
How the Waltham cyberstalker’s reign of fear was ended

No one is truly anonymous online, not even criminals.

The recent arrest of, and federal charges against, a 24-year-old alleged cyberstalker bring to light the terrible fallout from unrelenting online harassment, and highlight that no one is truly anonymous online, not even criminals.

The crime

Arrested on 6 October, Ryan Lin of Newton, Massachusetts allegedly harassed and cyberstalked his former roommate for over a year in a manner so egregious and terrifying that it merited a federal investigation.

The harrowing details of his alleged activities are in a 28-page affidavit, written by FBI Agent Jeffrey Williams, provided by the U.S. Department of Justice—the crux of it is that Lin used email, SMS, social media and phone apps to make life a living hell for his victim; for over a year he harassed her, her roommates, her family and friends, her employers, her landlord and the community she lived in by sending death threats, rape threats, bomb threats and even child pornography.

Lin was a computer science graduate of Rensselaer Polytechnic Institute (RPI), and he had enough cybersecurity knowledge to effectively anonymize himself while he embarked on his campaign of harassment.

Outside of his formal computer science education, Lin had more than a passing understanding of infosec and opsec practices. A quick perusal of one of his active Twitter accounts reveals an interest in the Tor project, Tails (the privacy-centric Linux distribution), major data breaches like Yahoo and Equifax, and the nuances of VPN use.

The affidavit also mentions that Lin had harassed a number of former high school and college classmates. He either impersonated them with fake social media accounts under their names, or he tried to socially engineer his way into their Facebook profiles to harass them directly by creating fake profiles under the name of shared classmates.

The technology

According to the affidavit, Lin used a VPN to cover his tracks while he created the accounts that he used to send his harassing messages. VPNs hide your computer’s IP address and the traffic between you and your VPN provider is encrypted, making it incomprehensible to anyone intercepting it.

VPNs are an important security tool, but there’s one major caveat: the encrypted tunnel between you and your VPN provider protects your traffic against everyone except the VPN provider itself, which gets to see everything you send through it.

VPNs are a dime a dozen, and many of them are free. Using a shoddy VPN service provided by an untrustworthy company can put your data at more risk than not using one at all. No matter who your VPN provider is, though, you should expect them to cooperate with law enforcement if they are subpoenaed to do so.

As Lin himself noted on Twitter just days before he was arrested, a VPN can’t be relied upon for anonymity:

Something that everyone should know  – VPN provides privacy. TOR provides *decent* anonymity (if you use it correctly) #vpn #tor #broadbandprivacy

It’s interesting that given this knowledge, it seems it was his own VPN traces that ended up being key in his arrest, according to the affidavit.

Another highly portentous tweet was called out in the affidavit:

For example, on June 15, 2017, Lin, using the Twitter handle @ryanlindev, re-tweeted a tweet from “IPVanish,” that read: “Your privacy is our priority. That’s why we have a strict zero log policy.” Lin criticized the tweet, saying, “There is no such thing as VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

The affidavit details that Lin took pains to anonymize his traffic by using a mix of proxy servers, several different VPN services and Tor.

In a number of the instances of online harassment under investigation, the user both used a VPN and used an anonymizing service to mask his true IP address. Taking this two-step approach provides the user with another layer of anonymity, and demonstrates an awareness of and concern about the exact issue that Lin highlights in his tweet: the fact that VPNs track activity with logs.

From the affidavit, it appears that FBI Agent Williams used VPN logs to identify IP addresses that could be traced to Lin’s home and former employer. But that wasn’t a smoking gun, so to speak, just one of many data points used to build the case.

More data points in the case related to email addresses attributed to Lin, which he used to communicate openly with his victim and her roommates. It seems he accessed those emails using the same VPN-assigned IP address that he used to create the email accounts used to harass and threaten his victim.
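The kind of correlation described above can be sketched in a few lines; this is an added example, not code or a method taken from the affidavit. It links accounts that appear on the same source IP as a known account within a short time window, using constructed log records, hypothetical account names and documentation-range IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (account, action, UTC timestamp, source IP).
# IPs are RFC 5737 documentation addresses; nothing here comes from the case.
EVENTS = [
    ("known-personal@example.com", "login", "2017-04-01T10:02:00", "203.0.113.7"),
    ("anon-throwaway1@example.com", "create", "2017-04-01T10:20:00", "203.0.113.7"),
    ("anon-throwaway2@example.com", "create", "2017-04-03T22:15:00", "198.51.100.9"),
    ("known-personal@example.com", "login", "2017-04-03T22:40:00", "198.51.100.9"),
    ("anon-throwaway1@example.com", "login", "2017-04-03T22:50:00", "198.51.100.9"),
    ("unrelated-user@example.com", "login", "2017-04-09T08:00:00", "203.0.113.7"),
    ("anon-throwaway3@example.com", "create", "2017-04-05T12:00:00", "192.0.2.55"),
]

def link_accounts(events, known, window=timedelta(hours=1)):
    """Return {account: [(ip, gap), ...]} for accounts seen on the same IP as
    `known` within `window`. A VPN exit IP is shared by many customers, so an
    IP match alone is weak; the time window narrows it to a usable data point."""
    by_ip = defaultdict(list)
    for account, _action, ts, ip in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account))
    links = defaultdict(list)
    for ip, hits in by_ip.items():
        known_times = [t for t, a in hits if a == known]
        for t, account in hits:
            if account == known:
                continue
            gaps = [abs(t - kt) for kt in known_times]
            if gaps and min(gaps) <= window:
                links[account].append((ip, min(gaps)))
    return dict(links)

def ranked(links):
    """Order linked accounts by how many distinct IPs they share with the known one."""
    return sorted(links, key=lambda a: (-len({ip for ip, _ in links[a]}), a))
```

The account that shares the exit IP eight days later is not linked, which is why a single IP overlap is treated as one data point among many rather than proof.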

Lin could face at least five years in prison if he’s convicted.

https://twitter.com/ChrisVillani44/status/916381104126545922/

The impact

I took a special interest in this story as I live in the city that was the target of the frequent shooting and bomb threats: Waltham, a small city of just about 60,000 people.

The bomb threats started in July of this year and were sent to city schools, government offices, libraries, daycare facilities, and even a federal archive building.

The threats were not only wide-ranging but also increasing in frequency: there was a time when threats were sent to Waltham schools daily for days and weeks on end. In the span of just a few months the schools received dozens of bomb threats, with 24 threats in just one day.

Aside from the huge impact this had on local police (Waltham is a city of just 60,000 people), the emotional impact on the community can’t be overstated.

Each school bomb threat prompted school closures or a complete student evacuation until the schools were swept and deemed safe. With these threats coming near-daily, many children were scared of going to school, and more than a few parents opted to keep their kids home from school entirely.

There wasn’t much information that law enforcement could divulge to help calm fears as they were actively pursuing an investigation, and it seemed like there was no end in sight for these terrifying bomb threats as they continued.

Thankfully since the arrest, the bomb threats promptly stopped, and Waltham residents (myself included) are relieved, but also horrified at the nature of what was motivating these threats, unbeknownst to all of us at the time.

I’ll leave you with the words of Harold H. Shaw, Special Agent in Charge of the Federal Bureau of Investigation, Boston Field Division:

As alleged, Mr. Lin orchestrated an extensive, multi-faceted campaign of computer hacking and online harassment that caused a huge amount of angst, alarm, and unnecessary expenditure of limited law enforcement resources.

This kind of behavior is not a prank, and it isn’t harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in similar criminal conduct.


6 Comments

I read about this elsewhere as well, and something came to mind. When VPN providers advertise their services, they do indeed feature the point of not retaining logs by default. But in this particular case, given the clear evidence of a federal crime occurring, a federal agent could produce a secret court order to induce a VPN provider to retain logs on a particular user, no?


Indeed I imagine that’s a possibility, whether or not that happened here I can’t determine from the information at hand. Given how long Lin was known to authorities, I imagine once they were on his trail it wouldn’t have taken long to get that set up, even though, as you say, the VPN provider in question makes a point of saying they don’t retain any user logs. Caveat emptor to those using VPNs to try to escape law enforcement.


Let’s not forget that the biggest help in Lin getting caught came from the victim. If she had a short memory, Lin would not have been caught. She had no enemies until he came into her life as a roommate. When they parted ways on very bad terms, that’s when her life became a living hell. Investigators obviously asked her who could possibly do these things to her, Lin’s name came up. And since she already knew he had a deep computing background just makes him the top suspect. It didn’t take long for law enforcement to check Lin’s background, criminal history, and just follow the breadcrumbs.
