Federal authorities this week arrested a North Carolina man who allegedly ran with a group of online hooligans that attacked Web sites (including this one), took requests on Twitter to call in bomb threats to thousands of schools, and tried to frame various online gaming sites as the culprits. In an ironic twist, the accused — who had fairly well separated his real life identity from his online personas — appears to have been caught after a gaming Web site he frequented got hacked.
On Feb. 12, the U.S. Justice Department announced the arrest of Timothy Dalton Vaughn, a 20-year-old from Winston-Salem, N.C. Vaughn is alleged to have been a key member of the Apophis Squad, a gang of ne’er-do-wells who made bomb threats against thousands of schools and launched distributed denial-of-service (DDoS) attacks against Web sites — including KrebsOnSecurity on multiple occasions.
The feds say Vaughn used multiple aliases on Twitter and elsewhere to crow about his attacks, including “HDGZero,” “WantedByFeds,” and “Xavier Farbel.” Among the Apophis Squad’s targets was encrypted mail service Protonmail, which reached out to this author last year for clues about the identities of the Apophis Squad members after noticing we were both being targeted by them and receiving demands for money in exchange for calling off the attacks.
Protonmail later publicly thanked KrebsOnSecurity for helping to bring about the arrest of Apophis Squad leader George Duke-Cohan — a.k.a. “opt1cz,” “7R1D3n7,” and “Pl3xl3t,” — a 19-year-old from the United Kingdom who was convicted in December 2018 and sentenced to three years in prison. But the real-life identity of HDGZero remained a mystery to both of us, as there was little publicly available information at the time connecting that moniker to anyone.
That is, until early January 2019, when news broke that hackers had broken into the servers of computer game maker BlankMediaGames and made off with account details of some 7.6 million people who had signed up to play “Town of Salem,” the company’s browser-based role playing game. That stolen information has since been posted and resold in underground forums.
A review of the leaked BlankMediaGames user database shows that in late 2018, someone who selected the username “hdgzero” signed up to play Town of Salem, registering with the email address firstname.lastname@example.org. The data also shows this person registered at the site using a Sprint mobile device with an Internet address that traced back to the Carolinas.
The Justice Department indictment against Vaughn and Duke-Cohan released this week alleges the pair were equally responsible for sending spoofed bomb threat emails to 2,000 schools in the United States and more than 400 in the U.K., falsely warning that various explosive devices were planted at the schools and would be detonated unless a ransom demand was paid.
In this snippet from a January 2018 online chat taken from a channel maintained by HDGZero, the accused can be seen claiming credit for the bomb threats and posting links to stories in various local media outlets about schools evacuating students in response to the threats. The bomb threat emails were made to look like they were sent by different high-profile squads of online gamers competing against one another in the wildly popular game Minecraft.
The government maintains that, through their various Twitter handles, Duke-Cohan and Vaughn even offered to take requests for shutting down specific schools with bomb threats.
“We are OPEN for request for school lockdowns / evacs,” read a tweet from the Twitter account @apophissquadv2, which the Justice Department says Duke-Cohan and Vaughn shared. “Send us your request to email@example.com (FREE).”
The government alleges that Vaughn also participated with Duke-Cohan in reporting the hijack of a United Airlines flight bound for the United States. That flight, which had almost 300 passengers on board, was later quarantined for four hours in San Francisco pending a full security check.
The indictment charges Vaughn and Duke-Cohan with conspiracy and eight additional felony offenses, including making threats to injure in interstate commerce and making interstate threats involving explosives. Vaughn is additionally charged with intentionally damaging a computer and interstate threat to damage a protected computer with intent to extort.
A Justice Department press release on the indictment states that if convicted of all 11 charges, Vaughn would face a statutory maximum sentence of 80 years in federal prison. If convicted of the nine charges in the indictment in which he is named, Duke-Cohan would face a statutory maximum sentence of 65 years in federal prison.
I read the following on ZDnet: “In a blog post published last September, ProtonMail founder Andy Yen said that Duke-Cohen made the mistake of using ProtonMail’s very own VPN service when making their threats against the company, allowing ProtonMail to restrict the number of potential suspects.”
Was it a combination of the leaked DB and ProtonMails effort regarding the above? Even though that is not clear to me, it is good to see these guys get what was coming for them.
Certainly Duke-Cohan did use multiple accounts on Protonmail, and that was very much part of his undoing. I don’t believe that was the case with HDGZero.
Jesus, life (80 years) sentence for something like this? Seems a little harsh, dont it?
It’s not sentenced 80 years, thats just all crimes with the maximum sentence combined. As you can read, the leader “George Duke-Cohan” was sentenced to three years in prison while he could have faced 65 years.
Almost, but not quite all of it, sentencing for offences in the US vs. the UK where G D-C was convicted is very different. The UK has a overall proportionality test which is applied along with the sentencing council guidelines which defines maximum sentences for practical purposes.
Hence, even if you tot it all up, you still don’t get 65 years in the UK for any of these offences.
The DOJ always does that on their press releases. That’s just the statutory maximum. Sentencing guidelines will bring that *way* down. My guess is if the accused are convicted and they don’t have any prior offenses, they will receive a small fraction of the maximum punishment.
Spot on, Brian — and kudos for another excellent report.
Yes, the ultimate sentence will likely be a small fraction of the quoted max. And while I agree that 50-60-70-80 years may seem like much, I fear the 1-2-3 years that may actually result will be too small. Which would be a shame.
What some may fail to recognize is that every single threat carries the risk that a first responder — or perhaps someone at the target location — being injured or even killed. Most likely by accident, but an accident that would not have happened but for the threat. And let’s not forget how much money was spent responding to hundreds or even thousands of threats and attacks. That’s taxpayers’ money.
So perhaps these criminals — yes, they’re criminals — will get off easy. Because if someone responding to (or as a result of) a threat is injured or killed, the charges are much more serious. And 50-60-70-80 years may not seem quite so onerous.
And I can’t think of anyone more deserving…
Bryan, you might want to make note of the fact that this press release came from FBI’s PR management department. Their job is to cast this in such a light so last two hopefully deter future crimes. Just my 2¢
In the US it’s standard practice to go for the max on each count. That way if half of them get dropped you still have a substantive ‘pool’ of years to work with on the successful convictions.
Dukes-Cohen was sentenced to 3 years in the UK (out in 1 for being good), hopefully the US will do the right thing, extradite him and make him serve proper justice when he gets out
If you are young enough, you get a “get out of jail free” pass??
There has to be enough time to make them think about it and a year or two just isn’t going to do it.
How long til they graduate to phoning threats into the police causing deaths? How long before they cause a crash of a plane by phony bomb threats?
I never thought it funny to evacuate schools even when I was a teenager. The idea of it being wrong needs to be driven home with a sledge hammer.
Apparently youve never spent a year or 2 locked in a cell, or even seriously considered what that might be like. A year or 2 behind bars will feel like 10.
Average # of kids in US school = 979, add in staff = 50, parents/family members = 1958, total of 2987, add in responding service people and round it up to 3000 people per school terrorized.
Personally I think it would be “fair” to give him only 1 month in jail per school. Which works out to 166 years.
At only 80 years, he is only potentially serving 1 day for every 205 people terrorized. or 14.6 days per school.
In reality he will likely spend less than 1 day per school. But hey, out of the 6,000,000 people he terrorized, at least one of those will likely be looking for him when he gets out – be it a week or 80 years. So he can look forward to getting out of jail to meet karma.
I like your formula, seems about right to me
For a long time I was in the camp of “lock ’em up for 100 years.” But recently I’ve been contemplating what we as a society want to accomplish and should accomplish with the criminal justice system, in particular for non-violent yet large-scale crimes such as discussed here. I’ve come to believe that the desire for multi-life-length sentences is really only serving our selfish need to satisfy our anger, outrage, and indignation over the brazenness and massive scale of these crimes. We consider ourselves civilized because we don’t lead the perpetrator into the town square to be stoned to death by an angry mob. But is locking a person away in a concrete cell for his entire lifetime really more enlightened? From a practical standpoint, the average cost of housing a prisoner in the U.S. is nearly $35K
Is that a good use of taxpayer dollars? Especially coupled with the waste of a life?
So what might be the alternatives? Well the case of Frank Abagnale comes to mind. Perhaps a viable alternative would be the perpetrator spends the next 10 years tracking down others who commit similar acts. This would serve a positive societal purpose, perhaps at $35K per year is even a bargain, and 10 years should be long enough to “age out” of criminal behavior. Include some restitution and community service: visiting all of those schools and apologizing.
You clearly don’t get what these people did calling it “non-violent”. The actions they put in motion caused violence, sometimes resulting in the death. You are a pathetic buddy of the puke trying to make light of Adults that know exactly what they are doing, making others suffer. The next step for bad people like this is killing people in person. If justice was real, he would be put to death immediately upon conviction. That is the only deterrent to people like this. They have no respect for anyone in any capacity. They enjoy making others suffer, getting paid for it is only icing on the cake to them.
Jesus, did someone hack your email or something? You seem particularly triggered by this.
Two wrongs don’t make a right, but three lefts do… The people in the comments besides this one make me question the entire humanity of society.
The Dutch have it nailed down correctly, prisoners are rehabilitated back into society and taught to contribute proactively to the society in which they live and work.
They are closing prisons because they can not maintain the inmate demand, the decline in crime has been continually falling for the last 15 years. They once had the highest crime rate in Europe, now they have the least.
Where do you get your stats from?
These idiots can’t keep going around doing this….80 years isn’t harsh at all. (especially since they probably won’t even serve time, just a suspended sentence)
Cybercrime has very real world consequences…do we need someone else to get murdered by another lolol swat raid? They got away with their fun and games for a while….now it’s caught up to them they can deal with it.
He didn’t mind putting the lives of others at risk. Yes, he should face a vary harsh sentence, for his crimes, and to deter others.
I dunno. Running through several hundred buildings (some of them in the air at the time) and shouting “FIRE!” seems pretty harsh to me.
Sometimes I think people make the mistake of gauging the severity of a crime by “how long it takes to commit” or “how simple it is to commit”, and not so much by the consequences for the victims.
“The government alleges that Vaughn also participated with Duke-Cohan in reporting the hijack of a United Airlines flight bound for the United States.”
And if that allegedly hijacked airliner was shot down by US Air Force fighters what would have been the appropriate punishment? What is the appropriate punishment for endangering the lives of 300 innocents for what amounts to a purposeless, childish prank? Not even considering anything else. IMHO, Guy Fawkes comes to mind as to what should be the appropriate punishment…
Yet again, the old adage “you can run but you can’t hide” comes to mind.
The claim that “on the internet no-one knows you are a dog” may be true, but the location of your kennel will always be discovered.
I’m becoming alarmed by the frequency of similar cases. It appears to me that DDOS, doxxing and other assorted forms of petty cybercrime are becoming the cool thing to do among edgy teen gamers – a demographic I was a part of myself not too long ago.
What happened to the good ‘ol days where we just swapped warez and war dialed for Sprint codes?
[shakes fist at kids on lawn]
So, what you’re saying is that George Duke-Cohan didn’t rat on his partner, despite intense pressure? That’s somewhat admirable.
Timothy Dalton Vaughn (a great villain name, btw) was caught because of a game account that was registered anonymously with a throwaway email address?
He was dumb enough to use a moniker that was known. After you read Brian’s book, you might want to pick up American Kingpin. The main ‘character’ in that one was identified in the real world by a similar hiccup in his Internet history.
That throwaway email address came with a steep price: his IP address.
“The data also shows this person registered at the site using a Sprint mobile device with an Internet address that traced back to the Carolinas”
What no claims of Timothy Dalton Vaughn having Autism Spectrum Disorder ?
This is an honest question – does making thousands of bomb threats constitute legally defined terrorism? Seems to me that if fits (at least) the layman’s definition… actions whose sole purpose is to cause terror and disruption of normal society.
I like to think so, and I like to think that if so, it would give the authorities additional sentencing options, but I’m asking.
That’s a good question. I sure hope that’s the case, but I’m not entirely sure myself. I agree with you, if it’s not, it most definitely should be considered terrorism. These people think it’s funny to call in a bomb threat to places, but in reality, people (unfortunately) have died as a result. It’s not “just a prank” when actual lives are involved. I tend to think of the teachers and principals of the schools in those situations. Regardless of if they actually think the bomb threat is true or not, these are people (a) just trying to do their jobs, (b) trying to protect the kids, and (c) wanting nothing more than to go home and be with their families.
You think these kids were scared? I think so…
“Sandy Hook Elementary School students have been sent home for the day after a bomb threat forced an evacuation on the sixth anniversary of the massacre.”
Like so many questions, the answer depends on definitions. According to the OED, one definition of terrorism is “violence and intimidation in the pursuit of political aims”. I doubt you could prove that these youths cared about politics – so by that definition, no, they didn’t commit terrorism.
Another definition is: “In extended or weakened use: the instilling of fear or terror; intimidation, coercion, bullying.” By that definition, yes.
What matters in the courts is, of course, the legal definition. I’m not a lawyer and I don’t play one on the Internet ….
Probably not. The feds define terrorism as “the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives” (28 C.F.R. Section 0.85)
No “force and violence” and I would argue no “political or social objective”. There certainly wasn’t a political objective, and I don’t think there was a social one either. “Stirring up sh*t” isn’t a social objective. So while the actions were reprehensible, I don’t think they meet the definition of terrorism.
No political aims -> no terrorism
No it does not. Terrorism is that act of using violence to affect political change. There was no politics here and the potential for “violence” was secondary to the act. Mischief, reckless endangerment, intestate fraud or whatever else they are charged with sure, but terrorism should reserved for terrorists.
Here’s a rather well-thought-out definition of terrorism:
And the “primary site” is really entertaining/educational site to boot!
Throw away the key.
Can nobody see that ‘pussyfooting around’ with these useless so-called members of society is the cause of the increase in crime whether by cyber or traditional means today?
Rehabilitation – are you joking? These evil barstewards enjoyed the lazy life doing nothing at all except sitting behind their screens and extorting the rest of the hard-working population AND putting many in mortal danger.
Indeterminent sentensing could be the answer – just imagine not knowing if or when you will ever be released – fantastic!
Maybe Vaughn will use “BustedByFeds” as an alias after he’s released.
The punishment for many crimes including these need to be more custom tailored. Just applying a X years in prison could be adjusted to X years in work/ redemption program, with release conditional on review and continued oversight, all paid by the offenders … Hey some of the offenders could become very successful in an honest career (in the security business for this case).
You are so right, if terrorizing so many people only lands someone a few days jail per incident, there is no deterrent. It should be one month to one year per school. Which maybe isn’t enough either.
Or maybe just pay each person terrorized $20 and give them an apology. That would be a total of $120,000,000 (see my post up above)
Why do these guys always have some connection to Minecraft? I used to play it in 2014 but I thought that era of “hackers” were over
Minecraft mod coding was the way a lot of younger hackers got introduced to programming. Especially since it had the immediate gratification of pretty graphical effects as a reward for the coding efforts.
That said, there are tons of kids who picked up programming basics from minecraft and moved on to real languages without acting like the immature sociopaths the apothitwits were.
As a customer of Protonmail, I also thank KrebsOnSecurity but I was less than happy with the ProtonMail CTO who after an initial short attack, foolishly goaded the attackers with, “we’re back you clowns!”
From the “State of Security” Blog
“Hello, you have made a choice to not listen to us. I got bullied at this school and you did nothing. Now you will understand the true mean of pain. I am coming into school with 3 bombs, and a .22 hand gun. If I see any staff or student I will shoot them and kill them. When I run out of bullets, I will slit there throats and watch them bleed out on the floor. If I see any police at the school I will blowup the bombs.”
“We follow in the foot steps of our two heros (sic) who died in the Columbine High School shooting. Natural selection is coming and we plan on being the onse (sic) to start it off.”
Sounds like retaliation to me.
What does the leaked data from Town of Salem / Blank Media Games have to do with the inditement? Or is that just anecdotal?
It links his online personas/aliases to the IP address/locations of real people.
Reading the indictment it is not clear how DA is going to show that HDGZero and Timothy Dalton Vaughn are the same persona. I hope that hdgzero account at Town of Salem, registered with the email address firstname.lastname@example.org is not the only proof that they have. If it is, and they manage to indict the guy, that would be really scary.
Not sympathizing with HDGZero, but Timothy Dalton Vaughn does deserve a due process.
The hacked information is not likely the proof of identity for prosecution. More likely it was used with the other known information to justify a search warrant. The result of the search likely provided information tying all of the charged crimes to the individual.
They will get a fraction of that time, maybe a year or two.
A man who bombed my inlaws house in 2011 and 2012 received 7 years in federal. And yes, he set them off, one of which lifted both cars in the driveway 3 feet off the ground. Seven years!
The state would have to follow up with other charges once he is released next year.
These guys, a couple years and it would probably not even deter them from doing it again.
Hackers like this should have appropriate penalties, including placement on a hacker registry, much like a sex offender registry, that is available to the public. In addition, they should be banned from using computers for life, except under circumstances approved by their parole officer. I think the idea of garnishing their pay to compensate victims for “pain and suffering” would also be appropriate.
Not allowing someone to use computers is simply not a realistic punishment. First, they are criminals, do you think they are going to listen? Second, my cellphone can be used to hack, and it is quickly becoming almost impossible to survive in modern society without one. Many jobs will require them to use computers in some form or fashion, so now they can’t get jobs? Never going to be enforceable.
Perhaps something like “Computer use is restricted to devices inspected and/or controlled by the parole department or some other trusted group. Touching any other device or computer is a violation.” You can have your phone, after we lock it down and periodically check it. You can have your work computer. We have vetted and warned the IT staff of your company about you.
I Think They are very dumb.
IF They really wanted to get funds They made 2 mistakes… They was asking too much!
second… they used same wallet for all
they are Not Criminals, IF You are not Criminal you should not commit crimes!!
Only Criminals Know how to do Criminal things.
they are not mafia or organized mobsters but just silly dumb kids
All I can say is that there is always someone smarter than you…unless you’re God.
in Occult world, some People belive that iF they do sin
or other bad things they Will get same power as God has.
Where or where did you get your “occult” information from? Pretty much every occult teaching there is states that those who use the occult to cause harm will have it come back to them 3 fold, its known as the 3 fold law. There are some that consider sex as a means of enlightenment, so if thats what you mean by sin, then sure. But you seem to imply all sin, including violence, which is nonsense.
I just like your use of the word ‘hooligans’! I haven’t heard that word used in a while. Very good.
It is positive to read a report of a criminal being caught and sentenced, without details of the perpetrator’s Asperger’s syndrome overshadowing the seriousness of the crimes committed. People also need to get used to the fact that in this digital age, being able to orchestrate DDOS attacks and mask your identity online, does not equate to genius or giftedness that should result in a job offer instead of incarceration. Younger generations have had a running start with internet technology and so the new default standard should not be as revered as it appears to be in some quarters. Having said that, I think that it is tragic that young people choose to go down such foolish paths as these, essentially throwing their lives away for no good reason.
Seven, this rule is so underrated
Keep identities and profiles completely separated
Read the indictment. Count 11 is extortion and this along with the many other counts deserve 10 years in jail.
Trump is Only Hope what usa has.
Trump is Only who Will Fix all that mess in usa.
No problem giving these guys harsh sentences, you need to make examples to serve as a deterrent to the next batch of cretins.
this goofus got caught because he foolishly used his “hacker” name to play some mindless video game???
What a BLUNDER.
almost feel sorry for the guy…
But wait a minute… what if i make a new account and sign-in to my nephew’s NintendoSwitch as “HDGZero”?
Is some court gonna rubberstamp a search warrent?
Are the FEDs gonna and kick-down the door?
Seems a bit flimsy to me…
As another person already noted, very often goofs like this are used to obtain search warrants that lead to the discovery of more corroborating details.
This may not be over yet. The indictment refers to “Unindicted Co-Conspirator 1”, aka “PartialDuplex”, who is said to be resident in Hampshire (that’s the UK not US). This Apophis member is singled out for special attention, compared to various others “known and unknown to the Grand Jury”. The implication is that they know who he is and where he lives; I don’t recall seeing anything here about an Apophis arrest other that of Duke-Cohan. Either there isn’t enough evidence against him or the chances of getting him extradited on the basis of the existing evidence are not good (in which case I would advise Mr PartialDuplex to resist the temptation to go to any Hacker conventions in Las Vegas).
And as for George Duke-Cohan himself, it does look as if there is a fair likelihood that when he emerges blinking into the sunlight – what am I saying, it’s England, pouring rain – next June he may well be re-arrested immediately on the basis of the US indictment. Possible extradition to the US could not be prevented by the application of the “Double Jeopardy” principle, as that was revoked here in 2005. The FBI might have to wait until Duke-Cohan had served the remaining 18 months of his sentence “under licence”, that’s all.
So the big question is, whether the FBI is going to put young George on their “10 Most Wanted” posters. And the smaller question is, who is the Third Man?
Personally I feel that the US prison terms are about right. I seriously doubt people like this can be rehabilitated as they’re clearly seriously disturbed in ways that cannot be fixed.
Criminals like this needs to be locked up until such time they’re harmless to let out, and a couple of old geezers in their 80’s fits the bill.