The most interesting thing about Tuesday's news that the prominent Anonymous hacker known as Sabu had been cooperating with the FBI was that his true identity was no surprise.
Since late June of 2011, after his initial arrest and just about when his LulzSec crew ended its seven-week hacking campaign, Sabu had been thought to be a New York man of Puerto Rican ancestry with leftist leanings. (The original Sabu was a wrestler popular during the 1990s.)
Hector Xavier Monsegur — sometimes spelled as "Montsegur" — was one of two possible names for Sabu bandied about the Internet. The other name belonged to a Portuguese man who sold Monsegur a domain name years ago, and who was "outed" as Sabu at least once. (SecurityNewsDaily did not publish Monsegur's name before Tuesday and will not publish the Portuguese man's.)
In several online postings, enemies of Anonymous such as the patriotic hacker The Jester (@th3j35t3r on Twitter) and a group called the Web Ninjas identified Monsegur as Sabu, although The Jester later leaned toward the Portuguese name.
Members of Anonymous who try to stay secret "fail because they rely on each other to be effective," The Jester told SecurityNewsDaily in an online exchange. "This is the reason I work alone. I can't implicate anyone in my stuff, [and ] vice versa."
A untitled WordPress blog, which we'll call "Ceaxx" after its URL, was set up in August by parties unknown that correctly identified Sabu as Monsegur. It traced his Internet postings back to 2000, when he posted an impassioned rant about U.S. Navy bomb testing on the island of Vieques off Puerto Rico.
Ceaxx also linked to Xavier's Security Post, a well-written and informative blog that Monsegur apparently updated for about six months in 2006 under the alias "Xavier de Leon."
Both Ceaxx and an anonymous Pastebin posting on June 24, 2011, the day before LulzSec ceased its activities, gave Monsegur's primary email address as "compromise@gmail.com." A month later, a different Pastebin posting nailed Monsegur's full name, though it gave the address of a different public housing project, this one in East Harlem.
Monsegur's family was even profiled in the New York Times in October 2007 as part of a feature about people who had been barred from public housing for drug offenses. The Times story said Monsegur's father, also known as Hector Monsegur, and the elder Monsegur's sister had been caught and convicted of dealing heroin in 1997.
According to this week's media reports, the younger Monsegur continues to live in his grandmother's apartment in the Jacob Riis Houses on Avenue D in Manhattan's Alphabet City, along with younger siblings, his girlfriend and his girlfriend's two children.
Most convincing were the ownership records of the domain name "prvt.org," which the Portuguese man had sold to Monsegur. During a couple of public chat sessions with other Anonymous members, Sabu mentioned that he controlled the domain, which led his enemies to look up the domain records. On June 25 and 26, The Jester publicized his findings, which got Monsegur's name and address perfectly.
Despite Sabu's extraordinarily prolific Twitter feed, to which he continued to post until Monday, there appeared to be suspicions that he had flipped for the feds.
On Nov. 21, 2011, the Ceaxx blog, which had been inactive since August, named him as an informant.
"Over the past several months, all of the original LulzSec member except Sabu himself have been arrested. Even though Sabu has been publicly doxed [identified] and completely owned on several occasions," read the posting. "You may be asking yourself, why is he still free? The answer is Intel. The longer he is 'free' is the longer that the FBI and other LEAs [law enforcement agencies] can gather information on other hackers and move in for more arrests. Simple as that."
An FBI official confirmed to SecurityNewsDaily that the authorities had known Monsegur's name and address long before his arrest, but waited until they had enough evidence before knocking on his door.