Sydney hacker Aush0k disputes AFP charges

A NSW man sentenced to 15 months home detention for defacing the website of a local council claims he has been wrongly charged and misrepresented by the Australian Federal Police.

Matthew Flannery

Matthew Flannery, known as Aush0k online, was accused by the AFP of taking advantage of a known ColdFusion exploit to access the website of Narrabri Shire Council in order to put in a backdoor to enable access, deface the site with an image and alter the site’s internal structure.

Flannery was last month found guilty of two counts of unauthorised access and modification of restricted data; two counts of unauthorised modification of computer data; and dishonestly obtaining/dealing in personal financial information.

He received a combined sentence of 15 months’ home detention, which continues until mid-April 2016, alongside a 12 month good behaviour bond.

But Australia’s hacker community - and Flannery himself - have long said Flannery was not the person who initially broke into the site and uploaded the remote shell.

Both Flannery and other sources say he encouraged an associate to break into the website, while he simply accessed the shell from his work - at the time IT security firm Content Security - at which point he came to the attention of the AFP.

Flannery, who has decided to speak out following his recent sentencing, now claims the AFP raided the house of the associate he says broke into the website, but did not lay any charges.

"Why were people raided as a result of my arrest - because they were associated with me? Why were they raided?" Flannery said on ABC's 7:30.

"And saying this serves no benefit to me, it's more a question of the AFP's integrity. Why were those people raided and arrested for much more serious offences and yet saw no charges or any kind of media attention whatsoever?"

He said he had been shocked and horrified that the AFP had taken his ‘joke claims’ to a Facebook friend that he was the leader of international hacker collective LulzSec seriously, and publicised them to the world.

"I would like to know if that is solely what they are basing their claims off of and, if so, then why did the AFP - in a press release in front of the world - state that I had made claims in online chat communities that were frequented by Lulzsec members that I was the leader of Lulzsec?" Flannery asked.

"I certainly did not proclaim to other LulzSec members - because I've never met any - that I was the leader of LulzSec."

The AFP declined to comment on Monday afternoon when contacted by iTnews.

AFP national manager of cyber crime, Commander Glen McEwen told 7:30 he couldn't confirm Flannery was a member of LulzSec, but he also couldn't categorically rule it out.