Did WikiLeaks Hacker The Jester Pull Police Raid Hoax?

Thursday, December 02, 2010

Anthony M. Freed


Was The Jester (th3j35t3r) himself the instigator of reports that he had been the subject of a raid by law enforcement officials on Monday?

That seems likely to be the case.

On Tuesday evening I received a Twitter notification stating that "Jester (@th3j3st3r) is now following your tweets". It seemed strange to receive this notification since The Jester and I have been following one another on Twitter since early this year.

Then I noted that the account used a different spelling - a lower case "s" was used in place of the "5" used in The Jester's original Twitter account.

Upon visiting the new account I saw there were several Tweets, the first of which was the same as the last Tweet The Jester made on Sunday on his original account after launching a DoS attack on the WikiLeaks site:

www.wikileaks.org - TANGO DOWN - for attempting to endanger the lives of our troops, 'other assets' & foreign relations #wikileaks #fail

The second Tweet on the new account stated that The Jester had been raided:

Got raided Monday. More to come... All accounts are in jeopardy. Follow my new blog http://th3j35t3r.net and twitter @th3j3st3r @th3j35t3r

There were also several exchanges between the account owner and several other Tweeters.

The link to the "new blog" in the message went to a site that appeared to be a mirror of The Jester's WordPress blog, but with a few differences - the new site had a solicitation in the left hand column and link to donate funds supposedly for "attorney fees".

The new site also had the following blog entry:

So much for being quiet around here. The fire is starting to stir.. as many of you already are aware my door was kicked in and all of my equipment was seized. The weird thing is it was the local sheriffs office not the government. Hmmm..

In the mean time, my email and WordPress accounts are probably jeopardized so I decided to launch on my own server since nothing can be trusted at this time. I still have copies of all utilities, code, and web backups.

I am trying to raise money from my supporters for attorney fees. If I can raise the required $10k, I will release XerXes along with a port to Win32.

I will keep everyone posted as things start to unfold. I am not sure whats going to happen, no charges have been filed as of yet. Thanks for all your support! Don't forget, Follow the new ‘th3j35t3r‘ Twitter!

I then visited The Jester's WordPress blog and saw that it still had not been updated since September 17th, and The Jester's original Twitter account had not been updated since he had launched the attack against WikiLeaks on Sunday.

It did not take long for word to get around that The Jester may have been the subject of a search and seizure, with several re-Tweets and blog posts appearing on the matter, including on Infosec Island.

It also did not take long for several people to surmise that the accounts were probably created by an impostor, and that the whole thing was either a hoax or an elaborate scheme to capitalize on The Jester's notoriety for the WikiLeaks DoS attacks by scamming sympathizers with a solicitation for funds.

I kept checking all of the websites throughout the day Wednesday updating the information as it became available, and also made several attempts to contact The Jester via email, direct messages on Twitter, and Skype.

Wednesday afternoon, the mirror site had been edited; the solicitation for funds in the left hand column was removed. Also gone was the sentence from the blog post, "I am trying to raise money from my supporters for attorney fees. If I can raise the required $10k, I will release XerXes along with a port to Win32."

Several hours later, attempts to view the mirror site were met with a generic message stating that the website was unavailable. I assumed at first that the owner was getting nervous about the attention the "hoax" was garnering and decided to take the site down altogether.

Then early Wednesday evening The Jester finally made an appearance. He Tweeted on his original account that there was an impostor:

Jester The raid story = fabricated by the imposter (@th3j3st3r - www.th3j35t3r.net) to facilitate him capitalizing on the name, or to draw me out.

He also exchanged several direct messages via Twitter with one of my coworkers via our @InfosecIsland account confirming the notion that there was an impostor:

Jester @InfosecIsland wont forget your objective reporting sir. gonna have to 'darken again real soon' Came out to try to save this imposter.

I then revisited the mirror site only to find that the URL www.th3j35t3r.net was now being pointed to The Jester's WordPress blog, and it still is as of the writing of this article. This seemed highly suspicious to me and my colleagues.

When reviewing the chain of events, I noted that the second message on the "impostor" Twitter account contained "@" mentions of both the new Twitter account and The Jester's original account:

Got raided Monday. More to come... All accounts are in jeopardy. Follow my new blog http://th3j35t3r.net and twitter @th3j3st3r @th3j35t3r

I had to ask myself, why would an impostor in the midst of scamming The Jester's followers announce his actions to the "real" Jester by alerting him with an "@" mention in his Tweet?

Now all of the Tweets on The Jester's original Twitter account regarding the impostor have been deleted, and the last one showing is from Sunday's DoS attack on WikiLeaks.

I also began to wonder why The Jester, who I have had dozens of hours of instant message conversations with, did not seem to be very upset that someone was using his name to scam his fans.

The Jester was angry enough about militant Islamic recruiting for jihad to take down Taliban websites and the President of Iran's website, as well as several others, and he was also angry enough about the WikiLeaks disclosures to launch a DoS attack on their site.

He has been in several heated exchanges on multiple forums defending his use of the XerXeS DoS tool, and comes off as a genuinely passionate person who is not likely to take any guff from anyone.

So, why then was he not very peeved about the supposed impostor trying to use his name to social engineer money out of his followers?

Why is the URL of the mirror site pointed at his WordPress blog now, and all references to the events deleted except for the Tweets on the supposed impostor's Twitter account?

The Jester is willing to use the XerXes DoS tool against so many others, so why did he not use it against the impostor's website? Could it be that he did not want to DoS his own servers?

The logical conclusion might be that The Jester himself is most likely the perpetrator of the whole "police raid" hoax.

Although there is no concrete proof that this is the case, the weight of the available evidence leads me to believe personally that The Jester was behind the entire episode.

The Jester has many times thanked me for my objectivity in reporting on his exploits, and this article is also meant to be an objective piece.

I have made multiple attempts to contact The Jester since Sunday's DoS attack on WikiLeaks and since the "police raid" shenanigans began, and during his brief IM conversation with my coworker, but with no reply.

I invite The Jester to get in touch with me if he would like to offer some insight into why he seemed to take little offense at being the shill for a social engineering scheme, and explain why the supposed impostor's website is not being subject to XerXeS.

I would also like to know what he thinks about the supposed impostor's URL being directed to his WordPress blog now.

I also invite any of you who are following these events to chime in on the theory, or offer up one of your own.

Several interviews with The Jester, along with two videos he made for Infosec Island that demonstrate the XerXeS DoS attack in action, can all be found HERE.

Dan Dieterle: Man Anthony, this is becoming very crazy and convoluted. But maybe that is the goal.

Just a theory, but could be that "The Jester" is a cover for a US government hacker.

And the story pulls attention (and the negative press) away from a US government based attack and to a lone vigilante hacker.

Just a thought... :)

Derrick Buxton: Unlikely, The Jester does things that the government can't afford to be connected to, and we can see that we aren't the best at keeping secrets.

Dr Jones: Well, I think what is compounding the problem is rampant speculation. With all due respect to Mr. Freed. A good reporter reports. Mr. Freed seemed to delve into the fortuneteller world.

I think that we should all just calm down and let the facts present themselves.

Jester was correct in calling you out on your skills as a reporter (in this case) I enjoy your work, however, way too much conjecture and not enough fact. Even if your argument is that you are an analyst; it would be better to wait until you have some facts.

J J: Why are you even bothering to report on DoS attacks? Any nincompoop and his grandma could throw together a DoS tool very quickly. Further, it has been stated that the DoS attack on the Wikileaks site was fairly weak.
Finally, why do you waste your time following someone like Jester, who obviously doesn't have the technical skill to do anything of substance, as easily observed from his choice of attack methods?

Gerald Tucker: "The logical conclusion might be that The Jester himself is most likely the perpetrator of the whole "police raid" hoax.

Although there is no concrete proof that this is the case, the weight of the available evidence leads me to believe personally that The Jester was behind the entire episode."

Wow. Logical conclusion? That sounds like cheap attorney logic to me - pure speculation. Analyst or reporter, in either role you have failed miserably on this one, Mr. Freed.