Operation Payback


Operation Payback was a coordinated, decentralized group of attacks on high-profile opponents of Internet piracy by Internet activists using the "Anonymous" moniker. Operation Payback started as retaliation to distributed denial of service attacks on torrent sites; piracy proponents then decided to launch DDoS attacks on piracy opponents. The initial reaction snowballed into a wave of attacks on major pro-copyright and anti-piracy organizations, law firms, and individuals.
Following the United States diplomatic cables leak in December 2010, the organizers commenced DDoS attacks on websites of banks who had withdrawn banking facilities from WikiLeaks.

Background and initial attacks

In 2010, several Bollywood companies hired Aiplex Software to launch DDoS attacks on websites that did not respond to takedown notices. Piracy activists then created Operation Payback in September 2010 in retaliation. The original plan was to attack Aiplex Software directly, but upon finding some hours before the planned DDoS that another individual had taken down the firm's website on their own, Operation Payback moved to launching attacks against the websites of the copyright-stringent organisations the Motion Picture Association of America and the International Federation of the Phonographic Industry, giving the two websites a combined total downtime of 30 hours. In the following two days, Operation Payback attacked a multitude of sites affiliated with the MPAA, the Recording Industry Association of America, and the British Phonographic Industry. Law firms such as Davenport Lyons and Dunlap, Grubb & Weaver were also attacked.

Attacks on the recording industry

Law firms

On September 21, 2010, the website of a United Kingdom law firm was subjected to a DDoS attack as part of Operation Payback. When asked about the attacks, Andrew Crossley, owner of ACS:Law, said: "It was only down for a few hours. I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish."
When the site came back online a 350MB file, which was a backup of the site, was visible to anyone for a short period of time. The backup, which included copies of emails sent by the firm, was downloaded and made available on various peer-to-peer networks and websites including The Pirate Bay. Some of the emails contained unencrypted Excel spreadsheets, listing the names and addresses of people that ACS:Law had accused of illegally sharing media. One contained more than 5,300 Sky broadband customers whom they had accused of illegally sharing pornography, while another contained the details of 8,000 Sky customers and 400 Plusnet customers accused of infringing the copyright on music by sharing it on peer-to-peer networks. This alleged breach of the Data Protection Act has become part of the ongoing investigation into ACS:Law by the Information Commissioner's Office.
On September 30, the Leesburg, Virginia office of the Dunlap, Grubb & Weaver law firm, also doing business as the "U.S. Copyright Group", was evacuated by the police after an emailed bomb threat was received. It's believed the event could be connected to Anonymous. Unrelated copyright or law firm sites, such as websheriff.com, were also attacked. These attacks were originally organized through an Internet Relay Chat channel. The attacks also became a popular topic on Twitter.

Australian pro-copyright organization

On September 27, 2010, the DDoS attack on the Australian Federation Against Copyright Theft unintentionally brought down 8,000 other small websites hosted on the same server.

ACAPOR

In September 2010, in an attempt to ensure that Portuguese citizens can't access thepiratebay.org, Associação do Comércio Audiovisual de Portugal filed a complaint against The Pirate Bay. The complaint was filed with the General Inspection of Cultural Activities, which is part of the Portuguese Ministry of Culture. According to the movie rental association, The Pirate Bay is directly responsible for about 15 million illegal downloads in Portugal every year. By installing a Pirate Bay block on all ISPs, ACAPOR hoped to decrease the financial damage it claims The Pirate Bay causes.
On October 18, 2010, the ACAPOR website was defaced, presenting text from Operation Payback and a redirect to The Pirate Bay after a few seconds. In addition to defacing the website, a copy of the email database of ACAPOR was uploaded to The Pirate Bay. The leaked e-mails so far revealed ACAPOR's methods of denunciation, its dissatisfaction with the Portuguese government and justice system, its perception of the copyright debate as war, and its antagonism with the ISPs. ACAPOR claimed that "the business of ISPs is illegal downloading."

More attacks

On October 4, 2010, Operation Payback launched an attack on the Ministry of Sound website and the Gallant Macmillan website.
On October 7, 2010, they attacked the website of the Spanish copyright society, sgae.es. As of October 7, 2010, the total downtime for all websites attacked during Operation Payback was 537.55 hours.
On October 15, 2010, Copyprotected.com was SQL injected and defaced, and three days later Operation Payback launched a DDoS attack against the UK Intellectual Property Office.
Production companies SatelFilm.at and Wega-Film.at were hit by "drive-by" DDoSes on October 21, 2010, in response to their efforts to gain a court injunction against an ISP that refused to block a movie-streaming website. Operation Payback then knocked porn website Hustler.com offline the following day.

Musician and copyright advocate

During the 2010 MIPCOM convention, Gene Simmons of KISS stated:
In response to Simmons' comments, members of Operation Payback switched their attentions to his two websites, SimmonsRecords.com and GeneSimmons.com, taking them both offline for a total of 38 hours. At some point during the course of this DDoS, GeneSimmons.com was hacked and redirected to ThePirateBay.org. In response to the attack Simmons wrote:
This led to additional attacks and subsequently more downtime for his websites. Later, Simmons's message was removed from his website. More than one year later, in December 2011, a person supposedly known under the nickname "spydr101" was arrested in relation to the attack against GeneSimmons.com. He was charged with conspiracy and unauthorized impairment of a protected computer.

RIAA

On October 26, 2010, LimeWire was ordered to disable the "searching, downloading, uploading, file trading and/or file distribution functionality" after losing a court battle with the RIAA over claims of copyright infringement. Not satisfied with the injunction, the RIAA announced its intention to continue the Arista Records LLC v. Lime Group LLC trial to recover damages caused by the program. In retaliation, members of Operation Payback announced that they would attack RIAA's website on October 29, despite the fact that the group typically does not hit the same target twice. On October 29, riaa.org indeed was taken offline via denial-of-service attack. After the attack, riaa.com and riaa.org sites were inaccessible in Europe. Operation Payback's main site was attacked later that day, and they subsequently moved their website from tieve.tk to anonops.net.
During the damages phase of the LimeWire trial, the RIAA attempted to switch from seeking statutory damages per-work to seeking them per-infringement, but did not quote a total damage amount, nor a method of calculating the number of infringements. The judge in the case rejected the proposal, holding that case law only supported statutory damages on a per-work basis for large-scale infringement, thus capping the potential award at $1.5 billion. On March 15, 2011, four days after the ruling, a report appeared on Law.com highlighting the judge's remark that the per-infringement award sought by the record companies might total in the "trillions"; the report estimated $75 trillion in its attention-grabbing headline. This figure was repeated in PC Magazine on March 23. An Operation Payback call-to-arms followed, citing the $75 trillion figure as if it were still being actively sought by the RIAA, and a DDoS attack on the RIAA website commenced on March 25.

November 5, 2010 attacks

Around October 28, 2010, the group set up a new website with the intention of coordinating protests around the world to raise awareness of their cause. The date for the protest activities was November 5, the intended day of the Gunpowder Plot, with which Anonymous heavily affiliates through its use of Guy Fawkes masks.
The protest activity included an attack on the United States Copyright Office, after which the FBI launched an investigation. They later arrested one person accused of taking part in the attack on PayPal.

Hiatus and resumption of website attacks

On November 9, 2010, Operation Payback temporarily ceased attacking websites. The hiatus lasted about four months, ending with an early March 2011 attack that temporarily took down the website of BMI, a prominent collection society operating on behalf of music publishers. This was followed by the aforementioned second attack on the RIAA website.

Sarah Palin

On December 8, 2010, U.S. politician Sarah Palin announced that her website and personal credit card information were compromised. Palin's team believed the attack was executed by Anonymous, though Anonymous never commented about Palin as a possible target for any attack. In an interview with RT, an Anonymous member said, "We don't really care about Sarah Palin that much, to be honest. I don't really know what she's trying to accomplish or what attention she is trying to gain. We personally don't care about Sarah Palin." Palin's technical team posted a screenshot of a server log file showing the wikileaks.org URL. Visa attacks had been denial of service attacks, but credit card data was not compromised. It is unknown whether Palin's card was compromised as part of a broad attack on Visa or a specific attack on the Palins. Palin's email was previously hacked while she was campaigning during the 2008 U.S. presidential election.

Operation Avenge Assange

In December 2010, WikiLeaks came under intense pressure to stop publishing secret U.S. diplomatic cables. Corporations such as Amazon, PayPal, BankAmerica, Swiss bank PostFinance, MasterCard and Visa either stopped working with or froze their customers' donations to WikiLeaks due to political pressures. In response, those behind Operation Payback directed their activities against these companies. Operation Payback launched DDoS attacks against PayPal, PostFinance and the Swedish Prosecution Authority. On December 8, 2010, a coordinated DDoS attack by Operation Payback brought down both the MasterCard and Visa websites. On December 9, 2010, prior to a sustained DDoS attack on the PayPal website that caused a minor slowdown to its service, PayPal announced on its blog that it would release the frozen funds in the account of the Wau Holland Foundation that was raising funds for WikiLeaks, but would not reactivate the account. Regarding the attacks, WikiLeaks spokesman Kristinn Hrafnsson denied any relation to the group and said, "We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets." On the same day, a 16-year-old boy was arrested in The Hague, Netherlands, in connection with the distributed denial-of-service attacks against MasterCard and PayPal. The boy was an IRC operator under the nickname of Jeroenz0r.
On December 10, 2010, The Daily Telegraph reported that Anonymous had threatened to disrupt British government websites if Assange were extradited to Sweden. Anonymous issued a press release in an attempt to clarify the issue.
Electronic Frontier Foundation co-founder John Perry Barlow described the attacks as "the shot heard round the world—this is Lexington."
The following is a list of sites and domains known to have been targeted:
| Target | Site | Attack time |
| PostFinance | postfinance.ch | 2010-12-06 |
| Swedish Prosecution Authority | aklagare.se | 2010-12-07 |
| EveryDNS | everydns.com | 2010-12-07 |
| Joseph Lieberman | lieberman.senate.gov | 2010-12-08 |
| MasterCard | mastercard.com | 2010-12-08 |
| Borgstrom and Bodström | advbyra.se | 2010-12-08 |
| Visa | visa.com | 2010-12-08 |
| Sarah Palin | sarahpac.com | 2010-12-08 |
| PayPal | thepaypalblog.com | 2010-12-09 |
| Amazon | amazon.com | 2010-12-09 |
| PayPal | api.paypal.com:443 | 2010-12-10 |
| MoneyBookers | moneybookers.com | 2010-12-10 |
| Conservatives4Palin | conservatives4palin.com | 2010-12-10 |

Operation Payback's attempt to take down Amazon.com was aborted after they failed to recruit enough users to their botnet; CNN noted that the massive Amazon website "is almost impossible to crash."
In late December, the FBI began to raid suspected participants in Operation Payback.
At the beginning of 2011, Operation Payback brought down Zimbabwean government websites after the Zimbabwean President's wife sued a newspaper for $15 million for publishing a WikiLeaks cable that linked her with the alleged trade in illicit diamonds. On January 27, 2011, five males aged between 15 and 26 were arrested in early morning raids in the U.K. on suspicion of involvement, and the FBI executed 40 search warrants the same day.

Criticism

The United Kingdom Intellectual Property Office said that when its site was attacked, those responsible were depriving its citizens of access to information they have a democratic right to access. Other critics claimed the attacks restricted Gene Simmons' right to free speech.
A spokesman for the MPAA said, "It's troubling that these groups seem more concerned about the rights of those who steal and copy films, music, books, and other creative resources than the rights of American workers who are producing these products."
There was also some criticism from the Pirate Party UK and United States Pirate Party, which in a joint public statement urged the group to "Immediately cease the Distributed Denial-of-Service attacks and to instead seek out a legal method to express your frustration and disquiet with the copyright industry, and their perversions of copyright law for personal gain."
While acknowledging that the DDoS attacks on credit card and banking web sites serve as political protests, cyber experts said that Operation Payback has not done any long-term damage: most sites are back online, these attacks have not penetrated and brought down entire banking systems used to conduct transactions, and people are still continuing to use their credit cards to make payments. "This is more like a noisy political demonstration, like a mob surrounding a bank and refusing to let anyone in or out," said one cyber expert.

Tools and communication

Operation Payback members used a modified version of the Low Orbit Ion Cannon to execute the DDoS attacks. In September 2010, a "Hive Mind" mode was added to the LOIC. While in Hive Mind mode, the LOIC connects to IRC, where it can be controlled remotely. This allows computers with LOIC installed on them to behave as if they were a part of a botnet. Utilising this tool, the coordinators of Operation Payback were able to quickly take down websites belonging to anti-piracy groups. Botnets of all sizes have also been used.
Members of Operation Payback reportedly used an IRC channel to communicate about which targets to select, after which instructions for attacking the targets were produced and posted on various imageboards. Media such as Twitter and Facebook were also utilized for coordination, but on December 8, 2010, Operation Payback's Facebook page was removed and its official Twitter account was suspended. Additionally, a federal court order forced Encyclopedia Dramatica to delete its Operation Payback article, which featured a detailed history of the operation, including personal information of some individuals associated with the companies attacked.

Federal indictment

In October 2013, 13 members of Operation Payback were indicted in Federal court in Alexandria, Virginia as co-conspirators in violation of 18 U.S.C. § 731 and 18 U.S.C. § 1030. In 2014, some of the members received a plea deal, reducing their felony charges to a single misdemeanor.