Activity indicating use of the compromised accounts was traced from server logs to http://18.104.22.168. At the time of discovery the server was open to the public for browsing over HTTP, so I mirrored the contents. The server hosted a combination of hacking tools, password lists, logs of hacking attempts, pictures and videos of pyrotechnic/explosive devices, and recordings of (prank?) phone calls. The pictures, videos, and phone calls hint to me that the attacker was a juvenile with an interest in explosives, not just a random script kiddie who picked sciencemadness as a target of opportunity. I tentatively believe that the attacker is located near Derry, Northern Ireland, and attends or attended school there at Lumen Christi College.
Here are some pictures of a pyrotechnic device, sadly no interesting data in the EXIF.
Here are two videos. Again nothing interesting in the metadata. Nobody's face is visible but there is sound. Can anyone hear anything interesting in the audio?
In the second video, bomb2.AVI, you see that the person lighting the fuse is wearing dark slacks and a tie. Who wears dark slacks and a tie to play with pyrotechnics?! Perhaps someone who is forced to wear a uniform by their Catholic grammar school. Here are several files found on the server indicating unauthorized access attempts to Lumen Christi accounts and related resources:
The attacker appears to have installed a script, iframe, or malicious link somewhere -- I'm not sure where, but maybe sciencemadness.wikia.com, or maybe a sciencemadness post? -- that directs the browser to load a file from 22.214.171.124. The file automatically triggers a POST action on the sciencemadness site, such as changing the user's email address. Once the attacker has changed the email address they can request a password reset on the account and get full control. The attack is opportunistic: it only works if a sciencemadness member is already logged in at the time they encounter the malicious code.
This is one of the files. It would change a member's email address if a logged-in user loaded it. I have changed the file extension to .txt from .html so you can see what the code looks like instead of triggering the action.
Sciencemadness was not the only or earliest victim of whoever-it-is.
I didn't listen to these recordings all the way through. My American ears find them a little hard to follow. Are they prank calls? Reports of any interesting content appreciated. According to the phone number helpfully embedded in the file name they are to a McDonald's in Derry, which is also where Lumen Christi College is located.
Grab the IRC log file below and search for the first mention of Northern Ireland. The same person uploaded videos to his YouTube account that match the videos from the attacker's server.
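The attack described above (a file loaded from a third-party host that submits a POST to change a logged-in member's email address) is classic cross-site request forgery. The following is an added example, not code from the post or from the sciencemadness site, showing in plain Python why the email-change handler as described is exploitable and what the fix looks like: the browser attaches the session cookie automatically, so the handler must also demand something the cross-site page cannot supply, namely a session-bound CSRF token plus an Origin/Referer check. The site origin `https://forum.example`, the in-memory `Accounts` store and the `Request` shape are constructed for the demonstration.

```python
import hmac
import secrets
import hashlib
from dataclasses import dataclass, field

# Hypothetical origin of the forum; the real site's origin is not part of this example.
SITE_ORIGIN = "https://forum.example"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would present it."""
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class Accounts:
    """Constructed in-memory account store with one vulnerable and one hardened handler."""

    def __init__(self):
        self.sessions = {}                      # session id -> username
        self.emails = {}                        # username -> email address
        self.csrf_secret = secrets.token_bytes(32)

    def login(self, user, email):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.emails[user] = email
        return sid

    def csrf_token(self, sid):
        # Token derived from the session id with a server secret, so it is unique per
        # session and unguessable; it is rendered into the site's own forms only.
        return hmac.new(self.csrf_secret, sid.encode(), hashlib.sha256).hexdigest()

    def change_email_vulnerable(self, req):
        # Only checks that a valid session cookie is present. The browser sends that
        # cookie on a cross-site POST as well, so a forged form succeeds.
        user = self.sessions.get(req.cookies.get("sid"))
        if req.method != "POST" or user is None:
            return False
        self.emails[user] = req.form["email"]
        return True

    def change_email_hardened(self, req):
        sid = req.cookies.get("sid")
        user = self.sessions.get(sid)
        if req.method != "POST" or user is None:
            return False
        # Check 1: the request must originate from our own site (exact origin match,
        # not a prefix match, so "https://forum.example.evil" does not pass).
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not (origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")):
            return False
        # Check 2: the form must carry the session-bound token; compare in constant time.
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(supplied.encode(), self.csrf_token(sid).encode()):
            return False
        self.emails[user] = req.form["email"]
        return True


def simulate():
    """Run a forged cross-site POST and a legitimate same-site POST against both handlers."""
    site = Accounts()
    sid = site.login("member", "member@example.net")

    # Constructed forged request: a page on another origin auto-submits a form.
    # The browser attaches the session cookie, but the page cannot read the token.
    forged = Request("POST", {"sid": sid}, {"email": "attacker@example.org"},
                     {"Origin": "https://other.example"})
    vuln_result = site.change_email_vulnerable(forged)
    vuln_email = site.emails["member"]

    site.emails["member"] = "member@example.net"      # reset for the hardened run
    hard_result = site.change_email_hardened(forged)

    # Constructed legitimate request: the site's own form carries the token.
    legit = Request("POST", {"sid": sid},
                    {"email": "new@example.net", "csrf_token": site.csrf_token(sid)},
                    {"Origin": SITE_ORIGIN})
    legit_result = site.change_email_hardened(legit)

    return vuln_result, vuln_email, hard_result, legit_result, site.emails["member"]


if __name__ == "__main__":
    print(simulate())
```

Marking the session cookie `SameSite=Lax` or `Strict` gives a further layer in modern browsers, since the cookie is then not attached to a cross-site POST at all; the token and origin checks remain the portable defence because they do not depend on browser behaviour.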