SAN FRANCISCO (Reuters) - A federal grand jury has indicted Matthew Keys, deputy social media editor at Reuters.com, for conspiring with members of the Anonymous hacking collective to break into the computers of his former employer, Tribune Co. The alleged incident occurred before he joined Thomson Reuters Corp, the indictment filed on Thursday indicated.
The indictment charged Keys with three criminal counts, including conspiracy to transmit information to damage a protected computer. The indictment said that he promised to give hackers access to Tribune Co websites and that a story on the Tribune’s Los Angeles Times website was later altered by one of them.
Keys did not respond to requests for comment. But several hours after the indictment was handed down, he tweeted: “I found out the same way most of you did: From Twitter. Tonight I’m going to take a break. Tomorrow, business as usual.” His attorney did not return a phone call seeking comment.
A Thomson Reuters spokesman said the company was aware of the indictment and added: “Any legal violations, or failures to comply with the company’s own strict set of principles and standards, can result in disciplinary action. We would also observe the indictment alleges the conduct occurred in December 2010; Mr. Keys joined Reuters in 2012.”
The company did not comment on Keys’s employment status. However, a Thomson Reuters employee at the New York office where Keys worked said that his work station was being dismantled and that his security pass had been deactivated.
The documents in the case paint a picture of a disgruntled former Tribune employee who fell in with some of the most notorious hackers in the country—and then worked with them, as well as against them.
The case began in early December 2010, when Fox 40, a Tribune-owned television station in Sacramento, Calif., received emails saying someone had claimed to have an internal list of employees, according to an affidavit for a search warrant submitted by Los Angeles-based Federal Bureau of Investigation agent Gabriel Andrews.
A former colleague suggested Keys as a suspect, according to the FBI affidavit, because he had been terminated as an employee in October 2010 and then refused to hand over control of the Facebook and Twitter accounts he had run for Fox 40.
According to the affidavit, within weeks of the first suspicious email Keys told the same colleague that he had penetrated an elite chat group used by some of the most sophisticated members of Anonymous. According to the affidavit, Keys said he had learned of upcoming attacks on the Tribune’s Los Angeles Times, eBay’s PayPal and other companies. Two days later, a story on Latimes.com was defaced.
When Keys learned that a member of the hacking group had changed the Times story, Keys responded “nice,” according to the indictment.
Transcripts of the electronic chats excerpted in the affidavit and the indictment show someone using the nickname AESCracked offered to grant access to Tribune computers to others in the chat group. “Let me see if I can find some other users/pass I created while there,” he wrote after previous credentials were denied access, the indictment said. The indictment says Keys used the nickname AESCracked.
The documents appear to show Keys playing a double game for weeks before getting kicked out of the chat group. As a journalist between jobs, he took screenshots of the hacking group’s chats and sent them to media outlets, he wrote later on a personal blog cited by the FBI.
He claimed credit for that work in a posting on his personal website in March 2011, writing: “I identified myself as a journalist during my interaction.”
But others in the chat room were furious at the leaks. The leading figure, known as Sabu, said on Twitter days later that Keys was AESCracked and “gave full control of LATimes.com to hackers.”
Sabu, subsequently identified as Hector Xavier Monsegur, was arrested later in 2011 and began cooperating secretly with the FBI while continuing to lead an Anonymous spinoff called LulzSec, according to court documents.
The probe of Monsegur, who is awaiting sentencing for more serious breaches at Sony and elsewhere and is continuing to cooperate with prosecutors, led to chat transcripts containing evidence against Keys, the affidavit says.
Keys, now 26 and living in New Jersey, went to work for another television station before joining Reuters in January 2012 as deputy social media editor. He was relatively well known on Twitter, amassing more than 23,000 followers for his personal account, apart from his tweets under the Reuters brand.
He also wrote occasional longer blog entries for Reuters, including at least two about Anonymous. In a March 2012 entry, after Sabu’s exposure, Keys blogged about how he had gained entry to the elite chat group called InternetFeds and said Sabu had confided his New York location and other details.
One Sacramento acquaintance, Mona Vaughn, said Keys had “a pretty extreme personality.” She said she recommended him on LinkedIn before she found out that he had disparaged a former employer.
At Reuters, where his main mission was to promote journalists’ stories through social media, Keys drew attention last October by covertly creating a parody Twitter account, PendingLarry, which mocked Google after a premature release of an earnings report that included a space reserved for comment by CEO Larry Page. He was reprimanded by Reuters editors for that incident.
The case against Keys is being prosecuted by Benjamin Wagner, U.S. Attorney for the Eastern District of California, which includes Sacramento. Keys could face a maximum of 25 years in prison.
In an interview, Wagner said that Keys appeared to have been acting against Tribune primarily as an angry former employee.
But because Keys could have claimed he was acting as a journalist, Wagner said the case was taken to high-level officials at the Justice Department in Washington for approval multiple times “out of an abundance of caution.” Wagner declined to say whether Keys has been cooperating.
Some online activists used the Keys case to renew their criticism of the Computer Fraud and Abuse Act (CFAA), the anti-hacking law under which Keys was indicted. Federal prosecutors used the law against Aaron Swartz, a computer programmer who was accused of illegally distributing scholarly articles and hanged himself in January.
Hanni Fakhoury, an attorney at the Electronic Frontier Foundation, said the cases were fundamentally different but both highlighted the excessively draconian punishments that prosecutors could seek under the CFAA.
“Aaron’s case was about taking information in a way he wasn’t supposed to, and this is about vandalism in its simplest form,” Fakhoury said. “But the similarities are in how the sentencing scheme is so dramatic under the CFAA that he (Keys) could face 25 years.”
Keys is scheduled to be arraigned on April 12 in Sacramento, according to the court docket.
The case in U.S. District Court, Eastern District of California, is United States of America v. Matthew Keys, 13-82.
(This story corrects wording of fifth paragraph to make clear that work station, not computer, was being dismantled)
Reporting by Joseph Menn and Dan Levine; Additional reporting by Alistair Barr and Gerry Shih; Editing by Jonathan Weber and Ciro Scotti