Anonymous hacks HBGary Federal, exposing Team Themis: proposed disinformation and harassment campaign against WikiLeaks supporters and journalist Glenn Greenwald on behalf of Bank of America


Opening

On February 5–6, 2011, the hacktivist collective Anonymous compromised HBGary Federal’s email server and posted more than 40,000 internal emails on The Pirate Bay. The emails revealed that HBGary Federal CEO Aaron Barr, working with Palantir Technologies, Berico Technologies, and Endgame Systems — collectively branded “Team Themis” — had assembled a proposal to wage a coordinated disinformation, persona-management, and harassment campaign against WikiLeaks supporters, including Salon journalist Glenn Greenwald, on behalf of law firm Hunton & Williams acting for Bank of America. The hack exposed the full anatomy of a privately contracted information-operations program targeting U.S. journalists and civil society, assembled by companies whose capabilities had been developed in part through federal R&D contracts.

What Happened / Key Facts

The hack: Anonymous gained initial access via a SQL injection vulnerability in HBGary’s website CMS, extracted hashed employee passwords, cracked them, and leveraged password reuse across email, Twitter, and LinkedIn accounts to compromise Barr’s email administrator credentials. Anonymous monitored the server for approximately 30 hours before extracting the full archive. The hack was explicitly retaliatory: Barr had publicly announced he had identified Anonymous leadership through social network analysis and planned to sell the information to the FBI.

Team Themis formation: In late 2010, HBGary Federal (Barr), Palantir Technologies (engineer Matthew Steckman, subsequently placed on leave), Berico Technologies, and Endgame Systems formed “Team Themis” under the coordination of Hunton & Williams partner John Woods. The client was Bank of America, which was reportedly concerned about WikiLeaks holding internal documents for release. A parallel engagement targeted critics of the U.S. Chamber of Commerce, including the publication ThinkProgress and labor union organizers.

The civil-society-targeting pitch: The Team Themis proposal — a PowerPoint presentation that bore Palantir’s logo — described an initial engagement at $200,000/month, escalating to $2 million/month at full operational intensity, with a 40/30/30 revenue split among the firms. HBGary Federal’s projected cut: $500,000–$700,000/month.

Proposed tactics, per the pitch document as reported by Salon, NPR, and Ars Technica (the specific document was distributed across the Anonymous email archive):

  • Submitting falsified documents to WikiLeaks, then exposing them as forgeries to discredit the organization’s verification processes
  • Disinformation campaigns to “feed the fuel between the feuding groups” — sowing discord among WikiLeaks supporters
  • Compiling dossiers on critics and their families
  • Persona management (fake social media profiles) to amplify counter-narratives
  • Infrastructure hacking against target organizations
  • Targeted pressure on journalists identified as “amplifiers” of WikiLeaks

Glenn Greenwald as a specific named target: On December 3, 2010, Barr emailed the Team Themis group that they needed to “highlight people like Glenn Greenwald” because Greenwald “was critical in the Amazon to OVH transition and helped WikiLeaks provide access to information during the transition. It is this level of support we need to attack.” Steckman added Greenwald to the pitch deck’s “spotlight” section. The document characterized targeted journalists as having “a liberal bent” who would “if pushed choose professional preservation over cause” — explicitly predicting that intimidation tactics would be effective. Greenwald would go on to receive and co-publish the Snowden NSA documents in June 2013, approximately 30 months after being named as a target in this proposal.

Congressional response: On March 1, 2011, more than 17 House Democrats called for a congressional investigation into potential violations of federal law — including forgery, wire fraud, and computer fraud statutes — by Hunton & Williams and Team Themis. On March 16, 2011, Rep. Hank Johnson (D-GA) questioned Gen. Keith Alexander (NSA director / U.S. Cyber Command commander) and Deputy Undersecretary of Defense James Miller at a House Armed Services Subcommittee on Emerging Threats hearing, asking about DOD/NSA contracts with Team Themis members. Johnson requested all contracts with HBGary Federal, Palantir, and Berico from DOD, DOJ, and the Director of National Intelligence.

No investigation proceeded: Despite congressional calls, no DOJ investigation was opened and no charges were filed against Team Themis members or Hunton & Williams. Aaron Barr resigned from HBGary Federal on February 28, 2011; he was subsequently employed as a cybersecurity executive at a large federal contractor. Palantir CEO Alexander Karp apologized to Greenwald and severed ties with HBGary Federal. Matthew Steckman was later promoted. Berico Technologies co-founder Pat Ryan was later elected to Congress (NY-18, 2022). HBGary, Inc. was acquired by ManTech International in February–March 2012.

The accountability inversion: Barrett Brown, the journalist who created ProjectPM to organize analysis of the leaked HBGary documents and who publicized the Team Themis findings, was arrested in September 2012, indicted on charges including sharing a hyperlink to hacked Stratfor data, and faced a potential prison sentence of 105 years. He was convicted in 2014 and served approximately four years. No Team Themis principals were prosecuted.

Why This Event Matters

This event is the most completely documented historical instance of the DHS SBIR incubation pipeline producing capabilities that were then proposed for deployment against U.S. journalists and civil society. HBGary Inc. received $1.075M in DHS SBIR funding (2006–2007) for botnet detection and mitigation — nominally defensive cyber research — plus approximately $1.79M in parallel DOD SBIR awards for rootkit analysis tools. By 2009–2011, the matured capabilities were commercialized, and HBGary Federal was developing offensive products (Magenta rootkit, 12 Monkeys rootkit — both sourced from the email archive, not independently confirmed from government procurement records) for defense and intelligence clients. The Team Themis pitch proposed to extend that operational capability to a private-sector client targeting U.S. journalists.

The event establishes the pattern documented in dhs-sbir-as-surveillance-rd-incubation-pipeline with primary-source specificity: government R&D investment → capability maturation → commercial operationalization → proposed civil-society targeting. It illustrates the infrastructure-decoupling-cascade-artifacts-persisting-past-animating-cause mechanism: the defensive justification (botnet detection) fully decoupled from the downstream proposed deployment (disinformation and harassment of journalists) within five years of the initial SBIR award.

Broader Context

Team Themis was not an isolated incident. It occurred within a broader landscape of private intelligence contractors performing services for corporate clients that had previously been the province of government law enforcement and intelligence agencies. Endgame Systems — one of the Team Themis participants — had by 2011 built a substantial commercial zero-day exploit business. The Air Force’s June 2010 persona management software solicitation demonstrates that government agencies were simultaneously demanding these capabilities for their own use. The private-sector market for information-operations capabilities was downstream of and parallel to the government-funded development pipeline, not separate from it.

The accountability gap also fits a pattern: the journalist who exposed the proposals (Brown) faced more severe legal consequences than any of the contractors who assembled them. This asymmetry recurs across civil-society-targeting cases and is itself structural — it reflects the institutional incentive to prosecute exposure rather than the conduct exposed.

Research Gaps

  • Primary contract documentation for Magenta (NBCHC08004) from a government procurement source independent of the Anonymous email archive
  • Full transcript of March 16, 2011 House Armed Services Subcommittee hearing (Rep. Johnson / Gen. Alexander / Dr. Miller)
  • Whether DOD/DOJ/DNI responded to Rep. Johnson’s contract-disclosure requests
  • Confirmation of Team Themis financial terms from any source independent of the email archive (Bank of America denies having seen the presentation)

Sources & Citations

[1] HBGary Federal Hacked by Anonymous — Krebs on Security · Feb 7, 2011 Tier 1
[2] A disturbing threat against one of our own — Salon (Glenn Greenwald) · Feb 11, 2011 Tier 1
[3] New information emerges on anti-WikiLeaks plot — Salon (Glenn Greenwald) · Feb 14, 2011 Tier 1
[4] More facts emerge about the leaked smear campaigns — Salon (Glenn Greenwald) · Feb 15, 2011 Tier 1
[7] HBGary — Wikipedia · Jan 1, 2024 Tier 3

Tiers: Tier 1 court records & gov docs · Tier 2 established outlets · Tier 3 regional & specialty press · Tier 4 opinion or single-source.
Cite this entry
The Cascade Ledger. “Anonymous hacks HBGary Federal, exposing Team Themis: proposed disinformation and harassment campaign against WikiLeaks supporters and journalist Glenn Greenwald on behalf of Bank of America.” The Capture Cascade Timeline, February 6, 2011. https://capturecascade.org/event/2011-02-06--hbgary-federal-anonymous-hack-team-themis-exposed/