Email Security

Messy Breakups: A History of Hacker Relationships Gone Bad

Natalie Petitto

February 14, 2022

20 min

The rise of sophisticated cybercriminal organizations such as Wizard Spider and LockBit are creating havoc for businesses around the world. They are professional, organized, and actively recruiting new members. But what happens when these criminals turn on one another? In the spirit of Valentine’s Day, let’s look at some high-profile hacker relationships and the messy breakups that ensued.

The canary on the docks

Hector Xavier Monsegur, cofounder of cybercrime gang LulzSec, faced a 21 to 26 year prison sentence for hacking conspiracy and other charges. During the criminal investigation, Monsegur confessed to cybercrimes against a number of large, high-profile targets, including Sony, Fox Television, PBS, and Nintendo. According to US officials, the cyberattacks cost victim companies tens of millions of dollars.

Monsegur confessed to his crimes and immediately agreed to cooperate with the United States Federal Bureau of Investigation (FBI).

Over the course of several months, Monsegur worked as an informant for the FBI, “disrupting up to 300 cyberattacks on high-profile and international targets,” according to The New York Times. When Monsegur’s sentencing was repeatedly delayed, it became clear to his previous crime family that Monsegur had turned on them.

Dubbed “Tweety Bird” by his criminal co-conspirators, Monsegur was reportedly harassed and threatened by some in the cybercrime community, forcing the government to relocate Monsegur and his family to a safe location. A t-shirt featuring cartoon character Tweety Bird made the rounds online, and several hackers who were arrested as a result of Monsegur’s cooperation with the FBI accused Monsegur of entrapment.

Monsegur walked away from a life of crime and avoided prison. His former friends did not fare as well. Eight co-conspirators were arrested, thanks to Monsegur’s cooperation with the FBI, including Jeremy Hammond, who received a 10-year prison sentence.

“Anonymous,” Monsegur’s previous crime family, did not take the breakup well: “We will never forgive,” an anonymous poster said, “and we will never forget until every Anon is free.”

The master of social engineering

“When someone trusts you, they let their guard down.” These are the infamous words of Albert Gonzales, criminal hacker turned informant. Arrested in 2003 in a bank lobby while cashing out a stack of programmed blank debit cards, Gonzales has the distinction of turning on his fellow hackers to become a United States Secret Service informant, only to turn on the Secret Service and continue his crime spree while working as an informant.

According to a report by The New York Times, Gonzales was part of the cybercrime group Shadowcrew, dubbed by a federal prosecutor as “an eBay, Monster.com and MySpace for cybercrime” in the early 2000s. Like the ransomware gangs of today, Shadowcrew sold products, including stolen card numbers and card embossers, as well as services, including tips on executing email scams and intel on vulnerable companies.

Like Monsegur, Gonzales betrayed his criminal partners, becoming a paid informant for the Secret Service. Known as Operation Firewall, Gonzales’s work as an informant with the Secret Service included convincing Shadowcrew users to communicate through a VPN designed by the US government. In the ultimate betrayal, Gonzales assembled a group of Shadowcrew users in a group chat, during which time Secret Service agents rounded them up one by one. Twenty-eight arrests were made, resulting in 19 criminal indictments.

If the Secret Service believed that Gonzales could be loyal to them, they were wrong. While working as an informant, Gonzales played the field. He continued his relationship with his criminal partners and masterminded the hacking of several high-profile companies, including BJs Wholesales Club, Barnes & Noble, Target, and more.

His crimes while working as in informant eventually caught up with him, and Gonzales was arrested. At Gonzales’s sentencing hearing, the judge called Gonzales a two-timer. “I’m guilty of not only exploiting computer networks but exploiting personal relationships,” Gonzales said at the hearing, “particularly one that I had with a certain government agency who believed in me.”

Partners in crime

While Monsegur and Gonzales belonged to the top cybercrime groups of the past, new groups with equally and, in some cases, even more sophisticated organizational structures, are stalking businesses around the world.

Wizard Spider, the group behind Conti ransomware, previously known as Ryuk, and most recently, for the devastating ransomware attack on the Irish Health Service (HSE), is one such sophisticated gang. Possibly bankrolled by the Russian government, Wizard Spider engages in big game hunting campaigns, targeting high-profile entities in mission critical industries, including healthcare and utilities.

LockBit, the ransomware-as-a-service (RaaS) provider group previously known as ABCD, operates much like a traditional business, marketing its services on the dark web and offering an affiliate program complete with partner benefits.

LockBit is part of a ransomware cartel headed by ransomware group Maze. Inviting LockBit into its cartel reveals Maze’s sophistication compared to other cybercriminal groups. Rather than being potentially eaten by a competitor, Maze chose to partner with them.

While these partnerships may seem like a smart business choice that benefits all the associated hackers in the long-term, the fact is that these businesses are owned and operated by criminals. Their clientele? Criminals. Suffice to say, the prospect that these individuals will remain loyal to one another when the door is kicked in is laughable at best.

Avoiding toxic relationships

Businesses cannot afford to wait for groups like Wizard Spider and LockBit to be dismantled by law enforcement and for hackers to turn against each other. In many cases, even groups that are forced to split eventually rekindle their relationships, including, most recently, Emotet, which was forcibly shut down in an international sting in 2021, only to reemerge later that year.

Battling these organizations requires understanding what you’re up against. Gone are the days of hooded, lone hackers sending out mass waves of clumsy phishing emails in their basements.

Today’s cybercrime groups have organizational structures that resemble legitimate businesses. They have affiliate partners buying, using, and selling their products. They employ a staff of gifted, criminal engineers who steal, spy, extort, intimidate, and reverse engineer. They have powerful investors. They are targeting businesses of every size and in every industry.

Fortifying your business against these individuals will be a monumental task, and ransomware prevention requires a company-wide commitment, from the c-suite to the IT department to the end users entrusted with your hardware and systems. Finally, think like the enemy: When their backs are against the wall, cybercriminals are concerned with only one thing: self-preservation. It’s time for businesses to follow suit.