The vigilante hacker who made a name for himself harassing Anonymous, disrupting WikiLeaks, and stalking “jihadist” sites is apparently lying low after threats to expose his real identity were made via Twitter on May 11. The person claiming to have details of The Jester’s identity plans to publish that information—after he passes the hat for Bitcoins first, allegedly in part to raise funds for WikiLeaks.

On May 14, The Jester's Twitter account was deleted. Later that day, another one sprang up with posts claiming to be The Jester—and announcing DoS attacks on some of his favorite targets.

It’s not clear if any of this is legitimate—whether it involves someone who has dirt on The Jester, someone who managed to hack The Jester’s Twitter account, or whether it is yet another master troll by The Jester himself (or by one of the many people who would like him to go hide for a while).

Plenty of people would like to see The Jester, who has in the past claimed to be “an ex-soldier with a rather famous unit,” taken down a peg. He has a long history of going after people seen as being on the wrong side of an issue, and he has angered former colleagues with his alleged credit-stealing, ego-tripping, and general grandstanding. A group of former operators from The Jester’s IRC channel on 2600, who now make up the group ReaperSec, are particularly disillusioned with what they see as The Jester's constant self-promotion, and with the whole “patriotic hacker” mythology.

While he has demonstrated the ability to DoS sites in the name of patriotic duty, some have called his actual technical skills into doubt. Just where skill ends and showmanship begins remains up for debate. But here's what we do know.

Patriot games

As Donald Rumsfeld would say, let’s start with the "known knowns" and the "known unknowns." Starting in early 2010, The Jester (or "th3j35t3r") began attacking “jihadist” websites—the “official” site of the Taliban, alemarah.info, being a frequent early target before it was shut down. He also used some social engineering to make it look like he had done more—for example, he used faked shortened links to make it look as if he had planted faked articles into the website of the Malta Independent Online and Tripoli Post.

In the US, he has attacked religious extremists of another ilk—DDoSing the website of Westboro Baptist Church (godhatesfags.com) in response to their picketing the funerals of US servicemen killed in Iraq and Afghanistan. Westboro’s site has been under frequent attack by The Jester over the last two years.

Then came WikiLeaks. In November 2010, The Jester claimed responsibility for the attack that briefly cut off access to the WikiLeaks website, just as the site was preparing to publish a digital trove of US embassy cables allegedly revealed by Bradley Manning. The Jester claimed to have staged the attack using his own attack tool, which he called XerXes. According to an analysis by US Army Major TJ O’Connor, published by the SANS Institute, the XerXes tool, based on SlowLoris and RUDY (“R-U-Dead-Yet”) attacks, could cycle through a set of TOR network connections to launch its attacks—making it a quasi-distributed denial of service attack. The tool also could automatically post the results of an attack to Twitter.

The DDoS attack generated 10 gigabits per second of traffic against WikiLeaks’ Swedish servers—forcing the organization to move its services to Amazon’s cloud. (Amazon later booted WikiLeaks, claiming it had violated the terms of service.) But it’s not clear that XerXes’ “slow” attacks were what was used in the DDoS, or whether others were involved as well.

Last year, The Jester upgraded his attack tools as he continued to take on militant sites—using tools he calls Saladin and Leonidis. In a recent post to his blog (since removed, but pasted here), The Jester promised “full disclosure” on Saladin, but with “Leonidis [sic] not so much.” He has used these tools to continuously take down Islamic militant and other sites since last November.

For his Lulz only

Anonymous and LulzSec sit in a special place of (dis)honor in the darkest parts of The Jester’s heart, and the feeling is mutual. Perhaps it was Anonymous’ support of WikiLeaks that triggered The Jester’s animosity. But regardless of who talked the first trash, The Jester became engaged in hostile activities against Anonymous almost before the WikiLeaks attack had cooled off, targeting Anonymous’ IRC servers.

After that, The Jester claimed to have gone after Anonymous’ own attack tools. In December 2010, he claims to have altered Anonymous’ Low Orbit Ion Cannon (LOIC) DDoS tool. He advertised the patched tool to Anons as one that could make “your DDOS attacks up to 70x as effective. By combining IP and MAC source address spoofing, and trackers over TOR, anonymity is guaranteed.” In reality, he added a backdoor that broadcast in the clear the IP addresses of systems using the tool—and tailored the code to avoid detection by anti-virus utilities. Then he posted a blog informing Anonymous that their tool had been corrupted.

The story has a few gaps in it; for one, the LOIC tool never included any anonymization. Members of ReaperSec claim The Jester really just made the claims and got a friend to support them. So the whole story of the LOIC hack could be another case of "Jester Psychological Operations Theater."

Since then, Anonymous members and The Jester have continuously tried to find ways to “dox” each other, exposing identities. Anons have fingered a number of people as allegedly being The Jester, while he has engaged in some attempted exposé of his own.

Last June, The Jester tried to expose the LulzSec hacker Hector Xavier “Sabu” Monsegur, identifying him as “Xavier de Leon”—and getting Monsegur’s location (New York City) correct. He also identified e-mails and websites associated with Monsegur based on the IP address he left exposed in chat. But Backtrace Security had already successfully doxed Sabu, and the FBI used similar information to uncover Monsegur’s identity (to somewhat greater effect; they turned Monsegur into an informant).

Followers of The Jester have gotten in on the act, especially during sometime-Anon-spokesperson Barrett Brown’s involvement with OpCartel, the Anonymous efforts against the Mexican drug cartel the Zetas. After Brown accused a North Carolina district attorney of being connected with the Zetas, Brown's former address and phone numbers were “doxed.” Brown accused Robin Jackson, a Helena, Montana computer forensics consultant, of “promoting addresses of innocents for #Zetas” and labeled him ex-military, a “fascist” (in a post later deleted), and—most damning of all—“friends w/@th3j35t3r.” (Previously, some Anons had accused Jackson of actually being The Jester.)

In March, The Jester tried to exploit all his enemies at once with bait placed on his Twitter feed: a QR code that he claimed exploited a weakness in the WebKit mobile browser framework to collect Twitter credentials and other information from people on an “enemies list.” The list included the Twitter accounts of members of Anonymous (including Barrett Brown), WikiLeaks, and Rhode Island Rep. Dan Gordon—who The Jester felt had made comments supportive of WikiLeaks. Once again, though, there's debate about whether this hack actually did anything other than create more uncertainty.

The enemy of my enemy

On May 10, someone set up a Twitter account, @cubespherical, under the name “Smedley Manning”—an allusion to presumed WikiLeaks leaker Bradley Manning. Through that account, the person started trying to get The Jester’s attention, requesting direct messages. About the same time, The Jester was posting to his blog, alluding to a big reveal on his Saladin tool. But he also alluded to potential trouble:

‘The worst enemy a person can acquire, is the enemy he once considered a friend.’ – Me – 2012 additionally….. and in complete back to back contradiction as we all know… I never double dip my quotes. ‘The enemy of my enemy is my friend’ – Unknown. So the usual suspects… the boys at reapersec (lowercase intentional) are co-ordinating and finding themselves allies. Its funny because I was informed of an organized attempt to discredit me that would require a prescribed reaction from me over 18 hours ago.

So, like Babe Ruth pointing to the fence, The Jester appears to have pointed out the members of ReaperSec as the source for the doxing. On May 13, “Smedley Manning” publicly tweeted again, asking to talk in direct messages, posting The Jester’s alleged initials (RCD), wishing him a “Happy Birthday for next week,” and dropping other hints of personal knowledge. Those included allusions to a physical altercation in the past: “10 words for you. Dallas Cowboys. Scruffy Murphys GA, Shiner, Ft Benning, 2003. You.”

Later, “Smedley” posted screen shots of an alleged direct message conversation between him and The Jester, in which he told The Jester what he had on him. The conversation shows him telling The Jester that Smedley knows his name (blacked out), what unit he was with at Fort Benning (apparently the 75th Ranger Regiment), and the fact that he had moved on to a position at the Special Operations Command (SOCOM). And Smedley said that he would be dropping all The Jester’s personal information—including his résumé—once he had raised 20,000 Bitcoins—partly to donate to WikiLeaks and partly for himself (“I am soon done here, and need a little settlement”).

But some of the details posted by @cubespherical were a bit off. He posted a link to a photo he claimed came off of The Jester’s personal Facebook profile; that photo, as an image search showed, wasn’t from Facebook but from a Georgia used car dealer’s website.

On the morning of May 14, The Jester’s Twitter account was deleted and the contents of his blog disappeared. But that evening, a new Twitter account, @th3j35tr, popped up claiming to be The Jester. Some familiar with him say it’s not him. Some, including Barrett Brown, believe “Smedley” is The Jester himself or another associate. Whoever is behind “Smedley” claims the new account is just a friend of The Jester’s trying to save face, while the “new” Jester congratulated @cubespherical on hacking his Twitter account and then announced, “The rumors of my death have been greatly exaggerated.”

The new Jester account then announced that The Jester was bringing down WikiLeaks.org and Westboro Baptist Church’s sites. Again. If “he” is really him... but that’s a known unknown.