The thrill of cracking security, and of striking a symbolic blow against the establishment, can seem irresistible to tech-savvy British youngsters – but it’s an addiction that can end in a prison sentence. Welcome to the risky world of hacktivism.

Hacktivism came to mainstream prominence three years ago, as the likes of Anonymous and spin-off LulzSec nabbed headlines with their “operations” against companies and government departments; “Operation Payback” targeted PayPal and MasterCard for not accepting payments for WikiLeaks, for example. Hackers with an axe to grind were 2011’s internet subculture stars.

Their moment in the spotlight was short, however. Attacks against the FBI and the UK’s Serious Organised Crime Agency (SOCA) provoked the authorities into action, and they clamped down on hacktivists with a series of arrests and punishing prison sentences.

Kicking down the door

It was 1am when the police burst into James Jeffery’s West Midlands home on a tip-off from fellow hacktivist (and now FBI informant) Sabu, more officially known as Hector Xavier Monsegur. They caught him red-handed – his laptop lay open with hacking programs running.

“They took the door off – it was surreal,” Jeffery said. “I was in bed watching Family Guy and doing some hacking. I was using my laptop without a hard drive and was hacking things at the time.

“From all the noise and banging, I thought someone was robbing the house, so I jumped out of bed and ran down the stairs, and there were the police pointing tasers at me. I didn’t have the sense to pull the plug on the laptop because I didn’t realise it was the police, so I was caught with all this stuff on my computer.”

Within days, Asperger’s sufferer Jeffery found himself in Wandsworth Prison; he was refused bail, to prevent him from covering his tracks or hacking further targets.

He was eventually sentenced to 32 months for hacking the website of the British Pregnancy Advisory Service (BPAS), defacing it and stealing sensitive patient details. Although he didn’t follow through on threats to release the data, Jeffery accepts that his choice of target resulted in unnecessary grief for innocent people.

“The abortion clinic was the only thing [they] charged me with and that was the big thing. I started the operation because I didn’t agree with abortion,” he said. “I know now it was wrong to do what I did. It could have caused a lot of problems for people, especially if I’d gone public.

“I did deserve to get punished for that. At the time I was suffering with depression and drinking too much; my actions were becoming more reckless. In a way, I was happy that I was stopped before it went on to bigger things and I ended up with a longer sentence.”

He added: “I didn’t expect such a harsh punishment, though.”

Collateral damage

He’s not the only former hacktivist to show remorse, or to realise that attacks targeting large corporations often hurt individuals, since it’s the individuals’ data that’s being posted online. “There are regrets, not over the actions, but for the collateral damage caused to innocent people, those whose passwords were leaked,” said former LulzSec member Ryan Cleary, speaking at a Royal Court Theatre event to promote a new play depicting hacktivism, Teh Internet is Serious Business.

“They trusted their personal data to companies with disgustingly bad security. When those companies [were] targeted their stuff got leaked, so they got hurt more than the company,” he said. “You have to feel sorry for them and the way their accounts were abused.”

However, at the time of the attacks, personal motivations overcame such concerns. “When you release something like ‘I defaced a US site’, it’s a nice feeling – a real adrenaline buzz that you’ve got the media attention,” said Jeffery. “You almost feel like you’re guarding the moment, because if you can access something you feel as if you could do anything you want.”

The acclaim and the buzz were what led Jeffery to more outrageous targets. “Towards the end, I was focusing more on how much I enjoyed the attention and I was doing bigger things to get more attention,” he said.

“It was still to do with my political feelings or causes, but the bigger the target – such as with government stuff – the bigger the thrill.”

Digital sit-in

While Jeffery’s final target may have been misguided, he shares the feelings of other hacker group members in that he doesn’t regret taking part in operations that promoted causes or exposed truths.

Participants in such online attacks feel the web and their skills give disaffected youngsters a platform to confront authorities, believing their actions can highlight issues and causes that aren’t covered in the mainstream media.

“I think hacktivism is a way for the public to have a voice. Anonymous was a global collaboration of hackers with the same interests, most of the time,” Jeffery said. “The only way to get the government to listen is to expose what it’s doing.

“Let the public see the truth. Edward Snowden, Julian Assange, Bradley Manning – they’re all heroes, risking their freedom and lives to expose the truth. Morally and ethically, that’s the correct thing to do. It’s in the public interest. If the government won’t tell you the truth, then take the truth.”

While that may sound naive, some of the “operations” run by LulzSec and Anonymous did have a positive impact on the wider world. At the Royal Court Theatre event, four other convicted former LulzSec members underlined the group’s intentions to do “good things”, seeing themselves as modern-day Robin Hoods.

One LulzSec operation that exemplifies more worthwhile goals was conducted in February 2011, when the team wrote code to disrupt international government attempts to restrict social media during civil unrest. “Countries such as Tunisia and Zimbabwe were censoring parts of the internet, especially activists on Facebook, and spying on them and taking their login details,” said Jake Davis (better known as Topiary).

“We wrote a piece of code that countered their governments’ codes so people could still access the web. It would override the censorship and give them free use of the web,” said Davis. “And we set up chatrooms, which they could use as a platform to share videos and thoughts.”

The team was most proud of that operation because it was a collaborative form of support for the protesters, and “nothing illegal happened – it wasn’t hacking; it was just code writing”.

For hacktivists, web-based attacks are a legitimate form of protest, comparable to real-world disruptive demonstrations. “If the computers carrying out the DDoS attack are controlled by voluntary users rather than a botnet, I really don’t see any difference between that and a real-life sit-in,” said Mustafa Al-Bassam, who was 16 when he was arrested for his part in the LulzSec hacks.

Not fun and games

The authorities disagreed, and took a hard line on hacking to make examples of those involved and to deter other potential hacktivists. Once the hackers started targeting government agencies and corporate giants, the establishment didn’t see the funny side of Lulz.

“The harm they caused was foreseeable, extensive and intended,” said Andrew Hadik of the Crown Prosecution Service at the sentencing of the LulzSec Four. “They set out to hack and publish hundreds of thousands of innocent individuals’ private details. Companies also suffered serious financial and reputational damage.

“To say it was all a bit of fun in no way reflects the reality of their actions,” he added. “They were in fact committing serious criminal offences.”

Heavy-handed approach?

Some in the security industry think the authorities came down too hard on those involved, questioning why the courts chose to throw the book at these young offenders when the cybercrime syndicates responsible for credit-card fraud and malware are arguably more damaging to the wider world.

“They seem to think ‘if we don’t stop these guys when they’re young, they’re going to get worse,’ but maybe if you left them alone they’d grow out of it like anyone else,” said Sean Sullivan, a security advisor with F-Secure. “Some of these actions are misdemeanours and we’re treating them like felonies, to use US-speak. We’re throwing the book at people that don’t deserve to have that book thrown at them.”

He gives the example of a British member of hacking group TeaMp0isoN, Junaid Hussain – who’s known online as Trick. In 2012, he was sentenced to six months in prison for his role in leaking Tony Blair’s personal details, alongside “phonebombing” the UK’s anti-terror hotline in a bid to disrupt the service.

Now released, Hussain is alleged to have reoffended; he was being investigated over non-hacking allegations when it’s believed he skipped bail and left the country to take part in political action in Syria in 2014.

“Trick’s in Syria. He’s probably doing campaign videos or other stuff – there’s no evidence that he’s in ISIS,” said Sullivan. “He’s one of these young Brits who, because he ran foul of the law, probably sees no future for himself in the UK, and so off he went to Syria. He seemed an intelligent guy; it’s a pity that we deal with hacking activists in a way that makes them feel that it’s impossible to do anything legitimate afterwards.”

Post-prison fallout

You may think that gaining notoriety as a hacker would attract interest from security companies eager to use those skills for penetration testing, but the reality is very different.

A criminal record rules out working in public-sector intelligence services, and corporate-security employers are equally sniffy about bringing hackers in from the cold. “In the past we’ve received applications from Asia that linked to a virus that they’ve claimed credit for; of course they go straight into the bin,” said Sean Sullivan, an analyst at security company F-Secure. “They may think you can switch from the dark side to the light side, but we draw a distinction between the two. Those involved in DDoSing or writing malware code are right out of the pool of candidates we’re willing to consider.”

Although former hacker James Jeffery has been contacted by a few people interested in exploiting his skills for purposes unknown, he hasn’t yet found full-time employment. “I have applied for a couple of jobs, for which I’ve been refused, mainly because I have a criminal record,” he said. “Having a criminal record isn’t beneficial to finding work.”

Instead, he’s working on several web-based projects for himself, while occasionally collecting payments from both Google and Facebook under their vulnerability reward programmes. “As a white hat, there’s no looking over your shoulder fearing there’s going to be a knock on the door,” he said.

Nervous brotherhood

As the four reacquainted LulzSec members talked at the Royal Court Theatre about the betrayal that led to their own arrests, they were remarkably sanguine about their former colleague Sabu’s defection to the FBI. At least on stage.

Hector Xavier Monsegur was a co-founder of the LulzSec movement, but turned informant after being arrested during the summer of 2011. He worked with the FBI for more than ten months, continuing his Sabu persona. It’s quite possible that Jeffery and others wouldn’t have been arrested without his help.

There is a certain sense of injustice: Jeffery was arrested before it was revealed Sabu was working for the FBI, so the police had to use another explanation as to how they found him. “They said they’d caught me through my IP address, but this isn’t possible because I’d been doing other things using the IP address, for which I wasn’t caught,” he said. “I used Tor and proxy changers, anonymous proxies in Russia, and VPN. It would have been impossible to trace that back to my address so quickly – there were only two people who were aware of what I was doing, and Sabu was one of them.”

LulzSec members say, in hindsight, that there were changes to Sabu’s online personality over the course of his time with the FBI. He’d be digging for more information about operations or asking about new members, presumably prompted by his FBI handler.

Above all, for someone like Jeffery – who didn’t have many close friends, but counted Sabu as one of them – there’s an ongoing sense of treachery that leaves a sour taste.

“It was shocking at first. When I found out he was an informant, I didn’t really believe it and I continued talking to him for a while,” says Jeffery. “When I was in prison, I was angry at his actions because I’d thought we were buddies. I knew a lot about him and he knew a lot about me. There was a sense of betrayal.”

Given the betrayal, the stress of going through prison and the ongoing difficulties posed by a criminal record, it’s easy to believe that convicted hackers would be disenchanted with the entire scene, but Jeffery still believes in the hacktivist movement – even if he chooses to steer clear of black-hat operations these days.

“Prison isn’t really an issue. I don’t fear that, or the law. But I did miss my girlfriend, my stepson and my parents. I can’t afford to put them through all this again,” he said. “I’m away from the whole Anonymous thing now.”

However, he warns that there are plenty of people ready to fill the hole left by LulzSec’s disintegration. Other groups are still going strong, and intelligent young people with a cause will continue to seek justice and prestige from behind their keyboards. “We need more people to take a stand and expose the truth. I’ve always said, ‘it’s power in numbers’. With a big enough force, you can make changes happen,” he said, adding a word of warning: “If you run a website, you can’t be completely secure from hacking.”

UK Hacktivist profiles

Ryan Cleary aka VIRAL: LulzSec member, admitted hacking into CIA, SOCA and Pentagon sites. Sentenced to two years, eight months.

Ryan Ackroyd aka KAYLA: Posing as a 16-year-old girl, the 24-year-old former soldier attacked Sony, among others. Two years, six months.

Junaid Hussain aka TRICK: TeaMp0isoN member, 18, served six months.

Jake Davis aka TOPIARY: The publicity-savvy voice of LulzSec. Arrested in the Shetland Islands aged 18, sentenced to two years.

Mustafa Al-Bassam aka TFLOW: LulzSec member and contributor. He was 16 at the time of arrest and seen as a coding whizz-kid. One year, eight months, suspended for two years.