‘Worst sort of vandals’: Lulzsec computer hackers go to jail

Ryan Ackroyd, Jake Davis, Mustafa Al-Bassam and Ryan Cleary considered themselves to be “latter-day pirates” when they masterminded sophisticated cyber attacks on major global institutions including the CIA, Sony, the FBI and Nintendo.

They were “hactivists” with the LulzSec collective behind attacks that stole sensitive personal data including emails, online passwords and credit card details belonging to millions of people.

News International, the NHS and the UK’s Serious Organised Crime Agency (Soca) were also victims of the group, who lived as far apart as London and the Shetland Islands and never met in person.

Sentencing them at Southwark Crown Court in London today, Judge Deborah Taylor said some of their taunting of their victims “makes chilling reading”.

What they considered a cyber game, she said, had in fact had real consequences.

“You cared nothing for the privacy of others but did everything you could through your computer activities to hide your own identities while seeking publicity,” she said.

Stolen information was posted unencrypted on their website and file-sharing sites like Pirate Bay in 2011, the court had previously heard.

They also carried out distributed denial of service (DDoS) attacks, using linked networks of up to one million computers to overpower and crash websites.

Their activity collectively cost their targets millions of dollars and potentially left millions of people at risk from criminals.

All had admitted offences under the Computer Misuse Act 1990.

Cleary, 21, of Wickford Essex, known as ViraL, pleaded guilty to six charges including hacking into US air force agency computers at the Pentagon.

He was jailed for a total of two years and eight months.

Ex-soldier Ackroyd, 26, from Mexborough, South Yorkshire, was jailed for 30 months having previously pleaded guilty to one charge of carrying out an unauthorised act to impair the operation of a computer.

The Iraq veteran used the online persona of a 16-year-old girl called Kayla.

Al-Bassam, 18, from Peckham, south London, used the alias tFlow. He was at school at the time and is currently sitting his A-levels, the court heard.

He was given a sentence of 20 months suspended for two years, plus 300 hours of community work.

Davis, 20, from Lerwick, Shetland, used the alias Topiary and was LulzSec’s main publicist. He was ordered to serve 24 months in a young offenders unit.

He and Al-Bassam had previously pleaded guilty to hacking and launching cyber attacks on a range of organisations, including the CIA and SOCA.

Detective Superintendent Charlie McMurdie, head of the Police Central E-Crime Unit, said the group were “the worst sort of vandals”.

Speaking outside court she said they were told about the group by the FBI.

When they raided Cleary’s home he was in the middle of attacking a website, she said.

She said LulzSec had been “running riot causing significant harm to businesses and people”.

“Theirs was an unusual campaign in that it was more about promoting their own criminal behaviour than any form of criminal financial profit,” she said.

“In essence they were the the worst sort of vandal, acting without care of cost or harm to those they affected, whether this was to cause a company to fold and so costing people their jobs, or to put at threat the thousands of innocent Internet users whose logins and passwords they made public.

“In the case of the (Arizona) police force whose employee details they revealed, the group’s reckless publication of confidential material could very well have threatened lives.

“They claims to be doing it for a laugh, but real people were affected by their actions.”

One director of a company targeted by LulzSec had to move his family after details leaked online lead to death threats against him, the court heard.

Al-Bassam left court without speaking to journalists.

Andrew Hadik, the Crown Prosecution Service London reviewing lawyer, said the group’s actions had been “cowardly and vindictive”.

“Co-ordinating and carrying out these attacks from the safety of their own bedrooms may have made the group feel detached from the consequences of their actions,” he said.

“But to say it was all a bit of fun in no way reflects the reality of their actions.

“They were in fact committing serious criminal offences for which they have been successfully prosecuted.

“This case should serve as a warning to other cyber-criminals that they are not invincible.”