Blog Details

The threats started in spring. 

In April 2024, a mysterious somebody using the win handles “Waifu” and “Judische” started posting death threats on Telegram and Discord channels geared in opposition to a cybersecurity researcher named Allison Nixon. 

“Alison [sic] Nixon is gonna score necklaced with a tire filled with gasoline rapidly,” wrote Waifu/Judische, both of which will be words with offensive connotations. “Decerebration is my fav form of brain death, thats whats gonna happen to alison Nixon.” 

It wasn’t long sooner than others piled on. Any individual shared AI-generated nudes of Nixon.

These anonymous personas focused Nixon because she had change into a audacious threat: As chief study officer on the cyber investigations company Unit 221B, named after Sherlock Holmes’s condo, she had constructed a career monitoring cybercriminals and serving to score them arrested. For years she had lurked quietly in online chat channels or old pseudonyms to hold interplay with perpetrators straight whereas piecing collectively clues they’d carelessly tumble about themselves and their crimes. This had helped her ship to justice a series of cybercriminals—especially members of a loosely affiliated subculture of anarchic hackers who call themselves the Com.

Nonetheless members of the Com aren’t supreme-making an try fervent in hacking; some of them also engage in offline violence against researchers who song them. This includes bricking (throwing a brick through a victim’s window) and swatting (a perilous form of hoax that capabilities reporting a false assassinate or hostage instruct at somebody’s home so SWAT groups will swarm it with guns drawn). Individuals of a Com offshoot known as 764 hold been accused of even more violent acts—at the side of animal torture, stabbings, and college shootings—or of inciting others in and start air the Com to commit these crimes.

Nixon started monitoring members of the community more than a decade in the past, when other researchers and folk in regulation enforcement hold been largely ignoring them because they hold been younger—many of their younger folk. Her early consideration allowed her to fabricate solutions for unmasking them.

Ryan Brogan, a special agent with the FBI, says Nixon has helped him and colleagues title and arrest more than two dozen members of the community since 2011, when he first started working with her, and that her skills in exposing them are unparalleled. “When you score on Allison’s and my radar, you’re going [down]. It’s supreme-making an try a subject of time,” he says. “Regardless of how worthy digital anonymity and tradecraft you try to verbalize, you’re performed.”

Even supposing she’d performed this work for more than a decade, Nixon couldn’t perceive why the person on the serve of the Waifu/Judische accounts used to be threatening her. She had given media interviews about the Com—most neutral no longer too long in the past on 60 Minutes—nonetheless no longer about her work unmasking members to score them arrested, so the hostility regarded to return instantly. And though she had taken an ardour in the Waifu persona in years previous for crimes he boasted about committing, he hadn’t been on her radar for a whereas when the threats started, because she used to be monitoring other targets. 

Now Nixon resolved to unmask Waifu/Judische and others to blame for the death threats—and take them down for crimes they admitted to committing. “Previous to them death-threatening me, I had no reason to listen to to them,” she says. 

Com beginnings

Most folk hold never heard of the Com, nonetheless its impact and threat are rising.

It’s a web community comprising loosely affiliated groups of, basically, younger folk and twentysomethings in North The usa and English-talking parts of Europe who hold change into portion of what some call a cybercrime formative years circulation. 

World regulations and norms, and fears of retaliation, terminate states from going all out in cyber operations. That doesn’t terminate the anarchic Com.

Over the closing decade, its prison activities hold escalated from easy disbursed denial-of-service (DDoS) assaults that disrupt web sites to SIM-swapping hacks that hijack a victim’s phone service, in addition to to crypto theft, ransomware assaults, and corporate recordsdata theft. These crimes hold affected AT&T, Microsoft, Uber, and others. Com members hold also been fervent in tons of forms of sextortion geared in opposition to forcing victims to physically smash themselves or file themselves doing sexually articulate activities. The Com’s impact has also unfold previous the digital realm to kidnapping, beatings, and other violence. 

One longtime cybercrime researcher, who requested to reside anonymous as a result of his work, says the Com is as spacious a threat in the cyber realm as Russia and China—for one outlandish reason.

“There’s simplest up to now that China is consuming to head; there’s simplest up to now that Russia or North Korea is consuming to head,” he says, referring to world regulations and norms, and fears of retaliation, that terminate states from going all out in cyber operations. That doesn’t terminate the anarchic Com, he says.

FRANZISKA BARCZYK

“It’s miles a somewhat significant threat, and folk have a tendency to … push it below the rug [because] it’s supreme-making an try a bunch of teens,” he says. “Nonetheless spy on the impact [they have].”

Brogan says the amount of smash they terminate in phrases of monetary losses “can change into staggering in a short time.”

There is now not any single put where Com members congregate; they unfold throughout a series of web forums and Telegram and Discord channels. The team follows a protracted line of hacking and subculture communities that emerged online over the closing two a protracted time, received notoriety, and then old or vanished after prominent members hold been arrested or other factors precipitated their decline. They differed in motivation and verbalize, nonetheless all emerged from “the the same primordial soup,” says Nixon. The Com’s roots might perhaps well perhaps even be traced to the Scene, which started as a community of tons of “warez” groups engaged in pirating computer games, song, and flicks.

When Nixon started having a spy on the Scene, in 2011, its members hold been hijacking gaming accounts, launching DDoS assaults, and operating booter products and services. (DDoS assaults overwhelm a server or computer with traffic from bot-controlled machines, preventing legit traffic from getting through; booters are tools that somebody can rent to originate a DDoS attack against a purpose of preference.) Whereas they made some money, their essential purpose used to be notoriety.

This changed around 2018. Cryptocurrency values hold been rising, and the Com—or the Community, as it most continuously referred to as itself—emerged as a subgroup that finally took over the Scene. Individuals started to present consideration to monetary score—cryptocurrency theft, recordsdata theft, and extortion.

The pandemic two years later seen a surge in Com membership that Nixon attributes to social isolation and the pressured circulation of teens online for education. Nonetheless she believes economic stipulations and socialization problems hold also driven its progress. Many Com members can’t score jobs because they lack skills or hold behavioral problems, she says. A host who hold been arrested hold had nervous home lives and distress adapting to varsity, and some hold confirmed indicators of psychological illness. The Com presents camaraderie, crimson meat up, and an outlet for personal frustrations. Since 2018, it has also supplied some a solution to their money problems.

Free-knit cells hold sprouted from the community—Superstar Fraud, ShinyHunters, Scattered Spider, Lapsus$—to collaborate on clusters of crime. And they purpose excessive-profile crypto bros and tech giants and hold made tens of millions of bucks from theft and extortion, per court records. 

Nonetheless dominance, vitality, and bragging rights are restful motivators, even in profit operations, says the cybercrime researcher, which is partly why members purpose “spacious whales.”

“There is monetary score,” he says, “nonetheless it’s also [sending a message that] I’m able to reach out and contact the folk that verbalize they’re untouchable.” If fact be told, Nixon says, some members of the Com hold overwhelming ego-driven motivations that terminate up conflicting with their monetary motives.

“Most continuously their monetary schemes crumple as a result of their ego, and that phenomenon will be what I’ve made my career on,” she says.

The hacker hunter emerges

Nixon has straight darkish hair, wears wire-rimmed glasses, and has a tiny produce and bookish demeanor that, on first impact, might perhaps well perhaps enable her to pass for a teen herself. She talks about her work in rapid cadences, fancy somebody whose brain is beefy of facts which are below stress to score out, and he or she exudes a sense of urgency as she tries to score folk perceive the threat the Com poses. She doesn’t suppress her happiness when somebody she’s been monitoring will get arrested.

In 2011, when she first started investigating the communities from which the Com emerged, she used to be working the evening shift in the security operations heart of the security company SecureWorks. The center spoke back to tickets and security signals emanating from customer networks, nonetheless Nixon coveted a instruct on the company’s counter-threats crew, which investigated and published threat-intelligence experiences on basically instruct-backed hacking groups from China and Russia. Without connections or experience, she had no path to investigative work. Nonetheless Nixon is an intensely outlandish person, and this created its hold path.

YLVA EREVALL

Where the threat crew interested by the impact hackers had on customer networks—how they broke in, what they stole—Nixon used to be more drawn to their motivations and the persona traits that drove their actions. She assumed there will hold to be online forums where prison hackers congregated, so she googled “hacking forums” and landed on a put referred to as Hack Boards.

“It used to be if fact be told tiring easy,” she says.

She used to be very much surprised to spy members overtly discussing their crimes there. She reached out to somebody on the SecureWorks threat crew to spy if he used to be responsive to the put, and he disregarded it as a instruct for “script kiddies”—a pejorative term for unskilled hackers.

This used to be a time when many cybersecurity experts hold been transferring their heart of attention far off from cybercrime to instruct-backed hacking operations, that hold been more delicate and getting rather just a few consideration. Nonetheless Nixon likes to zig where others zag, and her colleague’s dismissiveness fueled her ardour in the forums. Two other SecureWorks colleagues shared that keenness, and the three studied the forums all the method through downtime on their shifts. They interested by making an try to title the folk operating DDoS booters. 

What Nixon loved about the forums used to be how accessible they hold been to a newbie fancy herself. Possibility-intelligence groups require privileged score entry to to a victim’s community to compare breaches. Nonetheless Nixon might perhaps well perhaps score entry to all the pieces she mandatory in the final public forums, where the hackers regarded to verbalize nobody used to be staring at. Attributable to this, and they made mistakes in operational security, or OPSEC—letting run dinky biographical facts such because the city where they lived, a college they attended, or a instruct they old to work. These crucial aspects published of their chats, mixed with other recordsdata, might perhaps well perhaps reduction whisper the articulate identities on the serve of their anonymous masks. 

“It used to be a shock to me that it used to be barely easy to settle out who [they were],” she says. 

She wasn’t by the immature boasting and petty fights that dominated the forums. “Quite just a few folk don’t devour to terminate this work of discovering out chat logs. I imprint that that is a really outlandish ingredient. And perhaps my brain is constructed moderately uncommon that I’m consuming to terminate this,” she says. “I hold a special abilities that I’m able to battle through rubbish and it doesn’t bother me.” 

Nixon rapidly realized that no longer the whole members hold been script kiddies. Some exhibited right ingenuity and “highly efficient” skills, she says, nonetheless because they hold been applying these to frivolous functions—hijacking gamer accounts instead of draining monetary institution accounts—researchers and regulation enforcement hold been ignoring them. Nixon started monitoring them, suspecting that they would at closing command their skills at more significant targets—an intuition that proved to be supreme-making an try. And when they did, she had already amassed a wealth of info about them. 

She continued her DDoS study for 2 years till a turning point in 2013, when the cybersecurity journalist Brian Krebs, who made a career monitoring cybercriminals, acquired swatted. 

A pair of dozen folk from the security community labored with Krebs to whisper the perpetrator, and Nixon used to be invited to support. Krebs sent her items of the puzzle to compare, and at closing the team identified the perpetrator (though it would take two years for him to be arrested). When she used to be invited to dinner with Krebs and the opposite investigators, she realized she’d stumbled on her folk.

“It used to be an wonderful moment for me,” she says. “I used to be fancy, wow, there’s all these fancy-minded folk that supreme-making an try hold to support and are doing it supreme-making an try for the devour of the sport, in total.”

Staying one step ahead

It used to be porn stars who supplied Nixon with her subsequent spacious study heart of attention—one which underscored her skill at spotting Com actors and prison traits of their nascent levels, sooner than they emerged as essential threats.

In 2018, somebody used to be hijacking the social media accounts of definite adult-movie stars and using those accounts to blast out crypto scams to their orderly follower bases. Nixon couldn’t settle out how the hackers had hijacked the social media profiles, nonetheless she promised to support the actors get hold of score entry to to their accounts in the event that they agreed to whisper her the deepest messages the hackers had sent or bought all the method through the time they controlled them. These messages led her to a discussion board where members hold been talking about how they stole the accounts. The hackers had tricked rather just a few these actors into disclosing the cellular phone numbers of others. Then they old a mode referred to as SIM swapping to reset passwords for social media accounts belonging to those other stars, locking them out. 

In SIM swapping, fraudsters score a victim’s phone number assigned to a SIM card and score in touch with they administration, so that calls and messages intended for the victim traipse to them instead. This includes one-time security codes that sites text to story holders to substantiate themselves when having access to their story or changing its password. In one of the instances though-provoking the porn stars, the hackers had manipulated telecom workers into making the SIM swaps for what they notion hold been legit reasons, and in other instances they bribed the workers to score the commerce. The hackers hold been then in a position to alter the password on the actors’ social media accounts, lock out the dwelling owners, and verbalize the accounts to advertise their crypto scams. 

SIM swapping is a highly efficient formulation that would perhaps additionally be old to hijack and drain whole cryptocurrency and monetary institution accounts, so Nixon used to be very much surprised to spy the fraudsters using it for barely unprofitable schemes. Nonetheless SIM swapping had infrequently been old for monetary fraud at that point, and fancy the earlier hackers Nixon had viewed on Hack Boards, the ones hijacking porn big title accounts didn’t seem to take hold of the vitality of the formulation they hold been using. Nixon suspected that this might perhaps commerce and SIM swapping would rapidly change into a significant distress, so she shifted her study heart of attention accordingly. It didn’t take long for the fraudsters to pivot as successfully.

Nixon’s skill at having a spy ahead in this reach has served her all the method through her career. On a pair of times a hacker or hacking team would score her consideration—for using a novel hacking reach in some minor operation, shall we verbalize—and he or she’d start up monitoring their online posts and chats in the assumption that they’d at closing terminate one thing significant with that skill. 

And they did. After they later grabbed headlines with a showy or impactful operation, these hackers would seem to others to hold emerged from nowhere, sending researchers and regulation enforcement scrambling to fancy who they hold been. Nonetheless Nixon would already hold a dossier compiled on them and, in some instances, had unmasked their right identification as successfully. Lizard Squad used to be an instance of this. The team burst into the headlines in 2014 and 2015 with a series of excessive-profile DDoS campaigns, nonetheless Nixon and colleagues on the job where she labored on the time had already been staring at its members as folk for a whereas. So the FBI sought their assistance in figuring out them.

“The ingredient about these younger hackers is that they … serve going till they score arrested, nonetheless it takes years for them to score arrested,” she says. “So a huge aspect of my career is supreme-making an try sitting on this recordsdata that has no longer been actioned [yet].”

It used to be all the method through the Lizard Squad years that Nixon started constructing tools to scrape and file hacker communications online, though it would be years sooner than she started using these concepts to scrape the Com chatrooms and forums. These channels held a wealth of info that will perchance well perhaps no longer seem helpful all the method through the nascent stage of a hacker’s career nonetheless might perhaps well perhaps show serious later, when regulation enforcement acquired around to investigating them; but the contents hold been consistently in chance of being deleted by Com members or getting taken down by regulation enforcement when it seized web sites and chat channels.

Nixon’s work is uncommon because she engages with the actors in chat areas to intention out recordsdata from them that “wouldn’t be in any other case assuredly accessible.”

Over several years, she scraped and preserved irrespective of chatrooms she used to be investigating. Nonetheless it wasn’t till early 2020, when she joined Unit 221B, that she acquired the chance to scrape the Telegram and Discord channels of the Com. She pulled all of this recordsdata collectively precise into a searchable platform that other researchers and regulation enforcement might perhaps well perhaps verbalize. The corporate hired two light hackers to support produce scraping tools and infrastructure for this work; the tip result’s eWitness, a community-driven, invitation-­simplest platform. It used to be before all the pieces seeded simplest with recordsdata Nixon had aloof after she arrived at Unit 221B, nonetheless has since been augmented with recordsdata that other customers of the platform hold scraped from Com social areas as successfully, some of which doesn’t exist in public forums anymore.

Brogan, of the FBI, says it’s an incredibly helpful arrangement, made more so by Nixon’s hold contributions. Other security corporations scrape online prison areas as successfully, nonetheless they seldom portion the reveal with outsiders, and Brogan says Nixon’s work is uncommon because she engages with the actors in chat areas to intention out recordsdata from them that “wouldn’t be in any other case assuredly accessible.” 

The preservation project she started when she acquired to Unit 221B couldn’t hold been greater timed, since it coincided with the pandemic, the surge in new Com membership, and the emergence of two traumatic Com offshoots, CVLT and 764. She used to be in a position to take hold of their chats as these groups first emerged; after regulation enforcement arrested leaders of the groups and took administration of the servers where their chats hold been posted, this arena topic went offline.

CVLT—pronounced “cult”—used to be reportedly founded around 2019 with a give consideration to sextortion and baby sexual abuse arena topic. 764 emerged from CVLT and used to be spearheaded by a 15-twelve months-light in Texas named Bradley Cadenhead, who named it after the first digits of his zip code. Its heart of attention used to be extremism and violence. 

In 2021, as a result of what she noticed in these groups, Nixon turned her consideration to sextortion among Com members.

The form of sextortion they engaged in has its roots in verbalize that started a decade in the past as “fan signing.” Hackers would verbalize the specter of doxxing to coerce somebody, assuredly a younger female, into writing the hacker’s address on a half of paper. The hacker would verbalize a photograph of it as an avatar on his online accounts—a more or much less trophy. In the kill some started blackmailing victims into writing the hacker’s address on their face, breasts, or genitals. With CVLT, this escalated even further; targets hold been blackmailed into carving a Com member’s title into their skin or accomplishing sexually articulate acts whereas recording or livestreaming themselves.

One day of the pandemic a blinding series of SIM swappers crossed into baby sexual abuse arena topic and sadistic sextortion, per Nixon. She hates monitoring this grotesque verbalize, nonetheless she seen but any other to exploit it for correct. She had long been frustrated at how leniently judges handled monetary fraudsters as a result of their crimes’ apparently nonviolent nature. Nonetheless she seen but any other to score harsher sentences for them if she might perhaps well perhaps tie them to their sextortion and started to present consideration to those crimes. 

At this point, Waifu restful wasn’t on her radar. Nonetheless that used to be about to commerce.

Endgame

Nixon landed in Waifu’s crosshairs after he and fellow members of the Com hold been fervent in a orderly hack though-provoking AT&T customer call records in April 2024.

Waifu’s team received score entry to to dozens of cloud accounts with Snowflake, an organization that presents online recordsdata storage for prospects. A form of prospects had more than 50 billion call logs of AT&T wi-fi subscribers saved in its Snowflake story. 

They tried to re-extort the telecom, threatening on social media to leak the records. They tagged the FBI in the publish. “It’s fancy they hold been begging to be investigated,” says Nixon.

Amongst the subscriber records hold been call logs for FBI agents who hold been AT&T prospects. Nixon and other researchers imagine the hackers might perhaps well perhaps hold been in a position to title the phone numbers of agents through other reach. Then they might perhaps perchance well hold old a reverse-search for program to title the dwelling owners of phone numbers that the agents referred to as or that referred to as them and stumbled on Nixon’s number among them. Right here’s when they started harassing her.

Nonetheless then they acquired reckless. They allegedly extorted almost $400,000 from AT&T in commerce for promising to delete the call records they’d stolen. Then they tried to re-extort the telecom, threatening on social media to leak the records they claimed to hold deleted if it didn’t pay more. They tagged the FBI in the publish.

“It’s fancy they hold been begging to be investigated,” says Nixon.

The Snowflake breaches and AT&T records theft hold been grabbing headlines on the time, nonetheless Nixon had no thought her number used to be in the stolen logs or that Waifu/Judische used to be a prime suspect in the breaches. So she used to be perplexed when he started taunting and perilous her online.

FRANZISKA BARCZYK

Over several weeks in Could and June, a sample developed. Waifu or one among his pals would publish a threat against her and then publish a message online animated her to chat. She assumes now that they believed she used to be serving to regulation enforcement compare the Snowflake breaches and hoped to intention her precise into a dialogue to extract recordsdata from her about what authorities knew. Nonetheless Nixon wasn’t serving to the FBI compare them but. It used to be simplest after she started having a spy at Waifu for the threats that she turned responsive to his suspected characteristic in the Snowflake hack.

It wasn’t the first time she had studied him, though. Waifu had come to her consideration in 2019 when he bragged about framing one other Com member for a hoax bomb threat and later talked about his involvement in SIM-swapping operations. He made an impact on her. He clearly had technical skills, nonetheless Nixon says he also assuredly regarded immature, impulsive, and emotionally unstable, and he used to be desperate for consideration in his interactions with other members. He bragged about no longer needing sleep and using Adderall to hack through the evening. He used to be also moderately reckless about preserving personal crucial aspects. He wrote in deepest chats to 1 other researcher that he would never score caught because he used to be correct at OPSEC, nonetheless he also informed the researcher that he lived in Canada—which turned out to be correct.

Nixon’s course of for unmasking Waifu followed a basic recipe she old to unmask Com members: She’d intention a orderly investigative circle around a purpose and the whole personas that communicated with that person online, and then seek their interactions to slim the circle to the folk with essentially the most crucial connections to the purpose. Just among the becoming leads came from a purpose’s enemies; she might perhaps well perhaps gather rather just a few recordsdata about their identification, persona, and activities from what the folk they fought with online talked about about them.

“The enemies and the ex-girlfriends, assuredly talking, are the becoming [for gathering intelligence on a suspect],” she says. “I devour them.”

Whereas she used to be doing this, Waifu and his team hold been reaching out to other security researchers, making an try to assemble recordsdata about Nixon and what she shall be investigating. Additionally they attempted to plant false clues with the researchers by shedding the names of alternative cybercriminals in Canada who might perhaps well perhaps plausibly be Waifu. Nixon had never viewed cybercriminals engage in counterintelligence tactics fancy this.

Amid this subterfuge and confusion, Nixon and one other researcher working with her did rather just a few consulting and imperfect-checking with other researchers about the clues they hold been gathering to score obvious they had the neutral title sooner than they gave it to the FBI.

By July she and the researcher hold been delighted they had their man: Connor Riley Moucka, a 25-twelve months-light excessive college dropout dwelling along with his grandfather in Ontario. On October 30, Royal Canadian Mounted Police converged on Moucka’s home and arrested him.

Per an affidavit filed in Canadian court, a plainclothes Canadian police officer visited Moucka’s dwelling below some pretense on the afternoon of October 21, nine days sooner than the arrest, to secretly take hold of a photograph of him and compare it with a describe US authorities had supplied. The officer knocked and rang the bell; Moucka opened the door having a spy raveled and informed the client: “You woke me up, sir.” He informed the officer his title used to be Alex; Moucka most continuously old the alias Alexander Antonin Moucka. Happy that the actual individual that answered the door used to be the person the US used to be looking out for, the officer left. Waifu’s online rants against Nixon escalated at this point, as did his attempts at misdirection. She believes the seek the advice of with to his door spooked him.

Nixon received’t verbalize precisely how they unmasked Moucka—simplest that he made a mistake.

“I don’t hold to put collectively these folk in no longer score caught [by revealing his error],” she says.

The Canadian affidavit against Moucka reveals a series of alternative violent posts he’s supposed to hold made online previous the threats he made against her. Some involve musings about changing precise into a serial killer or mass-mailing sodium nitrate capsules to Murky folk in Michigan and Ohio; in one other, his online persona talks about acquiring firearms to “abolish Canadians” and commit “suicide by cop.” 

Prosecutors, who listing Moucka’s online aliases as at the side of Waifu, Judische, and two more in the indictment, verbalize he and others extorted on the least $2.5 million from on the least three victims whose recordsdata they stole from Snowflake accounts. Moucka has been charged with almost two dozen counts, at the side of conspiracy, unauthorized score entry to to computer systems, extortion, and wire fraud. He has pleaded no longer guilty and used to be extradited to the US closing July. His trial is scheduled for October this twelve months, though hacking instances assuredly result in plea agreements instead of going to trial. 

It took months for authorities to arrest Moucka after Nixon and her colleague shared their findings with the authorities, nonetheless an alleged accomplice of his in the Snowflake conspiracy, a US Navy soldier named Cameron John Wagenius (Kiberphant0m online), used to be arrested more hasty. 

On November 10, 2024, Nixon and her crew stumbled on a mistake Wagenius made that helped title him, and on December 20 he used to be arrested. Wagenius has already pleaded guilty to 2 charges throughout the sale or attempted sale of confidential phone records and can even very successfully be sentenced this March.

For the time being Nixon continues to compare sextortion among Com members. Nonetheless she says that final members of Waifu’s team restful taunt and threaten her.

“They are persevering with to persist of their nonsense, and they are getting taken out one after the other,” she says. “And I’m supreme-making an try going to serve doing that till there’s nobody left on that aspect.” 

Kim Zetter is a journalist who covers cybersecurity and national security. She is the creator of Countdown to Zero Day.