
Some info. about @Malicioustorm, @MalSec, @ShadowDXS

Apr 22nd, 2012
  1. I've had some friendly conversations with @Malicioustorm. (He had been introduced by Sabu as the Storm who was involved in Lulz Security, and most people seemed to assume that this was correct.) I was sad to see that on 4/14/12 @Malicioustorm deleted all 1,658 of his tweets.
  4. Then he continued tweeting (and sporadically deleting tweets) until 4/21/12, when he deleted all remaining tweets and tweeted "like a hurricane, I remain calm and detached while everything around me is ripped apart. I am storm, this is my departure... ~vale"
  6. I did some googling on variations of that phrase (as Google didn't find the exact phrase), and got to this page (warning: autoplays music, some NSFW (but nice) pics, and crashes my browser)
  8. (I highlighted the text because it was hard to see otherwise). "Like a hurricane, I remain calm and detached in the center while everything around me is ripped apart." This appears to be an original quote (or at least not otherwise online), as Google doesn't find references to it other than on this site and references to it.
  10. I did some more Googling and saw the name "Jordan" somewhere. (I wasn't keeping track of exactly what I did, sorry.) Google's cache says that where it currently says "I'm storm, I'm of age & I live some place dark" used to say "I'm Jordan, I'm 18 & I live in Daytona Beach"
  13. (Image for when Google cache changes: )
  15. I tweeted the above info., without drawing any conclusions or stating any opinions about it.
  17. @MalSec -- an account with which @Malicioustorm seems to be affiliated, although the exact relationship isn't clear -- replied, and I replied to them:
  21. @MalSec confirmed that LulzSec's logs "say the same thing" (I'll assume an IP address in the Daytona Beach area and/or a reference to the name Jordan).
  23. This confirms that either this information applies to @Malicioustorm, or it doesn't. And of course initially that sounds stupid and useless, until you consider the fact that if it *does,* it's almost certain that the FBI already picked up @Malicioustorm, probably quite some time ago. Which means that anyone who's been corresponding with that account has been under FBI surveillance, which I think is pretty significant.
  25. Does Daytona Beach, FL really have *that* many 18-year-olds named Jordan (or who've used the name Jordan) with a strong interest in Anonymous and hacking? Keep in mind that "Jordan" has probably shared other personal information about himself online. And once they've narrowed it down to a few suspects, they can get warrants for additional information to narrow it down further. As we've seen from recently-announced arrests, many hackers are not especially careful about hiding their identities.
  27. So there we were, me having helpfully pointed out that the information was either wrong or right.
  29. Upon which @MalSec promptly deleted their tweet.
  31. Wait, what?
  35. MalSec replied: !/MalSec/status/193789845867462656
  37. (Text in case they delete: "Multiple people run this account. Professionalism was thought to be valued more than correction. You'll see. @tmichaels1")
  39. And then this: !/MalSec/status/193792526946271235
  41. (Text in case they delete: "And a lulzy day it was indeed. Good read. @tmichaels1")
  43. The link expands to . What's this? Another reference to Daytona Beach, FL!
  45. From the article: "Two weeks ago, LulzSec tweeted [!/LulzSec/status/76360807209902080], “This is the guy that paid us to hack,” and pointed to the account of Branndon Pike, a 21-year-old from Daytona, Florida, who is a former Anonymous contributor. He told Fox News that LulzSec was pranking him because they were upset he had linked them to Anonymous."
  47. OK, now we have just a little more information than before. Either the Jordan/18/Daytona Beach information is wrong, or it's right, or @Malicioustorm (and possibly @MalSec, if that's what they were trying to draw my attention to) is trying to frame @ShadowDXS (but inexplicably using the name "Jordan" instead of "Branndon").
  49. I asked about this: !/tmichaels1/status/193798397789081601
  50. ("@MalSec Not sure what I'm looking for, but apparent @malicioustorm dox & @ShadowDXS (Branndon Pike, both Daytona, FL.")
  52. Prompting @ShadowDXS to chime in: !/ShadowDXS/status/193819046813241344
  54. ("@tmichaels1 @MalSec @Malicioustorm who the fuck is maliciousstorm or malsec and why is my name getting tossed in the mix?")
  56. I look at ShadowDXS's timeline. Yeah, he's never conversed with @MalSec or @Malicioustorm. Which actually seems a bit weird, because he's conversed with and about many of the other people involved in LulzSec and Anonymous. He doesn't know who (apparent) Storm is? Odd.
  58. But his next tweet is friendlier (!/ShadowDXS/status/193871214257766401), and contains a link to a chat log:
  59. Showing that ShadowDXS went into the #MalSec IRC and encountered Storm, who promptly acknowledged ShadowDXS and admitted that he's "the person i ripped off for my identity." Only the location though, which is what I'd asked about. And Shadow is like "kthxbai," and that's all settled, right?
  61. Wait, what?
  63. Storm was just hanging out in IRC despite being so concerned about something that he just deleted his whole Twitter? He volunteered that he'd stolen ShadowDXS's identity without even being asked about it? And specifically the location, nothing else (again without being prompted)? Would they even allow ShadowDXS in the #MalSec IRC when there's a history of enmity between them?
  65. I'm tentatively calling BS on the chat.
  67. So where are we now? OK, we know that there's a hacker named Branndon Pike a/k/a ShadowDXS (21 in June 2011) from Daytona Beach, FL who's angry at LulzSec participants.
  68. We also know that he's had FBI contact and many people think he's an informant, enough that he gets annoyed about it. !/ShadowDXS/status/155029670860034048
  69. It appears he's been thoroughly doxed and repeatedly insulted by various people. I'm not going to link to those as I haven't researched their accuracy and have nothing against him or his family members.
  71. We know that @Malicioustorm, an account promoted by Sabu after he became an informant, either *has* or *wants us to think he has* some connection to a website apparently owned by an 18-year-old Jordan from Daytona Beach, FL.
  73. We know that @MalSec (an account that started less than a month after Sabu's arrest was publicly announced) confirmed that the LulzSec chat logs (owned by FBI) also have information about a Jordan from Daytona Beach, FL. But they deleted this confirmation as soon as I asked about it.
  75. We know that ShadowDXS wants us to think that Malicioustorm ripped off ShadowDXS's identity.
  77. And we know nothing about what happened to the original Storm who actually participated in LulzSec. He was doxed, and NOT as a young Floridian. His collaborators were arrested. Either he wasn't arrested (which means he must be extraordinarily -- dare I say unbelievably -- good at hiding his identity, and the dox are wrong), or he was arrested and it wasn't announced. He might be free but prohibited from using computers. Or he might be an informant.
  79. Here are some theories. My money is on either 1 or 2.
  81. 1) The original Storm is missing (in hiding or in prison, or otherwise not using computers). The FBI or another law enforcement agency used his identity to catch other hackers (aided by Sabu). The Malicioustorm Twitter account was being run by an agent or informant, perhaps ShadowDXS. If the latter, he forgot that he'd used a similar quote on his website, and didn't realize that the "Jordan/18/Daytona Beach" info. was saved in Google's cache. @MalSec made things worse by not noticing that Daytona Beach was mentioned in the article they sent me.
  83. OR
  85. 2) ShadowDXS was the original Storm involved in LulzSec, and the dox previously found on Storm were wrong. When things started to get hot, he tried to pretend that he wasn't involved, and was just being framed. (The FBI probably would have figured out that he was lying, and since he's not in prison, he must be an informant now.)
  87. OR
  89. 3) The Malicioustorm Twitter account was being run by the original Storm, who is so clever that he's one of the only high-profile hackers who hasn't yet been arrested. Sabu said to follow the guy because -- well, he likes the guy. And Malicioustorm referred to a site (certainly not his own site, because LE probably would have been able to trace him from that) with that Jordan/18/Daytona Beach info. just to throw people off the track. And the fact that the information was *changed* in the last couple months to "storm/of age/some place dark" just throws us off the track further. Certainly storm is a fairly common online handle, so Malicioustorm could have found the site of someone using that name who's also in Daytona Beach, home of a guy he's trying to frame. Maybe even the chat is accurate, and Storm (who's so careful that he hasn't yet been arrested) admitted his scheme in writing to the guy he's trying to frame. Yeah, I guess it's *possible.*
  91. Which of these do you think is most likely? Are there other possibilities I missed? Feel free to tweet at me (but note that I ignore trolls): @tmichaels1
