Three men, who allegedly were part of a multi-year hacking campaign executed by the Syrian Electronic Army (SEA), left a long digital trail that didn't make them hard to identify, according to court documents.
The U.S. Department of Justice unsealed charges on Tuesday against the men, who are accused of hacking companies and defacing websites.
The SEA, which emerged around July 2011, claimed credit for prominent hacks that sought to support Syrian President Bashar al-Assad. The group targeted the White House, Harvard University, Reuters, the Associated Press, NASA and Microsoft, among others.
Those charged are Ahmad Umar Agha, 22, of Damascus, Syria; Firas Dardar, 27, of Homs, Syria, and Peter Romar, 36, of Walterhausen, Germany. They were charged in the U.S. District Court for the Eastern District of Virginia with multiple conspiracies related to computer hacking, prosecutors said in a news release.
Agha and Dardar are believed to be in Syria, which may make it difficult for them to face trial in the U.S. The FBI has added them to its Cyber's Most Wanted list, offering a US$100,000 reward for information that leads to an arrest.
The Washington Post, citing U.S. officials, reported on Tuesday that Romar was arrested in Germany, and the government will seek his extradition.
The group was accused of breaching organizations primarily through targeted emails that sought to trick recipients into divulging account credentials, a scheme known as phishing.
Their attacks were frequently successful. In 2011 and 2012, the SEA posted fraudulent content on the websites of Reuters and the Washington Post.
The SEA also briefly took over the Associated Press' Twitter account in April 2013, posting a bogus tweet that the White House had been bombed and that U.S. President Barack Obama was injured.
Much of their other activity was centered on punishing media outlets for their coverage of the Syrian conflict. The SEA defaced Web pages and at times directed major websites to ones they controlled.
Such high-profile targets brought the group under intense scrutiny, though, and the criminal complaints made public on Tuesday show they took few precautions to mask their identities.
Agha, whom investigators allege is "The Pro," registered a Gmail account in November 2010 with a phone number.
"This email account was used to receive stolen credentials from victims, to register domains used by the conspiracy and to communicate with co-conspirators," the criminal complaint reads.
The Gmail account also contained an email with Agha's real identification documents along with wedding photos.
Dardar, who is believed to have used the nickname "The Shadow," exchanged 218 emails with Agha, also through a Gmail account he registered, prosecutors said.
Peter Romar allegedly maintained a Gmail account under the name "Pierre Romar" and a Facebook account under the same alias. Investigators found a copy of his German passport in his Gmail, job applications and messages to Dardar sent through Facebook, the complaint says.
Law enforcement can get access to online accounts of suspects by obtaining warrants from a court.
Private computer security companies had also been unraveling the digital trail around the same time as law enforcement.
IntelCrawler, a firm now owned by InfoArmor, published an extensive 94-page report on the SEA, which contained detailed technical documentation of The Pro and The Shadow.