The Jester (hacktivist)
|Occupation||Grey hat hacktivist|
|Known for||Hacking anti-American, jihadist, and homophobic websites|
The Jester (also known by the leetspeak handle th3j35t3r) is an unidentified computer vigilante who describes himself as a grey hat hacktivist. He claims to be responsible for attacks on WikiLeaks, 4chan, Iranian President Mahmoud Ahmadinejad, and Islamist websites. He claims to be acting out of American patriotism. The Jester uses a denial-of-service (DoS) tool known as "XerXeS", that he claims to have developed.
Identity and communication
The Jester first appeared on Twitter, where he announced his attack on the Taliban website alemarah.info on January 1, 2010. On June 26, 2010, he established his WordPress blog "Jester's Court". The Jester also communicates via his I2P IRC channel #jester and cautions these are the only three authentic methods of communication from him: "As per usual, because of the large amount of imposters trying to pass themselves off as me I will only speak in THREE places, here via this blog, my twitter and the i2p IRC network outlined above where my nick (th3j35t3r) is registered to myself. If you see a ‘jester’ anywhere else it's not me." In November of 2017 Jester set up an instance of the Mastodon social networking server, named Counter Social, where he continues to use the alias @th3j35t3r.
The Jester had stated that he was a former soldier and had served in Afghanistan and elsewhere. A former defense operative claimed that The Jester was a former military contractor involved in US Special Operations Command projects. On April 10, 2012, The Jester gave a live chat interview to a class of Computer Science students at the University of Southern Maine where he confirmed his military service and stated he served four "operational tours".
XerXeS and other tools
The Jester claims to have originally developed his DoS script as a means to test and harden servers. After learning from an article that Jihadists were using the Internet to recruit and coordinate terror cells, The Jester resolved to disrupt online communications between Jihadists. He weaponized his script and created a front-end known as "XerXeS" in order to solve the script's usability problems.
The Jester posted several tweets claiming to be responsible for the downtime WikiLeaks was experiencing. He justified his alleged attacks by claiming that WikiLeaks was "attempting to endanger the lives of our [US] troops, 'other assets' & foreign relations." In retaliation to The Jester's reported efforts, hacktivists including a group named Anonymous in support of WikiLeaks were reported as temporarily disrupting the website of MasterCard as well as attacking websites of Amazon and PayPal.
On November 29, 2010, someone claiming to be The Jester stated that he had been raided by the U.S. and attempted to solicit money for legal fees. The Jester purported that the person was an impostor, though writers at InfoSecIsland believe the hoax was created by The Jester himself.
On December 28, 2010, a DoS attack targeted 4chan.org. On that same day, The Jester tweeted "4chan.org — that looks like a TANGO DOWN (not) maybe you guys pissed off the wrong person trying to (wrongly) ID me?" This tweet is believed to be a reference to claims by 4chan users that The Jester was a man from Montana.
In March 2011, The Jester employed a different style of attack by using an XSS vulnerability to make it appear as if fabricated articles were inserted online Libyan newspapers The Malta Independent Online and the Tripoli Post. On March 28, 2011, he tweeted links to the forged articles. The articles were not visible in search, or to viewers of those websites and viewable only via the inserted links. These tweets drew the attention of Anthony M. Freed, who examined the articles and discovered they were anomalies not contained in the newspapers' respective archives. Further inspection by Freed revealed The Jester left a watermark of his signature Harlequin avatar on the articles he created, which can only be seen by tilting the computer monitor back at an angle. The fabricated articles reported degradation in troop morale among fighters loyal to Muammar Gaddafi and incidents of his soldiers abandoning their posts. Freed concluded The Jester's objective was a "psyops campaign aimed at breaking the spirit of the troops loyal to Libyan strongman Muammar Gaddafi." The Jester confirmed this in a subsequent interview later the same year.
In June 2011 The Jester vowed to find and expose members of LulzSec. He attempted to obtain and publish personally identifiable information of key members within group, whom he described as "childish". On June 24, 2011, he claimed to have revealed the identity of LulzSec leader Sabu as Xavier Kaotico, an information technology consultant possibly from New York City. In July of the same year he falsely accused Hugo Carvalho, a Portuguese IT professional, of also being Sabu, leaving The Jester's outing claims to be considered suspect. However, in a post on his blog in November 2011, The Jester retracted his prior identifications for "Sabu", issued an apology and correctly identified "Sabu" as Hector Xavier Monsegur, 28, of New York. Sabu's identity was confirmed on March 6, 2012, when Monsegur was arrested by the FBI and it was revealed that he had been acting as an FBI informant in the interim.
In October 2011, at the Hackers Halted USA conference, The Jester gave a surprise live presentation and fielded questions through an online chat with presenter Jeff Bardin. His identity was authenticated via his Twitter account. Jester answered questions about XerXeS and other tools in development and discussed his motivations for attacking militant jihadi recruiting websites. On August 26, 2012, Bardin hosted a similar presentation at Utica College for the college's Cybersecurity Master's program.
Late November 2011, th3j35t3r claimed to take down multiple jihadist sites permanently, with his newest tool known as 'Saladin'. Saladin is claimed to be similar to other 'Apache Killer' tools used by hackers. Critics have claimed Saladin does not exist, and that he is relying on domain expiration.
On May 14, 2012, The Jester's Twitter account (@th3j35t3r) appeared to have been deleted, along with all posts on his WordPress blog. However, the Twitter account and WordPress blog were merely temporarily deactivated and were subsequently restored May 16, 2012.
On July 2, 2013, the Jester took responsibility for a series of DoS cyberattacks against the Ecuadorean stock exchange and the country's tourism website, and promised to attack any other governments considering granting asylum to NSA leaker Edward Snowden. In a June blog post, he wrote that Snowden "is not a goddam hero, here to save Americans from 'the government' because of privacy infringements and breaches of the 4th amendment, he is a traitor and has jeopardized all our lives." In tweets, the Jester also alluded to a plan to seize control of the fire alarms at the Ecuadorean embassy in London, which would force WikiLeaks founder Julian Assange to set foot on UK soil and face potential extradition to Sweden to face sexual assault charges.
On October 21, 2016, the Jester took responsibility for "defacing" the official website of the Russian Ministry of Foreign Affairs. The "hack" was later shown to be fake, actually being a POST based XSS on the website, not a deface or hack.
SANS report: "The Jester: A Lesson in Asymmetric Warfare"
In December 2011, T. J. O'Connor, a research analyst in the Information Technology and Operations Center (ITOC), produced a comprehensive report for the SANS Institute detailing the history of The Jester's hacking campaigns titled "The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare". The paper examines the history, motives and impact of two years worth of The Jester's hacking, and provides a detailed analysis of the timeline of his attacks, a speculative analysis of the tools he may use, and review of his use of social media and public relations through his blog.
QR code attack
On March 5, 2012, The Jester changed his Twitter account @th3j35t3r avatar from his signature Jester icon to a QR code without comment or explanation. Scanning a QR code redirects a browser to a website. Scanning The Jester's icon led to a URL where he had an image of his signature Jester icon and an embedded, hidden code that allegedly exploited a vulnerability that affects Safari, Chrome and Android browsers. "When anyone scanned the original QR code using an iPhone or Android device, their device would silently make a TCP shell connection back to my remote server," The Jester wrote. "Like a phone call, if you like." This was however exposed to be fake and the exploit was stolen from a 2-year-old CVE advisory.
- Keizer, Gregg (2010-11-30). "WikiLeaks moves to Amazon servers after DOS attacks". Computerworld New Zealand. Retrieved 2010-12-29.
- "Hacktivist Tactics Raise Ethical Questions". Infosecisland.com. 2010-01-27. Retrieved 2011-08-30.
- th3j35t3r (2010-07-03). "[Interview] The Jester". ethicalhack3r (Interview). Interviewed by ethicalhack3r. Retrieved 2010-12-29.
- th3j35t3r (23 June 2010). "About Jester". Retrieved 2010-12-29.
- Anthony M., Freed (November 29, 2010). "The Jester Hits WikiLeaks Site With XerXeS DoS Attack". Infosec Island.
- Rosenbach, Marcel; Stark, Holger (2010-12-07). "Julian Assange Becomes US's Public Enemy No. 1". Der Spiegel. Retrieved 2011-12-02.
- Vance, Ashlee (2010-12-03). "WikiLeaks Struggles to Stay Online After Attacks". The New York Times. Retrieved 2010-12-29.
- th3j35t3r (26 June 2010). "Maybe I might setup a blog here??". Retrieved 2012-06-07.
- th3j35t3r (23 May 2012). "IRC Channel". Retrieved 2012-06-07.
- "Transcript: Patriot Hacker th3j35t3r Addresses USM Students". Infosec Island. 2011-04-11. Retrieved 2012-05-28.
- Freed, Anthony M. (2010-02-10). "Jester Unveils XerXeS Automated DoS Attack". Infosec Island. Retrieved 2011-01-03.
- Freed, Anthony M. (2010-02-04). "More Talks with Anti-Jihadi Hacker The Jester". Infosec Island. Retrieved 2011-01-03.
- Bailey, Laurelai (2010-07-08). "XerXeS source code". SecLists.Org Security Mailing List. Retrieved 2011-07-08.
- th3j35t3r (2010-06-30). "Hacker macht Jagd auf Online-Dschihadisten". Die Welt (Interview). Interviewed by Florian Flade. Retrieved 2010-12-29.
- th3j35t3r (2010-06-30). "Unredacted Original Interview with Newspaper 'Die Welt'". th3j35t3r.wordpress.com (Interview). Interviewed by Florian Flade. Retrieved 2010-12-29.
- "Afghan Taliban deny meeting U.N. envoy". Reuters. 2010-01-30. Retrieved 2011-01-03.
- David Leigh, Luke Harding WikiLeaks cyber attacks: a tango with the Jester The Guardian, 2 February 2011
- "Did WikiLeaks Hacker The Jester Pull Police Raid Hoax?". Infosecisland.com. 2010-12-02. Retrieved 2011-08-30.
- Sullivan, Bob (2010-12-07). "Red Tape - WikiLeaks hacker a villain or a hero?". Redtape.msnbc.msn.com. Archived from the original on 2011-05-02. Retrieved 2011-08-30.
- Prefect (2010-12-10). "Anonymous Turns Operation Payback Toward "The Jester"". Praetorian Prefect. Retrieved 2011-01-02.
- (2011-03-24) "Hacktivist Maintains Attack on Westboro Baptist Church" Retrieved 28 March 2011
- Freed, Anthony (2011-03-30). "Patriot Hacker The Jester's Libyan Psyops Campaign". Infosec Island. Retrieved 2011-12-01.
- "Hacktivist "The Jester" Draws Crowd at Hacker Halted". Infosec Island. 2011-10-31. Retrieved 2011-11-23.
- Poeter, Damon (24 June 2011). "Will LulzSec's Hit on Arizona Cops be its Last Hurrah?". PC Magazine. Ziff Davis. Archived from the original on 25 June 2011. Retrieved 25 June 2011.
- Halliday, Josh (24 June 2011). "LulzSec: the members and the enemies". The Guardian. London. Guardian Media Group. Archived from the original on 25 June 2011. Retrieved 25 June 2011.
- Chapman, Stephen (24 June 2011). "LulzSec's leader, Sabu, revealed?". ZDNet. CBS Interactive. Archived from the original on 25 June 2011. Retrieved 25 June 2011.
- "The Quest to Unmask the Ringleader of Anonymous - Technology". The Atlantic Wire. 2011-07-14. Retrieved 2011-08-30.
- Wagenseil, Paul (8 March 2012). "Despite Being Anonymous, Hacktivist Sabu Wasn't Hard to Find". Security News Daily. Retrieved 13 March 2012.
- "5 'Anonymous' hackers busted after one becomes FBI informant". Newsday. AP. March 6, 2012.
- Goldman, David (March 6, 2012). "Anonymous in disarray after major crackdown snares leaders". CNN.
- "th3j35t3r: BIG shout-out to Mr H.Cooper". Twitter. Retrieved 2012-09-01.
- ʇuıɐs ʞɔopuooq™ (November 27, 2011). "jihadunspun.com - TANGO DOWN - PERMANENTLY (yes forever)". Twitter.
- ʇuıɐs ʞɔopuooq™ (November 27, 2011). "muslimdefenseforce.islamicink.com - TANGO DOWN - PERMANENTLY". Twitter.
- ʇuıɐs ʞɔopuooq™ (November 27, 2011). "falojaa.net - TANGO DOWN - PERMANENTLY". Twitter.
- "th3j35t3r's Saladin Tool Exposed". Twitter. 12 May 2012. Retrieved 2013-07-02.
- ""Patriotic hacktivist" The Jester unmasked—or maybe it's a big troll". Ars Technica. May 15, 2012.
- th3j35t3r (16 May 2012). "Not totally sure what just happened, but damn it's getting out of hand now". Retrieved 2012-05-28.
- Snowden and Assange Targeted by Mysterious Hacker "The Jester", Mother Jones, 2 July 2013
- "In Soviet Russia, we get out-propagandered by a guy in a jingly hat". Jesterscourt.cc. October 23, 2016. Retrieved October 24, 2016.
- "How the Jester fooled Russians—and Fox News—with one simple trick. [Updated]". 25 October 2016.
- "Department of Electrical Engineering and Computer Science - Home". Eecs.usma.edu. Retrieved 2012-07-09.
- O'Connor, T. J. (December 30, 2011). "The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare" (PDF). SANS Institute.
- Wagenseil, Paul (March 13, 2012). "Anti-Anonymous hacker threatens to expose them". MSNBC.
- "What Is A QR Code And Why Do You Need One?". Search Engine Land. October 15, 2009.
- Wagenseil, Paul (March 12, 2012). "Pro-American Hacker's Attack Threatens to Expose Anonymous". Security News Daily.
- "th3j35t3r and QR Exploits Exposed Part 2". Wordpress. March 13, 2012.
- "Cve - Cve-2010-1807".
- Counter Stream – The Jester's blog