Hector Xavier Monsegur, the computer hacker known as Sabu, is flanked by his attorneys, Philip Weinstein and Peggy Cross-Goldenberg, as he arrives for sentencing in federal court on Tuesday. (AP/Seth Wenig)
Citing extraordinary cooperation in helping the government thwart hundreds of cyberattacks, Southern District Chief Judge Loretta Preska (See Profile) sentenced computer hacker Hector Xavier Monsegur to time served Tuesday.
Preska said Monsegur, who spent seven months behind bars after his June 2011 arrest, deserved a break because he quickly agreed to help investigators build cases against other hackers.
“Turning on a dime and doing good and not evil is the most important factor in this sentence,” Preska said.
Monsegur, 30, also known as “Sabu,” assured the judge he would never commit another crime, and apologized for hurting his family, friends, and victims of his hacking.
“I’m not the same person I was three years ago,” he said in court.
Monsegur pleaded guilty to 12 counts in August 2011, including conspiracy to engage in computer hacking and cyberattacks in 2010 and 2011 as part of the collective “Anonymous” to attack Visa, Mastercard and PayPal for refusing to process donations to Wikileaks and attack the computers of the governments of Tunisia, Algeria, Yemen and Zimbabwe.
Other allegations were based on Monsegur’s collaborations from December 2010 to May 2011 under the name “Internet Feds,” a group that hacked into the website of the Fine Gael political party in Ireland, the computer systems used by Fox Broadcasting (including confidential data of more than 70,000 potential contestants on the “X-Factor” show) and the security firm HBGary Inc. and HBGary Federal, where the group stole confidential data on some 80,000 user accounts.
Following the publicity from the earlier attacks, Monsegur and others formed the “LulzSec” groups in 2011, launching a number of major cyberattacks whose targets included PBS, Sony Pictures Entertainment and Bethesda Softworks, a video game company.
Monsegur’s bail was revoked in May 2012 because he made unauthorized online posts. He was held at the Metropolitan Correctional Center until December 2012, when he was released on bail.
Peggy Cross-Goldenberg and Philip Weinstein of Federal Defenders of New York represent Monsegur.
Cross-Goldenberg told the court that her client’s crimes, which include using stolen credit card information to pay personal bills and “leaving behind lighthearted calling cards” on the sites he and his cohorts hacked, showed “a level of immaturity.”
But Cross-Goldenberg said Monsegur immediately took full responsibility for his actions the day he was arrested, confessed to crimes that investigators didn’t know about and made the “heartfelt commitment to make up for his conduct.”
Monsegur, she said, dove in and worked around the clock to explore vulnerabilities in computer systems, including the water system of a major American city and the supply and distribution chain of an energy company in a foreign nation.
“Mr. Monsegur helped avoid over 300 intrusions,” she said, including ones aimed at the U.S. Congress and the federal courts, and “helped save millions if not billions of dollars.”
In March 2012, she said, Monsegur’s world became more dangerous, when the government took the unusual step of announcing his cooperation to the world. He was threatened by people who felt he betrayed the hacker movement, and his brother was physically assaulted.
“The publicity was dangerous,” she said, and all the time he was providing a “tremendous benefit” for the government, so he “has been punished in a way not contemplated by the guidelines.”
Assistant U.S. Attorney James Pastore, whom Monsegur hugged after sentencing, told Preska it was “difficult to fully quantify” the defendant’s cooperation. The prosecutor said Monsegur “averted potentially catastrophic problems with critical infrastructure” by identifying flaws in computer systems” and helped “unmask and prosecute a significant number” of criminal hackers.
Among those arrested with Monsegur’s assistance was Jeremy Hammond, who was sentenced to a 10-year prison term last year by Preska, who turned aside his claim that hacking was a form of civil disobedience.
“In his own words, Mr. Hammond had a stated goal of ‘creating maximum mayhem,’” she said.
Preska cited the words of both the defense and the prosecution when she discussed Monsegur’s three years of cooperation that uncovered both “substantial historical” revelations and efforts to have his followers or admirers send him additional information on vulnerable systems that he could pass on to the government.
Preska said his exposure to “all manner of danger” made the case “very, very unusual” and noted that the publicity surrounding his cooperation almost caused him to lose custody of his two young cousins.
The guidelines sentencing range was 259 to 317 months in prison, but the Probation Department in its presentence report recommended time served. Preska said the crimes to which Monsegur confessed—crimes of which the government was unaware—”substantially increased his range.”
Also increasing his sentencing range were some of the estimated damages, she said, some of which were “attributable to the vulnerabilities in the systems that were hacked.”
Preska closed the sentencing by praising Monsegur and expressing confidence that he would not be a repeat offender.
“You obviously have great skills,” she told him. “To deploy those skills for good would be a really good thing.”