LulzSec didn’t invent hacktivism, let alone hacking. But the small crew of publicity-hungry digital pirates may have ushered in a new era for both as they merrily sailed the cyber-seas for 50 days of mayhem that became perhaps the biggest tech story of the first half of 2011.
LulzSec now says that it’s put the Lulz Boat in permanent dry dock. Taking the group at its word, what did these six individuals (the membership number LulzSec now cops to) accomplish in their brief but explosive time in the spotlight?
Brand Name Hacktivism
More important than the digital scalps LulzSec took—Sony, PBS, Infragard, the CIA, Arizona’s Department of Public Saftey, to name a few—was the group’s canny use of social media and clever manipulation of a pliant press that may have redefined hacktivism forever.
LulzSec, short for Lulz Security, seems to have coalesced some months ago from the core group of hackers in the Anonymous collective which raided the computer systems of security firm HBGary Federal in February. Many of the handles used by purported Anonymous members in leaked Internet Relay Chat (IRC) logs where the HPGary Federal hit is discussed extensively have been linked to LulzSec’s core group of six members.
At some point, it seems, this group came up with a remarkably effective strategy for branding itself and publicizing its exploits. That campaign involved adopting a name based on the “in it for the lulz” (or laughs) Internet meme that straddles the line between being recognizable to a good chunk of the mainstream audience and still insider-y enough to seem young and hip.
Next, LulzSec used Twitter and its own Web site to great effect in scoring media coverage of its latest adventures in hacktivism. The LulzSec Twitter feed had more than 283,000 followers by the time the group called it quits. Following LulzSec’s first major attacks, including a hack of Fox.com and the publication of thousands of transaction logs from ATMs in the U.K., scores of mainstream and tech journalists began following “The Lulz Boat” religiously on Twitter.
A LulzSec core member called Topiary is believed to have been the group’s mouthpiece and PR specialist. His taunting, witty tweets entertained LulzSec followers in between the gleefully transmitted news that another prominent site had been taken down or defaced, or that documents had been uploaded to public forums with gigabytes full of sensitive data purloined from a network intrustion.
The final ingredient in the group’s success was simple. LulzSec delivered. During its 50-day run, LulzSec alerted the public to a high-profile hack, Web page defacement, or site takedown about once every three to four days.
More than the funny ASCII drawings of boats or the colorful operational names (“F*** FBI Friday,” “Chinga La Migre”), this is what kept everybody coming back for more “lulz.”
This is Why We Can Have Nice Things
LulzSec may also have paved the way for a new method of doing things within the loose online collective known as Anonymous. That anarchic movement has been fairly successful in its various cyber-pranks and site takedowns since getting serious about such operations in recent months. The bumbling, opportunistic raid on Sarah Palin’s Yahoo email account back in 2008 by anonymous members of 4Chan’s /b/ board seems like ages ago.
But the arrests of dozens of suspected Anonymous members in recent weeks demonstrates that such a large, flowing membership base is probably detrimental to keeping secrets. Whether or not authorities are now closing in on LulzSec’s members, the group did manage to pull off their 50-day lulz spree without getting caught.
Instead of operating within the sprawling, “leaderless” climate of Anonymous, LulzSec formed itself as a small cadre of talented individuals, each with a key skill to offer (despite being derided as “script kiddies” by some rival hacking groups, LulzSec had skills). The group was reportedly comprised of hackers (like Sabu) who handled the network intrusions, coders who built software tools, botnet owners who launched DDoS attacks, and even a frontman in Topiary.
LulzSec almost certainly emerged from Anonymous and likely has simply melted back into its ranks since disbanding. The group may have distanced itself from Anonymous at first, but with the launch of Operation Anti-Security in concert with Anonymous, LulzSec indicated it had never really strayed too far from its roots.
With reportedly strong ties to other senior members of Anonymous, LulzSec’s members may be in a very good position to instruct others on the strategy and tactics that made them such a success. The group already has copycats like Canada’s LulzRaft. Would it be all that surprising to see more tight-knit hacking cells emerge from Anonymous and elsewhere?
When—not if—that happens, those next-gen LulzSecs would be wise to heed a final lesson from the originals: Know when to quit. And when you do, know how to bow out with some panache. LulzSec’s stated motivation for disbanding was “boredom”—a game effort at laughing in the face of the real reason—that authorities were closing in.