LulzSec

LulzSec (a contraction for Lulz Security) was a black hat computer hacking group that claimed responsibility for several high profile attacks, including the compromise of user accounts from PlayStation Network in 2011. The group also claimed responsibility for taking the CIA website offline. Some security professionals have commented that LulzSec has drawn attention to insecure systems and the dangers of password reuse. It has gained attention due to its high profile targets and the sarcastic messages it has posted in the aftermath of its attacks. One of the founders of LulzSec was computer security specialist Hector Monsegur, who used the online moniker Sabu. He later helped law enforcement track down other members of the organization as part of a plea deal. At least four associates of LulzSec were arrested in March 2012 as part of this investigation. Prior, British authorities had announced the arrests of two teenagers they alleged were LulzSec members, going by the pseudonyms T-flow and Topiary.

At just after midnight (BST, UT+01) on 26 June 2011, LulzSec suddenly released a "50 days of lulz" statement, which they claimed to be their final release, confirming that LulzSec consisted of six members, and that their website was to be shut down. Their final release included accounts and passwords from many different sources. Despite claims of retirement, the group committed another hack against newspapers owned by News Corporation on 18 July, defacing them with false reports regarding the death of Rupert Murdoch. The group had also helped launch Operation AntiSec, a joint effort involving LulzSec, Anonymous, and other hackers.

Former members and associates
LulzSec consisted of seven core members. The online handles of these seven were established through various attempts by other hacking groups to release personal information of group members on the internet, leaked IRC logs published by The Guardian, and through confirmation from the group itself.
 * Sabu – One of the group's founders, who seemed to act as a kind of leader for the group, Sabu would often decide what targets to attack next and who could participate in these attacks. He may have been part of the Anonymous group that hacked HBGary. Various attempts to release his real identity have claimed that he is an information technology consultant with the strongest hacking skills of the group and knowledge of the Python programming language. It was thought that Sabu was involved in the media outrage cast of 2010 using the skype "anonymous.sabu" Sabu was arrested in June 2011 and identified as a 29-year-old unemployed man from New York’s Lower East Side. On 15 August, he pleaded guilty to several hacking charges and agreed to cooperate with the FBI. Over the following seven months he successfully unmasked the other members of the group. Sabu was identified by Backtrace Security as Hector Montsegur on 11 March 2011 in a PDF publication named "Namshub."
 * Topiary – Topiary was also a suspected former member of the Anonymous, where he used to perform media relations, including hacking the website of the Westboro Baptist Church during a live interview. Topiary ran the LulzSec Twitter account on a daily basis; following the announcement of LulzSec's dissolution, he deleted all the posts on his Twitter page, except for one, which stated: "You cannot arrest an idea". Police arrested a man from Shetland, United Kingdom suspected of being Topiary on 27 July 2011. The man was later identified as Jake Davis and was charged with five counts, including unauthorized access of a computer and conspiracy. He was indicted on conspiracy charges on 6 March 2012.
 * Kayla/KMS – Ryan Ackroyd of London, and another unidentified individual known as "lol" or "Shock.ofgod" in LulzSec chat logs. Kayla owned a botnet used by the group in their distributed denial-of-service attacks. The botnet is reported to have consisted of about 800,000 infected computer servers. Kayla was involved in several high-profile attacks under the group "gn0sis". Kayla also may have participated in the Anonymous operation against HBGary. Kayla reportedly wiretapped 2 CIA agents in an anonymous operation. Kayla was also involved in the 2010 media outrage under the Skype handle "Pastorhoudaille". Kayla is suspected of having been something of a deputy to Sabu and to have found the vulnerabilities that allowed LulzSec access to the United States Senate systems. One of the men behind the handle Kayla was identified as Ryan Ackroyd of London, arrested, and indicted on conspiracy charges on 6 March 2012.
 * Tflow – The fourth founding member of the group identified in chat logs, attempts to identify him have labelled him a PHP coder, web developer, and performer of scams on PayPal. The group placed him in charge of maintenance and security of the group's website lulzsecurity.com. London Metropolitan Police announced the arrest of a 16-year-old hacker going by the handle Tflow on 19 July 2011.
 * Avunit – He is one of the core seven members of the group, but not a founding member. He left the group after their self-labelled "Fuck the FBI Friday". He was also affiliated with Anonymous AnonOps HQ. Avunit is the only one of the core seven members that has not been identified.
 * Pwnsauce – Pwnsauce joined the group around the same time as Avunit and became one of its core members. He was identified as Darren Martyn of Ireland and was indicted on conspiracy charges on 6 March 2012. The Irish national worked as a local chapter leader for the Open Web Application Security Project, resigning one week before his arrest.
 * Palladium – Identified as Donncha O'Cearbhaill of Ireland, he was indicted on conspiracy on 6 March 2012.
 * Anarchaos – Identified as Jeremy Hammond of Chicago, he was arrested on access device fraud and hacking charges. He was also charged with a hacking attack on the U.S. security company Stratfor in December 2011.  He is said to be a member of Anonymous.
 * Ryan Cleary, who sometimes used the handle ViraL. Cleary faced a sentence of 32 months in relation to attacks against the US Air Force and others.

Motivations
LulzSec did not appear to hack for financial profit, claiming their main motivation was to have fun by causing mayhem. They did things "for the lulz" and focused on the possible comedic and entertainment value of attacking targets. The group occasionally claimed a political message.

When they hacked PBS, they stated they did so in retaliation for what they perceived as unfair treatment of WikiLeaks in a Frontline documentary entitled WikiSecrets. A page they inserted on the PBS website included the title "FREE BRADLEY MANNING. FUCK FRONTLINE!" The 20 June announcement of "Operation Anti-Security" contained justification for attacks on government targets, citing supposed government efforts to "dominate and control our Internet ocean" and accusing them of corruption and breaching privacy. The news media most often described them as grey hat hackers.

In June 2011, the group released a manifesto outlining why they performed hacks and website takedowns, reiterating that "we do things just because we find it entertaining" and that watching the results can be "priceless". They also claimed to be drawing attention to computer security flaws and holes. They contended that many other hackers exploit and steal user information without releasing the names publicly or telling people they may possibly have been hacked. LulzSec said that by releasing lists of hacked usernames or informing the public of vulnerable websites, it gave users the opportunity to change names and passwords elsewhere that might otherwise have been exploited, and businesses would be alarmed and would upgrade their security. They denied responsibility for misuse of any of the data they breached and released. Instead, they placed the blame on users who reused passwords on multiple websites and on companies with inadequate security in place.

The group's later attacks have had a more political tone. They claimed to want to expose the "racist and corrupt nature" of the military and law enforcement. They have also expressed opposition to the War on Drugs. Lulzsec's Operation Anti-Security was characterized as a protest against government censorship and monitoring of the internet. In a question and answer session with BBC Newsnight, LulzSec member Whirlpool (AKA: Topiary) said, "Politically motivated ethical hacking is more fulfilling". He claimed the loosening of copyright laws and the rollback of what he sees as corrupt racial profiling practices as some of the group's goals.

History
A federal indictment against members contends that, prior to forming the hacking collective known as LulzSec, the six members were all part of another collective called Internet Feds, a group in rivalry with Anonymous. Under this name, the group attacked websites belonging to Fine Gael, HBGary, and Fox Broadcasting Company. This includes the alleged incident in which e-mail messages were stolen from HBGary accounts. In May 2011, following the publicity surrounding the HBGary hacks, six members of Internet Feds founded the group LulzSec.

The group's first recorded attack was against Fox.com's website, though they still may have been using the name Internet Feds at the time. It claimed responsibility for leaking information, including passwords, altering several employees' LinkedIn profiles, and leaking a database of X Factor contestants containing contact information of 73,000 contestants. They claimed to do so because the rapper Common had been referred to as "vile" on air.

LulzSec drew its name from the neologism "lulz", (from lol), "laughing out loud", which represents laughter, and "Sec", short for "Security". The Wall Street Journal characterized its attacks as closer to Internet pranks than serious cyber-warfare, while the group itself claimed to possess the capability of stronger attacks. It gained attention in part due to its brazen claims of responsibility and lighthearted taunting of corporations that were hacked. It frequently referred to Internet memes when defacing websites. The group emerged in May 2011, and successfully attacked websites of several major corporations. It specialized in finding websites with poor security, stealing and posting information from them online. It used well-known straightforward methods, such as SQL injection, to attack its target websites. Several media sources have described their tactics as grey hat hacking. Members of the group may have been involved in a previous attack against the security firm HBGary.

The group used the motto "Laughing at your security since 2011!" and its website, created in June 2011, played the theme from The Love Boat. It announced its exploits via Twitter and its own website, often accompanied with lighthearted ASCII art drawings of boats. Its website also included a bitcoin donation link to help fund its activities. Ian Paul of PC World wrote that, "As its name suggests, LulzSec claims to be interested in mocking and embarrassing companies by exposing security flaws rather than stealing data for criminal purposes." The group was also critical of white hat hackers, claiming that many of them have been corrupted by their employers.

Some in the security community contended that the group raised awareness of the widespread lack of effective security against hackers. They were credited with inspiring LulzRaft, a group implicated in several high-profile website hacks in Canada.

In June 2011 the group took suggestions for sites to hit with denial-of-service attacks. The group redirected telephone numbers to different customer support lines, including the line for World of Warcraft, magnets.com, and the FBI Detroit office. The group claimed this sent five to 20 calls per second to these sources, overwhelming their support officers. On 24 June 2011, The Guardian released leaked logs of one of the group's IRC chats, revealing that the core group was a small group of hackers with a leader Sabu who exercised large control over the group's activities. It also revealed that the group had connections with Anonymous, though was not formally affiliated with it. Some LulzSec members had once been prominent Anonymous members, including member Topiary.

At just after midnight (UTC) on 26 June 2011, LulzSec released a "50 days of lulz" statement, which they claimed to be their final release, confirming that LulzSec consisted of six members, and that their website was to be taken down. The group claimed that they had planned to be active for only fifty days from the beginning. "We're not quitting because we're afraid of law enforcement. The press are getting bored of us, and we're getting bored of us," a group member said in an interview to the Associated Press. Members of the group were reported to have joined with Anonymous members to continue the AntiSec operation. However, despite claiming to retire, the group remained in communication as it attacked the websites of British newspapers The Times and The Sun on 18 July, leaving a false story on the death of owner Rupert Murdoch.

Initial targets
The group's first attacks came in May 2011. Their first recorded target was Fox.com, which they retaliated against after they called Common, a rapper and entertainer, "vile" on the Fox News Channel. They leaked several passwords, LinkedIn profiles, and the names of 73,000 X Factor contestants. Soon after on 15 May, they released the transaction logs of 3,100 Automated Teller Machines in the United Kingdom. In May 2011, members of Lulz Security gained international attention for hacking the American Public Broadcasting System (PBS) website. They stole user data and posted a fake story on the site which claimed that Tupac Shakur and Biggie Smalls were still alive and living in New Zealand. In the aftermath of the attack, CNN referred to the responsible group as the "Lulz Boat".

Lulz Security claimed that some of its hacks, including its attack on PBS, were motivated by a desire to defend WikiLeaks and Chelsea Manning. A Fox News report on the group quoted one commentator, Brandon Pike, who claimed that Lulz Security was affiliated with the hacktivist group Anonymous. Lulz Security claimed that Pike had actually hired it to hack PBS. Pike denied the accusation and claimed it was leveled against him because he said Lulz Security was a splinter of Anonymous.

In June 2011, members of the group claimed responsibility for an attack against Sony Pictures that took data that included "names, passwords, e-mail addresses, home addresses and dates of birth for thousands of people." The group claimed that it used a SQL injection attack, and was motivated by Sony's legal action against George Hotz for jailbreaking the PlayStation 3. The group claimed it would launch an attack that would be the "beginning of the end" for Sony. Some of the compromised user information was subsequently used in scams. The group claimed to have compromised over 1,000,000 accounts, though Sony claimed the real number was around 37,500.

Corporate attacks
Lulz Security attempted to hack into Nintendo, but both the group and Nintendo itself report that no particularly valuable information was found by the hackers. LulzSec claimed that it did not mean to harm Nintendo, declaring: "We're not targeting Nintendo. We like the N64 too much — we sincerely hope Nintendo plugs the gap."

On 11 June, reports emerged that LulzSec hacked into and stole user information from the pornography website www.pron.com. They obtained and published around 26,000 e-mail addresses and passwords. Among the information stolen were records of two users who subscribed using email addresses associated with the Malaysian government, three users who subscribed using United States military email addresses and 55 users who LulzSec claimed were administrators of other adult-oriented websites. Following the breach, Facebook locked the accounts of all users who had used the published e-mail addresses, and also blocked new Facebook accounts opened using the leaked e-mail addresses, fearing that users of the site would get hacked after LulzSec encouraged people to try and see if these people used identical user name and password combinations on Facebook as well.

LulzSec hacked into the Bethesda Game Studios network and posted information taken from the network onto the Internet, though they refrained from publishing 200,000 compromised accounts. LulzSec posted to Twitter regarding the attack, "Bethesda, we broke into your site over two months ago. We've had all of your Brink users for weeks, Please fix your junk, thanks!"

On 14 June 2011, LulzSec took down four websites by request of fans as part of their "Titanic Take-down Tuesday". These websites were Minecraft, League of Legends, The Escapist, and IT security company FinFisher. They also attacked the login servers of the massively multiplayer online game EVE Online, which also disabled the game's front-facing website, and the League of Legends login servers. Most of the takedowns were performed with distributed denial-of-service attacks. On 15 June, LulzSec took down the main server of S2 Games' Heroes of Newerth as another phone request. They claimed, "Heroes of Newerth master login server is down. They need some treatment. Also, DotA is better."

On 16 June, LulzSec posted a random assortment of 62,000 emails and passwords to MediaFire. LulzSec stated they released this in return for supporters flooding the 4chan /b/ board. The group did not say what websites the combinations were for and encouraged followers to plug them into various sites until they gained access to an account. Some reported gaining access to Facebook accounts and changing images to sexual content and others to using the Amazon.com accounts of others to purchase several books. Writerspace.com, a literary website, later admitted that the addresses and passwords came from users of their site.

Government-focused activities
LulzSec claimed to have hacked local InfraGard chapter sites, a non-profit organization affiliated with the FBI. The group leaked some of InfraGard member e-mails and a database of local users. The group defaced the website posting the following message, "LET IT FLOW YOU STUPID FBI BATTLESHIPS", accompanied with a video. LulzSec posted:

"It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama [sic] have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it[.]"

On 9 June, LulzSec sent an email to the administrators of the British National Health Service, informing them of a security vulnerability discovered in NHS systems. LulzSec stated that they did not intend to exploit this vulnerability, saying in the email that "We mean you no harm and only want to help you fix your tech issues."

On 13 June, LulzSec released the e-mails and passwords of a number of users of senate.gov, the website of the United States Senate. The information released also included the root directory of parts of the website. LulzSec stated, "This is a small, just-for-kicks release of some internal data from senate.gov – is this an act of war, gentlemen? Problem?" referencing a recent statement by the Pentagon that some cyberattacks could be considered an act of war. No highly sensitive information appears in the release.

On 15 June, LulzSec launched an attack on CIA.gov, the public website of the United States Central Intelligence Agency, taking the website offline with a distributed denial-of-service attack. The website was down from 5:48 pm to 8:00 pm eastern time.

On 2 December, an offshoot of LulzSec calling itself LulzSec Portugal, attacked several sites related to the government of Portugal. The websites for the Bank of Portugal, the Assembly of the Republic, and the Ministry of Economy, Innovation and Development all became unavailable for a few hours.

Relationship to WikiLeaks
In June 2011, WikiLeaks representative Sigurdur Thordarson contacted members of the Anonymous group LulzSec and told them to join a new IRC server. Thordarson said he and Assange wanted help infiltrating several Icelandic corporate and government sites. They explained that they wanted evidence of corruption or that the government was unfairly targeting WikiLeaks and that evidence could help start an uprising in Iceland. LulzSec hackers Sabu and Topiary were skeptical but later believed that Assange was personally part of the chat. According to another former core member of LulzSec, members of the group failed to access Icelandic government servers when the server didn't respond correctly. Thordarson offered LulzSec an encrypted spreadsheet of classified government data that needed to be decrypted and explained that WikiLeaks had computers at MIT trying unsuccessfully for two weeks. Sabu took over communicating with WikiLeaks, and Assange visited the chat several more times in the next few weeks. According to chat logs, Thordarson and Sabu talked about submitting the Syria files and about recruiting Sabu to become member of WikiLeaks, and WikiLeaks gave the hackers a script to help search emails. In June 2020, the Department of Justice filed an indictment against Assange that included allegations he conspired and tried to recruit Anonymous and LulzSec hackers.

Operation Anti-Security
On 20 June, the group announced it had teamed up with Anonymous for "Operation Anti-Security". They encouraged supporters to steal and publish classified government information from any source while leaving the term "AntiSec" as evidence of their intrusion. Also listed as potential targets were major banks. USA Today characterized the operation as an open declaration of cyberwarfare against big government and corporations. Their first target of the operation was the Serious Organised Crime Agency (SOCA), a national law enforcement agency of the United Kingdom. LulzSec claimed to have taken the website offline at about 11 am EST on 20 June 2011, though it only remained down for a few minutes. While the attack appeared to be a DDoS attack, LulzSec tweeted that actual hacking was taking place "behind the scenes". At about 6:10 pm EST on 20 June, SOCA's website went down yet again. SOCA's website was back online sometime between 20 and 21 June. The website of the local district government of Jianhua District in Qiqihar, China, was also knocked offline. Early in the morning on 22 June, it was revealed that LulzSec's "Brazilian unit" had taken down two Brazilian government websites, brasil.gov.br and presidencia.gov.br. They also brought down the website of Brazilian energy company Petrobras.

On 20 June, two members on the "Lulz Boat" reportedly leaked logs that LulzSec was going to leak on 21 June. They also claimed that the two had leaked information that aided authorities in locating and arresting Ryan Cleary, a man loosely affiliated with the group. LulzSec posted various personal information about the two on Pastebin including IP addresses and physical addresses. Both had been involved with cyber-crimes in the past, and one had been involved with hacking the game Deus Ex.

After LulzSec encouragement, some began tagging public locations with physical graffiti reading "Antisec" as part of the operation. Numerous beachfronts in Mission Beach, San Diego were vandalized with the phrase. Some local news organizations mistook the graffiti in Mission Beach as signs of the Antisec Movement. Many commenters on the local news websites corrected this.

On 23 June, LulzSec released a number of documents pertaining to the Arizona Department of Public Safety, which they titled "chinga la migra", which roughly translates to "fuck the border patrol". The leaked items included email addresses and passwords, as well as hundreds of documents marked "sensitive" or "for official use only". LulzSec claimed that this was in protest of the law passed in Arizona requiring some aliens to carry registration documents at all times. Arizona officials have confirmed the intrusion. Arizona police have complained that the release of officer identities and the method used to combat gangs could endanger the lives of police officers.

On 24 June 2011, LulzSecBrazil published what they claimed were access codes and passwords that they used to access the Petrobras website and employee profile data they had taken using the information. Petrobras denied that any data had been stolen, and LulzSecBrazil removed the information from their Twitter feed a few hours later. The group also released personal information regarding President of Brazil Dilma Rousseff and Mayor of São Paulo Gilberto Kassab.

On 25 June 2011, LulzSec released what they described as their last data dump. The release contained an enormous amount of information from various sources. The files contained a half gigabyte of internal information from telecommunication company AT&T, including information relating to its release of 4G LTE and details pertaining to over 90,000 personal phones used by IBM. The IP addresses of several large corporations including Sony, Viacom, and Disney, EMI, and NBC Universal were included. It also contained over 750,000 username and password combinations from several websites, including 200,000 email addresses, usernames, and encrypted passwords from hackforums.net; 12,000 names, usernames, and passwords of the NATO online bookshop; half a million usernames and encrypted passwords of players of the online game Battlefield Heroes; 50,000 usernames, email addresses, and encrypted passwords of various video game forum users; and 29 users of Priority Investigations, an Irish private investigation company. Also included were an internal manual for AOL engineering staff and a screencapture of a vandalized page from navy.mil, the website of the United States Navy. Members of the group continued the operation with members of Anonymous after disbanding.

Despite claiming to have retired, on 18 July LulzSec hacked into the website of British newspaper The Sun. The group redirected the newspaper's website to an also-hacked redesign website of another newspaper The Times, altering the site to resemble The Sun and posting a fake story claiming that Rupert Murdoch had died after ingesting a fatal dose of palladium. They objected to the involvement of News Corporation, the Murdoch-owned company that publishes The Sun and The Times, in a large phone hacking scandal. The hacked website also contained a webcomic depicting LulzSec deciding on and carrying out the attack. The group later redirected The Sun website to their Twitter feed. News International released a statement regarding the attacks before having the page the statement appeared on also redirected to the LulzSec Twitter page and eventually taken offline. The group also released the names and phone numbers of a reporter for The Sun and two others associated with the newspaper and encouraged their supporters to call them. In recent times NovaCygni of AntiSec has openly touted that the news channel Russian Television (RT) has openly stated support for the Anonymous movement and that at least one reporter for them is an active member of Anonymous. They further included an old email address and password of former News International executive Rebekah Brooks. News Corporation took the websites offline as a precaution later in the day.

Denied activities
The media reported a number of attacks, originally attributed to LulzSec, that the group later denied involvement in. On 21 June, someone claiming to be from the group posted on Pastebin that they had stolen the entire database of the United Kingdom Census 2011. LulzSec responded by saying that they had obtained no such data and that whoever posted the notice was not from the group. British officials said they were investigating the incident, but have found no evidence that any databases had been compromised or any information taken. The British government, upon concluding their investigation, called the claims that any information on the census was taken a hoax.

In June 2011, assets belonging to newspaper publisher News International were attacked, apparently in retaliation for reporting by The Sun of the arrest of Ryan Cleary, an associate of the group. The newspaper's website and a computer used in the publishing process of The Times were attacked. However, LulzSec denied any involvement, stating "we didn't attack The Sun or The Times in any way with any kind of DDoS attack". Members of AntiSec based in Essex England claimed responsibility for the attack.

In June 2011, Karim Hijazi, CEO of security company Unveillance, accused the group of blackmailing him by offering not to attack his company or its affiliates in exchange for money. LulzSec responded by claiming that Hijazi offered to pay them to attack his business opponents and that they never intended to take any money from him.

Hacker actions against LulzSec
A number of different hackers have targeted LulzSec and its members in response to their activities. On 23 June 2011, Fox News reported that rival hacker group TeaMp0isoN were responsible for outing web designer Sven Slootweg, who they said used the online nickname Joepie91, and that they have intentions to do the same with every member. A Pastebin post in June 2011 from hacker KillerCube identified LulzSec leader Sabu as Hector Xavier Monsegur, an identification later shown to be accurate.

A group calling themselves Team Web Ninjas appeared in June 2011 saying they were angry over the LulzSec release of the e-mail addresses and passwords of thousands of normal Internet users. They attempted to publicly identify the online and real world identities of LulzSec leadership and claimed to do so on behalf of the group's victims. The group claimed to have identified and given to law enforcement the names of a number of the group's members, including someone they claimed to be a United States Marine.

The Jester, a hacker who generally went by the leetspeak handle, vowed to find and expose members of LulzSec. Claiming to perform hacks out of a sense of American patriotism, he attempted to obtain and publish the real world personally identifiable information of key members, whom he described as "childish". On 24 June 2011, he claimed to have revealed the identity of LulzSec leader Sabu as an information technology consultant possibly from New York City. On 24 June 2011, a hacker allegedly going by the name Oneiroi briefly took down the LulzSec website in what he labelled "Operation Supernova". The Twitter page for the group also briefly became unavailable.

On 24 June 2011, The Guardian published leaked logs from one of the group's IRC channels. The logs were originally assumed to have been leaked by a disillusioned former member of the group who went by the nickname m_nerva, yet fellow hacker Michael Major, known by his handle 'hann', later claimed responsibility. After confirming that the leaked logs were indeed theirs, and that the logs revealed personal information on two members who had recently left the group due to the implications of attacking the FBI website, LulzSec went on to threaten m_nerva on their Twitter feed. LulzSec claimed the logs were not from one of their core chatting channels, but rather a secondary channel used to screen potential backups and gather research.

A short time before LulzSec claimed to be disbanding, a group calling itself the A-Team posted what they claimed was a full list of LulzSec members online along with numerous chat logs of the group communicating with each other. A rival hacker going by the name of TriCk also claimed to be working to reveal the group's identities and claimed that efforts on the part of rival hackers had pushed the group to disband for fear of being caught.

Law enforcement response
On 21 June 2011, the London Metropolitan Police announced that they had arrested a 19-year-old man from Wickford, Essex, named by LulzSec and locally as Ryan Cleary, as part of an operation carried out in cooperation with the FBI. The suspect was arrested on charges of computer misuse and fraud, and later charged with five counts of computer hacking under the Criminal Law Act and the Computer Misuse Act. News reports described him as an alleged member of LulzSec. LulzSec denied the man arrested was a member. A member of LulzSec claimed that the suspect was not part of the group, but did host one of its IRC channels on his server. British police confirmed that he was being questioned regarding alleged involvement in LulzSec attacks against the Serious Organized Crime Agency (SOCA) and other targets. They also questioned him regarding an attack on the International Federation of the Phonographic Industry in November 2010. On 25 June 2011 the court released Cleary under the bail conditions that he not leave his house without his mother and not use any device connected to the internet. He was diagnosed the previous week with Asperger syndrome. In June 2012 Cleary, together with another suspected LulzSec member, 19-year-old Jake Davis, pleaded guilty conspiring to attack government, law enforcement and media websites in 2011.

At around the same time as Cleary's arrest, Federal Bureau of Investigation agents raided the Reston, Virginia facility of Swiss web hosting service DigitalOne. The raid took several legitimate websites offline for hours as the agency looked for information on an undisclosed target. Media reports speculated the raid may have been related to the LulzSec investigation.

A few days before LulzSec disbanded, the FBI executed a search warrant on an Iowa home rented by Laurelai Bailey. Authorities interviewed her for five hours and confiscated her hard drives, camera, and other electronic equipment, but no charges were filed. Bailey denied being a member of the group, but admitted chatting with members of LulzSec online and later leaking those chats. The FBI was interested in having her infiltrate the group, but Bailey claimed the members hated her and would never let her in. The questioning by the FBI led a local technical support company to fire Laurelai, claiming she embarrassed the company.

On 27 June 2011, the FBI executed another search warrant in Hamilton, Ohio. The local media connected the raid to the LulzSec investigation; however, the warrant was sealed, the name of the target was not revealed, and the FBI office in Cincinnati refused to comment on any possible connection between the group and the raid. No one was charged with a crime after the FBI served the warrant. Some reports suggested the house may have belonged to former LulzSec member m_nerva, whom was originally suspected of leaking a number of the group's logs to the press, and information leading to the warrant supplied by Ryan Cleary.

On 19 July 2011, the London Metropolitan Police announced the arrest of LulzSec member Tflow. A 16-year-old male was arrested in South London on charges of violating the Computer Misuse Act, as part of an operation involving the arrest of several other hackers affiliated with Anonymous in the United States and United Kingdom. LulzSec once again denied that any of their membership had been arrested, stating "there are seven of us, and we're all still here."

On the same day the FBI arrested 21-year-old Lance Moore in Las Cruces, New Mexico, accusing him of stealing thousands of documents and applications from AT&T that LulzSec published as part of their so called "final release".

The Police Central E-Crime Unit arrested an 18-year-old man from Shetland on 27 July 2011 suspected of being LulzSec member Topiary. They also searched the house of a 17-year-old from Lincolnshire possibly connected to the investigation, interviewing him. Scotland Yard later identified the man arrested as Yell, Shetland resident Jake Davis. He was charged with unauthorized access of a computer under the Computer Misuse Act 1990, encouraging or assisting criminal activity under the Serious Crime Act 2007, conspiracy to launch a denial-of-service attack against the Serious Organised Crime Unit contrary to the Criminal Law Act 1977, and criminal conspiracy also under the Criminal Law Act 1977. Police confiscated a Dell laptop and a 100-gigabyte hard drive that ran 16 different virtual machines. Details relating to an attack on Sony and hundreds of thousands of email addresses and passwords were found on the computer. A London court released Davis on bail under the conditions that he live under curfew with his parents and have no access to the internet. His lawyer Gideon Cammerman stated that, while his client did help publicize LulzSec and Anonymous attacks, he lacked the technical skills to have been anything but a sympathizer.

In early September 2011, Scotland Yard made two further arrests relating to LulzSec. Police arrested a 24-year-old male in Mexborough, South Yorkshire and a 20-year-old male in Warminster, Wiltshire. The two were accused of conspiring to commit offenses under the Computer Misuse Act of 1990; police said that the arrests related to investigations into LulzSec member Kayla.

On 22 September 2011, the FBI arrested Cody Kretsinger, a 23-year-old from Phoenix, Arizona who was indicted on charges of conspiracy and the unauthorized impairment of a protected computer. He is suspected of using the name "recursion" and assisting LulzSec in their early hack against Sony Pictures Entertainment, though he allegedly erased the hard drives he used to carry out the attack. Kretsinger was released on his own recognizance under the conditions that he not access the internet except while at work and that he not travel to any states other than Arizona, California, or Illinois. The case against him was filed in Los Angeles, where Sony Pictures is located. Kretsinger pleaded guilty on 5 April 2012 to one count of conspiracy and one count of unauthorized impairment of a protected computer. On 19 April 2013, Kretsinger was sentenced for the "unauthorized impairment of protected computers" to one year in federal prison, one year of home detention following the completion of his prison sentence, a fine of $605,663 in restitution to Sony Pictures and 1000 hours of community service.

On 8 August 2013, Raynaldo Rivera, age 21, known by the online moniker "neuron", of Chandler, Arizona, was sentenced to one year and one day in federal prison by United States District Judge John A. Kronstadt. In addition to the prison sentence, Judge Kronstadt ordered Rivera to serve 13 months of home detention, to perform 1,000 hours of community service and to pay $605,663 in restitution to Sony Pictures.

On 6 March 2012, two men from Great Britain, one from the United States, and two from Ireland were charged in connection to their alleged involvement with LulzSec. The FBI revealed that supposed LulzSec leader Hector Xavier Monsegur, who went by the username Sabu, had been aiding law enforcement since pleading guilty to twelve counts, including conspiracy and computer hacking, on 15 August 2011 as part of a plea deal. In exchange for his cooperation, federal prosecutors agreed not to prosecute Monsegur for his computer hacking, and also not to prosecute him for two attempts to sell marijuana, possession of an illegal handgun, purchasing stolen property, charging $15,000 to his former employer's credit card in a case of identity theft, and directing people to buy prescription drugs from illegal sources. He still faces a misdemeanor charge of impersonating a federal agent. Five suspects were charged with conspiracy: Jake Davis, accused of being the hacker "Topiary" (who had been previously arrested); Ryan Ackroyd of London, accused of being "Kayla"; Darren Martyn of Ireland, accused of being "pwnsauce"; Donncha O’Cearrbhail of Ireland, accused of being "palladium"; and Jeremy Hammond of Chicago, accused of being "Anarchaos". While not a member of LulzSec, authorities suspect Hammond of being a member of Anonymous and charged him with access device fraud and hacking in relation to his supposed involvement in the December 2011 attack on intelligence company Stratfor as part of Operation AntiSec.

On 8 April 2013, Jake 'Topiary' Davis and three other LulzSec members pleaded guilty to charges of computer hacking at Southwark Crown Court in London.

On 24 April 2013, Australian Federal Police arrested 24-year-old Matthew Flannery of Point Clare, who boasted on Facebook "I’m the leader of LulzSec". Flannery, who went by the username Aush0k, was arrested for the alleged hacking of the Narrabri Shire Council website on which homepage sexually explicit text and an image were left. On 27 August 2014, Flannery entered guilty pleas to five charges of making unauthorised modification of data to cause impairment, and dishonestly obtaining the Commonwealth Bank details of a woman. Flannery, who said the reference to LulzSec was a joke, lost his job of computer technician in a security company. On 16 October 2014, he was sentenced to 15 months of house arrest which continues until mid-April 2016, alongside a 12 months good behaviour bond.