On January 17, 2012, a hacker affiliated with the group Anonymous managed to infiltrate and record an international conference call between members of the FBI and UK police on the topic of Anonymous. The conference call revealed a plan by UK investigators to intentionally delay several current court cases against accused Anonymous members for up to eight weeks in order to help the New York FBI execute on some major action.

After today's major raids against top Anonymous and LulzSec operatives, we now know just what the FBI was planning—and how the call was recorded in the first place.

Cybersecurity and Gmail



The leak wasn't due to any lax security on the part of the Bureau; instead, it originated in Ireland. At some point in December 2011 or January 2012, two officers from the Irish national police An Garda Síochána (the "Garda") had their personal Gmail accounts compromised by a hacker. No big deal from a security perspective—except that one of the officers "routinely sent e-mail messages from an official Garda e-mail account to one of the Compromised Gmail Accounts," according to an FBI warrant request unveiled today.

The hacker monitored the Gmail account for weeks. During the month of January alone, Google's records show that he accessed the compromised accounts 146 times through a VPN called Perfect Privacy. At some point, he saw an e-mailed invitation for a conference call related to Anonymous, and he pounced.

Using the name "anonsacco," the hacker then entered a private Anonymous IRC chatroom called "#sunnydays" and spoke to the government source tagged only as "CW" in the FBI affidavit today. (CW appears to have been "Sabu," a notorious Anonymous/LulzSec hacker who had in fact been arrested in June 2011 and then turned into an FBI informant. Sabu had an FBI agent watching him 24 hours a day, monitoring and even directing all of his online interactions.)

Anonsacco opened the dialogue with CW by saying, "Hi mate. Could I ask you for help? I need to intercept the conference call which would be a very good leak. I have acquired info about the time, phone number, and pin number for the conference call. I just don't have a good VOIP setup for actually calling in to record it... If you could help me, I am happy to leak the call to you solely. I guarantee it will be of interest!!!"

On January 17, using login details in the e-mail, anonsacco joined and recorded the conference call.

On January 28, anonsacco was back in IRC with an offer to share the recording he had made. "I think we need to hype it up," he wrote. "Let the feds think we've been recording the calls. They will be paranoid that none of their communications methods are safe or secure from Anon." (The Twitter account "AnonymousIRC" took the advice to heart, tweeting, "The #FBI might be curious how we're able to continuously read their internal comms for some time now. #OpInfiltration")

Anonsacco then used an online file-sharing service to send a copy of the recording to CW. It was later uploaded to YouTube by someone else, where it was viewable by the public.

Endgame

Was the whole thing a setup? Probably not. All the way back in August 2011, the FBI had pressed its confidential source to trick anonsacco into linking himself to other IRC handles like "palladium." CW asked palladium to prove his identity, in part by commenting on his use of Perfect Privacy and by asking about a specific IP address from which he sometimes connected. Given that knowledge, the FBI must have known that a conference call hack was pending. Yet it's not clear from the affidavit that the FBI recognized anonsacco's initial comments as referring to an FBI conference call at all; considering the frank conversation and apparent accuracy of the call's participants, foreknowledge seems unlikely.

Perhaps the most surprising revelation in the affidavit is that anonsacco/palladium had a history with the police. He had actually been picked up by the Garda on September 1, 2011 in conjunction with another hack. (He later told CW that he had been "v&" or "vanned" by the police, and he expressed surprise that the police showed him detailed transcripts of his conversations.)

He was released after his arrest, however, and promptly went back out and infiltrated Garda e-mail accounts. On January 9, 2012, he even boasted to CW that he had "just got into the iCloud [account] for the head of a national police cyber crime unit. I have all his contacts and can track his location 24/7."

The FBI and the Garda have identified anonsacco/palladium as 19-year-old Donncha O'Cearrbhail, a resident of the 6,000-person city of Birr, Ireland. (He appears to be this Donncha O'Cearrbhail from Birr, though the last name is spelled slightly differently in the FBI complaint. His Twitter account describes him as an "infosec enthusiast." He describes himself as a member of the Pirate Party at Trinity College, Dublin.) His father is a councillor who sits on the Offaly County Council; he declined comment today on his son's activities.

The FBI this morning requested and received an arrest warrant from US Magistrate Judge Ronald Ellis in lower Manhattan. For his conference call recording, O'Cearrbhail might now face the possibility of extradition to the US—and of federal jail time.