Reflections on a Swatting: Inside One Bitcoin Engineer’s Security Battle

October 16th, 2017 started off like any other Monday. I awoke at 6 a.m. and drove to the YMCA to play racquetball, ready to start the week with a win.

When I finished playing, I tweeted out a cute quip:

I then hit the steam room and the shower to relax and freshen up. Upon returning to my neighborhood, I encountered an unusual problem: a police cruiser with its lights flashing was blocking the entrance. I came to a stop and rolled down my window:

“Hi Officer, is there a problem? I’m just trying to get to my house.”

“Sorry, we have to secure the area due to an ongoing incident.”

“Is it an active shooter?”

“Unclear, but we have information that he has long guns on the premises.”

“Well shit, what should I tell my family to do? They’re at the house.”

“Call them and tell them to get in the car and exit the community.”

“Will do!”

I pulled off the main road and found a place to park so that I could call the house.

“Hey, don’t panic but the police are locking down the neighborhood due to an incident. You should get in the car and leave.”

“OK, I’ll be right out.”

I waited a few minutes and then received a call back.

“The police stopped me as I was leaving and asked me if I was OK. Apparently they were called to our house! They want you to come speak with them at the mobile command unit around the corner.”

I drove back to the entrance and told the patrol officer that his captain wanted to speak with me, so he waved me through. Upon entering the mobile command unit, the first thing I was asked was:

“Sir, do you have any enemies?”

To which I replied:

Then came the media

It wasn’t long before the news stations showed up; apparently, they didn’t even know what “swatting” meant.

The news stations managed to get a copy of the phone call that was made by the attacker; you can listen to it here. The attacker claimed that they shot and killed someone and were holding others hostage after rigging the front door with explosives.

Once the news crews left and everything calmed down, I figured I should let the attacker know that they failed to achieve their goal.

Within a few hours of making my tweet, I received a threatening voicemail from a number with a New York area code; you can listen to the voicemail here. Note a common theme between the 911 call and the voicemail — both times he demands $50,000 (or the equivalent in BTC.)

“Next time I do anything to you, it won’t involve the police.”

Within 48 hours the Durham Police Department told me that they had traced the call to a throwaway server in Texas but hit a dead end and were turning the case over to the FBI. I never heard from the FBI. I lost any confidence in the ability of law enforcement to protect me a long time ago, so this was disappointing but not surprising.

What did I do in response? I installed 360-degree 4K resolution surveillance around my property, double-checked the rest of my physical security setup, took a few firearms out of the safe, and I waited.

Fortunately, my intuition that the attacker didn’t have the guts to put his own life in danger by physically attacking me proved to be right. There were no further (physical) incidents.

Shit just got real

Swatting is not a game; it can be fatal. Case in point:

I have little hope that the perpetrator will be found, but I feel compelled to offer an additional incentive.

I want to make it extremely clear that I will not tolerate threats against myself or anyone I care about. I will defend myself and my loved ones until my dying breath with every resource at my disposal.

The following message is signed with this PGP key.

http://lopp.net/audio/bounty.txt.asc

***

There was a lot of speculation that this was related to the Bitcoin scaling debate, but the attacker never said what his motivations were. After the fact, he left me this voicemail demanding a ransom payment… but didn’t even give me an address to which I should send the BTC!

After speaking with other folks who have been harassed, I fully expected other annoyances such as:

Using stolen credit cards to purchase things and ship them to my house.
Purchasing drugs / illegal things on darknet sites and shipping them to my house.
Tampering with the accounts for my utilities to get them turned off.
Forging a deed in an attempt to claim ownership of my home.

On November 9, I got email bombed by a bot that was signing me up for a ton of email marketing lists.

Since the emails were “legitimate” marketing rather than mass emails from a few sources, I decided pretty quickly that the best option was to just turn off my email for the day, which made most of the signups bounce, preventing my email address from getting added to the lists of the marketers. Having 8 years of experience writing email marketing software has its perks.

Twelve hours later statoshi.info was DoS attacked and my host blackholed the IP address to save their own infrastructure. No big deal.

A few thoughts on OPSEC

I’ve kept this detail a secret for the past year, but I wasn’t home when the…
