Slightly more interesting than the Harvard hoax bomb threat, this shows what can happen when you rely on a VPN as your only OPSEC mechanism.
The operative (a 16-year-old high-school kid) wanted to avoid school, so he sent in a bomb threat using a “no logs” VPN service… with a server located in the same country he resides in (effectively reducing it to a local proxy). The police seized the server used by the VPN service (they claim there were no logs to recover from there), but they also (apparently) seized the traffic logs of the data centre hosting the VPN server.
With the logs of the traffic to the data centre, rather than the logs of the VPN service, they were able to identify the operative. Simple traffic analysis would allow them to correlate the connection from the operative’s house to the VPN service. From there, it was no doubt a matter of simple police work, the most likely suspects being those with the motive to disrupt the target (i.e. the kid who goes to that school is more likely to be the operative than an international connection).
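To make the correlation step concrete, here is an added example (not from the original post or from the EarthVPN case) of what an investigator with the data centre's edge flow logs can do. It assumes constructed flow records, a made-up VPN exit address (198.51.100.10) and a made-up target mail server (203.0.113.25); the VPN provider's own logs are never consulted, because both halves of the hop (client tunnel in, exit traffic out) cross the data centre's edge.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed values; none of these addresses or times come from the case.
VPN_SERVER = "198.51.100.10"   # assumed "no logs" VPN exit node in the data centre
TARGET = "203.0.113.25"        # assumed mail server the threat was delivered to

# Constructed data-centre edge flow records: "<start> <end> <src> <dst> <dst_port>".
# Port 1194 flows are client tunnels into the VPN; port 25 flows are the VPN
# server talking to the target.
CONSTRUCTED_FLOW_LOG = """\
2013-12-10T07:40:00 2013-12-10T09:30:00 192.0.2.77 198.51.100.10 1194
2013-12-10T08:00:00 2013-12-10T08:10:00 192.0.2.150 198.51.100.10 1194
2013-12-10T08:12:00 2013-12-10T08:16:00 192.0.2.9 198.51.100.10 1194
2013-12-10T08:15:10 2013-12-10T08:15:12 198.51.100.10 203.0.113.25 25
2013-12-10T08:16:00 2013-12-10T08:18:00 192.0.2.33 198.51.100.10 1194
2013-12-10T08:16:30 2013-12-10T08:30:00 192.0.2.200 198.51.100.10 1194
2013-12-10T08:16:40 2013-12-10T08:16:41 198.51.100.10 203.0.113.25 25
"""


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dst_port: int


def parse_flow_log(text: str) -> list[Flow]:
    """Parse the constructed whitespace-separated flow format above."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, port = line.split()
        flows.append(Flow(datetime.fromisoformat(start),
                          datetime.fromisoformat(end), src, dst, int(port)))
    return flows


def correlate(flows, vpn_server, target):
    """Map each client IP to the set of outbound VPN->target events that
    happened while that client's tunnel to the VPN server was open."""
    exits = [f for f in flows if f.src == vpn_server and f.dst == target]
    tunnels = [f for f in flows if f.dst == vpn_server]
    hits = {}
    for ev in exits:
        for t in tunnels:
            if t.start <= ev.start <= t.end:
                hits.setdefault(t.src, set()).add(ev.start)
    return hits


def rank_suspects(hits):
    """Clients whose tunnel was open for the most outbound events come first;
    the investigator then intersects this short list with whoever has a motive."""
    return sorted(((ip, len(evs)) for ip, evs in hits.items()),
                  key=lambda r: (-r[1], r[0]))


def investigate(log_text=CONSTRUCTED_FLOW_LOG):
    """Run the whole correlation over a flow log and return the ranked list."""
    return rank_suspects(correlate(parse_flow_log(log_text), VPN_SERVER, TARGET))


if __name__ == "__main__":
    for ip, n in investigate():
        print(f"{ip}: tunnel open during {n} of 2 outbound events")
```

With the constructed log, 192.0.2.77 is the only client connected for both outbound events, and the clients that had already disconnected drop out entirely. Real flow data is noisier, but the shape of the analysis is the same: a same-jurisdiction VPN only moves the log from the provider to the host.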
Lessons Learned:
- A VPN is not an anonymity-enabling service; it is a privacy-enabling service. They are different. Don’t get them confused or you’ll make a fatal error.
- Traffic analysis is a powerful capability. Do whatever you can to compromise its utility to the adversary. Originate your actions from a connection that is not associated directly with you. Operate during peak hours when your traffic will be masked by other people’s — “go with the flow, blend in” (Moscow Rules).
- Law enforcement officials have resources to devote to solving crime. One of those resources is time. Optimise your OPSEC practices to exhaust the time resources of your adversary. Don’t make it easy for them. “Wars are won by logistics”.
- Police work is not limited to the realm of technical possibility and plausible deniability. If you are the most likely suspect, they will question and interrogate you. You will, most likely, fail to survive this interrogation. Interrogators use: isolation, fear and rapport. Unless you are trained to handle these tactics, you will confess. Do not become the most likely suspect. Keep to the crowds.
A final reminder: DO NOT use a VPN for anonymity!
Hacker Tradecraft: “No logs” EarthVPN user arrested after police finds logs