Symantec Offers $50,000 To Keep Source Code Private
February 7, 2012

Symantec Offers $50,000 To Keep Source Code Private

Members of hacking network Anonymous released an email thread Monday claiming that Symantec Corporation offered $50,000 in return for promising to keep the source code tied to its PCAnywhere and Norton Antivirus tools private.

That deal, however, fell through, according to the AnonymousIRC Twitter account (, and the group said the code will be released for free to the Internet at large.

CNET received confirmation from Symantec that it had offered to pay $50,000 to keep the source code off the Internet, stating it was part of a sting operation involving an undisclosed branch of law enforcement, who posed as Symantec employees.

An email exchange, posted at, revealing the extortion attempt, shows a purported Symantec employee named Sam Thomas negotiating payment with an individual named “Yamatough” to prevent the release of the source code.

“We will pay you $50,000 USD total,” Thomas said in the email to Yamatough on Thursday, February 2. “However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months “¦ After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.”

Symantec admitted in mid-January that a 2006 security breach of its networks led to the theft of the source code, after retracting earlier statements that its network had not been hacked. The source code affects versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and PCAnywhere.

Symantec told CNET that an individual tried to extort money for the return of the code in question, and the company was in contact with the alleged extortionist, trying to work out a solution. However, after weeks of discussions regarding proof of the code and how to transfer payment, talks broke down and the deal was never made.

After weeks of discussions, Yamatough was apparently becoming impatient, as seen in the following statement: “If we don´t hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Don´t f*** with us.”

Yamatough also warned Symantec to avoid tracing him or the deal would be canceled. He also accused the company of being in contact with the FBI, a charge Thomas denied in the emails. “We are not in contact with the FBI,” he wrote. “We are using this email account to protect our network from you. Protecting our company and property are our top priorities.”

Yamatough demanded that Symantec transfer money via Liberty Reserve, a payment processing firm based in San Jose, Costa Rica. But Thomas was reluctant, calling it “more complicated than we expected.” Thomas instead suggested wiring the funds through PayPal, transmitting a $1,000 test as “a sign of good faith.” Yamatough rejected that offer.

Yamatough posted one final thread today with the subject line “10 minutes” that threatens to release the code immediately if Symantec doesn´t agree to use Liberty Reserve to transfer the funds.

“Since no code yet being released and our email communication wasn´t also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we've made mirrors so it will be hard for you to get rid of it,” Yamatough posted.

“We can´t make a decision in ten minutes. We need more time,” responded Thomas, ending the discussion.

Yamatough said he never intended to take any money. “We tricked them into offering us a bribe so we could humiliate them,” Yamatough told Reuters.

In recent weeks, the hacker has posted segments of code for Norton Utilities and other programs.

Symantec, however, said that most of its customers were not in any increased danger of cyber attacks as a result of the code´s theft and possible release. But, it cautioned, users of its remote-access suite PCAnywhere may face a “slightly increased security risk.”

Symantec instructed PCAnywhere users in late January to disable the product until the company could issue a software update to protect them against attacks from the stolen source code.

Another member of the Anonymous collective, The RealSabu, said in an apparent update: “Stay tuned for the f***ing lulz “¦ Let´s just say Symantec tried to give us 50,000 reasons not to release sources!”

The chain of emails between Thomas and Yamatough began on January 18, 2012.

A company representative for Symantec released a statement via email on the matter Monday night: “In January, an individual claiming to be part of the ℠Anonymous´ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession,” a company representative said in an email on Monday night. “Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.”

Searches for “Sam Thomas” on LinkedIn as a Symantec employee turned up no results, and emails to the account went unreturned but did not fail.

CNET reports that A 1.2gb file labeled “Symantec´s PCAnywhere Leaked Source Code” was posted on The Pirate Bay last night. But at press time there was no information from Symantec whether or not the file was actual source code data.


On the Net: