FEDERAL BUREAU OF INVESTIGATION
FOI/PA
DELETED PAGE INFORMATION SHEET
FOI/PA# 1204913-0

Total Deleted Page(s) = 15
Page 2 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 3 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 4 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 5 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 6 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 7 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 8 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 9 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 10 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 11 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 12 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 13 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 14 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 15 - OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;
Page 16 - b6; b7C; OTHER - OBTAINED PURSUANT TO SEALED COURT ORDER;

XXXXXXXXXXXXXXXXXXXXXXXX
X Deleted Page(s) X
X No Duplication Fee X
X For this Page X
XXXXXXXXXXXXXXXXXXXXXXXX
This FBI FOIA release contains 137 pages of documents the FBI released on the Anti-Sec/Anti-Security movement. It covers three investigations from 2009-2012: a 2009 hack of Imageshack, the 2011 FuckFBIFriday V release on the CA DOJ agent Fred Baclagan, and a 2011 "computer intrusion" on the Texas Commission on Jail Standards.
The documents are heavily redacted, though they include mentions of grand juries and informants. The FBI even redacted portions of the Pastebin and YouTube releases from #FuckFBIFriday.
Another interesting find - the FBI informant Sabu tweeted the FFF V release. Is he one of the informants hinted at in these documents? https://twitter.com/anonymouSabu/status/137623622008324096
More background: #FuckFBIFriday releases: (they are redacted in the FBI FOIA):
Transcript
UNCLASSIFIED
b6b7C
As part of our ongoing effort to expose and humiliate our white hat enemies, we targeted a Special Agent Supervisor of the CA Department of Justice in charge of [redacted] We are leaking over 38,000 private emails which contain detailed computer forensics techniques, investigation protocols as well as highly embarrassing personal information. We are confident these gifts will bring smiles to the faces of our black hat brothers and sisters (especially those who have been targeted by these scurvy dogs) while also making a mockery of "security professionals" who whore their "skills" to law enforcement to protect tyrannical corporativism and the status quo we aim to destroy.
"Greetings Pirates, and welcome to another exciting #FuckFBIFriday release.
b6b7C
On 11/18/2011, a YouTube video was posted with the title "#AntiSec Fuck FBI Friday V - Cybercrime Investigator Communications" from the YouTube user account [redacted]. The video was 6:03 long and stated the following information, which was also posted as text below the video:
Details: On 11/18/2011, retired California Department of Justice Special Agent Supervisor [redacted] advised that he received text messages from his own Google telephone number indicating that he had been "owned".
Synopsis: Request case be opened on captioned investigation.
UNSUB(S); #ANTISEC;
[illegible] COMPUTER INTRUSION
Title:
Case ID #: 288A-SD-NEW
Drafted By:
Approved By:
From: San Diego
CY1
Contact: SA [redacted]
b6b7C
To: San Diego
Date: 12/01/2011
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
(Rev. 05-01-2008)
b6b7C
b7E
b6b7Cb7E
2
UNCLASSIFIED
We are Anti-Security,
We are the 99%
We do not forgive.
We do not forget.
Expect Us!"
Hackers, join us and rise up against our common oppressors - the white hats, the 1%'s 'private' police, the corrupt banks and corporations and make 2011 the year of leaks and revolutions!
We often hear these "professionals" preach about "full-disclosure," but we are sure these people are angrily sending out DMCA takedown notices and serving subpoenas as we speak. They call us criminals, script kiddies, and terrorists, but their entire livelihood depends on us, trying desperately to study our techniques and failing miserably at preventing future attacks. See we're cut from an entirely different kind of cloth. Corporate security professionals like Thomas Ryan and Aaron Barr think they're doing something noble by "leaking" the public email discussion lists of Occupy Wall Street and profiling the "leaders" of Anonymous. Wannabe player haters drop shitty dox and leak partial chat logs about other hackers, doing free work for law enforcement. Then you got people like Peiter "Mudge" Zatko who back in the day used to be old school l0pht/cDc only now to sell out to DARPA going around to hacker conventions encouraging others to work for the feds. Let this be a warning to aspiring white hat "hacker" sellouts and police collaborators: stay out the game or get owned and exposed. You want to keep mass arresting and brutalizing the 99%? We'll have to keep owning your boxes and torrenting your mail spools, plastering your personal information all over teh internets.
These cybercrime investigators are supposed to be the cream of the crop, but we reveal the totality of their ignorance of all matters related to computer security. For months, we have owned several dozen white hat and law enforcement targets-- getting in and out of whichever high profile government and corporate system we please and despite all the active FBI investigations and several billion dollars of funding, they have not been able to stop us or get anywhere near us. Even worse, they bust a few dozen people who are allegedly part of an "anonymous computer hacking conspiracy" but who have only used kindergarten-level [redacted] - this isn't even hacking, but a form of electronic civil disobedience.
[redacted] The information in these emails will prove essential to those who want to protect themselves from the techniques and procedures cyber crime investigators use to build cases. If you have ever been busted for computer crimes, you should check to see if your case is being discussed here. There are discussions about [redacted]
We turned on his google web history and watched him [redacted] We also abused his google voice account, making sure [illegible] friends and family knew how hard he was owned. Possibly the most interesting content in his emails are the [redacted]
We hijacked two gmail accounts belonging to [redacted] who has been a cop for [redacted] years, dumping his private email correspondence as well as several dozen voicemails and SMS text message logs. While just yesterday [redacted] was having a private BBQ with his [redacted] high computer crime task force friends, we were reviewing their detailed internal operation plans and procedure documents. We also couldn't overlook the boatloads of embarrassing personal information about our cop friend [redacted] We lulzed as we listened to [redacted]
To: San Diego From: San Diego
Re: 288A-SD-NEW, 12/01/2011
UNCLASSIFIED
b6b7Cb7E
3
UNCLASSIFIED
Additionally, some of the information contained within [redacted] account was posted at [redacted]
On 11/30/2011, California Department of Justice provided the FBI with a CD-ROM disc containing the files located at [redacted]. These files are contained in a 1-A envelope to this file and are password protected with the following password: [redacted].
A link was also provided on the YouTube page to the documents that were taken from [redacted] account. The information was located at [redacted]
To: San Diego From: San Diego
Re: 288A-SD-NEW, 12/01/2011
UNCLASSIFIED
UNCLASSIFIED
The zipped file was placed on a CD-ROM disc and placed in the 1-A file.
and downloaded the torrent containing the contents of the Gmail files exfiltrated from
[redacted] accounts. The contents included one zipped file
[redacted]
Details: On 12/01/2011, following a determination that the CD-ROM disc obtained from the California Department of Justice had become corrupted, SA [redacted] visited the website [redacted]
b6 b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
Date dictated
File # 288A-SD-73148
by SA [redacted]
Investigation on 12/06/2011 at San Diego, CA
Shortly after receiving the text messages from the individuals claiming they had compromised his accounts, [redacted] began receiving telephone calls from friends and family members who advised him that they were receiving suspicious messages from him on Facebook. The individuals also advised that there were [redacted] and other out of character posts on his Facebook feed.
By noon [redacted] had recovered and locked down all of his accounts. Text messages continued arriving on his cellular telephone that appeared to be from his Google Voice telephone number. Fearing that his Google account was still compromised, [redacted] deleted the Google account.
Following the recovery of his accounts, [redacted] received a text message that stated that it wasn't over and a text message that made a reference to the tough economic times and financial
Date of transcription 12/07/2011
- 1-
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
[redacted], date of birth [redacted], social security account number [redacted], was interviewed at the San Diego Division of the Federal Bureau of Investigation. Also attending the interview were ITCFE [redacted] and IA [redacted]. After being advised of the identity of the interviewing Agent and the nature of the interview, [redacted] volunteered the following information:
b6 b7C
[redacted] referred to the written statement he had previously submitted and advised that the information provided within was accurate. A copy of the written statement is contained in a 1-A envelope in the file.
On 11/18/2011, at approximately 7:00 am PST, [redacted] began receiving text messages on his cellular telephone from the telephone number associated with his Google Voice account, [redacted]. The text messages were statements similar to "We have you" and "We own you". Additional text messages were received that directed [redacted] to enter an IRC chat room to discuss the matter with the individuals that had taken over [redacted] accounts. [redacted] advised that he did not reply to these messages and does not recall the exact context of the messages or the name of the IRC chat room that they were directing him to. [redacted] stated that he has deleted the text messages and has no record of them.
b6b7C
b6b7C
b6b7C
b6b7C
[redacted] advised that he has wiped the hard drives of both his laptop and desktop computers. He also stated that he has deleted his Google account that was compromised and reset his
[redacted] was unaware if the Gmail account that he had created [illegible] had been compromised. Additionally, [redacted] did not remember the exact name of [illegible] account or the password for it.
Although #AntiSec claimed to compromise two Gmail accounts, [redacted] believed that the second account compromised may have been his Yahoo! account, [redacted] since he had to [redacted]. [redacted] stated that he was unsure how they would have determined that he was the owner of the Yahoo! account
issues. [redacted] checked his credit cards and discovered that a fraudulent charge had been made on his [redacted] card from Ritz camera. The item was set to ship to his old address. The [redacted] card that was used ended in [redacted]
[redacted] believed that the compromise could be related to his Android cellular telephone, which he had "rooted". One of the consequences of rooting the telephone was that other programs that normally would not have access to the files "Shared Preferences" and "Accounts.db" could now access those files. The files contain information such as from the telephone. A few days prior to the individuals advising [redacted] that he had been compromised, [redacted] had downloaded and installed a program called "atorrent" from the Android store. This program allowed a user to download torrent files onto your cellular telephone. [redacted] stated that he used the program several times to test it, downloading music and a movie.
[redacted] also stated that his laptop could have been a potential source of the compromise, but did not believe that it could have been his desktop computer.
Continuation of FD-302 of [redacted], On 12/06/2011, Page 2
288A-SD-73148
FD-302a (Rev. 10-6-95)
b6b7C
Android cellular telephone [redacted] which removed all of the text messages he had received.
Continuation of FD-302 of [redacted], On 12/06/2011, Page [illegible]
288A-SD-73148
FD-302a (Rev. 10-6-95)
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
b6b7C
by SA [redacted]
Date dictated
Investigation on 01/05/2012 at San Diego, CA
File # 288A-SD-73148
b6b7C
On 12/31/2011, an individual posted information regarding the compromise of the California State Law Enforcement Association (www.cslea.com) on www.pastebin.com. The information provided an explanation for the attack, e-mail communications from CSLEA personnel discussing the security of their website, as well as name, address, password, and credit card information for individuals related to CSLEA. Additionally, the message stated that the compromise of CSLEA was "how Special Agent [redacted] at the California DOJ [redacted] Unit got humiliated last month".
The referenced information has been printed out and attached to this document.
Date of transcription 01/05/2012
- 1-
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
pastebin.com/MSaBvt9R 1/25
b6b7C
Untitled | BY: A GUEST | DEC 31ST, 2011 | SYNTAX: NONE | SIZE: 71.51 KB | HITS: 2,862 | EXPIRES: NEVER
1. Hello comrades and thanks for joining us for the final phase of our cross
2. country hacker crime spree, our contribution to pr0j3kt m4yh3m. We're still
3. preparing the torrents, mail spools, as well as our final txt zine release which
4. will surely bring humiliation and embarrassment to many white hats and
5. sysadmins. But this New Years Eve, we bringing yall some party favors to keep
6. you raging all night. Did you remember a month ago when the mayors and piggies
7. across the US conspired to attack protesters in public parks? We sure do, so we
8. have been planning a retaliatory raid of our own. Bring it, NOAA. Bring it,
9. SOPA. We are snipers with one hell of a scope! Takin out a cop or two, they
10. can't cope with us!
11.
17.
18. Soundtrack to the Rev Track: The Coup - Five Million Ways to Kill a CEO
19. http://www.youtube.com/watch?v=lJotps9V4as
20.
21. I'm from the land where the Panthers grew
22. You know the city and the avenue
23. If you the boss we be smobbin through
24. And we'll be grabbin' you
25. To say "What's up with the revenue?"
26.
27. Most everybody already knows that we don't like police very much. Shit, just
28. about everybody hates them, everybody except for the rich and powerful who
29. depend on their protection. But which state got the most blood on their hands?
30. Well we already owned pigs in Texas and Arizona, and many many others; guess its
31. time to ride on the California police.
32.
33. From the murder of Oscar Grant, the repression of the occupation movement, the
34. assassination of George Jackson in San Quinten prison, the prosecution of our
35. anonymous comrades in San Jose, and the dehumanizing conditions in California
36. jails and prisons today, California police have a notorious history of brutality
37. and therefore have been on our hitlist for a good minute now.
38.
39. So we went ahead and owned the California State Law Enforcement Association
40. (CSLEA.COM), defacing their website and giving out live backdoors. We dumped a
41. few of their mail spools and forum databases, and we did get a few laughs out of
42. reading years of their private email correspondence (such as CSLEA's Legislative
43. and police [redacted]
44. [redacted]. But what we were really after was their membership rosters, which
Hello comrades and thanks for joining us for the final phase of our cross count - Pastebin.com
1/5/12
Fire Marshal and Emergency Services Association (FMESA)
Hospital Police Association of California (HPAC)
California Organization of Licensing Registration Examiners (COLRE)
California Association of Law Enforcement Employees (CALEE)
California Highway Patrol Public Safety Dispatchers Association (CHP-PSDA)
California Association of Criminal Investigators (CACI)
California Association of Food and Drug Investigators (CAFDI)
California Association of Fraud Investigators (CAFI)
California Association of Regulatory Investigators and Inspectors (CARII)
California Association of State Investigators (CASI)
Association of Conservation Employees (ACE)
Association of Criminalists-DOJ (AC-DOJ)
Association of Deputy Commissioners (ADC)
Association of Motor Carrier Operations Specialists (AMCOS)
Association of Motor Vehicle Investigators of California (AMVIC)
// THATS ALL FOR NOW KIDDIES! EXPECT A BADASS ZINE AND TORRENT COMING SOONl!I!I!
There were also many parolee/probationers but the thought of betraying our
comrades under the gun of the prison industrial complex never crossed our minds.
But how about sum moar private police documents?? We dropped these on Bradley
Manning's birthday:
b6b7C
b3b6b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
Investigation on 01/11/2012 at San Diego, CA
File # 288A-SD-73148
Date dictated
by SA [redacted]
The results have been printed out and are attached to this document for the file.
The following is a summary of the results of the subpoena:
Date of transcription 01/11/2012
- 1-
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
UNCLASSIFIED
As part of our ongoing effort to expose and humiliate our white hat enemies, we targeted a Special Agent Supervisor of the CA Department of Justice in charge of [redacted] We are leaking over 38,000 private emails which contain detailed computer forensics techniques, investigation protocols as well as highly embarrassing personal information. We are confident these gifts will bring smiles to the faces of our black hat brothers and sisters (especially those who have been targeted by these scurvy dogs) while also making a mockery of "security professionals" who whore their "skills" to law enforcement to protect tyrannical corporativism and the status quo we aim to destroy.
b6 b7C
"Greetings Pirates, and welcome to another exciting #FuckFBIFriday release.
On November 18, 2011, a YouTube video was posted with the title "#AntiSec Fuck FBI Friday V - Cybercrime Investigator Communications" from the YouTube user account
b7C
The video was 6:03 long and stated the following information, which was also posted as text below the video:
Details: On November 18, 2011, retired California Department of Justice Special Agent Supervisor [redacted] advised that he received text messages from his own Google telephone number indicating that he had been "owned".
Synopsis: Close captioned investigation.
COMPUTER INTRUSION VICTIM;
b6b7C
(Pending)
Drafted By: [redacted]
Case ID #: 288A-SD-73148
Title: UNSUB(S); #ANTISEC;
From: San Diego
CY1
Contact: SA [redacted]
Approved By: [redacted]
To: San Diego
Date: 01/26/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
b6
b6b7C
(Rev. 05-01-2008)
b7E
b6b7Cb7E
2
UNCLASSIFIED
We are Anti-Security,
We are the 99%
We do not forgive.
We do not forget.
Expect Us!"
Hackers, join us and rise up against our common oppressors - the white hats, the 1%'s 'private' police, the corrupt banks and corporations and make 2011 the year of leaks and revolutions!
We often hear these "professionals" preach about "full-disclosure," but we are sure these people are angrily sending out DMCA takedown notices and serving subpoenas as we speak. They call us criminals, script kiddies, and terrorists, but their entire livelihood depends on us, trying desperately to study our techniques and failing miserably at preventing future attacks. See we're cut from an entirely different kind of cloth. Corporate security professionals like Thomas Ryan and Aaron Barr think they're doing something noble by "leaking" the public email discussion lists of Occupy Wall Street and profiling the "leaders" of Anonymous. Wannabe player haters drop shitty dox and leak partial chat logs about other hackers, doing free work for law enforcement. Then you got people like Peiter "Mudge" Zatko who back in the day used to be old school l0pht/cDc only now to sell out to DARPA going around to hacker conventions encouraging others to work for the feds. Let this be a warning to aspiring white hat "hacker" sellouts and police collaborators: stay out the game or get owned and exposed. You want to keep mass arresting and brutalizing the 99%? We'll have to keep owning your boxes and torrenting your mail spools, plastering your personal information all over teh internets.
These cybercrime investigators are supposed to be the cream of the crop, but we reveal the totality of their ignorance of all matters related to computer security. For months, we have owned several dozen white hat and law enforcement targets-- getting in and out of whichever high profile government and corporate system we please and despite all the active FBI investigations and several billion dollars of funding, they have not been able to stop us or get anywhere near us. Even worse, they bust a few dozen people who are allegedly part of an "anonymous computer hacking conspiracy" but who have only used kindergarten-level [redacted] - this isn't even hacking, but a form of electronic civil disobedience.
[redacted] The information in these emails will prove essential to those who want to protect themselves from the techniques and procedures cyber crime investigators use to build cases. If you have ever been busted for computer crimes, you should check to see if your case is being discussed here. There are discussions about
We turned on his google web history and watched him look up [redacted]
[redacted] We also abused his google voice account, making sure [illegible] and family knew how hard he was owned. Possibly the most interesting content in his emails are the internal email list archives (2005-2011) which
We hijacked two gmail accounts belonging to [redacted] who has been a cop for [redacted] years, dumping his private email correspondence as well as several dozen voicemails and SMS text message logs. While just yesterday [redacted] was having a private BBQ with his [redacted] friends, we were reviewing their detailed internal operation plans and procedure documents. We also couldn't overlook the boatloads of embarrassing personal information about our cop friend [redacted] We lulzed as we listened to [illegible] voicemails from
To: San Diego From: San Diego
Re: 288A-SD-73148, 01/26/2012
UNCLASSIFIED
b3
b3b6b7C
b6b7Cb7E
3
UNCLASSIFIED
San Diego requests that captioned investigation be closed.
Due to all victim information being [illegible] lack of
On [redacted] responded to a Grand Jury [illegible]
Additionally, some of the information contained within [redacted] account was posted at [redacted]
On November 30, 2011, California Department of Justice provided the FBI with a CD-ROM disc containing the files located at [redacted]. These files are contained in a 1-A envelope to the [illegible] and are password protected with the following password:
A link was also provided on the YouTube page to the documents that were taken from [redacted] account. The information was located at
To: San Diego From: San Diego
Re: 288A-SD-73148, 01/26/2012
UNCLASSIFIED
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
Date dictated
Investigation on 01/24/2012 at San Diego, CA (telephonically)
File # 288A-SD-73148
by SA [redacted]
contacted the writer and advised
b3b6b7C
[redacted] was interviewed telephonically. After [illegible] the identity of the interviewing Agent, [redacted]
Following my recovery of the accounts, the perpetrators texted me and said it was not over yet. They made a comment about how tough economic times were and I should beware of my financial status. I made a check of my assorted banking and credit
I received a phone call from a Huffington Post reporter (didn't get his name but seemed legitimate, [redacted]) at approximately 1400 hours the same day. He was excited when he initially called, like he was at the forefront of a big breaking story. He asked if I wanted to comment on the compromise that happened to me and told me he learned of it from people in a chat room. It appears he thought I was going to be some high ranking manager of a computer crimes unit and there were going to be damning things in the data they stole. I quickly deflated his enthusiasm as I told him [redacted] and that whatever they got was personal, but not embarrassing and I was not going to give in to their threats and intimidation by contacting them. I further told him that in the overall scheme of things, I was really nobody and it was insignificant to terrorize me for their cause.
They logged into my Facebook account and deleted most of my photos, changed configuration settings, posted numerous offensive comments and personal messages to various friends, as well as impersonated me in various chats.
When I arrived home at approximately 0730 hours, I went onto the Internet from what I believed to be a secure computer and via the specific providers websites followed their online protocols for recovering compromised accounts. It took approximately 1 hour, but I was successful in gaining access to all the compromised accounts and changed the passwords several times to prevent the intruders from following the same protocols. In the Google account, they harassed many of the contacts contained in my phone book with a variety of text messages. They posted personal emails from the email accounts around the Internet and made [illegible] statements about compromising a Department of Justice [redacted] Some of the email in my sent folder included
On Friday 11-18-2011, at approximately 0700 hours I was getting in my car and began receiving text messages on my phone from my own Google telephone number of [redacted] This number is associated with my [redacted] account of [redacted]. The messages stated that in essence, the senders had taken over my account and that they "owned" me. The messages were also directing me to a specific chat room (I already deleted the text) to contact them, otherwise they were going to post my email and personal information all over the Internet. I ignored them and they continued to harass me with incoming text messages. I checked via my smart Android based cell phone, and immediately noticed I no longer had access to my Google account, my Facebook account that was associated with the same email address, and the yahoo account that was linked to my [redacted] The perpetrators continued to prod me to go to the chat room with threats of releasing the information, but I continued to ignore them.
Statement regarding the hijacking of my personal accounts:
b6b7C
b6b7C
I desire prosecution.
I received only a few additional phone calls from mysterious numbers and harassment texts over the weekend.
I believe this tactic, along with not acknowledging them in the text or chat rooms frustrated them and kept them from calling or texting too much. There were a couple of texts from [redacted] that appeared to be sympathetic to me, wishing me well and hoping the hackers would be brought to justice. I ignored them as well, suspicious that the perpetrators were just testing to see if I was receiving their other harassment texts.
They continued to harass me via text and said they were releasing my telephone number to 150,000 followers on twitter, and hoped I wasn't busy. I received a few calls, but only answered a few just to see what the callers had to say. Most just made ignorant comments and hung up. I disabled the mail account, to avoid a backlog of voicemail as my phone [illegible]
account that I deal with online and discovered a fraudulent charge made [illegible] to Ritz camera for approximately $896.95. The purchase was made with my [redacted] and was scheduled to ship to an old mailing address at [redacted] I contacted [redacted] and they are cancelling the transaction and the account. There are no other known discrepancies at this time and have since placed a credit block on my personal information.
b6
eintet:net which claims the ANTI-SEC.is a ,movement ded.lcated to theer-adic-at-ion of full disclosure. Their mess-age _further explainedthey plan to achiev-e tbis "t,hrough t,he fulJ and unrele,nting,unmerciful elimination of all supporters of fulJ-disclosu-re andt,be security industr-y in its 'present form."
o b7Eb7C
-Details:- on October 8, 20 9, Special Agent A) I Imet b6w"ith employee_s of IMAG - at 23 rtfi Sant-a Cru-z b7CAvenue, Los Gatos, California, 95030, to Lscuss two rec _c-omputer i,ntrusions of IMAGESHACKsezvexs , -IMAGES'HACKis acompany which provldes i,oternet "image host,i_ng.
IMAGE_SHACKadvis-ed s'AI I t.hat the f_i,r-st compute r dintr"tlsion occur-red on July 10, 2009 at approxima_te_ly 7 pm Paci_ficSt'andard 'rime (PST)._ A group by the n_ameof ANtI-SEC gai_nedaccess to one of the companydatabase server s , The server the ~
b6
hacker(s) accessed contained [redacted]
[redacted] The hacker(s) were also able to [redacted]
[redacted] In addition, the hacker(s) posted a message on the
Synopsis: To Open Case and subfiles.
Approved By: b6 b7C
Drafted By:
Case -lD #:- 288A-SF-i!t~f~ending) /t288A-SF-NtW-G'J (Pending) .....'
Title: ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
From: San Francisco, Squad CY-2/San Jose RA, Contact: SA
ATTN: Computer Intrusion Unit #2, SSA [redacted] To: Cyber Division
It is requested that the new case and subfiles be opened and assigned to SA [redacted]
SUB GJ Grand Jury
It is requested that the following subfiles be opened:
IMAGESHACK estimates their losses at approximately $26,000.
On August 2, 2009, IMAGESHACK believes the same hacker(s) came back and gained access to their servers again. IMAGESHACK has full and complete logs. It is apparent the hacker(s) [redacted]
IMAGESHACK advised this computer intrusion affected approximately 50 million images and every user that was on their site at the time viewing images. IMAGESHACK is still not sure .... got into their database but believe [redacted]
•San Francisc. From:· San Francisco288A-SF-NEW, 10/08/2009
To:·Re:·
Case Number: 288A-SF-145486 Owning Office: SAN FRANCISCO
Case Agent: Anticipated Disposition: Acquired By: [redacted]
Date Property Acquired:
ANTI SEC
Title and character of case:
'FD-192ICMt~ROlPage l••10/21/09
-12:08:07
b6b7C
Source from which Property Acquired: IMAGESHACK, c/o [redacted] 263 N. SANTA CRUZ, 263 N SANTA CRUZ AVE #100, LOS GATOS CA 95030
10/08/2009
·mY~k-'"ot8~ t\ - Sf - '461~'-10. 2.
Case Number: 288A-SF-145486 Owning Office: SAN FRANCISCO
08/19/2010 PRESS3 Location: SJECR Barcode: E4189947
Date Entered Description of Property: 1B 2
ONE (1) CD LABELED SV-09-0162 (DERIVATIVE EVIDENCE OF 1B1)
08/19/2010
Date Property Acquired: Source from which Property Acquired: SVRCFL
Title and Character of Case:
-FD-_1_92ICMI:IiROlPage 1•,
08/1_9/1019:29: ss,
b6b7C
Case Agent: Anticipated Disposition: Acquired By: [redacted]
b6b7C
b6b7Cb7E
b6b7Cb7E
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
Investigation on 09/08/2009 at Los Gatos, California
On August 2, 2009, [redacted] indicated the hacker(s) came back. He advised the staff at IMAGESHACK believes it was the same hacker(s) because they [redacted] advised that at the time it appeared the [redacted] The technical team was able to [redacted]
[redacted] advised this affected every [redacted] and approximately 50 million images. He indicated IMAGESHACK user images were replaced with this propaganda message for several hours. [redacted] said this caused quite a stir on the internet as it affected many website backgrounds as well. [redacted] advised a group named ANTI-SEC claimed responsibility for the hack of IMAGESHACK on the internet.
1 1said the technical team at IMAGESHACK believed thehack was a result of an I I He~~ifi~p~ that after 'the hack. the technical team at IMAGESHACK I
L-----:,---:-I indicated 'IMAGESHACK does not~~~~formation~~~~~~-~~~~~~~----~~~~~~
ave athat from that server, the
Ultimatel
Date of tratlSCription 1QLQ ~ L2 0Q9
On October 8, 2009, [redacted] was interviewed at his place of employment, IMAGESHACK, located at 236 North San Cruz Avenue, Suite 100, Los Gatos, California, 95030, telephone number 408-836-8579. After being advised of the identity of the interviewing agent, [redacted] provided the following information:
On July 10, 2009 at approximately 7:00 p.m., IMAGESHACK servers were hacked. The hacker(s) were able to get into the [redacted] [redacted] indicated the user
This server also contained
• 1•
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
b6b7Cb7E
b6b7Cb7E
[redacted] provided six hard drives to SA [redacted] and signed an FD-941 Consent to Search Computer(s) form for these six hard drives. [redacted] was also provided and signed an FD-597 United States Department of Justice, Federal Bureau of Investigation, Receipt For Property Received. The FD-941 and FD-597 and CD have been placed in a 1A envelope and sent to the file.
[redacted] provided one computer Disk (CD) labeled IMAGESHACK ANTISEC which he did not want returned that contained copies of an overview of the hack, the ANTI-SEC jpg image posted to the servers, email from [redacted] regarding the identity of the hacker(s), and chat logs from IMAGESHACK staff during the August 2, 2009 attack.
$26,450.
During tb~ second ,attAyk, tb,e bac~went througb theJ tben I J 'and tben :through tbere."'__---;::::::==::::::;---'
Continuation of FD-302 of [redacted], On 09/08/2009, Page 2
From: San FranciscoOakl_and ~, 1-2 -and CY-3Contact: !
Attn:SS~A-l ~~Y-2_ ~ CY--3
San Fr-anciscoTo:
Date: 11/03/2009 Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION~
blb3
•(Rev.OS"()1.ZOO8)
, .
(5)(U)
(U)
(5) ·············l.___ ------ll+S)
W) J:s<
b7E
b7E
b6b7Cb7E
b7E
\
/
blb3
blb3
(S)
(800A-HQ-C1591622-NOADMIN, Serial 20010)
II
1
1 Ifurther stated.tnat Ant 1.-sec IaOrl.Ca~e--crthe claim ofl.~~ ~ ~ ~ ~lWhite-Hat Hacker and Cyber Security Communities. Open sourcerese~rch r~yealed that several -largeweb hosting companiesconsl.deredl~. ~ ~ ~I(800A-HQ-C1591622-NOADMIN, Serial : 20010).
11An identified II.1Anti--Sec claimed that a r
The hackers changed the server settings to redirect every image to a hacker logo. The hackers posted a message claiming that the Anti-Sec group is dedicated to the eradication of full disclosure by eliminating the cyber security industry. (288A-SF-145486, Serial: 1)
(U)
San Francisco division
(U) Open source searches provide no information that Anti-Sec hacked [redacted]
• S~/INOFORN~
To: San Francisco From; San FranciscoRe:1 L.. ....J(5)
(3)
blb3~/ /NOFORN~L....-----I
3
(5)
blb3Possible Identification of a founding member
FranciscoTo:Re:
(3)S~IINOFOl!N~
FroID; San Francisco•- .
blb3
++
LEAD(s):
Set Lead 1: (Info)
SAN FRANCISCO
AT SAN JOSE
(U) Read and Clear.
Franei seQTo:·~e:
(3) blb3
~lINOFORN~
FrOm·- San Francjsco•• •
"
-UNCLASSIFIED
'..
Synopsis: To Report US Attorney Office concurrence for new case opening.
Details: On October 9, 2009, Special Agent (SA) [redacted] emailed Chief, Assistant United States Attorney (AUSA), for the Computer Intrusion and Hacking Unit, [redacted] regarding concurrence for new captioned investigation. The e-mail contained a summary of the case information. SA [redacted] was contacted telephonically and granted concurrence regarding captioned investigation and advised that AUSA [redacted] would be assigned the case. b6 b7C
Attached and made a part of this document is the email to AUSA [redacted]
Details: On September 16, 2009, Special Agent (SA) [redacted] telephonically spoke to the victim company, Imageshack, regarding captioned matter and set a date to meet in person.
On October 8, 2009, SA [redacted] met with [redacted] of Imageshack and obtained the detailed information about the captioned computer intrusions. Possible subject(s) have been identified.
On November 13, 2009, SA [redacted]
Title: ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
Number:- 2-Type:- CI? 2703 (f) ORDER SERVEDITU:- crs-tTU:- :LIAISON WtTH OTHER AGENCY'Claimed ~y :-1
SSN.-Name:-Squad :-~C=Y=2O:-----___'
Accomplishment Information:-
To: San Francisco From: San Francisco Re: 288A-SF-145486, 11/13/2009
UNCLASSIFIED
Investigation on 01/23/2010 at Campbell, California (via facsimile)
File /I 288A-SF-145486 ~ ,?- Date d ietated NA
SAl I b6 Z2b~ ID~ tf }J/ f};,by b7C
The above referenced letter had been attached and is made a part of this document.
Date of transcription 03/02/2010
. 1·
FEDERAL BUREAU OF INVESTIGATION
,. ." ••f'D·)02 (Rev. 10>-6·95)
UNCLASSIFIED
On October 8, 2009, Imageshack provided SA [redacted] with six hard drives and consent to search those hard drives.
Title: ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
b6b7C
To: San Francisco
From: San Francisco, Squad CY-2/San Jose RA, Contact: SA
~----~------------------~
::::::~ B::: ....I---------------'---,..I~Case ID #:. 288A-S-F-145486: (pendingvY
To: San Francisco From: San Francisco Re: 288A-SF-145486, 01/14/2010
-UNCLASSIFIED
..-
b6b7C
Investigation on 4/27/2012 at Los Gatos, California
File # 288A-SF-145486 Date dictated NA
by 'S~ I
·1.
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
Date of transcription 04/27/2012
On April 27, 2012, Special Agent [redacted] returned six hard drives to [redacted] at his place of employment, IMAGESHACK, 236 Santa Cruz Avenue, Los Gatos, California, 95030. A copy of the signed FD-597 United States Department of Justice Federal Bureau of Investigation Receipt for Property Received/Returned/Released/Seized had been placed in a 1A envelope and sent to the file.
UNCLASSIFIED
~~00ll2-
~
The evidence obtained in this investigation did not derive enough probable cause to result in the identification of a subject for a prosecutable offense. On April 18, 2012, SA [redacted] received a letter from the United States Attorney's Office stating that their office has closed the investigation. The above mentioned letter has been attached and is made a part of this document. b6 b7C
On April 27, 2012, SA [redacted] returned the hard drives provided by Imageshack as evidence in captioned case back to the victim company.
Synopsis: To Close Captioned Case.
Details: Assistant United States Attorney (AUSA) [redacted] and Special Agent (SA) [redacted] have discussed captioned investigation and its status on numerous occasions. On March 16, 2012, AUSA [redacted] inquired via email if captioned investigation could be closed. SA [redacted] advised that since there are no good subject internet protocol (IP) addresses and no good follow-up leads or information from current sources, captioned investigation should be closed.
(Closed)/' /~
b6b7C
Approved By:
Drafted By:
Case ID #: 288A-SF-145486
Title: ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
From: San Francisco, Squad CY-2/San Jose RA, Contact: SA
To: San Francisco
Date: 04/27/2012 Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED•(Rev.OS..Ql·ZOO8)
It is recommended that captioned case be closed and that evidence collected on captioned case be destroyed and/or returned pursuant to FBI policy. There are no pending leads or further investigation required on captioned case.
UNCLASSIFIED
++
To: San Francisco From: San Francisco Re: 288A-SF-145486, 04/27/2012
UNCLASSIFIED
"
. ,"
.. j, I '
U.S. Department of Justice
United States Attorney
Northern District of California
150 Almaden Boulevard, Suite 900
San Jose, California 95113
DD: (408) 535-5061
FAX: (408) 535-5066

April 18, 2012

Special Agent
Federal Bureau of Investigation
1919 S. Bascom Avenue, Suite 400
Campbell, CA 95008
b6b7C

RE: ImageShack Intrusion

Dear Special Agent [redacted]:

This letter is to confirm that my office has closed the investigation into the ImageShack intrusion by a group known as Anti-Sec. Based on our conversations, you have conducted an exhaustive investigation and have been unable to identify the individual responsible for the intrusion. If you find new evidence, please re-submit the case for prosecution.

I appreciate all of your work on the case. Please do not hesitate to contact me if you have any questions. I can be reached at [redacted]

Very truly yours,

MELINDA HAAG
Assistant United States Attorney
4 ! -ORIGINAL PACKAGE COPY FD-192 OF 1B1 (EVIDENCE RETURNED)! -COPY OF A SIGNED FD-597
! SF
SF 2 ! SILICON VALLEY RCFL REPORT OF EXAMINATION DATED 11/17/2009;! AND 08/09/2010 AND RETURN TO AGENCY RECEIPT DATED 08/19/2010.! (NO REFERENCE SERIAL)
-----------------------------------------------------------------------------b6! SF 3 ! -ORIGINAL PACKAGE COPY FD192 (CHAINS OF CUSTODY) lA'D b7C
! -ORIGINAL 1B2 ENCLOSED !
1 ORIGINAL NOTES RE INTERVIEW OF~I ~! FD-597 RECEIPT FOR PROPERTY; FD-941 CONSENT TO SEARCH! COMPUTERS; ONE CD WITH PRINTED COPIES
By 5·(:(1.To Be Returned 0 Yes ..e:(NoReceipt Given. 0 Yes ffNoGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)Federal Rules of Criminal Procedure
o Yes, ~oFederal Taxpayer Information (FTI)
, 1 0 Yes ld"" No
Title: 'Po-lll--5f"v;Ut(!~J1:SV\ A"Q.fi-rlA"tt- v !VJ7NtD~~"~\.('~~Reference: _
Serial # ofOriginating Docnment
Date Received 1\)1of' 'M»)1 "'From f51,c ~~J~ ,k..JI'-a.e VA
They posted this message after the attack on multiple security threads: [redacted] This message linked back to the antisec's website:
Server named:
Anti-sec gained access to one of our database servers.
The first user complaint came in at 6:59pm pst.
On July 10th, at approximately 7 pm PST, ImageShack's services were compromised by a hacking group named anti-sec.
July 10th Hack
Estimated company losses
b6b7Cb7E
Chat logs:
On August 2 early in the morning about 12:50am pst we were compromised again. They were unable to affect users as we stopped them in time. We have chat logs of our employee included.
August 2 Hack
,.
Anti-sec. We're a movement dedicated to the eradication of full-disclosure. We wanted to give everyone an image of what we're all about.
Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.
Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.
As an added bonus, if publication wasn't enough, these exploits are mirrored and distributed widely across the Internet with a nice little advertisement embedded in them for the crew or website which first
__I II I
\_\
I I I I I I I C-I I C-I I __ I x., \ I I I C-I I C--I <I_I_I I_I I_I\ __ ,_I\ __ , I\ I I I I_I I_I\ __ ,_I\ I_I
II I'_\ I _' II__I'_, _\ I _' II_' II_\' I __I
Proudly presents ...
______ I II __ \_I \I I \ \\ I\ \ _
I >\ >\ >
\1 \1 \1
_____I I_I __ I\__\ I \ __\ II __\1 \ I I I
C---- I I I__I I __ I\1 \1
I___I
II__C-)
b7E
exposed the vulnerability to the public.
It's about money. While the world is difficult to change, and money will certainly continue to be a very important in the eyes of many, our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences.
It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.
How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits ...
"you are a target and you will be rm'd. Only a matter of time."
This isn't like before. This time everyone and everything is getting owned.
Signed: The Anti-sec Movement
"No images were harmed in the making of this ... image."
•• ,I
- anti-sec.
If you think that we oppose your website, our advise is to pack it up andshut it down, because we're coming for you.
Replacing images ...
b7E
To Be Returned 0 Yes CJ...NOReceiptGiven 0 Yes !J'1ifoGrand JuryMaterial - DisseminateOnlyPursuant to Rule 6 (e)FederalRulesof CriminalProcedure
DYes g,.NOFederalTaxpayer Information(fTI)
DYes
\
'By ---S--4A-::::::;' LI I----~~c
'(Address)
Serial # of Originating Document. -:- _
'.1, Date Receive~ ~)<j _"\.::..~_:;';._I::.-;D:::;.__ --'-_
! From &J; Sv,. Gu.,40-CkP ,<Vh. ili~ :.f2e.=(Name ofContribu'ltTlfnitrviewee)
Field Office Acquiring Evidence _-";";::~=-_-'-__ --' __ -'- _
/1+{pJFO-340(Rev.4-11-03)
File Number ~'f't=<:;='-: I 'J\:) ~
For Official Use Only
Enclosures: 0Page 1 of3
Summary of Examination: Attached and made part of this report is Imaging Report dated November 17, 2009. While this report addresses the examination processes, the attached Imaging Report addresses the imaging of the submitted evidence.
1) Hacking rootkits and logs
On October 20, 2009, Special Agent [redacted], Federal Bureau of Investigation, requested that the above noted specimens, property of ImageShack, be examined pursuant to a signed consent form. She requested that the following items be searched for, identified (if present), documented, and reported on by the SVRCFL:
b6b7Cb7E
Request:
Specimens:
Date specimen received: October 21, 2009
Title: ANTISEC UNSUBS; (V) IMAGESHACK
Ref No.: N/A
Reference: Communication (Request for Service) dated October 20, 2009
Imaging Report dated November 17, 2009
Lab No.: SV-09-0162
b6b7C
Case ID No.: 288A-SF-145486
Date: August 9, 2010
San Francisco
San Jose RA
SA [redacted]
REPORT OF EXAMINATION
Silicon Valley Regional Computer Forensic Laboratory
4600 Bohannon Drive, Suite 200
Menlo Park, CA 94025
To:
18-1 (Re'~1-26-2007)/' e- '''--$
b6b7Cb7E
For Official Use Only
288A-SF-145486SV-09-0162Page 2 of3
To be returned to submitting agency. 1) All original items. 2)
Disposition of Evidence:
Derivai ive Evi A.
2
1
SA [redacted] provided the [redacted] Legal authority for the examination was provided as a signed consent form that was reviewed by the examiner prior to starting the examination.
[redacted] used the examination image for review. The following processes were performed:
Details of Examination:
These files were exported to a digital report. The other hard drives provided did not contain anything that appeared to be relevant.
3
2
1
b6b7C
b7E
For Official Use Only
288A -SF-145486SV-09-0162Page 3 of3
Silicon Valley Regional Computer Forensic LabComputer Analysis Response Team
Examiner:
3) [redacted] until its released to the investigator with this report.
4) Special handling instructions include:
a. All files contained on this DVD have the potential to contain viruses and other malicious code exported from the examined computer media. Therefore, this DVD should not be viewed on any networked computer OR any computer connected to the Internet. It is recommended this DVD only be viewed on a standalone workstation designed for the purpose of evidence review. Please consult your systems administrator for assistance and guidance.
b. In certain investigations, files and information containing contraband such as pornographic images and trade secrets may have been discovered and copied onto this DVD. This can also include pornographic and obscene images of children. Extraordinary care must be taken to safeguard this material and properly secure it when not being used for investigative or legal purposes. The SVRCFL recommends this DVD be secured in appropriate storage, such as an evidence facility, when not being reviewed by the investigator.
c. File attributes such as time/date stamps are dependent on several factors such as computer date/time settings and time zones. Where possible and feasible, date/time attributes have been preserved and details can be found in the electronic report contained herein.
d. THIS DVD SHOULD NOT BE DUPLICATED or DISSEMINATED to parties outside of the requesting law enforcement agency or prosecutor's office without first consulting with Silicon Valley RCFL.
e. This DVD is intended primarily for law enforcement and prosecution use. It is not recommended that this DVD work product be used for evidentiary hearings, trials, or other official proceedings. If any contents of this DVD are needed for a legal proceeding, the Silicon Valley RCFL should be contacted so that the relevant items can be provided in a form suitable for these purposes.
b6b7Cb7E
For Official Use Only
Enclosures:0Page 1 of3
Digital evidence media items were imaged to media to be retained as archives, and to staging media for future forensic examination by an assigned forensic examiner.
Summary of Examination:
Refer to the final Report of Examination for information on services requested. This report relates to the imaging processes only.
Request:
Specimens:r------------------------------,
b6b7C
Date specimens received: October 21, 2009
Title: Image Shack
Ref.No.: N/A
Reference: Communication (Request for Service) dated October 20, 2009
Lab No.: SV-09-0162
Case ID No.: 288A-SF-145486
San Francisco
San Jose RA
SA [redacted]
Date: November 17, 2009
To:
REPORT OF EXAMINATION
Silicon Valley Regional Computer Forensic Laboratory
4600 Bohannon Drive, Suite 200
Menlo Park, CA 94025
18-1 (Rev. 3-26.-2007)
" '"
b7E
b7E
For Official Use Only
N/A SV-09-0162 Page 2 of 3
The following processes were performed during imaging of the original evidence:
Physical Examination of Evidentiary items
Write Protect Media
Hardware Geometry and System Information
Create Image
[redacted] All the original evidence was returned to the SVRCFL evidence control room.
The staging media will be used in the examination phase to further satisfy the request, while the archive copy will be retained in the SVRCFL evidence control room in order to preserve the evidence should it be required in the future for authentication or court processes.
To preserve the original evidence and minimize any risk of damage to the original, an exact copy of the user-accessible data located on the evidentiary items was created onto staging media. (The exact copy will hereafter be referred to as an image.) The images were created using approved and appropriate forensic imaging software to write to forensically clean staging media prepared for use in an examination. Unless otherwise noted, the original evidence was write-protected using a hardware-write protection device to prevent any unintentional or accidental destruction or modification of the original evidence. An archive copy was also made using approved and appropriate software.
Upon submission to the SVRCFL, each submitted item was inventoried. As part of the inventory process, each item was assigned a unique SVRCFL bar code, and was entered into the SVRCFL evidence system. Where appropriate, make, model, and serial number for each imaged item was recorded, and each item was digitally photographed.
Prior to conducting any forensic process, I reviewed the legal authority, presented as a "Consent to Search" form.
Details of Examination:
For Official Use Only
N/A SV-09-0162 Page 3 of 3
Silicon Valley Regional Computer Forensics Lab, Computer Analysis Response Team
This imaging of this case is complete. The staging media will be given to an examiner for additional forensic processing.
All original evidence items returned to the SVRCFL evidence control room. All DE items will be retained in the SVRCFL evidence control room for a period of five years in order to preserve the evidence in the event additional forensic processes or legal proceedings require its use. After this time, the DE will be returned to the requestor's agency for disposition.
Disposition of Evidence:
Staging media used during the course of this examination includes the following: 1.
b7E
Derivative Evidence (DE) generated during the course of this examination includes the following:
Evidence Type: 0 General o Drug o Firearm/Weapon~CART oValuable o Firearm/Other
Special Handling Instructions Initial Receipt Date andTime
o Batteries o Biohazard o FOI Signat l- /0/Dft')IJ7o HAZMAT o Latents o Refrigerateo Req. Charging oNone Printed Name: I / : ~Pr-...o Other Reason: Collected
Relinquished. Custody Date and Accepted Custody Date andTime Time
~ 10)"/d7 Signature: IO{'l/1J4Printed Name] r Printed Name
b6b7C()41t
{OIOOl /fPt/)U
[redacted] In addition, the hacker(s) posted a message on the internet which claims the ANTI-SEC is a movement dedicated to the eradication of full disclosure. Their message further explained they plan to achieve this "through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form."
IDrafted By: I I
/4Slfmt5Case ID #: 288A-SF-~ (pending),-l~
288A-SF-NEW-GJ (Pending)? l
Title: ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
Approved By:
b6b7C
From: San Francisco, Squad CY-2/San Jose RA, Contact: SA [redacted]
ATTN: Computer Intrusion Unit #2, SSA [redacted] To: Cyber Division
Date: 10/08/2009 Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION (Rev. 01-31-2003)
b6b7Cb7E
Synopsis: To Open Case and subfiles.
Details: On October 8, 2009, Special Agent (SA) [redacted] met with employees of IMAGESHACK located at 236 North Santa Cruz Avenue, Los Gatos, California, 95030, to discuss two recent computer intrusions of IMAGESHACK servers. IMAGESHACK is a company which provides internet image hosting.
IMAGESHACK advised SA [redacted] that the first computer intrusion occurred on July 10, 2009 at approximately 7 pm Pacific Standard Time (PST). A group by the name of ANTI-SEC gained access to one of the company database servers. The server the hacker(s) accessed [redacted] for IMAGESHACK customers to include [redacted]
~--~~~-------------'
b6b7C
b6b7Cb7E
b6b7Cb7E
b6b7Cb7E
2
••
It is requested that the new case and subfiles be opened and assigned to SA [redacted]
SUB GJ Grand Jury
It is requested that the following subfiles be opened:
[redacted] IMAGESHACK estimates their losses at approximately $26,000.
the August attack IMAGESHACK believes the able to
Jui
On August 2, 2009, IMAGESHACK believes the same hacker(s) came back and gained access to their servers again. IMAGESHACK has full and complete logs. It is apparent the hacker(s)
IMAGESHACK advised this computer intrusion affected approximately 50 million images and every user that was on their
•San Francis~ From: San Francisco288A-SF-NEW, 10/08/2009
I
~ • v t... To:Re:
I -
NAME AGENCY POSITION
FBI Special Agent
FBI Special Agent
FBI Special Agent
FBI Special Agent
FBI Special Agent
FBI Special Agent
FBI Special Agent
FBI Supervisory Special Agent
FBI Intelligence Analyst
FBI SST
FBI Evidence Control Technician
FBI Evidence Control Technician
b6 b7C
Pursuant to the above captioned investigation, the Federal Bureau of Investigation (FBI) requests that the below listed individuals be placed on the Federal Grand Jury 6E list, in as much as they may require access to grand jury information during the course of the investigation:
Dear Sir:
ANTI-SEC; UNSUB(S), et al; IMAGESHACK - VICTIM; COMPUTER INTRUSION
Assistant United States Attorney b6 b7C
Attention:
Honorable Joseph P. Russoniello
United States Attorney
Northern District of California
450 Golden Gate Avenue
San Francisco, California 94102
November 10, 2009
450 Golden Gate Ave.
San Francisco, CA 94102
(415) 553-7400
In Reply, Please Refer to File No. 288A-SF-145486-GJ
Federal Bureau of Investigation
U.S. Department of Justice
••I
; .~,:J ,",
2
b6b7CBy:
Supervisory Special Agent
Stephanie Douglas
Special Agent in Charge
Sincerely,
b6b7C
Should you have any questions regarding this matter, please do not hesitate to contact SA [redacted] San Jose Resident Agency, telephone number [redacted]
•
b6b7C
Investigation on 12/14/2009 at Campbell, California (via facsimile)
The file copy of the Grand Jury Subpoena has been attached and is made a part of this document.
[redacted] The subpoena [redacted]
Date dictated NA
File # 288A-SF-145486-GJ by SA [redacted]
b3b6b7C
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
On December 14, 2009, Special Agent (SA) [redacted] served a Grand Jury subpoena via facsimile to [redacted]
- 1-
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
Date of transcription 12/14/2009
* If not applicable, enter "none".
This subpoena is issued on application of the United States of America
JOSEPH P. RUSSONIELLO, United States Attorney
U.S. ATTORNEY
December 11, 2009 b6 b7C
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer acting on behalf of the court.
U.S. MAGISTRATE JUDGE OR CLERK OF COURT
RICHARD W. WIEKING
[X] Please see additional information on reverse.
Compliance with this subpoena will be deemed satisfactory when you provide all the materials to the agent serving this subpoena and no appearance will be necessary.
Please see attachment.
YOU ARE ALSO COMMANDED to bring with you the following document(s) or object(s):*
DATE AND TIME
COURTROOM: As directed by the court
January 6, 2010 at 9:30 a.m.
PLACE: United States District Court, 280 South First Street, San Jose, CA 95113
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date and time specified below.
AO 110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
b3b6b7C
Procedure.
(2) "Fees and mileage need not be tendered to the witness upon service of a subpoena issued on behalf of the United States or an officer or agency thereof (Rule 45(c), Federal Rules of Civil Procedure; Rule 17(d), Federal Rules of Criminal Procedure) or on behalf of certain indigent parties and criminal defendants who are unable to pay such costs (28 USC 1825, Rule 17(b) Federal Rules of Criminal Procedure)".
RETURN OF SERVICE (1)
DATE PLACERECEIVED
j d- ) ) 't Jd-O''() ,BY SERVER
UAlt 1"1SERVED
1'.).- ) \ \.f I ')_-L) oi::.tKVtU UN lI"KINI NAlllt)
.::.tKVtU tH ll"'KIN I NAMt}
,S p(L~J1 ~STATEMENT OF SERVICEFEES
TRAVEL ~- ISERVICES .i-> ITOTA~
DE'CLARATION OF SERVER(2)
I declare under penalty of perjury under the laws of the United States of America that the foregoinginformation contained in the Return of Service ~nd Statement of 1:', .,,; Fp.p.<: is trueand r.n rect
(1) As to who may serve a SUbpoenaand the manner of its service seeRule 17(d),Federal Rulesof Criminal Procedure, or Rule45(c),FederalRulesof Civil
'AOll0 (Rev. 12/89) Subpoena to Testify Bef.and Jury
FD-448 (Rev. 6-2-97)
FBI FACSIMILE
COVER SHEET
PRECEDENCE: [ ] Immediate  [ ] Priority  [X] Routine
CLASSIFICATION: [ ] Top Secret  [ ] Secret  [ ] Confidential  [ ] Sensitive  [X] Unclassified
Time Transmitted:
Sender's Initials:
Number of Pages: 4 (including cover sheet)
To:
Name of Office
Date: 12/14/2009
Attn:
From: FBI San Francisco - San Jose Office
Name of Office
Subject: Preservation Request
Originator's Name: Special Agent [redacted]
Telephone: [redacted]
Originator's Facsimile Number: [redacted]
Approved:
Brief Description of Communication Faxed:
WARNING
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC, § 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.
b3b6b7C
Telephone
Room
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 12/14/2009
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
On December 14, 2009, Special Agent (SA) [redacted] served a Grand Jury subpoena via facsimile to [redacted].
The file copy of the Grand Jury Subpoena has been attached and is made a part of this document.
b3b6b7C
Investigation on 12/14/2009 at Campbell, California (via facsimile)
File # 288A-SF-145486-GJ [illegible]   Date dictated NA
by SA [redacted]
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
* If not applicable, enter "none".
This subpoena is issued on application of the United States of America
JOSEPH P. RUSSONIELLO, United States Attorney
December 11, 2009
U.S. MAGISTRATE JUDGE OR CLERK OF COURT
RICHARD W. WIEKING
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer acting on behalf of the court.
[X] Please see additional information on reverse.
Compliance with this subpoena will be deemed satisfactory when you provide all the materials to the agent serving this subpoena and no appearance will be necessary.
Please see attachment.
YOU ARE ALSO COMMANDED to bring with you the following document(s) or object(s):*
DATE AND TIME
January 6, 2010 at 9:30 a.m.
COURTROOM
As directed by the court
PLACE
United States District Court, 280 South First Street, San Jose, CA 95113
b3b6b7C
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date and time specified below.
AO110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
AO110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
b3b6b7C
RETURN OF SERVICE (1)
RECEIVED BY SERVER: DATE [illegible]  PLACE [illegible]
SERVED: DATE [illegible]  PLACE [illegible]
SERVED ON (PRINT NAME)
SERVED BY (PRINT NAME)   TITLE [illegible]
STATEMENT OF SERVICE FEES
TRAVEL / SERVICES / TOTAL
DECLARATION OF SERVER (2)
I declare under penalty of perjury under the laws of the United States of America that the foregoing information contained in the Return of Service and Statement of Service Fees is true and correct.
Executed on [illegible] (DATE)
ADDRESS OF SERVER: [illegible]
ADDITIONAL INFORMATION: [illegible]
(1) As to who may serve a subpoena and the manner of its service see Rule 17(d), Federal Rules of Criminal Procedure, or Rule 45(c), Federal Rules of Civil Procedure.
(2) "Fees and mileage need not be tendered to the witness upon service of a subpoena issued on behalf of the United States or an officer or agency thereof (Rule 45(c), Federal Rules of Civil Procedure; Rule 17(d), Federal Rules of Criminal Procedure) or on behalf of certain indigent parties and criminal defendants who are unable to pay such costs (28 USC 1825, Rule 17(b) Federal Rules of Criminal Procedure)".
FD-448 (Rev. 6-2-97)
FBI FACSIMILE
COVER SHEET
PRECEDENCE: [ ] Immediate  [ ] Priority  [X] Routine
CLASSIFICATION: [ ] Top Secret  [ ] Secret  [ ] Confidential  [ ] Sensitive  [X] Unclassified
Time Transmitted:
Sender's Initials:
Number of Pages: 3 (including cover sheet)
b3b6b7C
From: FBI San Francisco - San Jose Office
Name of Office
Originator's Name: Special Agent [redacted]
Telephone: [redacted]
Originator's Facsimile Number: [redacted]
Approved:
Brief Description of Communication Faxed:
WARNING
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC, § 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 12/29/2009
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
On December 23, 2009, Special Agent (SA) [redacted] received a response to a Federal Grand Jury Subpoena via facsimile from [redacted].
The response included the following [redacted]
b3b6b7C
The above referenced response provided by [redacted] has been attached and is made a part of this document.
Investigation on 12/23/2009 at Campbell, California (via facsimile)
File # 288A-SF-145486/GJ /2   Date dictated NA
by SA [redacted]
b6b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
WARNING
Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC, § 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 01/06/2010
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
On January 6, 2010, Special Agent [redacted] received a response via facsimile to the abovementioned Grand Jury subpoena from [redacted].
The information, which was provided in paper format, included the following information:
Investigation on 01/06/2010 at Campbell, California
File # 288A-SF-145486-GJ   Date dictated N/A
by SA [redacted]
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 03/05/2010
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
b3b6b7C
Ona Grand Jur
2010, Special A~~~~~ ~~~edand Court Order
b3b6b7C
The file copy of the Grand Jury Subpoena and the Court Order has been attached and is made a part of this document.
Investigation on 03/05/2010 at Campbell, California (via facsimile)
File # 288A-SF-145486-GJ [illegible]   Date dictated NA
by SA [redacted]
b6b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
* If not applicable, enter "none".
This subpoena is issued on application of the United States of America
JOSEPH P. RUSSONIELLO, United States Attorney
March 3, 2010
U.S. MAGISTRATE JUDGE OR CLERK OF COURT
RICHARD W. WIEKING
This subpoena shall remain in effect until you are granted leave to depart by the court or by an officer acting on behalf of the court.
[X] Please see additional information on reverse.
Compliance with this subpoena will be deemed satisfactory when you provide all the materials to the agent serving this subpoena and no appearance will be necessary.
-See Attachment-
YOU ARE ALSO COMMANDED to bring with you the following document(s) or object(s):*
DATE AND TIME
March 17, 2010 at 9:30 am
COURTROOM
As directed by the court
PLACE
United States District Court, 280 South First Street, San Jose, CA 95113
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date and time specified below.
OJ 09-1 2009R02026
AO110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
b3b6b7C
AO110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
RETURN OF SERVICE (1)
RECEIVED BY SERVER: DATE [illegible]  PLACE [illegible]
SERVED: DATE [illegible]  PLACE [illegible]
SERVED ON (PRINT NAME)
SERVED BY (PRINT NAME)   TITLE [illegible]
STATEMENT OF SERVICE FEES
TRAVEL / SERVICES / TOTAL
DECLARATION OF SERVER (2)
I declare under penalty of perjury under the laws of the United States of America that the foregoing information contained in the Return of Service and Statement of Service Fees is true and correct.
Executed on [illegible] (DATE)
ADDRESS OF SERVER: [illegible]
ADDITIONAL INFORMATION: [illegible]
(1) As to who may serve a subpoena and the manner of its service see Rule 17(d), Federal Rules of Criminal Procedure, or Rule 45(c), Federal Rules of Civil Procedure.
(2) "Fees and mileage need not be tendered to the witness upon service of a subpoena issued on behalf of the United States or an officer or agency thereof (Rule 45(c), Federal Rules of Civil Procedure; Rule 17(d), Federal Rules of Criminal Procedure) or on behalf of certain indigent parties and criminal defendants who are unable to pay such costs (28 USC 1825, Rule 17(b) Federal Rules of Criminal Procedure)".
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 03/31/2010
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
On March 29, 2010, Special Agent [redacted] received via U.S. Postal Service a response to a Grand Jury subpoena from
b3
b6b7C
Investigation on 03/29/2010 at Campbell, California
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 11/22/2010
GRAND JURY MATERIAL - DISSEMINATE PURSUANT TO RULE 6(e)
b3b6b7C
served
b3b6b7C
A copy of the abovementioned Grand Jury Subpoena has been attached and is made a part of this document.
Investigation on 11/22/2010 at Campbell, California (via facsimile)
File # 288A-SF-145486-GJ [illegible]   Date dictated NA
by SA [redacted]
b6b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
* If not applicable, enter "none".
sSist~a. ttorney.150 Almaden Blvd., Suite 9 0 l-/San Jose, CA 95113 (408) 5 - 61Special Agent Melanie Adam, 1(408) 369-8900
This subpoena is issued on application of the United States of America
MELINDA HAAG, United States Attorney
PHONE NUMBER OF ASSISTANT U.S. ATTORNEY
November 22, 2010
U.S. MAGISTRATE JUDGE OR CLERK OF COURT
RICHARD W. WIEKING
[X] Please see additional information on reverse.
Compliance with this subpoena will be deemed satisfactory when you provide all the materials to the agent serving this subpoena. No appearance will be necessary.
-See Attachment-
YOU ARE ALSO COMMANDED to bring with you the following document(s) or object(s):*
DATE AND TIME
December 8, 2010 at 9:30 am
COURTROOM
As directed by the court
PLACE
United States District Court, 280 South First Street, San Jose, CA 95113
YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date and time specified below.
OJ 09-1 2009R02026
AO110 (Rev. 12/89) Subpoena to Testify Before Grand Jury
b3b6b7C
RETURN OF SERVICE (1)
RECEIVED BY SERVER: DATE [illegible]  PLACE [illegible]
SERVED: DATE [illegible]  PLACE [illegible]
SERVED ON (PRINT NAME)
SERVED BY (PRINT NAME)   TITLE [illegible]
STATEMENT OF SERVICE FEES
TRAVEL / SERVICES / TOTAL
DECLARATION OF SERVER (2)
I declare under penalty of perjury under the laws of the United States of America that the foregoing information contained in the Return of Service and Statement of Service Fees is true and correct.
Executed on [illegible] (DATE)   [illegible] (SIGNATURE OF SERVER)
ADDRESS OF SERVER: [illegible]
ADDITIONAL INFORMATION: [illegible]
(1) As to who may serve a subpoena and the manner of its service see Rule 17(d), Federal Rules of Criminal Procedure, or Rule 45(c), Federal Rules of Civil Procedure.
(2) "Fees and mileage need not be tendered to the witness upon service of a subpoena issued on behalf of the United States or an officer or agency thereof (Rule 45(c), Federal Rules of Civil Procedure; Rule 17(d), Federal Rules of Criminal Procedure) or on behalf of certain indigent parties and criminal defendants who are unable to pay such costs (28 USC 1825, Rule 17(b) Federal Rules of Criminal Procedure)".
Case Agent: ~~~=~-r'-fSRC Code:..Q!:L '_~-=---=~"'""MCPI Codes:;_~~~_:"::::i=-+Assess PIIDENTITYTHDATE:,__ .1.=-..l-l.---lo.!::::;"_ __
ACS and [redacted] searches on the term [redacted] resulted in a hit on case 288A-AT-99196, serial [redacted]. This serial is an FD-302 of a 2006 interview of [redacted] at his residence in [redacted] in which he [redacted]. The information provided the following:
Name: [redacted]
b6b7Cb7Db7E
Details: On 11/08/2011 a CHS provided writer with a CD containing [redacted]
Synopsis: To open case and GJ subfile.
Title: [redacted]; ANTISEC; TEXAS COMMISSION ON JAIL STANDARDS (TCJS.STATE.TX.US) - VICTIM; COMPUTER INTRUSIONS - CRIMINAL MATTERS
b6b7C
Approved By: [redacted]
Drafted By: [redacted]
Case ID #: 288A-SA~ (Pending) I""""1~-SA-58304-K (Pending)- 2)~~IDf_Pr "!>A"'(P3f.Uia ...~:r- ,
From: San Antonio
Cyber C-4
Contact: SA [redacted]
Attn: Victim-Witness Coordinator
Attn: SSAICCU-~2~------------~
To: Cyber
Date: 1/17/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
(Rev. 05-01-2008)
b6b7C
2
UNCLASSIFIED
It is requested that the case and Grand Jury subfile be opened.
To: San Antonio  From: San Antonio
Re: 288A-SA-63452, 02/09/2012
UNCLASSIFIED
b6b7C
GIVE SHORT SYNOPSIS OF CASE: Subject of case is involved in computer hacking with the Anonymous group. Subject conducted unauthorized activity against www.tcjs.tx.us as part of a computer intrusion attack against the site.
IS THIS A SENSITIVE CASE? N
ARE THERE ANY VICTIMS IN THIS CASE? Yes  IF SO, WHOM? Texas Commission on Jail Standards website at www.tcjs.tx.us
IF THIS IS A BANK FRAUD CASE, IS THERE A PROGRAM AGENCY INVOLVED? (i.e., Comptroller of the Currency, FDIC, etc.) IF SO, LIST AGENCY AND THEIR FILE NUMBER: n/a
And LIST COUNSEL'S NAME AND ADDRESS: NA
DOES SUBJECT HAVE COUNSEL? Unknown
IF YES, CIRCLE ONE: FEDERAL DEFENDER / APPOINTED / RETAINED / PRO SE
IN WHAT COUNTY OR COUNTIES DID THE CRIME OCCUR? [redacted] county
ESTIMATED DOLLAR LOSS: none
ANTICIPATED CHARGES: Title 18 USC 1030, Title 18 USC 2261A(2)(A)
(LIST LEAD CHARGE FIRST)
Any other agency involved:
AGENT/AGENCY:
AGENCY CASE #:
IS THIS A SINGLE AGENCY, SHARED AGENCY OR TASK FORCE CASE? LIST ALL:
COUNTRY OF CITIZENSHIP: USA
IMMIGRANT STATUS: NON-RESIDENT / UNDOCUMENTED / LEGAL PERMANENT RESIDENT / VALID VISA
ARREST DATE: na
ID#:
SEX: M  DOB: [redacted]  SSN: [redacted]
ADDRESS: [redacted]
NAME & AKA'S OF SUBJECT: I. Antisec
INFORMATION NEEDED FROM AGENT FOR COMPLETION OF CRIMINAL OPENING FORMS:
(Complete one form for each defendant)
b6b7C
AGENT/AGENCY: FBI
AGENCY CASE #: 288A-SA-63452
b6b7C
b7D
UNCLASSIFIED
Due to the amount, and frequency, of the data, it is not possible to provide timely updates to the affected FBI field offices and law enforcement agencies while also addressing current CIP National Security and CIP Criminal case load.
It is anticipated that SOS [redacted] assistance will consist of reading email, watching videos, and conducting online research regarding CIP Criminal hacktivism. SOS [redacted] assistance is requested to assist C-4 Cyber in mitigating hacktivism threats which are presently ongoing in FBI San Antonio's AOR and in other FBI Field Office AORs. CHS reporting is arriving daily, but becomes stale if not utilized immediately to assist in preventing or responding to CIP Criminal Hacktivism threats. The duration of the captioned case is unknown and will be commensurate with the operational life of the CHS.
Details: Writer requests SOS [redacted] assistance due to the overwhelming amount of time-sensitive data being provided by a CHS. This data often contains
Without SOS [redacted] assistance, there is a substantial risk of losing valuable information being provided by the CHS into CIP Criminal Hacktivism threats and the ability to mitigate these threats in a timely manner through prevention of attacks or mitigation of known or attempted intrusions.
To: San Antonio  From: San Antonio
Re: 288A-SA-63452, 02/27/2012
UNCLASSIFIED
2
b6b7C
UNCLASSIFIED
To: San Antonio  From: San Antonio
Re: 288A-SA-63452, 02/27/2012
LEAD(s):
Set Lead 1: (Action)
SAN ANTONIO
AT SAN ANTONIO, TEXAS
Please assign SOS [redacted] to captioned matter.
UNCLASSIFIED
3
UNCLASSIFIED
The subject of the investigation [redacted] was identified through [redacted]. The owners of www.lcso.org and www.pbso.org were notified of trespasser activity against their sites.
Details: To date, during the course of this investigation, writer has accomplished numerous achievements.
Pertinent to this lead is the fact that [redacted] was the subject of [redacted]
[redacted] See case 288A-AT-99196 for further information. Please be aware that [redacted] may be [redacted]
appears to be currently
The subject's full name is [redacted] DOB: [redacted] SSAN: [redacted] possible cellular telephone number
[redacted] last known address: [redacted] This residence is [redacted]
primary residence. Other possible residents at that location may be [redacted]
to reside in
confirmation of the location of [redacted] of this captioned case. [redacted] is believed
To: San Francisco  From: San Antonio
Re: 288A-SA-63452, 04/11/2012
UNCLASSIFIED
UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE
3
b6b7C
AT SAN JOSE, CALIFORNIA
SAN FRANCISCO
Set Lead 1: (Action)
LEAD(s):
To: San Francisco  From: San Antonio
Re: 288A-SA-63452, 04/11/2012
UNCLASSIFIED
Please determine the current residence of [redacted] and determine whether he currently is [redacted]. Please include information on any electronic equipment that may be observed in subject's possession.
To: San Antonio  From: San Antonio
Re: 288A-SA-63452, 02/0[illegible]/2014
UNCLASSIFIED
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b6b7C
Details: San Antonio CI-1 received aSA-63452 serial #14 lead #3. Special [redacted] and Staff Operations Specialist (SOS) conducted logical investigation of e-mail addresses. To date, FBI San Antonio CI-1 has exhausted all investigative resources and no priority threats to national security warranting further investigation were identified. In the event additional derogatory information is discovered, FBI San Antonio CI-1 will consider opening an investigation. FBI San Antonio CI-1 considers this lead covered.
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(Rev. 05-01-2008)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
C-4 for information only. Read and clear.
AT SAN ANTONIO, TX
SAN ANTONIO
Set Lead 1: (Info)
LEAD(s):
To: San Antonio  From: San Antonio
Re: 288A-SA-63452, 05/03/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2
UNCLASSIFIED
Upon locating the subject, whether online or physically, writer will use all means available to observe the online activity, especially the IP addresses used, by the subject. It is anticipated that this will enable writer to link past known attacks to the subject beyond a reasonable doubt.
Synopsis: Case update and investigative plan.
Title: [redacted] aka [redacted]; ANTISEC; TEXAS COMMISSION ON JAIL STANDARDS (TCJS.STATE.TX.US) - VICTIM; COMPUTER INTRUSIONS - CRIMINAL MATTERS
b6b7C
Case ID #: 288A-SA-63452 (Pending)
Drafted By:
From: San Antonio
Cyber C-4
Contact: SA [redacted]
Approved By:
To: San Antonio
Date: 05/25/2012
Precedence: PRIORITY
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
(Rev. 05-01-2008)
b7D
Details: Writer currently has no CHS coverage of the subject of the captioned case and no more open-source leads. A lead was sent to [redacted] RA, [redacted] Division, to attempt to physically locate subject at his last known physical address. To date, [redacted] RA has been unable to locate the subject.
[redacted] RA has a CHS that may be able to gain access to the subject online and writer has requested that this be attempted. Writer has also requested [redacted] RA to continue to attempt to locate the subject. Writer will work with [redacted] to provide any needed information or Grand Jury subpoenas.
b6b7C
b7D
b6b7Cb7D
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/31/2012
On May 31, 2012, an employment request was faxed to the State of [redacted] Employment Development Department (EDD), via facsimile number [redacted]. The request asked for employment information from 01/01/2010 through present for the following individual:
Name:
DOB:
SSAN:
Attached and made a part of this document is a copy of the request faxed to EDD.
Investigation on 05/31/2012 at [redacted]
File # 288A-SA-63452/lq
Date dictated not dictated
by SA [redacted]
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
U.S. Department of Justice
Federal Bureau of Investigation
In Reply, Please Refer to File No. 288A-SA-63452
May 31, 2012
Attention: To Whom It May Concern
Re: Employment for [redacted]
b6b7C
Dear State of [redacted] Employment Development Department:
Please provide employment information from 01/01/2010 through present for the following individual:
b7D
Name:
DOB:
SSAN:
Sincerely yours,
Special Agent
b6b7C
UNCLASSIFIED
b7D
Synopsis: To claim statistical accomplishment.
Details: On 6/7/2012, an IIR (number [redacted]) was published based on CHS [redacted] reporting. The subject of the IIR was (U//FOUO) Identification of Internet Relay Chat (IRC) Channels Used by Anonymous Members, as of [redacted]