On April 16, a post went up on the international drug discussion forum Bluelight.ru announcing the death of Dennis “Coolio” Moran.
“Coolio has died last night from an OD,” wrote user cr00k. “I don’t know anything about the substance he used or the circumstances. He had been contemplating suicide for a while. Any info on his death would be appreciated!”
Coolio is a Berkeley, California-based hacker who first gained notoriety in February 2000 when a potent 1 gigabit per second denial-of-service attack on Yahoo!’s routers brought their websites down for several hours. Over the next week, eBay, Amazon, E*Trade and Buy.com were also attacked and temporarily brought down.
CNN reported on the investigations following the attacks:
It’s a name that keeps popping up as the FBI continues to seek parties believed to have information connected to last week’s attacks on popular Web sites.
Agents from every FBI field office are involved in the investigation.
One hacker they are focusing on uses the name “Coolio” and is believed to live in the Midwest. He was identified by investigators at the private firm Securify and Stanford University in California.
Investigators have associated a name and address with this “Coolio.”
But since “Coolio” also is the name of a popular rap artist, many Coolios pop up as nicknames.
Another popular “Coolio” the FBI has spoken with resides in Southern California, sources said, and has been linked to “Global Hell,” a group of teens known for hacking into government computers.
“‘Coolio’ is such an incredibly popular name among the script kiddies, also being gangsta’ rap wanna-be’s, it could be an entirely other hacker calling himself ‘Coolio,’” said B.K. DeLong, a staff member with Attrition.org, which chronicles Web site defacements.
The authorities couldn’t connect Coolio to the February 2000 attacks (mafiaboy was later charged) but, by March, the attention he’d received led to Coolio, then 17 years old, being arrested in his parent’s basement “on felony charges for allegedly gaining unauthorized access to [the anti-drug site] DARE.com computer system in Los Angeles,” reported CNN.
He was also charged with defacing cwc.gov (Chemical Weapons Convention) and RSA.com, the website of RSA Security Inc., the firm that investigated his involvement in the February attacks, reported ABC News.
The first defacement of Dare.com took place on November 14, 1999.
The second defacement took place on November 17. “The anti-drug site was defaced with pro-drug slogans and images, including one of Donald Duck with a hypodermic syringe in his arm,” reported USA Today.
Coolio’s work is saved at http://frigo.ca/coolio/.
CannabisNews.com summarized the affidavit that led to Moran’s arrest. Coolio had tagged his name on Dare during both attacks (“Coolio is k-r4d and so are drugs” and “Craftily owned by Coolio :D”).
Detective Michael Brausman of the Los Angeles Police Department, the first investigator on the case, used the search engine Locoseek.com to find a Web page that included an email address for “Coolio@k-r4d.com.” This he traced to a Web site called http://leet.k-r4d.com hosting a directory with the name Coolio. In this directory the detective found one of the images that was posted on the defaced DARE site.
A search warrant was executed and the owner of the leet.k-r4d server handed over logs and email conversations related to Coolio.
They found that the person using the Coolio account was also using the email address firstname.lastname@example.org and had sent email messages to the Web sites email@example.com and firstname.lastname@example.org. The messages announced that the Web sites www.DARE.com and www.cwc.gov — a federal site that deals with the reporting and inspection requirements of the Chemical Weapons Convention — had been hacked. The attrition.org Web site is well known to hackers, according to Swindon, and hosts a gallery of archived hacked pages for future viewing.
Vanity and the email record would prove Coolio’s undoing. A message dated Nov. 4, 1999, from email@example.com to firstname.lastname@example.org, read: “Hello, I was wondering if it’s possible to register cool.io and host the NS for it like Internic domains. I’m not interested in it for a Web page, but just to allow an IP to reverse resolve to Cool.io (my nickname). If there’s any way I could buy the domain for this, please email me pricing and information. Thanks, Dennis Moran.”
Further, a message dated Nov. 14, 1999, included Moran’s name, address and phone number.
Moran was interviewed by police for the first time in February 2000 when, after speaking with his father in private, he admitted and explained his attacks on Dare, CWC and RSA.
Billing itself as “the most trusted name in e-Security,” RSA Security, which is based in Bedford, Mass., was hacked on Feb. 12 by Coolio, who posted taunting messages — “Owned by Coolio,” “Copyright 2000 Coolio,” “RSA Security Inc. Hacked,” “Trust us with your data! Praise Allah!”
Moran denied involvement in the Yahoo! attacks. He was ordered to pay a fine of $15,000 ($5,000 to each victim), serve nine months in prison and help program jail computers, according to USA Today.