British police announced today that they arrested a 19-year-old hacker in Scotland's isolated Shetland Islands who used the nickname "Topiary" online. Here's what we know about this core member of the hacking group Lulz Security, from interviews and leaked chat transcripts.
Topiary was the most visible member of the world's most visible hacking group. Earlier this year Lulz Security captivated the internet with a 50 day hacking spree in which they attacked the FBI, the CIA, and Sony, leaked tens of thousands of emails and passwords, boasting all the while on its massively popular Twitter account. Topiary was a LulzSec cofounder, the group's unofficial spokesman and aesthetic center. The last two were crucial roles in a group that relied as much on media savviness as hacking ability. He also helped fund LulzSec operations.
Topiary's history with members of LulzSec dates to before they adopted the catchy name and the cocky logo. Last February, he helped plan the hack of the security firm HBGary with future LulzSec members in a secret room on the chat network belonging to the hacktivist collective Anonymous. At the time, he was tentative about being associated with illegal hacking.
"I'm going to start saying, with future press, that I'm an observer/associate of Anon that agrees with Anonymous actions, rather than say I'm Anon… to avoid being raped by Feds," he said, according to leaked logs.
That didn't last long. Topiary vaulted into the spotlight a few days later when, as a member of Anonymous, he squared off with the Westboro Baptist Church in a webcast and hacked the Church's website live on-air. He became a favorite source of interviews for journalists, since he displayed a rare willingness to go "on voice"—something most hackers avoid for fear it will help in identifying them.
After LulzSec spun off from Anonymous, Topiary continued to act as unofficial spokesman while the group rose to fame with a series of increasingly-spectacular hacks. He ran Lulzsec's Twitter feed, and his style of swashbuckling, meme-inflected humor became the group's brand. A former Lulzsec insider tells us Topiary's skills at public relations greatly outweighed his hacking prowess. "We never see him do anything, no hacking or nothin," he said in an interview.
But Topiary was a skilled and reckless showman, happy to taunt and boast in his accent-tinted English then bask in the attention that resulted. He hosted a videochat victory party with about a dozen non-LulzSec friends the night the group hacked PBS and posted a fake story about Tupac, sharing links to hacked pages as they appeared, and making prank calls to what one person in attendance claimed was the White House situation room.
When police arrested a British teen for LulzSec-related hacking, he was defiant in an interview. "Worrying is for fools," he told us.
He's almost certainly worried now. While cracking jokes on Twitter isn't a crime, Topiary was apparently also involved in the illicit financing of LulzSec——servers and botnets don't come free. Topiary helped manage the group's donations via the cryptocurrency Bitcoin, and also apparently engaged in more old-fashioned schemes. Barrett Brown, a former Anonymous spokesman, shared a chat transcript in which Topiary approached him in June in an attempt to get him to help in laundering money for the operation:
[17:53] Barrett, if I were to need to register (hypothetically) a blank and extremely illicit but untraceable credit card in order to fund something equally illicit, would you (hypothetically) read me a 6-digit verification code if it were to be sent to your phone?
[17:54] lol no
[17:54] but Barrett!
[17:54] no more emails for you Barrett >:p
[17:55] you guys can figure out how to finance stuff without getting me involved
[17:55] okay I'm having the code sent to your phone now
[17:56] oh hey it worked
[17:57] * Topiary permanently links your number to the card's billing details
[18:01] your name is now Jenny R. Harper and you're from New York or something
(Brown said, despite Topiary's claim, he never got the code and has never been associated with LulzSec. "Randomly attacking people and taking overt joy in making problems for innocent people is nothing people can defend," he said.)
In recent days, as LulzSec disbanded then reformed, Topiary stepped back from the group. "I've been at this non-stop for a while, it's a big time-sink," he told the Guardian. "I just needed some air and a new page in the Anonymous/LulzSec era."
If it pans out, Topiary's arrest is the biggest blow yet to LulzSec and Anonymous, showing even the most senior members are vulnerable. Another core member, Tflow, was reportedly pinned as a 16-year-old British boy and arrested last week. Also last week, the FBI arrested 16 Anonymous suspects.
Topiary's once-voluble Twitter account was completely wiped on July 21st save one tweet. "You cannot arrest an idea."