It may be that we’re looking at some “parallel construction” [wikipedia] here; this sounds a bit dodgy.
Following up on some of my earlier comments about ‘tradecraft’: if you’re interested in how good the retro-scope is, you definitely want to read this. [dailybeast]
The suspect arrested Thursday for a wave of bomb threats against Jewish Community Centers in the United States employed an array of technologies, including Bitcoin and Google Voice, to make himself virtually untraceable for months, The Daily Beast has learned. But in the end, it only took one careless slip-up to lead police to his door.
So: Bitcoin to pay for services such as proxies, to make it harder to backtrack from the proxy user account to a person. The suspect clearly expected that law enforcement would peel back the first layer or so of his protections, and would start chaining together his access with warrants.
My guess would be that the FBI showed up at SpoofCard with a warrant, got the information about the proxy service that was connecting to them (Google Voice), then didn’t even need Google: they immediately looked for connections into/out of the SpoofCard service during that time, and probably got a back-reference to a cluster of networks in Israel. Having Google’s logs would be a plus, of course. One thing a lot of people who are trying to hide don’t expect is that tools like Palantir are specifically designed to time-synchronize events: a connection from here happens, then one to there, which then connects to another place. Then the connections drop – again, in sequence. Defeating that is difficult but not impossible: if you’re going to do something very naughty, like this guy was doing, think about how to make it asynchronous. I’ll leave that as an exercise for the advanced student.
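The time-correlation described above, as an added example that is not part of the original post and not any vendor’s code: two constructed connection logs (one from the called service, one from the proxy’s edge; every address, timestamp, service name and tolerance is a placeholder, not data from the case) are joined on the proxy address and on open/close times that fall within a tolerance of each other, and edge-side clients are then ranked by how many of the service’s sessions they bracket. It goes one step past the post by including a long-lived, asynchronous session to show what decorrelating the timing buys you.

```python
"""
Constructed example: timing correlation of connection events across two
vantage points. Nothing here is real case data; the log lines, IPs and
tolerance are made up to illustrate the technique.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    src: str           # client address as seen at this vantage point
    dst: str           # address the client connected to
    start: datetime
    end: datetime


def parse_log(text):
    """Parse constructed 'start, end, src, dst' lines into Session objects."""
    sessions = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        start, end, src, dst = (f.strip() for f in line.split(","))
        sessions.append(Session(src, dst,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end)))
    return sessions


# Vantage point A (constructed): the called service. It only ever sees the
# proxy exit address 203.0.113.7, which is why this log alone is a dead end.
SERVICE_LOG = """
# start, end, src, dst
2017-02-01T10:00:05, 2017-02-01T10:04:50, 203.0.113.7, 198.51.100.10
2017-02-01T11:30:02, 2017-02-01T11:33:41, 203.0.113.7, 198.51.100.10
2017-02-02T09:15:10, 2017-02-02T09:18:03, 203.0.113.7, 198.51.100.10
2017-02-02T14:00:00, 2017-02-02T14:05:00, 203.0.113.7, 198.51.100.10
"""

# Vantage point B (constructed): flow records at the proxy's edge, showing
# who connected to the proxy. 192.0.2.44 opens and closes in lock-step with
# the service-side sessions; 192.0.2.99 is a bystander whose one session
# happens to coincide; 192.0.2.150 keeps a tunnel up for two days, so its
# timing tells you nothing about individual calls.
EDGE_LOG = """
# start, end, src, dst
2017-02-01T10:00:01, 2017-02-01T10:04:55, 192.0.2.44, 203.0.113.7
2017-02-01T10:00:03, 2017-02-01T10:04:48, 192.0.2.99, 203.0.113.7
2017-02-01T11:29:58, 2017-02-01T11:33:46, 192.0.2.44, 203.0.113.7
2017-02-02T09:15:06, 2017-02-02T09:18:08, 192.0.2.44, 203.0.113.7
2017-02-01T08:00:00, 2017-02-02T20:00:00, 192.0.2.150, 203.0.113.7
2017-02-02T13:59:57, 2017-02-02T14:05:04, 192.0.2.44, 203.0.113.7
"""


def correlate(service_sessions, edge_sessions, tolerance=timedelta(seconds=10)):
    """Count, per edge-side client, how many service-side sessions it brackets.

    A bracket requires the edge session to go to the same proxy address the
    service saw, and to open and close within `tolerance` of the service
    session. Matching both ends is what excludes long-lived tunnels.
    """
    hits = Counter()
    for svc in service_sessions:
        for edge in edge_sessions:
            if edge.dst != svc.src:
                continue
            if (abs(edge.start - svc.start) <= tolerance
                    and abs(edge.end - svc.end) <= tolerance):
                hits[edge.src] += 1
    return hits


def rank_candidates(hits, n_sessions):
    """Order clients by sessions explained; the fraction separates a
    coincidental overlap from a client that tracks every call."""
    return sorted(((src, n, n / n_sessions) for src, n in hits.items()),
                  key=lambda t: -t[1])


def run():
    svc = parse_log(SERVICE_LOG)
    edge = parse_log(EDGE_LOG)
    return rank_candidates(correlate(svc, edge), len(svc))


if __name__ == "__main__":
    for src, n, frac in run():
        print(f"{src:14} bracketed {n} sessions ({frac:.0%})")
```

The point to take from the ranking is that one coincidental match is noise, four out of four is a lead, and the client that simply leaves its connection up across the whole period never appears at all, because there is no edge that lines up with anything.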
The FBI traced the phone calls back to a service called SpoofCard that allows users to mask their caller ID, so their phone calls can appear to come from any number they choose.
The FBI sent a subpoena to the company that runs the service, New Jersey-based TelTech, in the hope of obtaining the caller’s real number. But that phone number turned out to be a disposable Google Voice line established under an alias.
The server logs from both TelTech and Google weren’t much more helpful. They showed that the suspect routed his Internet connection through anonymous proxy servers overseas. Even the caller’s voice was anonymous—he used Spoofcard’s voice-changing option to make himself sound like a voice synthesizer imitating a woman. And rather than use a traceable credit card or PayPal, the perpetrator paid for his Spoofcard in Bitcoin—another dead end.
So far, so good. Then:
But in his rush to reach as many Jewish institutions as possible, the original bomb hoaxer grew careless. On at least one occasion, he neglected to route his Internet connection through a proxy server, leaving behind a real IP address in the server logs. The address was in Israel, where police traced it to a WiFi access point that Kaydar was allegedly accessing through a giant antenna pointed out a window in his home.
I find that a bit odd. After setting all that up, then he made a basic newbie mistake? That sounds sort of like the Silk Road bust: here’s this guy with pretty good tradecraft who suddenly embeds the critical IP address in a file and leaves it on an open area in a server. So this guy was using layered proxies and Bitcoin payments to mask his identity and then used an open WiFi from his home? That reeks of parallel construction. Anyone who knows enough to go to the lengths that he did knows that once you’re localized down to a WiFi access point, your location is known (unless you’re travelling to the access point, in which case it’s a matter of time before they pull surveillance cameras in that known time-frame, and then they have your picture!).
Anyhow, it’s an interesting story because it says a lot about the capabilities of the various intelligence agencies. Reading between the lines, it sounds like what happened was that a time-chart of connections was produced, then it took a couple of days to scrub that against various databases, and the originating geography of the threats jumped out. From there it was probably a matter of confirming the connections locally with a few of the providers involved. If you don’t think that Israel is keeping traces of connections into/out of its internet space, or that the NSA is too, you ought to rethink that view based on this incident.
I’m glad they caught him. He sounds like he’s going to experience some tough times and if he really has got mental health issues, his misfortune is about to be compounded.