SWATers and Hackers: Inside the Cyberspace Bullying Case of Ottawa Teen
In this article, which first appeared in the April 2015 issue of Ottawa Magazine, Judy Trinh looks at the latest craze in teen pranks — and why the technical skills of hackers make these acts very difficult to trace. The author continues to follow the case, which returns to court on November 3. Follow Judy Trinh at @JudyTrinhCBC for updates.
The text came from someone called “Reaper.” The words were taunting; the tone was blasé yet threatening. It was 10:23 p.m. on Friday, January 23. Reaper was concerned I had missed a news story: “[Someone] should be more careful … his home had some unexpected visitors today I see.”
Then the photo shown above, from CTV Ottawa’s news coverage of the event, came through on my cell from the same number. It showed three tactical officers, armed with submachine guns, huddled outside a house near John McRae Secondary School. According to Ottawa Police Service (OPS) sources, a student living in the house had allegedly sent an email to the school’s administrators announcing intentions to take hostages at gunpoint.
The school went into secure mode, locking the exterior doors to the building while police investigated. But it wasn’t a real threat: it was a SWATing — a hoax call intended to incite a response by heavily armed SWAT (Special Weapons and Tactics) officers. And who would claim responsibility for the prank? “Aerith.” In an email to the school, a hacker group that goes by the name Aerith said they were going to launch a violent attack on the school. In a copy of the email sent to me, Aerith added that the SWATing was payback for a student who was co-operating with police to unmask the group’s members.
Aerith made headline news in the city in November 2014 when the hacker group took responsibility for replacing the mundane green swirl of the City of Ottawa website with a dancing banana on a black screen. In bold white text, the hackers threatened Ottawa police Constable Joel Demore, the lead detective in a North American SWATing investigation. The hackers believe Demore arrested the wrong person.
Back up to May 2014, when Ottawa police charged a Barrhaven teenager with more than 60 offences, ranging from public mischief to uttering threats. They allege that he used Twitter to solicit SWAT requests. Through the Twitter account @ProbablyOnion2, the teen had allegedly offered to use his internet prowess to make fake 911 calls. The targets of the pranks were schools, homes, and television stations. On @ProbablyOnion2, brags were made about his exploits, openly mocking law enforcement for their inability to find him. It would take police agencies in at least five U.S. states and three provinces, as well as the FBI and RCMP, more than two months to find the alleged SWATer.
The evidence trail, which consists of a tangled web of internet addresses, as well as statements from accomplices and victims, led to a single detached brown brick house on a quiet street. Neighbours told me the boy was arrested while on an afternoon walk with his parents. Plainclothes police officers rushed out of a vehicle and pushed the teen to the ground before cuffing him. Then a white van full of tactical officers pulled up in front of his house. Armed with a search warrant, Demore and his colleagues seized boxfuls of computers, wireless devices, and data transmission equipment.
“The Crown is proceeding on smoke, but is there fire?” asks criminal defence lawyer Joshua Clarke, who is representing the alleged Barrhaven SWATer. He acknowledges that a significant amount of evidence has been amassed against his client but says much of it is highly technical and complex. I ask about the information he has received from the Aerith hackers. Won’t it help defend the Barrhaven teen? After all, since defacing the City of Ottawa website, the Aerith hacker group has posted information on Twitter that they say points to a young man in New Jersey framing the local boy. But Clarke views Aerith as nothing more than a distraction and scoffs at what the group might have to offer.
“They say they have irrefutable proof, but at the end of the day, it’s just a bunch of [web] links,” says Clarke of Aerith’s stance in the case. “I cannot rely on the evidence of people who refuse to identify themselves. It will be viewed with suspicion by the courts.”
The fact that the defence is largely ignoring help from anonymous hackers has not stopped Aerith from trying to get the attention of police. After all, they didn’t stop at a dancing banana. The hackers threatened to take down several government websites, including that of the Supreme Court of Canada and Parliament Hill — all in an apparent pursuit to exonerate the Barrhaven teen.
But the real prize for Aerith was the Ottawa police website. In an attempt to force investigators to reopen the investigation, Aerith launched a distributed denial of service (DDoS) attack in late November 2014. The hackers programmed a small army of anonymous internet servers to flood ottawapolice.ca with data. Launched from servers based in Russia, Brazil, and Germany, the DDoS attack knocked the OPS website offline for more than a week. Ottawa police Chief Charles Bordeleau is adamant that no private information was stolen, but even if they didn’t get away with the valuables, the hackers did prove that they can break through the front door.
Keith Murphy, CEO of Ottawa cyber security firm Defense Intelligence, says DDoS attacks are the most prevalent and easiest type of cyber attack to launch.
“It’s beyond me how this could have happened. At this point, everyone should have a plan in place for when [DDoS attacks] happen,” says Murphy. Because DDoS attacks require only rudimentary computer skills, Murphy believes Aerith likely consists of a group of teenagers who have no patience with due process.
“If you’re really young and you think someone’s been wronged, you want to jump to their defence and talk to the people doing the investigation,” Murphy says. (Indeed, in 2012, an investigation of nearly 4,000 cyber crime offences involving threats on the internet showed that people aged 12 to 17 make up 27 percent of all the individuals charged with these kinds of offences; it is the largest age category.)
But the hackers’ strategy might have backfired. Now that Ottawa police have a new cyber security apparatus in place to divert DDoS attacks, the hackers have lost their primary weapon. And despite repeated email requests by Aerith to negotiate, police are brushing off their demands like lint. The hackers have been told that police will not accept the group’s evidence without a face-to-face meeting. Aerith has refused, but they are still sending documents to members of the media.
On Boxing Day 2014, a 27-page PDF file arrived in my inbox. It came from Reaper, who said that he was working with Aerith. The document outlined the “proof” that supposedly exonerates the Barrhaven teen.
The crux of the information involves the Twitter account @ProbablyOnion2. The alleged Barrhaven SWATer, who turned 17 in March 2015, is under a court order that bans him from using social media, wireless devices, or any computer without parental supervision. Yet five months after his arrest, someone was tweeting from @ProbablyOnion2 — the account that was linked to SWATings for which he was initially arrested.
The PDF file also includes screen captures of several chats between Reaper and someone with the alias @CherryTheGod. That Twitter handle startled me. Back in May 2014 — one day after the Barrhaven teen was arrested — @CherryTheGod told me over Twitter that it was he who had hacked into the Barrhaven teen’s accounts and reported him to the FBI as the SWATer.
I asked Murphy of Defense Intelligence to look at the PDF file. He acknowledged there was no smoking gun but that the file was “not necessarily useless.” Still, Murphy said, this would be a difficult case in which to prove either innocence or guilt. “You can fake IP addresses, you can fake email, you can bounce your tracks around [on the internet] and remain anonymous. This will require a lot of digging.”
I have tried to do my own digging, especially when it comes to my source, Reaper. He first got in touch with me more than a month before the City of Ottawa website hack. He described himself as a friend of the Barrhaven teen. Reaper says he watched the takedown of his former classmate. He sent me texts and emails full of information that, weeks later, appeared in Aerith communiqués. When I pushed to meet him in person, he strung me along for months before finally standing me up at a Tim Hortons on Bank Street. But he did deliver on one occasion: months earlier — before the cyber attack on the city website — Reaper set up a meeting for me with the alleged SWATer.
I met the Barrhaven boy at a bus shelter adjacent to a Quickie convenience store near his home. I recognized him from the yearbook photos his former classmates had sent me. He walked toward me like “Steve” in the Minecraft game. He was bulky, with a square upper body and what looked like a rash on his neck. Those who know him said he was often teased in school about this birthmark. The accused SWATer told me that he started learning computer code when he was 10.
I asked him why he thinks he is being set up.
“I piss people off when I game,” he said, referring to the many hours he spent playing Minecraft and Call of Duty. Then he told me that his home had been SWATed six times in two years and that hackers posted his private information, including passwords and online personas, on the internet just one day before he was arrested. He claimed police never fully investigated the crimes for which he is being charged. Our initial meeting lasted less than 10 minutes. He left in a hurry, worried that his dad — who is also his surety while he is out on bail — would wonder where he had gone.
Two weeks later the teen called me from a pay phone. He said he was ready to tell me more about why he is being targeted. He claimed that he was creating malware for Russians he met on the so-called Deep Web and that he was getting paid upwards of $5,000 per virus. He also expressed frustration about his lawyer, who he says knows “shit” about technology. Then the phone line disconnected.
I asked my investigative sources at the OPS about the level of skill the alleged SWATer possesses. One officer described his as a prodigy. That same officer also confirmed that they had found malware on the teen’s computers. What police would not say is whether the computer was infected with a virus or if they found evidence that he was creating malware. One thing is clear: the teen has the technical expertise to make anonymous SWAT calls and the ability to hack government websites.
Despite the bravado and reported evidence that accompanied the DDoS attacks, police have not dropped charges against the Barrhaven teen. In fact, they are looking into the possibility that Aerith and the local teen SWATer are one and the same — even though the Barrhaven teen has more than 15 conditions placed on him and can use a computer only in the presence of his parents.
Still, investigators say they can’t keep watch over him 24/7. As one investigator put it: “There are more important crimes to solve — child pornographers, murders, people abusing kids.”
It is possible the teen will be exonerated, but that will happen in court, not in cyberspace. It will be a judge who decides the teen’s fate, not an anonymous hacker.