Mir Islam, a 21-year-old Brooklyn man who pleaded guilty to an impressive array of cybercrimes including cyberstalking, “doxing” and “swatting” celebrities and public officials (as well as this author), was sentenced in federal court today to two years in prison. Unfortunately, thanks to time served in this and other cases, Islam will only see a year of jail time in connection with some fairly heinous assaults that are becoming all too common.
While Islam’s sentence fell well short of the government’s request for punishment, the case raises novel legal issues as to how federal investigators intend to prosecute ongoing cases involving swatting — an extremely dangerous prank in which police are tricked into responding with deadly force to a phony hostage crisis or bomb scare at a residence or business.
On March 14, 2014, Islam and a group of as-yet-unnamed co-conspirators used a text-to-speech (TTY) service for the deaf to relay a message to our local police department stating that there was an active hostage situation going on at our modest town home in Annandale, Va. Nearly a dozen heavily-armed officers responded to the call, forcing me out of my home at gunpoint and putting me in handcuffs before the officer in charge realized it was all a hoax.
At the time, Islam and his pals were operating a Web site called Exposed[dot]su, which sought to “dox” public officials and celebrities by listing the name, birthday, address, previous address, phone number and Social Security number of at least 50 public figures and celebrities, including First Lady Michelle Obama, then-FBI director Robert Mueller, and then Central Intelligence Agency Director John Brennan.
Exposed.su also documented which of these celebrities and public figures had been swatted, including a raft of California celebrities and public figures, such as former California Governor Arnold Schwartzenegger, actor Ashton Kutcher, and performer Jay Z.
At the time, most media outlets covering the sheer amount of celebrity exposure at Exposed[dot]su focused on the apparently starling revelation that “if they can get this sensitive information on these people, they can get it on anyone.” But for my part, I was more interested in how they were obtaining this data in the first place.On March 13, 2013 KrebsOnSecurity featured a story — Credit Reports Sold for Cheap in the Underweb –which sought to explain how the proprietors of Exposed[dot]su had obtained the records for the public officials and celebrities from a Russian online identity theft service called sssndob[dot]ru.
I noted in that story that sources close to the investigation said the assailants were using data gleaned from the ssndob[dot]ru ID theft service to gather enough information so that they could pull credit reports on targets directly from annualcreditreport.com, a site mandated by Congress to provide consumers a free copy of their credit report annually from each of the three major credit bureaus.
Peeved that I’d outed his methods for doxing public officials, Islam helped orchestrate my swatting the very next day. Within the span of 45 minutes, KrebsOnSecurity.com came under a sustained denial-of-service attack which briefly knocked my site offline.
At the same time, my hosting provider received a phony letter from the FBI stating my site was hosting illegal content and needed to be taken offline. And, then there was the swatting which occurred minutes after that phony communique was sent.
All told, the government alleges that Islam swatted at least 19 other people, although only seven of the victims (or their representatives) showed up in court today to tell similarly harrowing stories (I was asked to but did not testify).
Going into today’s sentencing hearing, the court advised that under the government’s sentencing guidelines Islam was facing between 37 and 46 months in prison for the crimes to which he’d pleaded guilty. But U.S. District Court Judge Randolph Moss seemed especially curious about the government’s rationale for charging Islam with conspiracy to transmit a threat to kidnap or harm using a deadly weapon.
Judge Moss said the claim raises a somewhat novel legal question: Can the government allege the use of deadly force when the perpetrator of a swatting incident did not actually possess a weapon?
Corbin Weiss, an assistant US attorney and a cybercrime coordinator with the U.S. Department of Justice, argued that in most of the swatting attacks Islam perpetrated he expressed to emergency responders that any responding officers would be shot or blown up. Thus, the government argued, Islam was using police officers as a proxy for assault with a deadly weapon by ensuring that responding officers would be primed to expect a suspect who was armed and openly hostile to police.
Islam’s lawyer argued that his client suffered from multiple psychological disorders, and that he and his co-conspirators orchestrated the swattings and the creation of exposed[dot]su out of a sense of “anarchic libertarianism,” bent on exposing government overreach on consumer privacy and use of force issues.
As if to illustrate his point, a swatting victim identified by the court only as Victim #4 was represented by Fairfax, Va. lawyer Mark Dycio. That particular victim did not wish to be named or show up in court, but follow-up interviews confirmed that Dycio was representing Wayne LaPierre, the executive vice president of the National Rifle Association.
According to Dycio, police responded to reports of a hostage situation at the NRA boss’s home just days after my swatting in March 2013. Impersonating LaPierre, Islam told police he had killed his wife and that he would shoot any officers responding to the scene. Dycio said police initially had difficulty identifying the object in LaPierre’s hand when he answered the door. It turned out to be a cell phone, but Dycio said police assumed it was a weapon and stripped the cell phone from his hands when entering his residence. The police could have easily mistaken the mobile phone for a weapon, Dycio said.
Another victim that spoke at today’s hearing was Stephen P. Heymann, an assistant U.S. attorney in Boston. Heymann was swatted because he helped prosecute the much-maligned case against the late Aaron Swartz, a computer programmer who committed suicide after the government by most estimations overstepped its bounds by charging him with hacking for figuring out an automated way to download academic journals from the Massachusetts Institute of Technology (MIT).
Heymann, whose disability requires him to walk with a cane, recounted the early morning hours of April 1, 2013, when police officers surrounded his home in response to a swatting attack launched by Islam on his residence. Heymann recalled worrying that officers responding to the phony claim might confuse his cane with a deadly weapon.
One of the victims represented by a proxy witness in today’s hearings was the wife of a SWAT team member in Arizona who recounted several tense hours hunkered down at the University of Arizona, while her husband joined a group of heavily-armed police officers who were responding to a phony threat about a shooter on the campus.
Not everyone had nightmare swatting stories that aligned neatly with Islam’s claims. A woman representing an anonymous “Victim #3” of Islam’s was appearing in lieu of a cheerleader at the University of Arizona that Islam admitted to cyberstalking for several months. When the victim stopped responding to Islam’s overtures, he phoned in an active shooter threat to the local police there that a crazed gunman was on the loose at the University of Arizona campus.
According to Robert Sommerfeld, police commander for the University of Arizona, that 2013 swatting incident involved 54 responding officers, all of whom were prevented from responding to a real emergency as they moved from building to building and room to room at the university, searching for a fictitious assailant. Sommerfeld estimates that Islam’s stunt cost local responders almost $40,000, and virtually brought the business district surrounding the university to a standstill for the better part of the day.
Toward the end of today’s sentencing hearing, Islam — bearded, dressed in a blue jumpsuit and admittedly 75 pounds lighter than at the time of his arrest — addressed the court. Those in attendance who were hoping for an apology or some show of remorse from the accused were left wanting as the defendant proceeded to blame his crimes on multiple psychological disorders which he claimed were not being adequately addressed by the U.S. prison system. Not once did Islam offer an apology to his victims, nor did he express remorse for his actions.
“I didn’t expect to go as far as I did, but because of these disorders I felt I was invincible,” Islam told the court. “The mistakes I made before, I have to pay for that. I understand that.”
Sentences that noticeably depart from the government’s sentencing guidelines are grounds for appeal by the defendant, and Judge Moss today seemed reluctant to imprison Islam for the maximum 46 months allowed under the criminals statutes to which Islam had admitted to violating. Judge Moss also seemed to ignore the fact that Islam expressed exactly zero remorse for his crimes.
Central to the judge’s reluctance to sentence Islam to the statutory maximum penalty was Islam’s 2012 arrest in connection with a separate cybercrime sting orchestrated by the FBI called Operation Card Shop, in which federal agents created a fake cybercrime forum dedicated to credit card fraud called CarderProfit[dot]biz.
U.S. law enforcement officials in Washington, D.C. involved in prosecuting Islam for his swatting, doxing and stalking crimes were confident that Islam would be sentenced to at least two years in prison for trying to sell and buy stolen credit cards from federal agents in the New York case, thanks to a law that imposes a mandatory two-year sentence for crimes involving what the government terms as “aggravated identity theft.”
Much to the government’s chagrin, however, the New York judge in that case sentenced Islam to just one day in jail. But by his own admission, even while Islam was cooperating with federal prosecutors in New York he was busy orchestrating his swatting attacks and administering the Exposed[dot]su Web site.
Islam was re-arrested in September 2013 for violating the terms of his parole, and for the swatting and doxing attacks to which he pleaded guilty. But the government didn’t detain Islam in connection with those crimes until July 2015. Since Islam has been in federal detention since then, and Judge Moss seemed eager to ensure that this would count as time served against Islam’s sentence, meaning that Islam will serve just 12 months of his 24-month sentence before being released.
There is absolutely no question that we need to have a serious, national conversation about excessive use of force by police officers, as well as the over-militarization of local police forces nationwide.
However, no one should be excused for perpetrating these potentially deadly swatting hoaxes, regardless of the rationale. Judge Moss, in explaining his brief deliberation on arriving at Islam’s two-year (attenuated) sentence, said he hoped to send a message to others who would endeavor to engage in swatting attacks. In my estimation, today’s sentence sent the wrong message, and missed that mark by a mile.
Let us give thanks to His Excellency Barack for the appointment of this guardian of the King’s Justice, Judge Moss, who once again has supported His Excellency’s goal of protecting the guilty.
Brian, You da Man!!
The facts in this case are way off in the article and the comments. Firstly, there is no parole in the Federal system he was actually on a standard Pre-Trial release which he violated.
Here’s my take on what happened; He’s arrested in the first case and works with the Fed’s during that period he is arrested in the swatting case instead of violating him and putting into custody they do nothing till July 2015 which is not unusual when the person in question is working with the Federal Govt.
Of course the time spent while in custody is considered against the final sentence you think he should be deprived of his liberty for over a year without it counting against his final sentence.
I don’t know if it is the same outside of my state, but here we count the time served before a trial times two. So if a person serves 6 months waiting for trial, they get credit for a year.
The law seems to be insufficient to properly prosecute this offender. People have gotten a year in jail for shoplifting, and that isn’t a violent crime. Swatting IS A VIOLENT CRIME! It has to be treated as such. We put pot dealers in jail for much longer and they are not dealing in data that causes financial ruin of innocent victims. Everything crime this person committed has a victim who suffered, and I am certain that a measly 2 year sentence didn’t provide adequate justice to his victims.
It us amazing to me that on thèse times on which police officers are being shot and they in turn sometimes overreact by shooting first, that the American public still feels sorry for the criminals and their rights, which they forfeited when the trespassed on someone else’s. It is only a matter of time that some innocent citizen gets killed as a result of such irresponsible and criminal actions.
Well, after first watching the news these past few weeks, then reading several articles about both cyber and conventional criminals, it isn’t hard for me, or anyone, to conclude we have a major systemic problem here. The common denominator is our political and judicial system that apparently has found themselves facing criminals that are a lot smarter than they are. The sad news is they think doing more of the same is going to change things. Time to turn things upside down and start over with the basics. Let’s start with the basic principals of good and evil, then teach our kids to be good rather than evil. Lastly we need to punish the hell out of those who choose the wrong path, with few or no excuses for bad behavior. When can we start because I am ready.
I would not say smarter … more sociopathic in a different kind of evil that the normal corruption (vote buying, groupthink) that characterizes most politicians. As for the judicial system … every one of this jerk’s criminal actions should result in a sentence independent of the other sentences. The first goal of incarceration is to get the criminal away from the rest of us so those who were harmed can recover, and the rest of us don’t get attacked either.
“Islam’s lawyer argued …” bah, the criminal is a sociopath. From Brian’s description of his behavior during the trial, I have to figure he will do something similar again. And I hope Brian will let us know when he is released from prison, as he will continue to be a threat; he will select other targets.
Hmm. Isn’t a heavily armed SWAT team a kind of weapon? Isn’t a false call to activate a SWAT team a way of misusing that weapon?
Isn’t SWATting attempted murder, or at the minimum isn’t it assault with a deadly weapon? If a member of the SWAT team touches the victim, isn’t it assault and battery?
(Don’t misunderstand me: I’m not suggesting the SWAT team members are committing those crimes. They are doing their jobs. I’m suggesting the perpetrator is using the police as a weapon against the victim.)
I think you have an extra `s` in `sssndob[dot]ru` — instead of `ssndob[dot]ru`.
It is not just various crimes by the title, it is many crimes committed against various people. That is how punishment should go, for EACH crime against EACH person who suffered from this man because that is how many times he trespassed.
Swatting as in his case, is the same as any other serious crime. Some countries would punish this as a first degree offence.
And then, when an investigation takes long, it means that there are more hidden things to find which means the offender created more lies. He should not have this time added as discount for it is what he caused.
The worry here is also what was his purpose for doing these things. Is it perhaps to create a decoy or a ‘test’ for something much larger? Only then would I say yes, let the bird fly, watch him and see where he flocks.
simple solution, once he gets out, kill the mudslime and his lawyer, extermination is the only solution
With apologies, the pedant in me just can’t let this go:
“swatting — an extremely dangerous prank in which police are tricked into responding with deadly force”
The police are tricked into an armed response – deadly force is not a given (not to belittle the fact that it is a risk, of which the perpetrators are presumably indifferent).
Maybe Mr. Islam’s sentence would have been longer if you had sent him a cease and desist letter telling him that you don’t want him visiting your website, Brian.
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/
Too bad he didnt share a few songs on Bittorrent… he’d be in jail for years and years.
“an extremely dangerous prank in which police are tricked into responding with deadly force to a phony hostage crisis or bomb scare at a residence or business.”
The bigger question which it appears nobody wants to bring up is:
Why is it so easy to get a SWAT team to bust down doors throwing flashbangs? Cops are too damn scared to actually go to a door and knock? A small amount of… INVESTIGATION maybe. That’s the real problem.
The judge being reluctant to follow sentencing guidelines is just the beginning of the crazy in this. The part I don’t get is, why was this sleazeball not charged with 19 counts of attempted murder? Because I don’t see any reason why swatting isn’t exactly that.
Swatting is a form of terrorism.
Justice was not served Mr. Krebs, makes one think there was some backroom dealing going on.
There need to be consequences to discourage things like this, but long prison sentences are not necessarily more effective when you’re talking about people who are assuming there is no risk of getting caught. It would be better to have more resources investigating minor crimes with short punishments rather than allowing most of it to go on unchecked because Justice is only interested in cases that will result in long sentences. A guy like this would be deterred by any sentence if he thought it likely he would be caught.
Some of your readers may want to see this post on the same story that goes into more details about the tragedy of justice that occurred here.
http://garwarner.blogspot.com/2016/07/hacking-carding-swatting-and-ocd-case.html
Thanks, Gary, nice post.
Actually, it looks like he was sentenced to about 48 months, there is an automatic 15% reduction in the federal system bringing the sentence down to about 4.1 months of which you spend the last six months in a half way house. I suspect he’s being released into a half way house as he’s served as much time as he is legally required by law due to the fact he was in custody for over 34 months.
Beyond ridiculous sentence, bothersome is that most of the victims wanted to remain anonymous – are they afraid of possible revenge by this scum or something ?
I’ll bet he got a light sentence _because_ he swatted the NRA spokesman. The liberal judge probably liked that.