The US Federal Bureau of Investigation said this afternoon that it had arrested a total of fourteen individuals thought to belong to the Anonymous hacking group, in connection with their alleged participation in a series of distributed denial-of-service attacks (DDoS) against PayPal last year.
The defendants, all of whom were in the 20s or early 30s, were arrested on no-bail arrest warrants in a series of raids in Alabama, California, Colorado, the District of Columbia, Massachusetts and five other states.
Two other individuals were also arrested today on what the FBI said were related cybercrime charges.
One of them, Scott Matthew Arciszewski, 21, was arrested in Florida on charges that he illegally accessed files from a website belonging to security organisation InfraGard last year, and then publicly posted information telling others how to break into the site.
The other indictment charged Lance Moore, 21, of stealing protected business information from an AT&T server in June this year, and posting it on a public file hosting site. The thousands of documents, applications and files that Moore is alleged to have stolen was later made publicly available by the LulzSec hacking group, the indictment alleges.
War on PayPal
According to the San Jose indictment, the 14 individuals who were arrested today were all members of Anonymous who conspired to attack PayPal last December in retaliation for its perceived opposition to WikiLeaks.
Soon after the whistleblower site started publicly releasing classified US State Department cables late last November, PayPal terminated an account that WikiLeaks had set up to collect donations, citing violations of its terms of service.
The move prompted a series of angry retaliatory DDoS attacks against PayPal by members of the Anonymous hacking collective. Similar attacks were carried out by Anonymous members against several other sites that were seen as opposing WikiLeaks.
The attacks, dubbed "Operation Avenge Assange," were coordinated by Anonymous using an open source tool called Low Orbit Ion Cannon, originally designed to perform penetration testing on enterprise networks.
The 14 individuals named in today's indictment have each been charged with intentionally causing damage to a protected computer and conspiracy. The conspiracy charge carries a maximum of five years in prison and a $250,000 (£155,000) fine, while the intentional damage charge carries a maximum penalty of 10 years in prison and a $500,000 (£310,000) charge, the FBI noted.
The individuals named in the San Jose indictment are Christopher Cooper, 23, Joshua Covelli, 26, Keith Downey, 26, Mercedes Haefer, 20, Donald Husband, 29, Vincent Kershaw, 27, Ethan Miles, 33, James Murphy, 36, Drew Phillips, 26, Jeffrey Puglisi, 28, Daniel Sullivan, 22, Tracy Valenzuela, 42 and Christopher Quang Vo, 22. One individual was unnamed.
Anonymous up in arms
The raids come amid a recent spike in activity by Anonymous. Just last week, members of the group claimed credit for breaking into computers belonging to military contractor Booz Allen Hamilton and exposing the email addresses and passwords of more than 90,000 military personnel.
Earlier this month, Anonymous was labelled a cyberterrorism group by the Arizona Department of Public Safety after members of the group repeatedly attacked Arizona police union websites to protest the state's tough immigration laws. ln December, Anonymous launched a series of DDoS attacks against several organisations, including PayPal and Amazon, to protest what it claimed were efforts to suppress whistleblower site WikiLeaks.
Today's FBI raids shouldn't come as a surprise, said Josh Shaul, CTO of Application Security. "They got a lot of people angry," he said. "When you play with fire you are going to get burned."
What is unusual, however, is that some Anonymous members appeared to have put little effort into concealing their tracks, he said. "It seems like these folks who got caught were brazen and careless about the way they went about their hacking activity."
Many of the recent attacks by Anonymous and splinter group LulzSec appear to be focused on embarrassing the victims, not about outright data theft or sabotage. Even so, "they are certainly going to want to make an example of anyone they can bring in," Shaul said.