For anyone who watches TV shows about mystery or criminality, we usually realize that it only takes one mistake to take down a would-be criminal. In the hacker world it can work exactly the same way, however that mistake is often something entirely mundane such as bragging in a chat room, or not obfuscating the origin of an attack—this time it happened to be an image taunting authorities that included a photograph of his girlfriend’s breasts.
The hacker, Higinio O. Ochoa III was charged last week by the FBI for several hacks that involved breaking into US law enforcement agencies and leaking phone numbers and home addresses of police officers. The 30-year-old Linux administrator from Galveston, Texas is thought to be part of a hacker group affiliated with Anonymous called CabinCr3w.
The woman in the photo is thought to be his girlfriend who lives in Melbourne, Australia.
Through some basic cybersleuthing, access to Facebook public photos (which lead to private photos via a warrant), the FBI was able to follow a Twitter account attached to the hacker—later determined to be Ochoa—that led them to further photos of his girlfriend.
Gizmodo has written up an excellent takedown of the entire process and how the FBI homed in on their prey using the cleavage on display,
Here is what happened: back in February, Ochoa allegedly posted a tweet using the handle @Anonw0rmer. In that tweet, he directed followers to a site in which he posted pilfered information from various law enforcement agency websites. At the bottom of that site there was the image of this woman, now identified as his girlfriend, with a sign that read “PwNd by w0rmer & CabinCr3w <3 u BiTch’s !”
The picture—taken with an iPhone—had GPS information which showed that the photo was taken at the woman’s home in Wantirna South. The GPS information was embedded in the photo’s EXIF data (EXIF is a set of standard tags that includes information such as location, camera type, and other image information in every photo you take with your smartphone).
Breast jokes aside—Ochoa fell into the hands of the FBI by making the oldest mistake in the book: bragging about his exploits where people could hear him.
People are quick to forget that smartphones “know” a lot more about the subject of the photograph than they tell them. The presence of metadata is extremely useful for categorizing and properly slotting photographs taken from a phone; but it also means that a person’s privacy can be accidentally breached by these devices via the EXIF data and a simple GPS coordinate.
Under normal circumstances, a photograph including a GPS coordinate is not a problem; but for someone bragging about illegal acts it’s a neon sign pointed right at the person who took the photograph. If nothing else had happened, the coordinates would have led Australian authorities to Ochoa’s girlfriend’s door to ask questions (or surveil her to find out who she talks to.)
It is believed that Ochoa was involved in the leak of documents from AZDPS that were sent to LulzSec during their 50 day rampage. LulzSec themselves didn’t do that hack, but some unknown hackers had retrieved the documents involved and LulzSec used their sheer popularity to distribute them under the document title “China La Migra.”