The Man Who Went To War With Anonymous - And Lost

Aaron Barr was a signals intelligence officer specializing in analytics. As part of HBGary Federal, he came up with a plan to unmask the key leaders of Anonymous, the infamous hacker collective. People who worked with Aaron warned him that his data was sub-par, but the determined vet claimed he had a strong "gut feeling" that he was on the right track.

Hosted By

Ran Levi

Co-Founder @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 16 million downloads as of Nov 2023.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Reach out to me via ran@ranlevi.com.

The PowerPoint

Back when you were in school, did you ever get assigned a group project, then end up doing all of the work?

Among the vast troves of stolen documents published to Wikileaks, there’s a Powerpoint about Wikileaks itself, titled “The Wikileaks Threat.” It details what the organization is and what makes it so powerful, with an emphasis on details that don’t paint it in the best light: like Julian Assange’s alleged sex crimes, his “minion” supporters, and that it’s, quote, “NOT in a healthy position right now.” After a dozen slides, the presentation turns to what can be done to take Wikileaks down. Suggestions include:

“[A] media campaign to push the radical and reckless nature of Wikileaks activities. Sustained pressure. Does nothing for the fanatics, but creates concern and doubt amongst moderates.”

“Feed the fuel between the feuding groups. Disinformation. Create messages around actions to sabotage or discredit the opposing organization. Submit fake documents and then call out the error.”

“Cyber attacks against the infrastructure to get data on document submitters. This would kill the project.”

The presentation was co-authored by three government technology contractors: HBGary Federal, Berico Technologies, and Peter Thiel’s Palantir. But after researching this episode, it seems obvious that all the work in this group project was done by Aaron Barr.

Intro to Barr/HBGary

Barr’s a handsome guy: physically fit, tattoos, light brown eyes, a strong chin, and slicked back black hair colored with a tasteful amount of gray at the ends. He’s a vet, having completed only two semesters of college before joining up with the U.S. Navy in his youth. It was there that he developed his computer skills, as a signals intelligence officer specializing in analytics. In all, he had the kind of service career most soldiers could only dream of: deployed for a dozen years in countries like Japan, Spain, and all around Europe, when he wasn’t on warships. After retiring he got a job with the military contractor Northrop Grumman, then in 2009 a security consultant named Greg Hoglund recruited him to help found a government cybersecurity company, HBGary Federal.

As the journalist Parmy Olson describes in her book “We Are Anonymous” (a major source of research for this episode), Barr “relished” his new job. At one point during his first month, he couldn’t sleep for three nights in a row. He’d send emails to Hoglund in the middle of the night, his mind racing with new ideas for government contracts.

But even after a whole year, only one of those ideas was really making the company any money: the regular social media “training” sessions that Barr would host for corporate executives. For $25,000, he would teach you and your company how to gather information about people — quote, “specific techniques that can be used to target, collect, and exploit targets with laser focus,” end quote — through websites like Facebook, LinkedIn, and Twitter. And he was confident: at a conference hosted by the Department of Justice, he claimed that the techniques had a “100 percent success” rate.

In late 2010, his course caught the attention of a law firm, Hunton & Williams, which represented major organizations like the U.S. Chamber of Commerce and Bank of America. Some of their clients, it turned out, had a real interest in what Barr was claiming expertise in. Bank of America, for example, had reason to believe that the website Wikileaks was soon going to publish a large tranche of its sensitive and valuable data. Maybe social media sleuthing could help them catch these modern day cyber bank robbers? Barr put together some grand ideas for a counteroffensive and, before his presentation, he researched Hunton & Williams’ own staff, digging up whatever information he could find about them to prove the effectiveness of his approach. It didn’t work, though — the deal fell through.

With HBGary Federal nearing total failure, Barr needed a way to more effectively sell his message — to demonstrate how he could help clients gather real, valuable intelligence on important targets through social media. To prove himself. To save the company.

It was then, with little more to lose, that the cybersecurity gods answered his call. From the shadows, the perfect target for an Aaron Barr operation announced itself. And he started salivating.

Operation Payback

On December 8th, 2010, around 1,200 hackers worldwide charged up a program on their computers called the Low Orbit Ion Cannon. By using specific command line parameters, they each connected to a specific Internet Relay Chat (IRC) server. In doing so, they were effectively registering themselves to a botnet.

At that point, a leader coordinating the campaign began to send commands to the specific IRC channel everyone was connected to. The commands were designed to weaponize all of those users’ collective computing powers, sending massive amounts of traffic to servers belonging to Mastercard, Visa, and PayPal.

It was only the latest salvo in a broader, novel conflict between institutional powers and guerilla internet activists that began weeks earlier, when Wikileaks had published 251,287 U.S. diplomatic cables dating all the way back to 1966. “Cablegate,” as it was called, was like a cybersecurity terrorist attack, positioning Wikileaks as a clear enemy of the U.S. state. As a consequence, major payment companies lined up to block all channels for its funding. In retaliation, freedom of information absolutists around the web teamed up to teach those companies a lesson. “Operation Payback.” They combined forces via the Low Orbit Ion Cannon, then performed distributed denial of service attacks at such a scale as to temporarily shut down Mastercard’s and Visa’s websites, and slow down PayPal.

“We will fire at anything or anyone that tries to censor WikiLeaks, including multibillion-dollar companies such as PayPal,” the hackers who called themselves ‘Anonymous’ wrote online. “Twitter, you’re next for censoring #WikiLeaks discussion. The major shitstorm has begun.”

Barr’s Views

Aaron Barr once liked Wikileaks — when it released video of US gunships killing Reuters photographers in Iraq, for example, demonstrating the unjust carelessness of his military. But after Cablegate, the veteran changed his view. He expressed his feelings in emails with colleagues, reported later on by Ars Technica:

“Governments and corporations should have a right to protect secrets, senstive information that could be damage to their operations. I think these groups are also saying this should be free game as well and I disagree. Hence the 250,000 cables. WHich was bullshit… Society needs some people in the know and some people not.”

Besides Wikileaks, he took umbrage with the hackers who claimed to “defend” it.

“When they took down MasterCard do u think they thought alright win one for the small guy! The first thought through most of their malcontented minds was a rush of power. That’s not ideals.”

It’s not that he cared so much for corporations, Barr said, but that he saw through the hackers’ purported moral code, to their true motives.

“dude whos evil? US Gov? Wikileaks? Anonymous? Its all about power. The Wikileaks and Anonymous guys think they are doing the people justice by without much investigation or education exposing information or targeting organizations? BS. Its about trying to take power from others and give it to themeselves. I follow one law. Mine.”

And what was his law telling him now?

“These folks, these sheep believe that all information should be accessible. BS. And if they truly believe it then they should have no problem with me gathering information for public distribution.”

The Plan

He came up with a plan to stick it to the power-hungry hackers, and save his company at the same time. He would do what the almighty U.S. government couldn’t, and unmask Anonymous.

“I am going to focus on outing the major players of the anonymous group I think. Afterall – no secrets right? 🙂 We will see how far I get.”

He began to frequent the online chat rooms where Anonymous members hung out, using the handle “CogAnon.” As he explained to colleagues:

“I have developed a persona that is well accepted within their groups and want to use this and my real persona against each other to build up press for the talk.”

The talk he’s referring to would be in two months’ time, at a conference in San Francisco called “B-Sides.”

“I am going to tell a few key leaders under my persona, that I have been given information that a so called cyber security expert named Aaron Barr will be briefing the power of social media analysis and as part of the talk with be dissecting the Anonymous group as well as some critical infrastructure and government organizations I will prepare a press sheet for Karen to give to Darkreading a few days after I tell these folks under persona to legitimize the accusation. This will generate a big discussion in Anonymous chat channels, which are attended by the press.”

In case you didn’t follow, the idea was that as “CogAnon,” Aaron Barr would inform select members of Anonymous about an upcoming talk about them at a conference in San Francisco. (At this point, the talk wasn’t public knowledge.) Then he would inform the media, to get some buzz going. After that, surely, CogAnon would have earned the respect of his fellow hackers, for having found out about the talk in advance and warning the community. And once word spread in online hacker circles…

“This will then generate press about the talk, hopefully driving more people and more business to us. But it will also make us a target.”

Unmasking Anonymous

In online chat rooms, CogAnon was an eager, youthful new recruit. He used all the hacker lingo, like “leet speak,” the spelling of words using numbers and symbols. And he was ready to hack some corporations.

Meanwhile, in the real world, Aaron Barr was diligently documenting the hundreds of other hackers in these chat rooms. He observed which were most active and, in particular, what times of day those users would log off. When a user he was tracking went offline, he would quickly switch over to Facebook, where he’d friended dozens of people who’d expressed public support for Anonymous.

His idea was that if a particular Facebook account regularly came online at around the same time an Anonymous screen name went offline, it might demonstrate a link between a real person and an online persona. Like, if on Wednesday, Thursday, and Friday, a hacker named “RanLeviSuXXX” exited Anonymous chat rooms at 3:45, 3:56, and 7:30 PM GMT, and then Nate Nelson popped up online on Facebook a few minutes later each time, Barr would figure that Nate was probably RanLeviSuXXX.

And though hackers were less likely to publish lots of personal information online, most of them would at least leave some clues behind, allowing him to glean information about them and their networks.

“Hackers may not list the data, but hackers are people too so they associate with friends and family. Those friends and family can provide key indicators on the hacker without them releasing it…”

Pushback

The security expert who got paid tens of thousands of dollars to teach social media sleuthing to corporations was confident in his techniques. A programmer he worked with was the first person to really challenge him on it.

In one exchange from January 19th, 2011, for example, the programmer pushed back on Barr’s assumption that he could infer useful intelligence by comparing a Facebook user’s friends list to members of a Facebook group — for example, one which supports Anonymous.

Parts of the conversation that follows are redacted from public records.

Coder: No it won’t. It will tell you how mindless their friends are at clicking stupid shit that comes up on a friends page. especially when they first join facebook.

Barr: What? Yes it will. I am running throug analysis on the anonymous group right now and it definately would.

Coder: You keep assuming you’re right, and basing that assumption off of guilt by association.

Barr: Noooo….its about probabilty based on frequency…c’mon ur way smarter at math than me.

Coder: Right, which is why i know your numbers are too small to draw the conclusion but you don’t want to accept it. Your probability based on frequency right now is a gut feeling. Gut feelings are usually wrong.

The argument was triggered by Barr’s idea to connect Facebook users’ groups and friends lists, but it’s really a much broader debate. The programmer is trying to get Barr to understand that he just doesn’t have enough data, or good enough data, to be as confident as he is. That his entire methodology isn’t rigorous enough to draw any meaningful conclusions about real peoples’ connection with Anonymous.

Barr, who’s staked his career on this strategy, is obstinate.

Coder: Yeah, your gut feelings are awesome! Plus, scientifically proven that gut feelings are wrong by real scientist types.

Barr: On the gut feeling thing…dude I don’t just go by gut feeling…I spend hours doing analysis and come to conclusions that I know can be automated…so put the taco down and get to work!

Coder: I’m not doubting that you’re doing analysis. I’m doubting that statistically that analysis has any mathematical weight to back it. I put it at less than .1% chance that it’s right. You’re still working off of the idea that the data is accurate.
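As an added illustration (not from the episode, from HBGary, or from Barr’s own tooling), the log-off/log-on correlation described under “Unmasking Anonymous” and the programmer’s sample-size objection can both be put into a few lines of Python. The account names, login times, window size and login rates are constructed assumptions for this example, not data from the page.

```python
"""
Added illustration, not from the episode or HBGary. Models the method Barr
described (an IRC persona logs off, a Facebook account appears minutes later)
and then asks the programmer's question: with only a handful of observations,
how many UNRELATED accounts would pass the same test by chance?

Assumptions (constructed): times are minutes since midnight GMT, one IRC
log-off per observed day, and a "match" is an account that comes online
within `window` minutes after the log-off on every observed day.
"""
from typing import Dict, List, Set

# Constructed sample data. The persona "RanLeviSuXXX" logs off at
# 3:45 PM, 3:56 PM and 7:30 PM GMT on three days (as in the page's example).
SAMPLE_LOGOFFS: List[int] = [945, 956, 1170]

# Constructed Facebook login times per account, one inner list per day.
# "nate" is the intended match; "alice" is an innocent coincidence.
SAMPLE_LOGINS: Dict[str, List[List[int]]] = {
    "nate": [[950, 1200], [960], [1175]],
    "alice": [[949, 1300], [958, 1100], [1172]],
    "bob": [[940], [970], [1180]],
    "carol": [[952], [965], [1400]],
}


def match_personas(irc_logoffs: List[int],
                   facebook_logins: Dict[str, List[List[int]]],
                   window: int = 10) -> Set[str]:
    """Return every account that came online within `window` minutes after
    the persona's log-off on *all* observed days."""
    matches: Set[str] = set()
    for name, days in facebook_logins.items():
        if len(days) != len(irc_logoffs):
            continue  # incomplete observation, cannot evaluate
        if all(any(0 <= t - off <= window for t in logins)
               for off, logins in zip(irc_logoffs, days)):
            matches.add(name)
    return matches


def coincidence_probability(window: int, logins_per_day: int,
                            observations: int) -> float:
    """Probability that an unrelated account, logging in `logins_per_day`
    times at uniformly random minutes, lands inside the window after the
    log-off on every one of `observations` days (days treated as independent)."""
    miss_one = 1.0 - window / 1440.0            # one random login misses the window
    hit_day = 1.0 - miss_one ** logins_per_day  # at least one login hits it that day
    return hit_day ** observations


def expected_false_matches(candidates: int, window: int, logins_per_day: int,
                           observations: int) -> float:
    """Expected number of unrelated accounts among `candidates` that would
    pass the correlation test purely by chance."""
    return candidates * coincidence_probability(window, logins_per_day, observations)


if __name__ == "__main__":
    print("matches:", sorted(match_personas(SAMPLE_LOGOFFS, SAMPLE_LOGINS)))
    # 1000 pro-Anonymous Facebook friends, 6 logins/day, 10-minute window, 3 days
    print("expected false matches (1000 candidates):",
          round(expected_false_matches(1000, 10, 6, 3), 3))
    # a larger, more active pool: 20000 candidates logging in 20 times a day
    print("expected false matches (20000 active candidates):",
          round(expected_false_matches(20000, 10, 20, 3), 1))
```

With three observations the sample data already yields two equally good candidates, and the second calculation shows that in a large, active candidate pool dozens of innocent accounts would satisfy the same rule by chance.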

In another exchange, when Barr references his “advanced analytical techniques,” the programmer calls him out on it.

“You keep saying things about statistics and analytics but you haven’t given me one algorithm or SQL query statement.”

Barr wasn’t hearing it. “You just need to program as good as I analyze,” he told his programmer. The programmer later voiced his concerns to a different official at HBGary Federal:

“He’s on a bad path. He’s talking about his analytics and that he can prove things statistically but he hasn’t proven anything mathematically nor has he had any of his data vetted for accuracy, yet he keeps briefing people and giving interviews. It’s irresponsible to make claims/accusations based on a guess from his best gut feeling when he has even told me that he believes his gut, but more often than not it’s been proven wrong.”

Another colleague pleaded with Barr that, quote: “You could end up accusing a wrong person. Or you could further enrage the group. Or you could be wrong, and it blows up in your face, and HBGary’s face, publicly.” End quote.

Barr wouldn’t listen. On Friday, February 4th, 2011, the Financial Times published an exclusive story. Quote:

“An international investigation into cyberactivists who attacked businesses hostile to WikiLeaks is likely to yield arrests of senior members of the group after they left clues to their real identities on Facebook and in other electronic communications, it is claimed. [Aaron] Barr said he had collected information on the core leaders, including many of their real names, and that they could be arrested if law enforcement had the same data.”

Even some colleagues who had previously expressed concerns were now buzzing over the good press. “We should post this on the front page, throw out some tweets,” Hoglund wrote. “‘HBGary Federal sets a new bar as a private intelligence agency.’ The pun on bar is intended lol.” That same day, HBGary got a call from the FBI: they wanted to meet as soon as possible to discuss the findings.

But not everyone was swayed.

“I feel his arrogance is catching up to him again and that has never ended well…for any of us.”

The Meeting

On the evening Barr’s Financial Times puff piece was published, “Tflow,” a skilled but modest hacker, created a closed online chat room, and invited three people to join.

There was “Topiary,” a relatively unskilled hacker who had nonetheless become well known in the Anonymous community thanks to his cleverness and charisma.

Then there was Sabu, the cocky but talented one who usually spoke in street slang.

The oddest of the group was “Kayla,” a bubbly and whip smart hacker who claimed to be a 16-year-old girl. She even claimed Kayla was her real name. It was a kind of brag: that even if authorities knew her first name, they still wouldn’t figure out who she was.

None of the four members of this makeshift council knew one another’s identities, and a couple hadn’t even encountered one another before. But through their combined powers, Tflow hoped they could do something about this Aaron Barr guy.

Exactly how much of a threat he posed was unclear. In the Financial Times, he claimed to have uncovered personal information belonging to what he called a “core” ten or so members of Anonymous, plus other data mapping the group’s internal structure. If that were true, and Barr shared that information with the public and law enforcement — as seemed to be his intention — then Anonymous, and those few members in particular, would be in deep trouble.

The thing is: Anonymous really didn’t have any core leaders, or any kind of hierarchical structure. If Barr was wrong about that, was he wrong about the identities he uncovered? Would he be endangering innocent people? Or perhaps he’d stumbled into some right answers. They couldn’t take any chances.

Friday: Breach

Sabu, arguably the best hacker of the group, scanned the website belonging to HBGary Federal. He discovered that it was served by a third-party publishing system. That system had an obvious SQL injection vulnerability. It was trivial to exploit.

Inside of the company’s website, Sabu picked out three long alphanumeric strings associated with the email account passwords used by Aaron Barr and two other executives. They were MD5 hashes, which turn a password into an illegible fixed-length digest, though unsalted MD5 offers little resistance to cracking. Neither Sabu nor his colleagues could crack them, but after posting them to a specialty web forum, “hashkiller.com,” random hackers from around the web managed to do it in just a couple of hours’ time.

With Barr’s password, “kibafo33,” Sabu and his buddies had full access to his work email. Tflow — the organizer — downloaded to his own server everything Barr had ever sent or received, and compiled it all into a torrent file.

Meanwhile, like their own, personal TV show, the hackers watched in real time as Barr, Hoglund, and their equally unaware colleagues celebrated the good press from the Financial Times. And they scoured through Barr’s email history for equally entertaining nuggets of information.

It didn’t take long before they found some of Barr’s intel on their group: a PDF with a brief description of what Anonymous was, its history of cyberattacks, and some miscellaneous note taking. They figured out that Barr was using Facebook to try to identify hackers’ real identities, and the results demonstrated how that strategy was going. His list of usernames alongside real life identities didn’t seem so rigorous, it was clearly unfinished, and Sabu and his friends weren’t even acknowledged.

This whole time — while he was selling talks, picking fights, and bragging in the press — Aaron Barr had basically nothing.

With their identities secured, and a gold mine of access to exploit and data to leak, the only matter left to discuss was when to punish Aaron Barr, and how. The hackers debated with giddy schadenfreude.

Saturday: DDoS

What happened to Aaron Barr and HBGary Federal next isn’t disputed, though reports of the order and timing of events vary. Here’s the best we can do at reconstructing the timeline:

Barr’s Saturday began without any fanfare, quiet, as he hung out with his family and sent off a few work emails from his iPhone. He didn’t know that he was being well and thoroughly pwned, but he was smart enough to check HBGary Federal’s website. According to his account, he wasn’t actually surprised by what he found: a surge in traffic, exceeding what one could reasonably expect just from a positive article.

“Ddos!!! ******,” he wrote to his colleagues, promising to, quote, “take the gloves off.”

“They think all I know is their irc names!!!!! I know their real fing names. Karen I need u to help moderate me because I am getting angry. I am planning on releasing a few names of folks that were already arrested. This battle between us will help spur publicity anyway.”

In place of HBGary Federal’s website was a long note. “Now the Anonymous hand is bitch-slapping you in the face,” it read. “It would appear the security experts are not expertly secured.” It ended with the group’s motto:

We are Anonymous

We are Legion

We do not forgive

We do not forget

Expect us.

Barr logged into a fake Twitter account he used to track Anonymous, and reached out to “CommanderX,” a person he thought was central to what he envisioned as the group’s hierarchical structure, pleading:

“CommanderX. This is my research… I am not going to release names I am merely doing security research to prove the vulnerability of social media so please tell [redacted] and [redacted] or whoever else is hitting our site to stop.”

Here, though, Barr’s phony research failed him. “Uhhh… not my doing!” CommanderX replied. He wasn’t in charge of the attack because he wasn’t a leader of Anonymous, because Anonymous didn’t have leaders, whatever Barr had so confidently claimed in the press. CommanderX laughed it off.

“if it is some of your guys just want to make sure they don’t get too aggressive.”

CommanderX asked which website was being attacked, then replied ominously. Quote: “I warn you that your vulnerabilities are far more material. One look at your website locates all of your facilities. You might want to do something about that. Just being friendly.” End quote.

Super Bowl Sunday

The following day, February 6th, was Super Bowl Sunday. The hackers decided to start their day by having some fun.

It was around 8 in the morning on the east coast when CogAnon logged onto the “AnonOps” instant messaging channel. Quickly, he received a message. It was from the raconteur, Topiary. Evidently, there was an important Washington, D.C.-based mission in the works. “I take it from your host that you’re near where our target is,” Topiary wrote. Barr, not realizing that they’d connected him with his CogAnon account, wondered how Topiary knew that he was in the area.

“Be careful. He may get suspicious quickly,” a hacker wrote in a separate chat, where members of Anonymous gathered to laugh over Topiary’s gag. Another chimed in: “I’d laugh so hard if he sends an e-mail about this.” “Guys,” one member asked, “Is this really happening? Because this shit is awesome.”

They toyed with their prey until they grew bored. Then around midday, they decided it was time.

Barr was on his couch, wearing a t-shirt and jeans, when a thought crossed his mind: his iPhone hadn’t buzzed for a while. Usually it pinged constantly with new emails — especially, you’d figure, when his company was under attack by the world’s largest hacktivist collective.

He pulled out the phone and refreshed his inbox. “Cannot Get Mail.” Verify password.

Barr went into his Settings and re-entered his password, “kibafo33.” No luck. As Olson wrote, quote, “a tickling anxiety crawled up his back as he realized what this meant.” End quote.

He ran upstairs to his home office, sat at his laptop, opened up Facebook, and couldn’t log in. Twitter: no luck. Not Yahoo either. He was even locked out of his World of Warcraft account. It turned out that Sabu, for kicks, had tested kibafo33 on other websites, discovering that the so-called cybersecurity expert was using the same password for all of his accounts. So Sabu locked him out of all of them.

At the same time he was trying every possible means of getting into his accounts, Barr noticed that his WiFi router was lighting up like a Christmas tree. They were penetrating his home network.

“Something will be happening tonight,” Topiary wrote to CogAnon shortly thereafter, indicating that worse was to come. “How available are you throughout the evening?”

Though he didn’t yet know it, north of 40,000 of Aaron Barr’s emails were then being uploaded to the public torrents website Pirate Bay. The archive included not only embarrassing emails among colleagues, but nondisclosure agreements, classified documents, and other sensitive information relating to government agencies and multinational corporations. Soon, they would be available for public consumption.

During the Super Bowl, Barr logged into his now outed CogAnon account, and faced the wave of insults and derision. “Well Aaron,” Topiary added, “thanks for taking part in this little mini social test to see if you’d run to your company with ‘news’ about Anon. You did, we leeched it, we laughed.” He paused for a moment.

“Die in a fire. You’re done.”

Where They Are Now

In the hours and days that followed, Aaron Barr’s phone number, home address, and social security number were posted to social media. As Sabu had bragged to his fellow hackers, quote, “We have everything from his Social Security number, to his career in the military, to his clearances, to how many shits a day he takes.” End quote.

In the hours that followed came a flood of prank calls, an unsolicited pizza delivery, and a visit from two strangers. Someone tried to take pictures through his windows, and many online threatened him and even his children. Taking no chances, Barr and his wife packed suitcases, grabbed the kids, and temporarily left home.

Meanwhile, representatives of HBGary Federal entered Anonymous chat rooms and attempted to negotiate with their conquerors. Barr was working alone, they said. They couldn’t fire him because he owned part of the company.

It couldn’t have come at a worse time for HBGary Federal, really. In its dying embers, while Barr was attempting to save it with some press attention, the company was trying to sell itself for two million dollars. Following the attack, obviously, the buyers grew hesitant. A company representative told the Financial Times how, in all, the incident cost HBGary Federal, and its parent company HBGary, millions of dollars. “I wish it had been handled differently,” she lamented.

While HBGary Federal was slowly being put to rest, and its clients worked to pick up the pieces, those members of Anonymous who’d orchestrated the downfall rejoiced. But it wouldn’t be long before they, too, had their day. CommanderX, Tflow, Topiary, Kayla, and Sabu would all be arrested at various points between June and September, 2011.

Dedicated Malicious Life listeners will remember Sabu as Hector Monsegur, the Puerto Rican New Yorker who, as much as any Anonymous member can lead anything, effectively ran the famous LulzSec movement, which in a rush of 50 days attacked organizations from Sony to PBS to the CIA.

Topiary, Jake Davis, was just 18 years old when he spun a web for Aaron Barr, and frankly he didn’t look one day older than that. He did his hacking from a black leather gaming chair on the island of Yell, part of the Shetland Islands, an archipelago off the north-east coast of Scotland. Facing up to 10 years in prison in 2013, he only ended up serving 38 days.

Kayla — the teenage girl who liked to chat about teenage girl kinds of things, like her job at a salon, and her sidegig babysitting — was, creepily enough, a 24-year-old man named Ryan Ackroyd. A veteran of the British military, he lived in South Yorkshire. He was tried alongside his colleagues Topiary and Tflow, and ended up with the heftiest jail sentence of the bunch: 30 months.

Tflow was the real 16-year-old of the group. Born in Baghdad before moving to London at age five, Mustafa Al-Bassam would, even after his 20-month jail sentence, go on to earn a PhD, and make Forbes’ famous annual 30 Under 30 list in the technology category, for his contributions to uncovering government surveillance.

On the opposite end of the spectrum was CommanderX, a nearly 50-year-old man named Christopher Doyon. He used to describe himself as the leader of Anonymous, which may be why Barr thought that too. In fact, he was basically homeless. After posting bail he fled to Canada, and was only arrested in 2021, when a group of Mexican law enforcement agents dressed as civilians gained entry into the strange community where he was living in Mexico City.

And what of Aaron Barr? Following his public humiliation, two weeks after the conference where he’d once planned to unmask Anonymous, he resigned from HBGary Federal. He quickly picked up work as the Chief Data Officer of a new defense contractor, where he continued his work in social media analysis, authoring three patents and leading the development of a, quote, “unique social media analysis platform focused on providing context to content through innovative approaches to digital life pattern analysis.” End quote.

Never change, Aaron. Never change.