For some reason, despite the criminal prosecution, one of the two official Twitter accounts of NullCrew is still live as of this writing. The founders of NullCrew loved to depict themselves as ASCII Art aliens in their old-school-style ezine, FTS (Fuck The System), which made it to issue #5 before they began being arrested. (FTS Issue #5 is available at exploit-db.com
Time Warner - March 6, 2013
FTS2014 will give you a sense of the way these guys think. By the way, all of the Twitter accounts they claimed to be using in this magazine are still live today. ( @NullCrew_FTS, @siph0n_NC, and @zer0pwn)
Just had a talk with
@Bell_Support, this is going to be fun.
The 40,000+ userids and passwords, dumped from a database server, are still available online.
Orbit was primarily caught because there was a snitch within NullCrew. The snitch, described as a "CW" in the criminal complaint, or "Collaborating Witness", wanted to be able to tweet "officially" for NullCrew, and was granted permission to the shared Twitter account. Once the CW had access, they checked the login history and found an IP address in Morristown, TN. Charter Communications was able to provide a subscriber street address for the IP 184.108.40.206. This IP came up repeatedly in the course of the investigation, being used to plant a hacked .php page on a University server, regular accessing a shared hacking platform in Chicago and more in hacked business accesses.
My favorite story, however, was of the auto accident.
(Updated: the admins of siph0n.net contacted me to make clear that their site has no association with siph0n the NullCrew member. We've removed that portion of this article at their request.)
Getting to the Sentence
Part of the defendant's problem as sentencing approached was that Mr. French, who goes by the name "TJ" for "Timothy Justen", boasted over much about his association with many truly evil hackers over the years. TJ claimed, according to his pre-sentencing memo, did claim to be a member of Team Poison, but denied emphatically that he had been involved with the TeamPoison April 2012 hacks against NATO and the United Nations, and the August 2011 hacks against NASA. TeamPoison was run by Trick, aka Junaid Hussain, who was recently killed by a Hellfire Missile strike after becoming the leader of ISIS's hacking forces, and repeatedly hacking the Department of Defense.
Zer0pwn, one of the other arrested members of NullCrew, updated his Twitter profile to give as his description "victim of sabu's wrath" implying that perhaps Sabu was involved with their arrests.
Facing a possible seven year sentence, one of the things the defendant appealed to was the relatively lenient sentences for people who had performed similar crimes. TJ's attorney appeals to cases such as Nicholas Knight (from Team Digi7al) who confessed to hacking DHS, the National Geospatial Intelligence Agency, and assorted universities and businesses but was only sentenced to 24 months. He lists several other cases, but comes back to a 17-year old hacker who also received only 24 months, concluding:
"This 24-month sentence alone compels a sentence for TJ far below the government's asserted guideline range in order to avoid unwarranted disparities." (We wrote previously about how these "slap on the wrist" sentences were leading to others charging "unwarranted disparities" on behalf of their clients. See: "Hacking, Carding, SWATting and OCD: The Case of Mir Islam"
Several of my professional colleagues have commented that this sentence seems to hefty, but they were unaware of the extent of the damages to Bell Canada. While Null (the Quebec citizen) identified the breach potential, it was Mr. French that took that information and used it to rampage through the files of Bell.ca. "According to prosecutors, million of files were exfiltrated and 300,000 of them contained client information. At the time of the hack, Bell Canada said 22,421 login and password combinations along with five credit card numbers were exposed, but court documents indicate the number was smaller. Orbit later allegedly posted approximately 12,700 logins and passwords online and Tweeted a link to the data."