One of the most active actors of the past several months has been a hacktivist group who identify themselves as ‘Crackas With Attitude’ (CWA). CWA reportedly used social engineering to obtain and release information from the personal accounts of John Brennan and Jeh Johnson, as well as other anti-Law Enforcement targets. Now, amid purported splits among members, we are afforded a greater insight into this group.

The ostensible leader of CWA is Cracka (@phphax), who claims the core of the group is made up of themself and the co-leader, Cubed (@fruityhax). Alongside these two are Incursio (@incursiosubter), Derp (@derplaughing) and Zoom (@internetbear). The latter three have since split with CWA.

On 23 October, a user known as “Pop” (@whitehat_scum) claimed to have doxed Cracka, providing a purported image and correspondence over Kik (a mobile instant messenger) with users ‘Wolf’ and ‘Lorenzo’, the latter a likely reference to the Motherboard journalist who covered many stories pertaining to CWA Cubed previously used the handle @php5hax and, before CWA was established, @errorbased. While using the @errorbased handle, Cubed identified himself as ‘Wolf’, a name that features in Pop’s exposed Kik conversation with Cracka.

Competing hypotheses exist. One user, ‘Jester (@th3j35t3r) claimed that Cracka was in fact ‘MLT’, a former member of TeaMp0isoN. He similarly accuses Cubed of the same background. It is difficult to substantiate Jester’s claims, as we have observed no evidence to link Cracka with TeaMp0isoN.

In fact, it is very difficult to tie Cracka with any previous activity, which may be thanks to good operational security. Take the twitter handle of Cracka, for example. Up until 24th April 2014, the handle @phphax tweeted multiple times per day with benign content, but then fell silent for over a year. In September 2015, when the handle became active once more, the style had changed dramatically and resembled the tone we recognize today. Misinformation was also rife; differing information on their age, location and backgrounds were frequently referred to.

CWA PHPHAX

Information regarding the backgrounds of other members can be garnered, however. Judging by IRC conversations that we observed in early 2015, as well as discussions on social media, Incursio and Derp were heavily involved in Deletesec, a hacking group active between 2012 and 2014.  These two members are also linked to the UK. It is claimed that they have both previously been arrested in the UK for Computer Misuse Act. Indeed, the language used by most of the accounts associated with CWA was distinctly British in nature.

Amid all of the chaos – and whether CWA has disbanded or not – the saga tells us three main things. Firstly, the use of social engineering as a hacktivist tool continues to gain in popularity. Secondly, it highlights the level individuals go to in order to obscure their true identity, achieved through misdirection and misinformation. Lastly, many hacktivist groups are amorphous; individuals rarely retain a monogamous loyalty to a group in the face of competing egos, motivations and aims.

The challenge is to manage the information you are exposing online and gain an understanding of actors so you can cut through the noise and understand how developments are relevant to you and your organization.