By Charlie Osborne
SOUTHWARK - Four members of the LulzSec hacking group were on Thursday sentenced in court after pleading guilty to various computer hacking-related charges.
Ryan Ackroyd, 26; Jake Davis, 20; and Mustafa al-Bassam, 18, were all sentenced together with Ryan Cleary, 21, over a two day hearing at Southwark Crown Court, London.
Each member of the LulzSec "hacktivist" group admitted to various hacking charges, including taking down corporate and government websites, between February and September 2011.
Presiding Judge Deborah Taylor, on Thursday, sentenced Ackroyd to 30 months, in which he must serve at least half. Davis to two years in a young offenders institution, in which he must serve at least twelve months. Bassam received a suspended sentence of 20 months, and Cleary was ordered to serve at least half of a 32-month sentence.
Judge Taylor commented: "You sought to amuse yourselves and wreaked destruction and havoc. You cared nothing about the privacy of others, but kept your own identities hidden."
Indecent imagesAside from hacking charges, an additional indictment against Ryan Cleary was delayed due to a court miscommunication.
After the seizure of Cleary's computer and and subsequent recovery of deleted files, the hacker was charged with downloading and possessing indecent images of children following a second arrest on October 4, 2012.
Under the U.K. COPINE scale — a measure of the severity of images the images in question were classified as child "erotica" and deliberate sexual posing. A total of 46 images contained children aged between six and 18 months, whereas others included children aged between ten and 15 years.
The defense team said that Cleary is not a "professional pervert" or sexually obsessed, but rather was obsessed with finding data and using his computer — a reason laid at the door of his client's Asperger's syndrome.
A lack of information in psychological reports and pre-hearing files resulted in a delayed sentencing. Cleary, who admitted to downloading the images, will not be sentenced this week.
Criminal computer activitiesFormer soldier Ackroyd, under the alias of a 16-year-old girl named "Kayla," admitted hacking into a number of websites in 2011, including Sony, Nintendo, News Corp. and the Arizona State Police. The 26-year-old sat across from his lawyer with a pensive, wide-eyed look, as he was branded the "most sophisticated" defendant, and he was responsible for researching vulnerabilities and exploits as well as executing hacks.
The prosecution said that Sony suffered $20 million in damages, and revenue loss due to the security breach is "incalculable." An estimated 24.6 million customer accounts were compromised.
Davis and Bassam pleaded guilty to counts of conspiring to access and impair a computer without authorization, including launching attacks against the CIA and Serious Organised Crime Agency (SOCA).
Ackroyd was dressed in a sweatshirt and jeans, whereas Bassam was suited and booted with a serious but resigned look on his face. Davis, the last to arrive, chewed gum and appeared relatively unconcerned.
During later proceedings, however, the strain showed in the eyes of each member of the hacktivist group as they sat behind a glass wall and watched their fates being bargained for.
According to the prosecution, Davis was responsible for releasing press statements; controlling the LulzSec Twitter feed, and defacing website pages.
Bassam allegedly controlled the group's website; published stolen information to sites including Pastebin, and helped with stolen data distribution — including through the use of BitTorrent technology and mirror websites. In addition, the LulzSec member allegedly researched computer system vulnerabilities ripe for exploitation.
Cleary, otherwise known by his Internet alias "Viral," pleaded guilty to the same hacking charges, in addition to counts of supplying articles with intent to impair computer systems and breaking into the Pentagon's Air Force systems. Cleary spent over five years building a sophisticated botnet — with a minimum of 100,000 computers at its disposal at any one time — which in turn was used for both Anonymous and LulzSec campaigns.
A number of website intrusions were based around vulnerabilities found within the Internet Explorer browser, and websites with high traffic levels were targeted. The 21-year-old maintained that his botnet was only "rented out" ten or so times for monetary gain — and raised only £2,000 in total — whereas the prosecution stated it did not believe this was truly the case.
In addition, Cleary's lawyers argued that although he gave botnet access to Anonymous, there is no evidence that he directed or controlled it — therefore Cleary was guilty of supply rather than actual hacking.
Criminal barrister Gideon Cammerman argued that using a botnet was "not brain surgery." Although the result was a sophisticated website takedown attack, the defense attorney wanted the judge to keep in mind that in the case of the Serious Organised Crime Agency website, there was no evidence to suggest the website was infiltrated — it was only taken offline for a short time.
The motivationOutside of the courtroom, Cammerman called the LulzSec hackers "a group of talented young boys who hacked particular things for particular reasons."
In contrast, prosecutor Sandip Patel accused the LulzSec members of launching "sophisticated, orchestrated attacks," which caused firms and individuals "millions of pounds' worth" of damage, coupled with the "dire, personal consequences" suffered by individual victims.
Cammerman said the hackers were "politically motivated and morally complicated," which made for a complex case. In this manner, both prosecution and defense agreed, as Patel stated in the hearing: "This is not about young, immature men behaving badly."
U.S. extraditionAn indictment based on two counts of encouraging and assisting in an offense were, "not in the public interest to pursue." However, as the U.S. has also issued the same indictment, prosecution had to confirm that currently there has been "no formal request for extradition." Davis' defense team said that "there is an appetite for this type of prosecution in the United States," and it is not a risk the 20-year-old should be exposed to.
As they were individually led away, Bassam looked relieved, whereas the other members of the Anonymous splinter group had resigned expressions.
Cammerman said outside of the courtroom that some of the victims were "thoroughly deserving" of what happened to them, the Westboro Baptist Church as one example.
LulzSec exploded on the hacking scene in 2011 after targeting Sony Pictures Entertainment, which led to the taking down of the Playstation network. in a Los Angeles, California court last month, LulzSec member Cody Kretsinger, 25, was arrested and prosecuted in relation to the initial cyberattack.
Kretsinger, also known as "Recursion," admitted one count each of conspiracy and unauthorized impairment of a protected computer as part of a plea bargain, and was ordered to spend one year behind bars and perform 1,000 hours of community service.
LulzSec was politically motivated in the beginning; launching the first "cyber war" in tandem with Anonymous in retaliation to officials' attempts to shut down WikiLeaks. Target choices then began to move away from purely the political, and the Church of Scientology, Westboro Baptist Church and banking systems found themselves under attack.
However, the hacktivist group was compromised when de facto former leader Hector Monsegur — otherwise known as "Sabu" — turned mole after his own arrest and spent nine months passing information on to U.S. officials.
The hacker-turned-spy's information led to the arrests of alleged members of LulzSec and Anonymous in March 2012.
The ruling follows the arrest of the self-proclaimed "leader" of LulzSec in Australia. Matthew Flannery, 24, who allegedly used the name "Aush0k" in hacking activities, was charged for hacking into two computers after being apprehended in coastal town Point Clare.
During the first day of the hearing, Ackroyd wanted closure. His lawyer, John Cooper QC, counselled that the issue probably wouldn't be over that day. The 26-year-old replied: "They won't be done with me for a long time."
No matter the age, the U.K. justice system is unlikely to be "done" with cybercriminals any time soon.