A 19-year-old Canadian man was found guilty of making almost three dozen fraudulent calls to emergency services across North America in 2013 and 2014. The false alarms, two of which targeted this author — involved phoning in phony bomb threats and multiple attempts at “swatting” — a dangerous hoax in which the perpetrator spoofs a call about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.
Curtis Gervais of Ottawa was 16 when he began his swatting spree, which prompted police departments across the United States and Canada to respond to fake bomb threats and active shooter reports at a number of schools and residences.
Gervais, who taunted swatting targets using the Twitter accounts “ProbablyOnion” and “ProbablyOnion2,” got such a high off of his escapades that he hung out a for-hire shingle on Twitter, offering to swat anyone with the following tweet:
Several Twitter users apparently took him up on that offer. On March 9, 2014, @ProbablyOnion started sending me rude and annoying messages on Twitter. A month later (and several weeks after blocking him on Twitter), I received a phone call from the local police department. It was early in the morning on Apr. 10, and the cops wanted to know if everything was okay at our address.
Since this was not the first time someone had called in a fake hostage situation at my home, the call I received came from the police department’s non-emergency number, and they were unsurprised when I told them that the Krebs manor and all of its inhabitants were just fine.
Minutes after my local police department received that fake notification, @ProbablyOnion was bragging on Twitter about swatting me, including me on his public messages: “You have 5 hostages? And you will kill 1 hostage every 6 times and the police have 25 minutes to get you $100k in clear plastic.” Another message read: “Good morning! Just dispatched a swat team to your house, they didn’t even call you this time, hahaha.”
I told this user privately that targeting an investigative reporter maybe wasn’t the brightest idea, and that he was likely to wind up in jail soon. On May 7, @ProbablyOnion tried to get the swat team to visit my home again, and once again without success. “How’s your door?” he tweeted. I replied: “Door’s fine, Curtis. But I’m guessing yours won’t be soon. Nice opsec!”
I was referring to a document that had just been leaked on Pastebin, which identified @ProbablyOnion as a 19-year-old Curtis Gervais from Ontario. @ProbablyOnion laughed it off but didn’t deny the accuracy of the information, except to tweet that the document got his age wrong.
A day later, @ProbablyOnion would post his final tweet before being arrested: “Still awaiting for the horsies to bash down my door,” a taunting reference to the Royal Canadian Mounted Police (RCMP).
A Sept. 14, 2017 article in the Ottawa Citizen doesn’t name Gervais because it is against the law in Canada to name individuals charged with or convicted of crimes committed while they are a minor. But the story quite clearly refers to Gervais, who reportedly is now married and expecting a child.
The Citizen says the teenager was arrested by Ottawa police after the U.S. FBI traced his Internet address to his parents’ home. The story notes that “the hacker” and his family have maintained his innocence throughout the trial, and that they plan to appeal the verdict. Gervais’ attorneys reportedly claimed the youth was framed by the hacker collective Anonymous, but the judge in the case was unconvinced.
Apparently, Ontario Court Justice Mitch Hoffman handed down a lenient sentence in part because of more than 900 hours of volunteer service the accused had performed in recent years. From the story:
Hoffman said that troublesome 16-year-old was hard to reconcile with the 19-year-old, recently married and soon-to-be father who stood in court before him, accompanied in court Thursday by his wife, father and mother.
“He has a bright future ahead of him if he uses his high level of computer skills and high intellect in a pro-social way,” Hoffman said. “If he does not, he has a penitentiary cell waiting for him if he uses his skills to criminal ends.”
According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.” He also is barred from using Twitter or Skype during his 18-month probation period.
Most people involved in swatting and making bomb threats are young males under the age of 18 — the age when kids seem to have little appreciation for or care about the seriousness of their actions. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public.
In February 2017, another 19-year-old — a man from Long Beach, Calif. named Eric “Cosmo the God” Taylor — was sentenced to three year’s probation for his role in swatting my home in Northern Virginia in 2013. Taylor was among several men involved in making a false report to my local police department at the time about a supposed hostage situation at our house. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax.
This is very sad to hear and swatting happens everywhere in the world. I live in Finland and there have been many similar cases over the past few years.
Yes, and most of them have been committed by one person: Julius Kivimaki. It doesn’t seem to matter how many cybercrimes you commit in Finland or how atrocious they are (and his were quite heinous and voluminous) they treat cybercriminals with kid gloves.
“most of them have been committed by one person”
Got some stats on that or is that just a shot in the dark/hyperbole?
Sure: https://krebsonsecurity.com/?s=kivimaki&x=0&y=0
Ask anyone in Finnish law enforcement that prosecutes cybercrimes. They all know him and express exasperation that their legal system simply doesn’t care about punishing these guys.
Also look up the history of a group called Hack the Planet (HTP).
That’s the difference between a civilized nation (Finland) and one thats justice system fucks people lives for cybercrimes (USA). It’s pretty obvious that people that are under 20 or were minors shouldn’t be getting jail time for cybercrimes. That’s counterproductive in almost every way, these kids will become hostile towards the system and only cause more harm in future. Give them a small fine and maybe probation for the worst offenders, that should be enough to scare the majority of. People like Kivimäki are an expection and for sure he will be getting harsher punishments if he continues behaving like this. I’m pretty sure he has already done some time in jail.
In Finland, as in most of nordic countries and other well-being countries of europe, the aim is to rehabilitate convicts so the sentences or general jail time aren’t so damn high. “Lifetime” sentence in Finland means on average 14 years of prison and thats only for the most cruesome killers, you can basically get away with a murder and only sit slightly under 10 years.
I don’t know how long are what kind of punishments you want for cybercriminals but I think they are pretty reasonable and the answer definitely isn’t years of prison.
Sorry, but Kivimaki belongs in a cage, or in a mental ward (or cage in a mental ward). I grow pretty tired of this attitude that hackers shouldn’t do real jail time just because they’re young, and that we should find better ways to use their talents. Screw that. If you can’t do the time, don’t do the crime. Some of these guys are doing some really bad stuff that puts peoples’ lives at risk and causes lasting damage to others.
This
Agree, also grow tired of the ones who become “reformed” and can then profit from their initial crimes, as “whitehats” forevermore.
“According to the article, the teen will serve six months of his nine-month sentence at a youth group home and three months at home “under strict restrictions, including the forfeiture of a home computer used to carry out the cyber pranks.”
He’s married? Expecting a child, and going to live in a home for brats?
I’d be laughing if it wasn’t so pathetic….
Agree on this one. Immature and devious ‘pranksters’ should not fathering children. If his wife is reading this… get out while you can and take your child with you. I would not have been as lenient as the judge. These were planned and deliberate criminal acts. The guy is likely to get worse before better.
He has been using a computer though that is how he met his wife my daughter from the UK, he also hacked into my mobile after my daughter went to Canada without my knowlege
The judge should have thrown the book at him. Swatting is no joke and these lil skiddies need to be taught a lesson. They act with inflated egos and near impunity because they know they are under-age and will get light sentences if caught. That needs to change.
You are 100% correct. And this is why it will continue because judges think it’s cute and “smart”, and so they move onto other things like the millions of scams being done yearly. Those many scams, almost nothing is done about them.
Wow! They threw the whole brochure at him.
LOL
…and that brochure was printed on REALLY lightweight paper, too.
Clearly Canada is a great place to commit these types of crimes.
But Brian, I was thinking it might be useful for you to post a page that documents all of the crime and resulting punishment that you are aware of. If more hacker wannabes were made aware that a good percentage of these people around the world get caught it could discourage some from starting.
The real shame is that many talented computer people could make a good, secure living using their abilities in a lawful (or mostly lawful) manner.
Thanks for reading my email over at the “Krebs manor”
I hope you know that was literary license and meant as a joke. We lived in a pretty small townhome at the time.
Okay you current location is the Krebs Castle ! LOL
Call me old-fashioned, but I think some traditional middle-eastern-type sentencing is called for in these cases. The kind that makes it very difficult to wipe…or to type.
Early in my computer security career (mid-1980’s) I jokingly suggested that the best way to stop the bulk of phone phreaks, hackers, etc., was to get all males 16-25 years old girlfriends or wives. They’d then be too busy to do this kind of stuff.
It’s been done before.
https://www.theatlantic.com/past/docs/issues/2001/12/hoffman.htm
He gets 9 months, out in 30 days most likely, for phoning in over 30 bomb threats. That’s it. 9 months.
Of course he’s white. Had he had brown skin he would be in prison for 10 years.
There is some truth to what you said. Canada is famous for that.
As long as we’re soft on this crime it will never end.
The best thing about the Internet is it is anonymous. The worst thing about the Internet is it is anonymous.
Hi, I completely disagree with you. There is nothing anonymous on the Internet. Not one thing.
With proper opsec there’s a degree of anonymity, but with horrid opsec, routinely found in the subculture this guy participated in, there’s none at all.
Maybe, but opsec is hard to do consistently well, and I’ve found that even the most seasoned and experienced cybercriminals stink at it, or at least make mistakes eventually that get them caught.
https://krebsonsecurity.com/category/breadcrumbs/
“Door’s fine, Curtis. But I’m guessing yours won’t be soon” How satisfying it must have felt to type that !
I expect that the word has now gotten out that you don’t swat Brian Krebs!
Regards,
The problem really is that police are clumsy enough to be susceptible to this type of attack. It’s like when a company gets hacked, the blame is on the company, because it’s difficult if not impossible to track the attackers down, and if it’s possible, someone will eventually do it. The fact that a SWAT team can be fooled by a kid is pretty bad security. The blame should be on the lack of SS7 security (phone spoofing) and lack of training and protocol by the SWAT teams.
The irony of course, is that now his dox is out there, he may get swatted himself lol.
ProbablyOnion now called DefiniteIdiot…
“soon-to-be father”
How does impregnating another teenager make him a responsible person who understands the implications of his decisions?
The mind boggles. “Teen proves responsibility and understanding of planning for the future by getting pregnant” no one says ever.
The double standard illustrates something about the POV of the judge.
the teenager is my daughter him on line when he was not meant to be using a computer and she flew to Canada without my knowledge to me this evening that my daughter who will have nothing to do with me for some reason is now pregnant, I am in utter shock. She flew from the UK so he was using a computer when he was not meant to that is how they met
too sad to bring a child into this maddness and the parents allow it
Exactly why did his parents allow it; so he would get a lesser sentence; its ludicrous
So who is Doxbin and why do we believe the content of their dump?
And what is their beef with our poor, misguided fried Curtis?
Doxbin was a site, although not the founder, the operator for most of its existence was nachash, except for a brief period where he tried to hand things off to a protege whose name I can’t recall. That service, along with a companion revenge porn operation called Pinkmeth, both came down thanks to Operation Onymous back in 2014.
The internet is full of egotistical blackhats, but nachash was the real deal – a sort of digital Jason Bourne. He’s the second scariest person I’ve ever encountered online, and his dox work was always deadly accurate.
Hope this straightens out that child – given how militarized US police forces are these days, it’s a miracle nobody has been killed by this moron’s actions!
Outside of the nuisance and possible physical harm due to misunderstandings at the site, diverting emergency resources unnecessarily endangers the rest of the community should a real emergency happen. Like calling in a false fire alarm, this puts the whole community at risk, not just the swatting victim.
Perhaps the judge didn’t consider this at the trial. If another family was taken hostage when the cavalry was at the opposite end of town chasing phantoms his verdict may have been different.
Many USA jurisdictions have a crime known as “felony murder”. If somebody loses their life, for any reason whatsoever, during the commission of a felony it’s considered murder, and the person doing the felony is the murderer.
It would be good to update the laws to clarify that felony murder applies to SWATting.
Me too i was in canada i got 4months. for raping bmo bank.
13k ammount. 2days.
Huh. Why do judges think the ability to send tweets is a sign of “high computer skills and high intellect?” I can see how they might think that in the USA, but in Canada? Really?
SWATing someone is dangerous and not a good move more likely to backfire and endanger innocent civillians
You’ve been involved in investigative reporting on computer security for over 15 years. In the world of computer security I assume everyone has heard of you. You have taken down multiple hackers. My question is, do the hackers that try to hack you, know who you are and your CV? Or is it that teen hackers just think they are smarter than everyone?
No idea. Hubris, youth and naivete obviously play a role, but beyond that I can’t really get inside their heads. I think at some point it became fashionable in certain circles to invoke my name or likeness for selling cyber crimey goods and services, and for a long time it’s been vogue to taunt and threaten me for cool points. Seems likely that some of these guys just take it to extremes at their own peril.
If your opsec can survive getting krebed, you are set.
If you can keep it up. That seems to be the problem. It’s relatively easy to keep your opsec in good shape most of the time. But all it takes is one careless slip-up. The kind of patient diligent caution required is definitely *not* the strong suit of kids like this.
Awesome work Brian. Thanks for all you write and do to help keep good people safe, and bad people at a safer distance
Even the right-leaning US Supreme Court ruled in favor of not sentencing adolescent offenders as adults–to some degree. The feeling of power that certain kinds of teens experience at keyboards connected to powerful computers can’t be overstated. Many aren’t qualified or inclined to get into analogous trouble in the tangible world. For myself, I’d like to know the recidivism rate for young hackers with a similar background who committed similar crimes–to see if the penalties are appropriate. Here’s a further suggestion: the sentences of teens who commit felonies should include ‘poison pill’ provisions that send them to additional time in adult prisons for their teenage felonies if they commit felonies as young adults, especially for the same crimes they committed when young. Just sayin.
I am not a public figure, but if I was and could afford it, I would get a second address to use as an address for my driver’s license and other credentials and documents. This would put a buffer between my actual residence and buffer address, where all my mail would come. An inexpensive mobile home and travel trailer lot could work for this. Unfortunately, many states will not let you use a P.O. Box for an address for state documents.
The number of (and it’s a word I don’t use lightly, as I normally hate it in how it’s overused) Legendary takedowns by Brian here, in a relatively short time, is seriously impressive, and makes it all look rather effortless – it’s good fun cackling at the misfortunes of those who’ve attempted to wrong the author and/or others.
Young smart people especially those who have enough time to engage in this can be social outcasts from normal society even though they have a digital social life. Sentencing needs to include hundreds of hours of community service teaching law enforcement cyber divisions everything they know, and hopefully in doing so, leading them away from the dark side of the force and into a career leveraging their talents for good. We are going to need them, because the bad guys are not going away anytime soon.
All we have to do is keep them away from computers until they “age-out”.
That said, the retirement age of judges (in Canada, anyway) is 75; twitter isn’t a “thing” for them.
I am in utter shock today to learn the my 18 year old daughter got married and the parents encouraged it and now she is pregnant after flying out from the Uk and meeting this person on line when clearly he should not have been using a computer so sad she is ruining her life