By Joseph Menn and Jim Finkle
(Reuters) - Even as he urged tens of thousands of Twitter followers to rise up and attack government and law enforcement, the most wanted hacker on the planet was working for the FBI.
New Yorker Hector Xavier Monsegur, 28, was exposed on Tuesday as the person behind Sabu, the colorful leader of Lulz Security, a much-feared and talented offshoot of the cyber-activist group Anonymous.
Better known as LulzSec after its Twitter handle, the gang broke into computers at Sony Corp, an FBI-affiliated nonprofit agency in Atlanta, and a string of security companies with federal contracts. The group hacked the websites of Public Broadcasting Service (PBS) and Fox broadcasting, battered Arab government websites in support of regional uprisings, and for a time took requests from the public for targets.
Many hackers were stunned when they learned that Sabu had been arrested, given his technological skills and role as Lulz' de facto chief of security.
But details from court filings revealed something far more spectacular -- he had been cooperating with the Federal Bureau of Investigation since June 7.
"Anyone who trusted Sabu is going to be in a panic right now," said Jennifer Emick, a former Anonymous activist who began working against it when it started attacking the U.S. government. "Hard drives are being deleted."
Jake Davis, accused of being "Topiary," the most public face of Lulz, had been seized in late July, one of several arrests in Britain that followed Sabu's first encounter with the police.
Online chat rooms favored by Anonymous filled on Tuesday with bile and worry about who would be next. One member warned that Monsegur had better have good FBI bodyguards.
"There's some paranoia. There's a lot of hate being spewed," said Gregg Housh, a leader of Anonymous in its less criminal days and a regular correspondent of Sabu's.
Monsegur was born in New York, attended college and worked at various technology jobs. He displayed a rare combination of hacking talent, working-class sensibility and political conviction. In chats and Internet posts that gave Lulz unprecedented reach and popularity, he often seemed angry while Topiary was funny and irreverent.
In an interview with New Scientist, he said his first hacking for a cause was more than a decade ago when he interfered with communications during controversial U.S. Navy bombing exercises in Vieques, Puerto Rico.
He lived in a 14-story brick housing project overlooking the FDR Drive on Manhattan's Lower East Side. Neighbor Victor McCarty, 47, said Monsegur "never really came out of the building much. He always said he was busy on the computer."
On Tuesday, no one came to the apartment door, which was decorated with a faded sticker of the American flag.
Monsegur's anti-government hacking accelerated as federal investigators closed in. His tone became even more vitriolic after he was apprehended, possibly because the FBI wanted to flush out the most strident of his peers.
Monsegur was arrested in June on credit card fraud charges after Facebook was served with a warrant and turned over messages he had sent via the online social network.
He agreed to cooperate and secretly pleaded guilty on August 15 to some of the most serious Lulz crimes in exchange for the FBI seeking leniency for Monsegur at his sentencing, according to records unsealed on Tuesday.
U.S. prosecutors and the FBI announced charges against five other men on Tuesday: one in Chicago, two in Britain and two in Ireland.
"What this case shows is that the FBI is getting very effective in going after these groups," said Jerry Dixon, a former head of the Department of Homeland Security's National Cyber Security Division and director of analysis at Team Cymru, a cyber security research group.
"They are able to get members to turn in the others and peel back the onion and ferret out many more of the members."
So much hacking occurred with Sabu's encouragement after his arrest that the case has raised questions about what the government allowed in the interests of the investigation. An FBI spokeswoman declined to address the issue.
Monsegur's name had been circulating for months among security professionals and investigators.
Before his arrest, Sabu fretted in private chats that he would be tracked through a combination of his actions, nicknames and other digital crumbs he had left behind.
He urged colleagues to be careful and to wipe their computers and computers they hacked.
"There are many things hackers can do to hide their tracks, but they can rarely do everything," said Mark Rasch, a former cyber crimes prosecutor with the U.S. Justice Department now with CSC.
Lulz officially disbanded last year, merging back into Anonymous and Antisec, a loose affiliation of hackers targeting law enforcement and "white hat" security companies.
Anonymous veterans said they did not believe that Sabu's arrest and betrayal of his fellow hackers would end Antisec's activities.
"This is going to prompt a major response," said Barrett Brown, a past Anonymous spokesman who knew Monsegur and was interviewed by the FBI during a search on Tuesday.
The response on the Internet raged all day. "Last thing to say about Sabu, he's a traitor, a coward and a fiend," one Tweet said. "And unless he shows regret I will not feel bad if anything happens to him."
(Reporting By Joseph Menn in San Francisco, Jim Finkle in Boston and Aman Ali and Basil Katz in New York)
SUBSCRIBE AND FOLLOW
Get top stories and blog posts emailed to me each day. Newsletters may offer personalized content or advertisements.Learn more