
AESCracl-ced: 0h 1 already mm mm Wigwam
3 and I see that you can do a bunch of different layouts on different papers 04:34am
AESCracked: damn they cut off my account {34:34am
and have them all go live at the same time - 94:34am
AESCracked: hang on. 04:34am:
AESCracked: Nope, i'm locked out for good. 04:34am
3 04:35am.
AESCracked: 94:35am
Case 2
Document 25 Filed 01/03/14 Page 16 of 26
a; I. Operatitm Payback.
h: 364 membm and have them go live at the same time .
I . AECracked: hang on. My?? I
mternetfeds, . a
members i AESCracim-d: Hope. Em locked out for good.
Chmnum fuck
. .W'Siteaot If
AESCranked I -3 V9315
Await AESCrackcd: Let me see iE I can Find some other usersi'pass
Dwain I 3105:: other accounts were dead in miniutes and ey
I gm g'me props to the sisadm-ins
glomexiaway
shiva AESCracked: BBL
I 'Einyjuy??
ed while there.
found ngarcia damn qu'ck
AESCracked: Nat vet
kit? hm
AESCracked: Will check a little later Eur smre
?a?c 5 min: anyway as?:
cm .534 3$am
. - :0 '?4g33am
AESCracked: have a hard drive ?uil of Tribune crap, but it?s another location.
. 1 thanks ?air-333m
AESCracked: Sure thing - 0439M
mm: was such a buzz having my edit 1141:3541?
i . on me LAT?mes 0-1393?:
EAESCracked:Nict 0435mm
icqu have done :0 much mane if I'd known Interface at the star: - 84:393?14
I if; hath easy and campiicmzed
[16133311
A
Case 2
MKP-OO36000
MK036102
Document 25 Filed 01/03/14 Page 17 of 26
I NATION
THE EEWS: RICHARD H-DLERDEIKE I mum ASSANGE I meow: I TAX CUTS I
Pressure. builds in House to elect CHIPPY 1337
Henge Democratic leader Steny Hoyer SEES ?very gamed things? in the deail cut Which will see
uber Chippy 133? take his right?? place, as head of ?le Senate, reluctant Home
Demecrats talc! to SEEK IT UP
share By CHI PFYS ND 1 FAN, Tribune Washington Bureau
?e-cember 14; 2010 I 10:04 mm.
RELATEB EFL?mail a Print ?in Text
Tax cute will pass despite .511 Like
. . . Sign Up to see what 3mm friends like.
Demanra?c uprising, {mama
MKP-0036001
MK036103
Case Document 25 Filed 01/03/14 Page 18 of 26
Case Document 25 Filed 01/03/14 Page 19 of 26
October 12, 2010
To: Brandon Mercer
News Director, KTXL FOX40
4655 Fruitridge Road
Sacramento, CA 95820
Mr. Brandon Mercer,
After some consideration, I have decided to resign my position as online news
producer effective two weeks from the start of the next business day (October
27,2010)
I appreciate the opportunity We been given to work for KTXL FOX40 over the
past two years. I remain committed to bringing our product excellence during
my final two weeks.
I ask that this letter be kept personal and confidential.
Warmest regards,
Matthew Keys
916-769-4493 - matthew@radiomatthew.com
MK036104
MKP-OO36002
Case Document 25 Filed 01/03/14 Page 20 of 26
mm 15 PAPER 7 no NOT ACCEPT wnmom NOTING . HOLD new to vamp: wntEnmaK
I PLIAEE THE PAYMENT POI OUR IIUTUAL CUSTOMER
Account: gem $0.25 I
tease Direct Any Questions
O: 2 1
533m? - BILL PAYMENT 35'? a .010
CARMICHML. CK-
amx or AMERICAHERO: And m. in mud
WW DOLLARS
. ,4
I a
I 1h: MATTHEW KEYS (DEPOSIT Wad mm. mm
om, Signature On We
ca? This cheek has been authorized
of ml?
mm 1 man-uh
_a as?-
MK036105
MKP-OO36003
Case Document 25 Filed 01/03/14 Page 21 of 26
INSIDE INTERNET FEDS
Overview: Internet Feds (#internetfeds) is a secret channel on the Anonymous
server. There were 30+ members of Internet Feds as of December 2010.
The members of Internet Feds occasionally mingle in public rooms on the
Anonymous server, but they do not disclose their activities outside of the
channeL
INTERNET FEDS LEADERS:
Chronom (t?ow) Internet Feds channel operator. Paypal scammer.
Possibly from the United Kingdom (could not corroborate). ?Traced? by
Backtrace Security in March.
0 Kayla Claims to be a 16 year old blonde girl from France. Is not a French
citizen, does not speak French, lives with her father. Some claim Kayla is
really a male from New Jersey and goes by other names (could not
corroborate).
- Sabu Single, lives in New York City. Has adopted children. Works in
information security.
OTHERS:
- Endika: An ?Anonops? (Anonymous operator), or operator on the
Anonymous server. Heads ?Operation on #operationboa. Lives in
Spain, works as a financial advisor for a bank(A. flag/x(7 54 (as
I, r/rc a
(?re :3
MK036106
MKP-OO36004
Case Document 25 Filed 01/03/14 Page 22 oi 26
TIMELINE OF EVENTS
December 8, 2010:
Government username/passwords linked from the ?topic? of
#internetfeds. Link goes to an Etherpad containing a list of government
usernames and passwords obtained from the Gawker userlist.
December 11, 2010:
Passwords for various gaming websites released. The FTP accounts
for THQ, Square Enix, Rockstar Games, Lucas Arts, SEGA and 2K
Gamers were published in the #internetfeds chat room. The user/pass
for these FTP accounts were retrieved from the Gawker database.
Anonymous users ?snowycloud? and ?s?kg? announce their resignation.
?Operation Overload" announced.
(database) for art.colorado.edu is posted in #internetfeds.
Kayla announces she can obtain ?root access? for the servers at
Harvard University.
Survey information from a website associated with the British Liberal
Democrats political group is released. The hack was not performed by
members of internet Feds but was highly praised and publicized within
the group.
December 12, 2010:
At 12:08pm Pacific (20:08 GMT) Kayla announces the release of the
Gawker database files, including 1.5 million usernames and passwords
belonging to registered commenters of Gawkercom and related
websites (Gizmodo, etc). The initial dump was 1GB, but was trimmed
to 400MB after Kayla removed ?the useless shit.?
At 12:49pm Pacific (20:49 GMT), Gawkercom acknowledges a breach
had occurred. The group #gnosis claims responsibility for the attack.
Kayla claims she is a member of #gnosis and takes responsibility in
#internetfeds.
#internetfeds member Commissar announces he will draft a press
release and a message specifically for 4chan.org announcing the
Gawker data dump.
#internetfeds member Switch goes rogue, screws with the settings of
the chat room, bans member Kayla which results in her absence for
several days. Chronom (tflow) bans Switch, but doesn?t discover the
ban on Kayla?s username until a few days later.
Kayla releases the usernames and passwords of several Amazoncom
employees after a attack on the website fails. (unfortunately, a
record of this conversation was not created).
MK036107
MKP-OO36005
Case Document 25 Filed 01/03/14 Page 23 oat. 26
December 18, 2010:
Operation Overload is clarified as a mass defacement of Irish .edu
(educational) and .gov (government) websites. A ?defacement?
involves replacing the content of a website (usually the homepage)
with a message by Anonymous.
December 19, 2010:
Chronom (tflow) reveals the Internet Protocol (lP) addresses for
AMEDD, a communications management system used by the
Pentagon.
December 20, 2010:
Kayla says she could possibly acquire the Social Security Number of
Switch (assuming he?s American).
#internetfeds member ?root? says he has ties with the Canadian
government.
Kayla says she could ?make their lives hell? if she could acquire the
proper ?dox? on certain people. ?Dox? is short for ?documents,? relating
to an individual?s personal information, including name, address, phone
numbers, social security or NHS number, etc.
Kayla claims to have access to a ?social media website,? but does not
say which site (speculation: Tumblr. Members of 4chan attempted to
launch a attack on Tumblr in 2010. #internetfeds members
speculate Digg)
Kayla says she lives in France, but is not a French citizen and doesn?t
speak French.
Kayla drops root:admin passwords for several ?busyboxes?
Kayla releases the administrative username and password for the main
blog hosted by the Green Party of the United States. The owner of the
website is the mayor of Greenwich, New York.
Message floats around #internetfeds stemming from a conversation
Chronom (tflow) had with Paypal. Chronom (tflow) used a false name
while executing a scam against Paypal.
December 30, 2010:
#internetfeds member ?root? announced missing. Speculation among
members that ?root? was (?vanned,? or arrested by the authorities).
#internetfeds members suspect ?root? was identified as a link in a
Paypal scam under investigation by the FBI.
Sabu accuses hacker Adrian Lamo (the man who turned in Wikileaker
Bradley Manning) of ?forcing himself on kids,? expresses interest in
DOXing Lamo.
MK036108
MKP-OO36006
Case Document 25 Filed 01/03/14 Page 24 of; 26
December 31, 2010:
Chronom (tflow) lists the stats of a created identity. The fake person
will be the front for a Facebook profile Chronom (tflow) and other
members of the #internetfeds will use to entrap a suspected rogue
Anonymous member.
0 Conversation with Anonymous member and Anonymous Operative
?Endika? reveals he is a financial assessor for a bank in Spain. Endika
is the leader of OperationBOA, an operation targeting Bank of America.
January 1, 2011:
0 Mass paranoia in #OperationPayback over the identity of a hacker
named "The Jester.?
Kayla reveals she has blonde hair.
January 2,2011:
- Sabu shows off root usernames and passwords for jailbroken iPhone
obtained through a security flaw. The passwords give access to a
person?s contact list, photos and other ?les stored on the iPhone (note:
iPhones that are not jailbroken are not susceptible to the security flaw)
January 3, 2011:
OpTunisia begins. Chronom (tflow) announces defacement of Tunisian
government websites. Anonymous later claims responsibility of the
defacement.
January 3,2011:
0 Chronom (tflow) posts a conversation with a reporter who goes by the
username "SteveD3.? Chronom (t?ow) converses about a security flaw
found within iPhones. Unknown if this is related to the security flaw
discovered by Sabu.
January 5,2011:
0 Tred reveals stolen credit card numbers used to charge small
donations to the Red Cross. Some of the credit card numbers are
expired or have been canceled (a record of this exists but it?s floating
around my computer to find it).
0 Garrett confirms he and Kayla are two of the leading members of
#gnosis, a group that claimed responsibility for the Gawker database
dump.
- Garrett says ex-gnosis members Toblerone and were suspected
of giving interviews to the media as #gnosis shortly after the Gawker
database dump. Garrett says those two members are not involved in
#gnosis operations.
MK036109
MKP-OO36007
Case Document 25 Filed 01/03/14 Page 25 0g 26
- Garrett says he is from Ohio
0 Chronom (tflow) boots several members from #internetfeds in an
attempt to secure the room.
MK036110
MKP-OO36008
Case Document 25 Filed 01/03/14 Page 26 05 26
INTERNET FEDS TARGETS
- Gawker (attacked)
Gaming FTP accounts of THQ, Square Enix, Rockstar Games, Lucas
Arts, SEGA and 2K Gamers (attacked)
- art.co orado.edu (access, not attacked yet)
a Harvard University (access, not attacked yet)
0 Command Management System (Pentagon) (access, not
attacked yet)
0 An unnamed ?major social media website" (access, attack pending)
Green Party biog/website (defaced)
- Jailbroken iPhones (access, unknown if attacked)
0 Amazon.com (access to employee accounts, attack pending)
Tunisian government websites (defaced)
- lrish .gov websites (access, attack pending)
0 Irish .edu websites (access, attack pending)
MK036111
MKP-OO36009