
I was always curious as to what they were doing to hide their identities. I read the logs, and I am a bit disappointed that the extent of their methods of hiding themselves was so narrow - involving only VPN providers.

The old way of doing this was to own a series of boxes around the world and set up your own SOCKS server, ssh forwards etc. You use boxes that are being used internally at small companies for email or web hosting, meaning that there aren't any admins on there looking for weird traffic patterns.

You set up a group of servers like that, and chain them together. Symlink all logs to null, and make sure the first box you jump onto is the most unsuspecting (and one that you have the most control over).

With a group that I was a member of 10+ years ago we would abandon boxes that had a sysadmin that seemed like he/she knew what they were doing (looking at history logs) or boxes that had a lot of user activity on them but not a lot of resources (it only takes one user to wonder why the net connection is slow for the exploit and you to be found). The best bets were to scan for old ftpd's running on old kernels.

These were boxes that had been bought and set up for something like email or a small webpage and then forgotten about (usually set up by external IT). You patch the exploit so nobody else can get it, install a backdoor, and not do anything noticeable. We had access to such boxes for years and as far as I know we were never noticed by anybody.

VPN providers are constantly monitoring for abuse, and when they get a law enforcement notice they will comply. It is only a matter of time before you get caught if you are using them. I would suspect that law enforcement found out which VPN providers were being used some months ago, and set up honeypots at each one waiting for members of Anonymous to reconnect.
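The comment above describes attackers symlinking a box's logs to null and sitting quietly for years. Below is an added example, not part of the comment or of any project it mentions, showing the check a sysadmin of one of those forgotten mail or web boxes could run to catch exactly that tampering pattern: it walks a list of logs that should be ordinary files and flags any that are symlinks (especially to /dev/null), missing, or silently truncated to zero bytes. The log names and the sample directory are constructed for the demonstration; adapt the list to the host's real logging layout.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable

# Constructed list of logs an admin would expect to exist as regular files.
# These names are assumptions for the demo; use the host's actual log set.
EXPECTED_LOGS = ("auth.log", "syslog", "wtmp", "lastlog", "messages")


def audit_logs(log_dir: str, names: Iterable[str] = EXPECTED_LOGS) -> Dict[str, str]:
    """Return {path: finding} for every expected log that looks tampered with.

    A healthy log is a regular, non-empty file. Anything else is reported:
    a symlink (with its resolved target; /dev/null is called out explicitly),
    a missing entry, a non-regular file, or a zero-length file.
    """
    findings: Dict[str, str] = {}
    dev_null = os.path.realpath("/dev/null")
    for name in names:
        path = os.path.join(log_dir, name)
        if os.path.islink(path):
            target = os.path.realpath(path)
            if target == dev_null:
                findings[path] = "symlink to /dev/null (logging silently discarded)"
            else:
                findings[path] = f"symlink to {target}"
            continue
        if not os.path.lexists(path):
            findings[path] = "missing"
            continue
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            findings[path] = "not a regular file"
        elif st.st_size == 0:
            findings[path] = "zero length (possibly truncated)"
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed log directory and audit it.

    One healthy log (syslog), one symlinked to /dev/null (auth.log), one
    truncated to zero bytes (wtmp) and one missing entirely (lastlog).
    """
    d = tempfile.mkdtemp(prefix="logaudit-")
    with open(os.path.join(d, "syslog"), "w") as f:
        # Constructed sample line; not from any real host.
        f.write("Jan  1 00:00:00 host sshd[1]: Accepted publickey for alice\n")
    os.symlink("/dev/null", os.path.join(d, "auth.log"))
    open(os.path.join(d, "wtmp"), "w").close()
    return audit_logs(d, ("auth.log", "syslog", "wtmp", "lastlog"))


if __name__ == "__main__":
    for path, finding in sorted(demo().items()):
        print(f"{path}: {finding}")
```

Run against a real host as a periodic cron job, the useful part is the diff between runs: an entry that flips from healthy to "symlink to /dev/null" is a stronger signal than the absolute state, since a box set up once and forgotten has no reason for its log layout to change.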
