LONDON, UK—The four British Lulzsec hackers—Mustafa "tflow" al-Bassam, Ryan "kayla" Ackroyd, Jake "topiary" Davis, and Ryan "ViraL" Cleary—were sentenced today to between 20 and 32 months in jail for crimes committed during Lulzsec's 50 day hacking spree in 2011. Prosecutors described the men as being at the "cutting edge of contemporary and emerging criminal offending known as cybercrime" and as "latter-day pirates."

At previous hearings, al-Bassam, 18, of Peckham, London, and Davis, 20, of the Shetland Islands, entered guilty pleas to charges of conspiracy to commit DDoS attacks against targets including Westboro Baptist Church, Sony, Bethesda, and EVE Online. They also pled to conspiracy to hack targets including Nintendo, Sony (again), PBS, and HBGary. Ackroyd, 26, of Yorkshire, pled guilty only to the hacking charge.

For these crimes, al-Bassam was sentenced to 20 months, suspended for two years and received 300 hours of community service. Davis was sentenced to 24 months in a young offender's institute, of which 12 months must be served. Time served on bail with an electronic tag counts towards this, leaving Davis with 38 days remaining on his sentence. Ackroyd was sentenced to 30 months.

Cleary, 21, of Wickford, Essex, pled guilty to both of these charges and a further four: constructing a massive botnet, making that botnet available to others, hacking into a Pentagon system, and performing DDoS attacks against DreamHost. Cleary also entered a guilty plea against three counts of possession of indecent images of children. (After his arrest, forensic examination of his PC revealed a deleted directory containing 172 sexual images of children as young as six months.)

For building the botnet Cleary was sentenced to 18 months, which will run concurrent with an eight month sentence for making the botnet available to Anonymous. For the charges shared with al-Bassam and Davis he was sentenced to 20 months. That sentence will also run concurrent with the botnet charges. For the Pentagon and Dreamhost attacks he was sentenced to 12 and eight months respectively. These sentences will run concurrent with each other—but consecutive to the other four sentences.

This yields a total of 32 months of which 16 need to be served. Due to the time spent on remand, these 16 months count as already served. However, he was not released today, as sentencing for the child pornography charges was adjourned until June pending further psychiatric evaluation.

Two further charges of conspiracy to commit fraud were brought against all four. The prosecution declined to present evidence for these charges, and accordingly verdicts of not guilty were entered.

The handling of these charges was an important issue. The Crown wanted to leave them on file (which may have proven useful if the other charges had gone to trial and resulted in not guilty verdicts, as it would have offered a second chance to go after the four). The court was concerned however that if the charges were not conclusively handled there was risk of extradition to the US since the four have also been indicted in America for the Lulzsec crimes. The not guilty verdicts should substantially preclude any extradition as all charges related to Lulzsec have been handled by the UK courts. Similarly, Ryan Ackroyd has a not guilty verdict entered against the DDoS charge.

The crimes committed were deemed "serious crimes," and all four hackers will receive Serious Crime Prevention Orders that will impose various restrictions on their behavior. (Restrictions include requiring the police to be notified of the whereabouts of all Internet-connected computers they possess subsequent to their release from prison.) This is due to what the judge called a "substantial" risk of reoffending.

Summing up, judge Deborah Taylor said that the four "cared nothing about the privacy of others" even as they used various technical measures to protect their own identities. Though not motivated by financial gain the four were aware that their behavior could, and did, lead to substantial or catastrophic losses for others. In particular the taunting of Penny Leavy and Greg Hoglund of HBGary made "chilling reading," yet this behavior was described by Jake Davis as the "most fun" thing that Lulzsec did.

The sentences were more severe than those given to hackers involved in DDoS attacks earlier this year due to the widespread dissemination of personal information that caused losses claimed to run into the tens of millions of dollars.

Speaking after the sentences were handed down Detective Superintendent Charlie McMurdie, head of the Police Central e-Crime Unit that investigated the crimes after being tipped off by the FBI, said that the four were the "worst kind of vandal," and that they acted "without care of cost or harm to those they affected." She said that "cybercrime" is a "Tier 1 threat" against the UK and that these sentences should "serve as a deterrent to others who use the Internet to commit cyber attacks." McMurdie added that the successful prosecution should be a "warning to other cybercriminals that they are not invincible."

A history of lulz

With all four members entering guilty pleas, the court had not previously heard the major evidence against them or the specifics of their involvement. The prosecution gave an outline of the charges and recounted a chronological history of Lulzsec's exploits.

The court heard that HBGary was the group's first major attack—with the hackers still using the name Internet Feds—with the Lulzsec name created in the aftermath. The prosecution claimed that the four core members of Lulzsec were tflow, kayla, topiary, and American FBI informant Hector "Sabu" Monsegur. Ryan Cleary was not a core member, though he wanted to be one, and IRC chat records indicate that he was heavily involved with the group's operations.

Each of the five had a clear role. Sabu and Kayla were the hackers, responsible for both exploiting vulnerable software and vulnerable people, socially engineering access to privileged accounts. The pair was described as the "rooters," a term that the Crown Prosecution Service defined as the ability to access the "root directory" of the systems they attacked. For example, said the prosecution—if you put a DVD into your PC, then the "D drive" is the root directory. (The term "rooter" has, of course, nothing to do with root directories and everything to do with Unix's root account. The pair was versed in using exploits to escalate privileges and gain access to user id zero.)

Topiary ran the group's Twitter account and, for lack of a better description, was a PR agent. tflow ran the Lulzsec website, helped disseminate information, and recruited hackers to the cause in addition to identifying vulnerable target systems.

Cleary provided extensive material support. The prosecution described his botnet, which was constructed using Python software that, it claims, Cleary himself developed. The court heard that at its peak, this botnet could call on the bandwidth and resources of 100,000 systems. This figured represented perhaps 10 percent of the machines infected with Cleary's malware.

This botnet used a common structure: the malware on each infected PC connected to an IRC command and control server that Cleary operated to pick up new instructions. The prosecution was quite unclear on how technically adept Cleary was. On the one hand, it claimed that he wrote the botnet software himself, using Stackless Python, and that he took advantage of Internet Explorer flaws to recruit machines. On the other hand, it also said that he used the well-known Zeus malware to infect systems.

Though the antecedent Anonymous organization was (in a broad sense) sociopolitically motivated, Lulzsec initially eschewed such rationalizations for its actions, acting only to amuse its members and promote itself. Demonstrating this through chat transcripts read in court, Davis wrote that his "only goal is to cause absolute chaos." In response, Cleary said that they should "go after the cunts that are going after me and you" and take out the UK's Serious Organized Crime Agency (SOCA) website in a DDoS attack.

In addition to using this botnet to perform DDoS attacks at Lulzsec-chosen targets, Cleary also provided access to compromised servers that were used for hosting IRC services, storage, and hosting for data purloined from Lulzsec's various victims.

Davis described Cleary in logs as being "trigger happy." Cleary, for his part, acknowledged that "sure, [hacking] is a crime, obviously, but it's not like it's fucking serious."

Cleary's outsider status was reinforced in early June, 2011 when chat logs from IRC channel #pure-elite were leaked to Pastebin. Ackroyd initially blamed Cleary for this transgression.

Patel said that the Lulzsec crew, seeing themselves as "latter-day pirates," was primarily motivated by "anarchic self-amusement." However, they were not blind to the repercussions that publishing sensitive personal information could have. To preclude any mitigating claims that the hackers were interested only in embarrassing the victims, Patel pointed out that on numerous occasions, other hackers were encouraged to download the considerable amounts of personal information that Lulzsec published—including 74,000 users who'd registered at fox.com to find out about X Factor auditions and 20 million users of Sony's PlayStation Network. Lulzsec used this information for phishing and other attacks. As he put it, the four were "not naive to the risk that confidential data might be misused" for fraud.

Caught

The prosecution also gave brief details of the four men's arrests. Cleary was picked up first, arrested in his bedroom on the evening of June 20, 2011. At the time of his arrest his PC (using Windows) was up and running with no encryption and only a password for security. He immediately cooperated with officers, disclosing passwords and the necessary commands to tell the botnet to stop the DDoS attack on SOCA that was ongoing at the time.

It was during forensic examination of Cleary's PC that the police found and subsequently recovered a number of deleted images of child pornography. Cleary was re-arrested on October 4 and admitted to having downloaded the images from a member-only child porn site. In total 58 images were classified as level four ("penetrative sexual activity involving a child or children, or both children and adults"), 44 were level three ("non-penetrative sexual activity between adults and children"), 10 level two ("non-penetrative sexual activities between children, or solo masturbation by a child"), and 60 level one ("images of erotic posing, with no sexual activity").

Mustafa al-Bassam was second to be taken into custody. He was arrested on the afternoon of July 9, 2011—again in his bedroom. He provided police with passwords to his PC. During the search of his property a hand-written note was found in his anorak. This note contained extensive information about past Lulzsec activity and it also named Ackroyd and Monsegur as the key hackers.

Next to fall was Jake Davis. The police arrested him on the afternoon of July 27. His computer was running at the time and he provided encryption keys and passwords necessary to access information on it. After being cautioned he told police about Lulzsec's organization and responsibilities: Ryan Cleary was responsible for DDoS attacks, including the one on SOCA, and that Ryan Ackroyd and Hector Monsegur were responsible for the HBGary hacks.

Police found copies of many of the Lulzsec data dumps on Davis' computer along with credit card numbers, passwords, and other information. Davis used Truecrypt to protect this information.

Ackroyd was the last to be brought in. He was arrested on September 1, 2011. His computer was turned on and opened to his Twitter account. Unlike the other three however Ackroyd was consistently uncooperative. He claimed that he knew nothing about computers and that it was his brother who was the computer expert and that Kayla was his sister. He said he had never heard of Lulzsec and had no knowledge of what IRC was. He even claimed that the Twitter account he had open at the time of his arrest was not his own. Ackroyd also took measures to protect his security, using software to delete incriminating log files each time his computer was booted.

While the other three entered guilty pleas at the earliest opportunity, in June 2012, Ackroyd insisted that he was not guilty right up until the day his trial was due to start. On April 9, 2013 he pled guilty to the hacking charge (but not the DDoS charge).

Difficult childhoods

In mitigation Cleary's lawyer John Cooper told the court that his client had a difficult childhood and retreated to the online world. Cleary has been diagnosed with Asperger's syndrome and due to this affliction tended to become obsessed and compulsive. He had difficulty socializing but found an outlet in the online world. Cooper insisted his downloading of child pornography was not the work of a "career sexual pervert." Rather, according to Cleary's lawyer, it was a result of his obsession with his computer and "what he could find on his computer."

Cooper also emphasized that DDoS attacks were highly unsophisticated and that although Cleary made his botnet available to Lulzsec and Anonymous, he did not direct its usage except in the case of the SOCA attack. As a Lulzsec outsider he was also not involved in core decision-making. Her Honor Judge Taylor did not appear immediately impressed by the claims of a lack of sophistication, remarking that a botnet of 100,000 PCs was "not unsophisticated."

Davis too had childhood difficulties according to his lawyer, Simon Mayo. He preferred reading to sports, found it difficult to socialize, and was bullied at school. The trauma of the death of his stepfather when he was 12 led to diagnoses of depression. The 2010 suicide of his biological father, who had sought to make contact with him after several years in which he did not contact his family, led Davis to himself attempt suicide.

As with Ryan Cleary Mayo described how Davis found a refuge of sorts online. He found "companionship in cyberspace" but was subsequently "sucked into a chain of events" that ultimately led to his arrest.

A similar tale was less convincingly described for Mustafa al-Bassam. An Iraqi immigrant who came to the UK at age six, al-Bassam was described by defense lawyer Anthony Orchard as a shy kid who found it difficult to make friends, leading him to the online world. He felt isolated and had a need to belong and this is what the Internet provided. The judge questioned some aspects of this description, however, as statements from his school tutors appeared to contradict the claims of social isolation.

Ryan Ackroyd was unusual. He demonstrated no great aptitude for computers when young—he achieved only a D grade in the IT GCSE exam—but taught himself to program in his late teens after becoming interested in online gaming. After a five-year stint in the UK Army, during which he served in Iraq, he became aware of Anonymous after its "Operation Payback" activity opposed anti-piracy organizations. He learned that he could acquire status and reputation with his knowledge of hacking and from there things "spiraled out of control."