Deciphering the Matthew Keys Indictment

The Indictment against Matthew Keys, the former Sacramento KTXL FOX 40 web producer and Reuters journalist charged in the Eastern District of California for providing members of Anonymous with network login credentials to hack into the server of the station and the LA Times (both are owned by the Tribune Company), is a bit of a head-scratcher. It seems he started out as a double agent of sorts, infiltrating the group for journalistic purposes. Did he change from role-playing in internet chat room sessions to joining in the group’s illegal activity? Clearly, the Government believes he did.

The Indictment is here. One person who turned on him seems to be Anonymous Sabu, aka Hector Monsegur. But others may have as well.

Yesterday’s DOJ press release:

The three-count indictment alleges that in December 2010 Keys provided members of the hacker group Anonymous with log-in credentials for a computer server belonging to KTXL FOX 40’s corporate parent, the Tribune Company. According to the indictment, Keys identified himself on an Internet chat forum as a former Tribune Company employee and provided members of Anonymous with a login and password to the Tribune Company server. After providing log-in credentials, Keys allegedly encouraged the Anonymous members to disrupt the website.

According to the indictment, at least one of the computer hackers used the credentials provided by Keys to log into the Tribune Company server, and ultimately that hacker made changes to the web version of a Los Angeles Times news feature. The indictment further alleges that Keys had a conversation with the hacker who claimed credit for the defacement of the Los Angeles Times website. The hacker allegedly told Keys that Tribune Company system administrators had thwarted his efforts and locked him out. Keys allegedly attempted to regain access for that hacker, and when he learned that the hacker had made changes to a Los Angeles Times page, Keys responded, “nice.”

Keys’ case is related to Sabu’s case in Sacramento pertaining to the HBGary hack. (Notice of Related Case here.)

Both cases related to computer hacking attacks by the group that called itself “Anonymous.” The Keys case alleges that Keys gave login credentials to members of Anonymous and encouraged them to vandalize the web site of his former employer, a news organization. Defendant Monsegur, who used the nickname “Sabu,” appeared in the Internet chat log at the core of the Keys case, and, in that chat log, offered advice on how to conduct the network intrusion. Monsegur later became a cooperating defendant in the Southern District of New York.

On March 6, 2012, Sabu was charged, along with five other alleged Anonymous, Internet Feds and LulzSec members. See this Wall St. Journal article which includes a link to the charges against Sabu and:

  • Ryan Ackroyd / Kayla
  • Jake Davis / Topiary
  • Darren Martyn / pwnsauce
  • Donncha O’Cearrbhail / palladium
  • Jeremy Hammond / Anarchaos/sup_g

The charges in the March, 2012 cases include a reference to the defacing of the LA Times website.

Of course, Sabu had been cooperating with the feds long before that, since his “secret arrest” in June, 2011. Here’s an unsourced timeline.

From a press release by the U.S. Attorney for the Eastern District of California in March, 2012:

United States Attorney Benjamin B. Wagner announced today the unsealing of the guilty plea of Hector Xavier Monsegur, aka “Sabu,” aka “Xavier DeLeon,” aka “Leon,” of New York City. Monsegur pleaded guilty to a twelve-count information, which included the allegation that Monsegur conspired to carry out a hacking attack on HBGary Inc. and HBGary Federal LLC. Monsegur entered his guilty plea in the Southern District of New York on August 15, 2011, but the plea was maintained under seal until today.

….The attack on HBGary was carefully investigated by the FBI in Sacramento and the case was transferred to New York for Monsegur’s plea. Importantly, the Sacramento investigation greatly benefitted from the assistance of HBGary itself.

Keys is now charged with conspiracy to transmit information to damage a protected computer, transmitting information to damage a protected computer and attempted transmission of information to damage a protected computer.

Reuters has suspended Keys with pay. His work station has been dismantled, and Reuters says:

Any legal violations, or failures to comply with the company’s own strict set of principles and standards, can result in disciplinary action. We would also observe the indictment alleges the conduct occurred in December 2010; Mr. Keys joined Reuters in 2012.

Gawker reported a long time ago that Keys maintained he had infiltrated Anonymous, as a journalist. Here’s Keys, in his own words, describing how he infiltrated Anonymous, got Sabu to trust him, and then later, was kicked out of the chat room and became a persona non grata. He even discusses the defacing of the LA Times website. As to Sabu, he writes:

He said he would try to destroy the reputation of anyone who might expose him or ruin his reputation or that of Anonymous. He’d release personal information about any individual whom he considered his enemy or Anonymous’ enemy. He’d steal their credit card information and charge hundreds of dollars in charitable donations. He’d invent stories so as to discredit any whistle blower or hacker-turned-informant.

Here’s a March, 2011 Sabu tweet doing just that:

Keys has known he was under investigation since at least October, 2012 when his home in New Jersey was searched. The search warrant affidavit, with many more details and connections, is here, courtesy of Dennis Romero at LA Weekly. The pages laying out the probable cause for the warrant and Keys’ alleged actions and interactions are here.

Kevin Gosztola at Firedoglake’s Dissenter provides a detailed history linking the various cases. He also concludes Sabu is not the only one cooperating against Keys.

According to Keys’ Sacramento docket, Keys has been issued a summons to appear — no arrest warrant. That suggests to me he is represented by counsel who has been negotiating with the Government for a while, and the Government is not concerned he is a flight risk.

Frequently, when a deal has been reached before Indictment, the feds will file an Information with the agreed upon charges, rather than go to the grand jury for an Indictment. Does the return of the Indictment against Keys and the issuance of a summons, rather than an arrest warrant, suggest negotiations, while conducted in good faith, ultimately broke down and no deal was reached, and the feds are keeping all options open by bringing all possible charges?

It seems from Keys’ Twitter feed yesterday and today, he was aware of everything but the timing of the charges.

DOJ has to go through extra hoops when targeting a journalist for criminal prosecution. But if Sabu began providing information on Keys in June, 2011 when he began cooperating, it sure seems like they could have gotten authorization for a search warrant before October, 2012. Were they waiting to see if the other defendants in the March 2012 case, or other cases, would cooperate and corroborate Sabu’s information before proceeding against Keys? Or did they delay, hoping to wear Keys down over time and convince him to take a pre-indictment plea offer? Could be a little of both.

5 Replies to “Deciphering the Matthew Keys Indictment”

  1. While I did read the entire piece (and many of the links) this is a plain vanilla comment (no links or quotes) and is just a test.

    1. I turned the paywall off on this post until I can confirm with TinyPass that when you sign up on the individual post page for all site access, that’s what you get. Since there are only 2 posts now, I wanted to be sure that the people who signed up through the Guantanamo page have access to this post and comments until I get it ironed out.
