Last week, while browsing the 2012 Cyber Attacks Timeline, I could not help noticing the huge number of cyber attacks that the collective @CabinCr3w carried out between January and February 2012 in the name of the so-called #OpPiggyBank. You will probably remember that most of those cyber attacks, made in combination with @ItsKahuna, targeted law enforcement agencies in support of the Occupy movements. The crew was not new to such actions (for instance, they doxed the Citigroup CEO in October 2011); in any case, I was impressed by their sudden peak and by their equally sudden disappearance in the second half of February.
A few clicks on Google were enough for me to come across an article on Threatpost that I had missed a couple of days before.
On March 20, federal authorities arrested Higinio Ochoa, AKA @Anonw0rmer, a resident of Texas accused of working for the hacking group CabinCr3w. He was taken into custody by FBI agents and charged with unauthorized access to a protected computer in a criminal complaint dated March 15, whose Offense Description indicates an “Unauthorized Access to a protected computer” committed in February 2012 in the County of Travis, District of Texas.
The rich résumé of the @CabinCr3w, part of which is listed in the Criminal Complaint, includes 10 cyber attacks carried out between January and February 2012, in particular one against the Texas Police Association, on February 1st 2012, and one against the Texas Department of Public Safety, on February 8th 2012. The latter, at least according to an alleged self-written memorial that W0rmer Higinio Ochoa allegedly posted on pastebin on Mar 30 2012, may be the one for which he was charged.
The list of the facts contained in the Criminal Complaint, and how the FBI combined them to identify Higinio Ochoa and link his real identity with the virtual identity of W0rmer, is a brilliant example of Open Source Intelligence, clearly summarized in this article by Ars Technica. Hard to believe for a hacker, who should be expected to clean every trace he leaves in cyberspace, is the fact that one of the main security concerns of a mobile device, the geo-tagging feature, was one of the elements which led investigators to Higinio Ochoa. By mining the EXIF data contained in a photo on the web page left after the defacement of the Texas Department of Public Safety (showing a woman in a bikini with the sign: “PwNd by w0rmer & cabincr3w”), the Feds were able to read the GPS coordinates embedded in the image, and consequently to establish that it had been taken with an iPhone 4 at a location in South VIC, Australia. By browsing Ochoa’s (inevitable) Facebook profile, the agents also learned that his girlfriend, Kylie Gardner, had graduated from a high school in Australia, the same country in which the first photo was shot.
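To make concrete what the investigators read out of that photo, here is an added example (my own code, not from the article, the complaint or anyone mentioned in it) that builds a constructed EXIF blob in the TIFF layout cameras use, extracts the device make/model and the GPS fix exactly as a forensic examiner or an OSINT tool would, and then strips the GPS IFD so the file can be published without the location. It is simplified on purpose: it handles only little-endian ("II") TIFF data and ignores the JPEG APP1 wrapper that real photos carry; the coordinates (37°48'S, 144°57'E) are constructed, not taken from any real image.

```python
import struct

# EXIF/TIFF field types and the tags used below (standard values)
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZES = {ASCII: 1, LONG: 4, RATIONAL: 8}
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_ifd(entries, ifd_offset):
    """Serialize one IFD placed at ifd_offset. entries: (tag, type, count, payload)."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    out, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:  # short values live inside the 4-byte value field
            out += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                  # longer values are stored after the IFD, by offset
            out += struct.pack("<HHII", tag, typ, count, data_start + len(data))
            data += payload
    return out + struct.pack("<I", 0) + data  # 0 = no next IFD


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: IFD0 with Make/Model plus a GPSInfo pointer to a GPS IFD."""
    rat = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    ifd0 = lambda gps_off: [
        (TAG_MAKE, ASCII, 6, b"Apple\0"),
        (TAG_MODEL, ASCII, 9, b"iPhone 4\0"),
        (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off)),
    ]
    gps_off = 8 + len(build_ifd(ifd0(0), 8))  # GPS IFD goes right after IFD0
    gps = build_ifd([
        (GPS_LAT_REF, ASCII, 2, lat_ref.encode() + b"\0"),
        (GPS_LAT, RATIONAL, 3, rat(lat_dms)),
        (GPS_LON_REF, ASCII, 2, lon_ref.encode() + b"\0"),
        (GPS_LON, RATIONAL, 3, rat(lon_dms)),
    ], gps_off)
    return b"II" + struct.pack("<HI", 42, 8) + build_ifd(ifd0(gps_off), 8) + gps


def parse_ifd(blob, offset):
    """Return ({tag: (type, count, raw_value)}, end offset of the IFD and its data)."""
    n = struct.unpack_from("<H", blob, offset)[0]
    end, entries = offset + 2 + 12 * n + 4, {}
    for i in range(n):
        tag, typ, count, inline = struct.unpack_from("<HHI4s", blob, offset + 2 + 12 * i)
        size = count * TYPE_SIZES[typ]
        if size <= 4:
            value = inline[:size]
        else:
            off = struct.unpack_from("<I", inline)[0]
            value, end = blob[off:off + size], max(end, off + size)
        entries[tag] = (typ, count, value)
    return entries, end


def dms_to_decimal(raw, ref):
    """Three EXIF RATIONALs (deg, min, sec) plus hemisphere letter -> signed degrees."""
    v = struct.unpack("<6I", raw)
    dec = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -dec if ref in ("S", "W") else dec


def extract_metadata(blob):
    """What an examiner reads out: device make/model and, if present, the GPS fix."""
    assert blob[:4] == b"II*\0", "example handles little-endian TIFF only"
    ifd0, _ = parse_ifd(blob, struct.unpack_from("<I", blob, 4)[0])
    text = lambda tag: ifd0[tag][2].rstrip(b"\0").decode() if tag in ifd0 else None
    info = {"make": text(TAG_MAKE), "model": text(TAG_MODEL), "gps": None}
    if TAG_GPS_IFD in ifd0:
        gps, _ = parse_ifd(blob, struct.unpack("<I", ifd0[TAG_GPS_IFD][2])[0])
        lat = dms_to_decimal(gps[GPS_LAT][2], gps[GPS_LAT_REF][2][:1].decode())
        lon = dms_to_decimal(gps[GPS_LON][2], gps[GPS_LON_REF][2][:1].decode())
        info["gps"] = (lat, lon)
    return info


def strip_gps(blob):
    """Drop the GPSInfo entry from IFD0 (keeping all offsets stable) and zero the GPS IFD."""
    ifd0_off = struct.unpack_from("<I", blob, 4)[0]
    n = struct.unpack_from("<H", blob, ifd0_off)[0]
    kept, gps_off = [], None
    for i in range(n):
        entry = blob[ifd0_off + 2 + 12 * i: ifd0_off + 14 + 12 * i]
        if struct.unpack_from("<H", entry)[0] == TAG_GPS_IFD:
            gps_off = struct.unpack_from("<I", entry, 8)[0]
        else:
            kept.append(entry)
    if gps_off is None:
        return blob  # nothing to strip
    out = bytearray(blob)
    next_ifd = blob[ifd0_off + 2 + 12 * n: ifd0_off + 6 + 12 * n]
    rebuilt = struct.pack("<H", len(kept)) + b"".join(kept) + next_ifd + b"\0" * 12
    out[ifd0_off:ifd0_off + len(rebuilt)] = rebuilt  # same length as the old IFD0
    _, gps_end = parse_ifd(blob, gps_off)
    out[gps_off:gps_end] = b"\0" * (gps_end - gps_off)  # unreferenced, but not left readable
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_exif([(37, 1), (48, 1), (0, 1)], "S", [(144, 1), (57, 1), (0, 1)], "E")
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(strip_gps(sample)))
```

Two design points worth noting: the stripped IFD0 is rebuilt at exactly its old length (one entry fewer, padded with zeros) so the Make/Model string offsets stay valid, and the now-unreferenced GPS IFD is overwritten rather than merely unlinked, since a carver reading raw bytes would otherwise still find the coordinates.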
Inevitably, this event has (too) many points in common with the affair of Sabu, the alleged leader of the infamous LulzSec collective, arrested by the Feds approximately a month before.
Both crews, LulzSec and CabinCr3w, targeted law enforcement agencies, and both crews met the same destiny: hit in the heart (or rather in the head) by the same law enforcement agencies they had mocked so deeply during their days of lulz.
But the points in common do not end here… Sabu was discovered to be acting as an FBI informant, and the above-quoted pastebin suggests that W0rmer did the same prior to his arrest:
Were you ever approached to be a confidential informant? Of course I was! Somebody such as myself who not only participated in the occupy movement but knew many and knew the inner workings of the “infamous” cabin crew would not be just put away without wondering if he could be turned. I did however tell FBI that I would participate in the capture of my fellow crew mates
Even so, it is not clear whether his cooperation was genuine. As a matter of fact, in the following sentence he refers to his role as an informant as a “play” which created confusion at the FBI:
a play which undoubtfully both satisfied and confused the FBI
Maybe this is the reason why the Twitter account of the CabinCr3w tweeted, on April 3:
(Curiously, it looks like this tweet has just disappeared, at 00:04 UTC+1.)
In any case, the court documents indicate that Ochoa first appeared in federal court for the Southern District of Texas on March 21 and was subsequently released on bail and forbidden to use a computer or smartphone; hence it is possible that the post on pastebin, which is dated March 31st, was not written directly by his hand.
Last but not least, there is a strange coincidence: W0rmer had a Twitter account with the nick @AnonW0rmer, which ceased to tweet on March 20th (@ItsKahuna ceased to tweet on March 23rd, while @CabinCr3w is the only one still active). Guess what name is associated with the @AnonW0rmer account? FBI HaZ A File on ME. A dark omen or a dissimulation?