11 min read

To Swat a Swatter

The conclusion to a 4 year long investigation in pursuit of the person behind an extortion attempt.
To Swat a Swatter

On October 16th 2017 a false bomb threat and hostage situation was reported to my local law enforcement that claimed to be me, at my address. This resulted in my neighborhood being shut down by police. I was not amused.

A few hours after goading my attacker, I received an extortion threat that worse things would happen if I didn't pay $50,000 in bitcoin. Instead of giving in, I spent the next year burning down my life and recreating it with extreme privacy. I wrote about what I learned from that project here:

A Modest Privacy Protection Proposal
How to reclaim your privacy in the surveillance age.

The Hunt Begins

Once I felt like I was safe from further attacks of this nature, I recounted my experience being swatted and posted a bounty for information on my attacker:

Reflections Upon a SWATting
October 16th, 2017 started off like any other Monday. I awoke at 6 AM and drove to the YMCA to play racquetball, ready to start the week…

Over the next year I received a handful of tips that pointed to the same person / set of aliases, but none of them were sufficient to get law enforcement involved. Everyone who came forward was unwilling to give their real identity, likely fearing for their own safety.

A Key Witness Emerges

Eventually my luck changed and I was contacted by someone who was willing to testify if they could be granted immunity.

It was tricky getting an affidavit put together; I spoke with several lawyers who didn't want to take me as a client because I wasn't in need of an expensive defense. None of them outright denied my request - they said they'd let me know, but never called me back.

This was another unforseen roadblock I ran into - it's really hard to get legal help when you're trying to prosecute a case. I guess this is because prosecution is always done by the State, thus all private practice criminal attorneys tend to be defense attorneys.

Bureaucratic Molasses

After exhausting options trying to find private practice prosecution help, I started calling folks in the justice system.

One private practice lawyer referred me to a special agent at the Attorney General's office in the state of my witness. I left a message but he never returned my call.

Next I called the FBI office in the state of my witness and was sent to a "tip line" with an indefinite wait time.

Next I called the FBI in North Carolina but was given no options that would put me in contact with a human.

Finally, I fell back to contacting the detective who was my original point of contact at Durham PD to try to work my way up the ladder. She no longer worked in the financial crimes unit and told me that Detective <REDACTED> would contact me. A week or so later I did get a phone call.

It was during this phone call that I learned what really happened with the Durham PD's investigation. They had told me that they handed the case over to a "federal investigator" which I assumed meant an FBI agent. It turns out it was just a "federally sworn" Durham PD detective. That detective never even contacted me, I don't even know their name, and I can only assume they never contacted the FBI.

Two Steps Forward, One Step Back

In November 2019 I engaged the services of a former federal prosecutor to put together a case to present to the FBI. They started performing a parallel investigation using their own resources, but still had trouble getting a contact at the FBI.

I also started coordinating with an attorney in the witness' state to figure out how we could get a signed affidavit. The plan was to then use this affidavit as additional evidence to present to the FBI.

Ultimately I was advised not to enter into any contractual agreements with the witness, we couldn't find a way to guarantee immunity, and the use of this witness as a lead turned into a dead end. After several months, our communications ceased.

The Intro

In February 2020 I attended Satoshi Roundtable and was fortunate to connect with <REDACTED>, who had contacts at the FBI and offered to make an introduction.

Once we had contact with an actual human at the FBI, things started progressing. I aggregated the tips I had received, sent them over, and wished the FBI happy hunting. Within a month the FBI investigation was transferred to a specific regional office because the leads pointed to someone in that area.

On June 6, 2020 I finally got a login to the Department of Justice's Victim Notification system. It only showed me a single entry of my case being opened on March 17. I was told I'd receive quarterly updates through it. I only ever received one update, 6 months later. All the update said was "case still under investigation."

A year went by with no new developments. I once again started losing hope. Perhaps the pandemic caused the FBI to adjust their priorities?

Confirmation

On June 25, 2021 I received word from my attorney that the FBI had located the suspect!

Today, Agent <REDACTED> from the FBI called me. They know who swatted you. They wouldn’t tell me who it was because the individual is a minor. Because the individual is a minor, the U.S. Attorney’s Office will not prosecute.

What the fuck? This was certainly not an outcome I had anticipated.

OK, confession time: the title was clickbait. When the FBI showed up at the perpetrator's house, I'm pretty sure it wasn't a tactical team. But neither do I have any insight into the FBI's actions; they won't talk about open investigations.

Another month went by and then I received another update:

I spoke to a state prosecutor yesterday. She says that they intend to file charges soon against the juvenile. She is not permitted to share the name with me because of his age. One of the charges will be extortion. If the case goes to trial, she will need you to testify. I told her that you were willing to do so.

Another 3 months went by without any updates... and then we learned he pleaded guilty to all of the charges against him:

  1. Extortion, a felony of the third degree
  2. Telecommunications fraud, a felony of the fourth degree
  3. Inducing panic, a misdemeanor of the first degree

We also learned that the State had been sending me victim notifications... to my old address at which I was swatted and haven't lived in several years. Oops.

In a rather ironic twist, I am obligated to protect the privacy of my attacker. I will not be revealing any information about him as it won't do anyone any good. I did show up at a court hearing to make a statement:

My Court Testimony

First off I’d like to thank the state of <REDACTED> and the Federal Bureau of Investigation for taking this case seriously. My local law enforcement gave up investigating this case pretty quickly and then it took 2 years for me to search for evidence on my own with my personal resources to make it interesting enough for the FBI to pursue.

You may be wondering why I bothered to fly across the country to be here, why I kept pursuing this case for years. I’m here to show the defendant that I’m a real person - not just a name and avatar on a computer screen. I also work in the cybersecurity industry, so I’m not the type of person who just brushes off threats against myself and those I care about.

Swatting is a crime for which victims rarely receive justice. Multiple swatting incidents have ended in the death of victims by police who thought they were violent criminals.

I was lucky that the Durham Police Department is more competent and cautious than some other departments in the United States. Had a few variables been different that day, someone could easily have been injured or killed. I’ve played out the scenarios in my mind more times than I can count.

The militarization of police combined with nonexistent authentication of 911 callers creates a great environment for swatting. When you think about it, the asymmetry is disturbing — a single anonymous phone call can result in lethal force being deployed in a matter of minutes against an arbitrary target. An anonymous phone call costs only a few dollars to make and yet can consume tens if not hundreds of thousands of dollars in public resources just to determine whether or not a threat is real. All without putting the attacker in any physical danger.

Since this incident I have learned just how difficult it is to protect yourself from swatting attacks. In order to make myself difficult to target I had no choice but to walk away from every account, every service, and every asset that tied my name to my physical address. This endeavor consumed hundreds of hours of research and tens of thousands of dollars in legal expenses. Over the past 4 years I’ve probably spent close to $100,000 on services for the express purpose of protecting my privacy. I’ve had to take these actions because of the industry in which I work - the company I founded helps high net worth individuals secure large sums of bitcoin. My public profile makes me a tantalizing target. I felt that my choice was between paying for extreme privacy or going completely underground and ceasing to be a public person with my real name. I’ve worked for too many years building my reputation to simply throw it away.

I’ve had to change many aspects of my day to day life; maintaining this level of privacy is inconvenient to say the least. Only a handful of people know the true address of my residence; my own neighbors don’t know who I am - they only know my pseudonym. I feel that I’m essentially living the life of someone in witness protection.

I pursued this case not only for myself, but for other victims. I was not the only person affected by this attack. My neighborhood has over 300 single family homes and all of the entrances and exits to the neighborhood were blocked off by police that morning. Many people were prevented from leaving their homes or reaching their families and were in fear of an imminent shootout.

From a broader scope, I am also here today on behalf of victims of other attacks. I have reason to believe that this was not an isolated incident by the defendant. I also know for certain that many of my industry colleagues as well as hundreds of celebrities, politicians, journalists, and gamers have had their own law enforcement agencies turned against them. I believe it’s important that the justice system sends a message that this activity is not a mere prank phone call.

But neither am I here to ruin the defendant’s life. I myself was once a naive teenager. I made decisions that hurt people, decisions that I regretted. It’s easy to do when you don’t yet fully comprehend the consequences of actions in the real world. I won’t pretend to know anything about the defendant's life, his motivations, or what led him down the path that has put him in this courtroom today. But I suspect that he has intelligence and talent, which would be a shame to waste.

I also wish to convey a message of hope. It’s not too late to turn your life around - plenty of people in the information security industry made mistakes as teenagers, were punished, and ended up becoming successful and respected professionals. Kevin Mitnick, Bryce Case, Kevin Poulson, Samy Kamkar, and dozens of others. You can use your skills to defend rather than attack, to build rather than destroy. It’s not the easy path, but it’s more fulfilling and you can’t put a price on the ability to sleep well at night with a clear conscience.

On the flip side, if you continue down the path of exploiting and harming people, you’ll spend your life constantly looking over your shoulder. It will catch up with you. Perhaps you’ll end up with a life destroying sentence from a court. Perhaps you’ll make the mistake of messing with someone who prefers to extract their justice outside of the legal system. If you learn one thing today, it should be that you can’t hide forever from someone who has the resources and determination to track you down.

This is a bittersweet moment for me. I’m happy to get closure on this case, but I take no satisfaction in the defendant’s punishment. I wish my attacker had not been a juvenile; it would have been far easier for me to hate such a person. I don’t believe I’m well versed enough in criminal justice to have an opinion about what an appropriate punishment should be; I leave that in the court’s hands.

Crime... and Punishment

Because the attacker was a minor without a prior criminal record, the punishment was lenient. They'll be on probation for several years and have to comply with a variety of court orders, otherwise they risk incarceration.

Why Did He Do It?

Some folks speculated early on that I was swatted due to pissing people off during Bitcoin's scaling debates.

Bitcoin engineer Jameson Lopp SWATted by angry crypto fans – TechCrunch
An engineer for BitGo, Jameson Lopp, faced down a horde of police officers with rifles at his home in Durham, North Carolina after someone sent an anonymous tip regarding a hostage situation at his home. The engineer has been vocal on Twitter about upcoming changes in the protocol. “They shut…

According to my attacker, he had no idea who I was at the time. He said that my twitter debates did anger / attract attention from people in his social circle and they doxxed me and gave the information to him to swat me as a prank.

I have begun the process of reaching out to those who provided credible information in order to determine bounty payouts.

It is my understanding that since I posted a bounty on the attacker in 2018 he has received a variety of threats; I ask that the few who know him leave him alone.

Was it Worth it?

Going back and looking at the resources I spent on this endeavor:

  • Dozens of hours on phone calls with law enforcement and attorneys.
  • 200+ emails over a 2 year period.
  • $1,000 to travel to court.
  • $9,000 in legal counsel fees
  • $100,000 in bounties

I'm satisfied with the outcome, but this was a ridiculous amount of time and resources consumed.

Final Thoughts

Unless it's a murder or some particularly heinous crime, justice is hard to come by in our legal system. If I didn't have both the resources and the inordinately strong sense of justice to fuel my determination, this case would have died an early death.

You may believe that because you're an upstanding citizen and taxpayer that you are entitled to justice if you are victimized. The truth is that the justice system only has the resources to go after the most dangerous criminals. If your case doesn't fall into the high priority queue, you'll have to do a fair amount of the legwork yourself.

Even with the resources at my disposal, it was challenging to find the right people who were willing to help me. What really grinds my gears is that a major turning point in this case was the result of personal networking - this is the epitome of privilege and not how I would expect a fair justice system to operate.