The suspicion was confirmed by an FBI affidavit made public on Tuesday. It reveals that once PayPal had detected the initial DDoS attack against its blog, they made sure to log the IP addresses bombarding the main site with requests with a Radware intrusion prevention system.
After ten days, the company had collected enough information to compile a list of some 1,000 IP addresses that were involved in the DDoS attack, and they handed the list to the FBI.
That was in December last year, and since then, agents have mounted an investigation that resulted in the January and the recent arrests.
According to Wired, PayPal's Radware IPS had no trouble distinguishing legitimate requests from those initiated by the Low Orbit Ion Cannon (LOIC) tool used by Anonymous supporters since those packets contained a specific set of strings such as "wikileaks", "wikileakshttp", "goof", "goofhttp", "block-https-ascii" and "goodnight".
"This pattern suggests that attackers were either actively allowing their clients to be remotely controlled with universally-applied parameters, or were intentionally placing this configuration into the application when directed to do so," says in the affidavit.
It seems, then, that this is just the beginning in a longer string of arrests to come.
It is likely that the FBI didn't have enough personnel to investigate the involvement of all the alleged actors in one sitting, but I'm also inclined to think that they count on a drawn-out investigation and occasional arrests to send a greater message to Internet hacktivists: "No matter how long it takes, we're going to get you all."
Anonymous and LulzSec have reacted to this news by posting a joint communiqué in which they urged people to close their PayPal accounts in protest.
"What the FBI needs to learn is that there is a vast difference between adding one's voice to a chorus and digital sit-in with Low Orbit Ion Cannon, and controlling a large botnet of infected computers. And yet both of these are punishable with exactly the same fine and sentence," they stated.
"PayPal's willingness to fold to legislation should be proof enough that they don't deserve the customers they get," it said."Join us in our latest operation against PayPal - tweet pictures of your account closure, tell us on IRC, spread the word."
If comments on Twitter are to be believed, a source inside PayPal revealed that almost 25,000 people responded by doing just that. In the meantime, LulzSec announced it will "raise anchor and leave harbor for one final journey" in order to mount another attack on PayPal.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.