Full Report
Callum Dare encouraged others to carry out dangerous hoaxes, made mini-movies from the footage
Analysis Summary
# Incident Report: Swatting Facilitation and Phishing Possession (Callum Dare)
## Executive Summary
Callum Dare, a 26-year-old administrator for the "Doxbin" platform, was sentenced to prison for encouraging and assisting global "swatting" attacks. Operating under the aliases "Chans" and "KT," Dare incited dangerous police responses by sharing "mini-movies" of previous raids and providing a platform for coordination. The incident resulted in international evacuations, major city disruptions, and the diversion of critical emergency resources before he was identified via digital forensics and financial trails.
## Incident Details
- **Discovery Date:** May 2019
- **Incident Date:** 2018–2019 (Active period)
- **Affected Organizations:** LAPD, University of California, Sandringham Hotel (Cardiff), Western Mail, etc.
- **Sector:** Public Safety, Higher Education, Media
- **Geography:** UK (Wales), US, and Canada
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late 2018
- **Vector:** Dark Web Platform Administration/Social Engineering
- **Details:** Use of the Doxbin platform and the "#deadnet" IRC/chat channel to coordinate/host PII (Personally Identifiable Information) for targeting.
### Lateral Movement
- **N/A:** As a facilitator/administrator, Dare’s movement involved navigating various digital anonymity layers (Dark Web, IRC) rather than a single corporate network.
### Data Exfiltration/Impact
- **December 17, 2018:** Swatting of Sandringham Hotel in Cardiff; St Mary Street evacuated.
- **University Targets:** Bomb threats against a UC lecture theater and a separate US university during political protests.
- **Individual Target:** Canadian programmer swatted following a false report of a shooting and hostage situation.
- **Digital Contraband:** Possession of "The Man in the Onion" phishing kit designed to steal crypto-wallet credentials.
### Detection & Response
- **May 2019:** Investigation launched after the FBI provided intelligence to South Wales Police and Tarian ROCU.
- **Identification:** Cross-referencing Doxbin chat logs with a PayPal account and associated email address linked to Dare’s residence.
- **Arrest:** Dare arrested in Talbot Green; devices seized for forensic analysis.
- **July 2024 (approx.):** Dare sentenced to two years and three months in prison.
## Attack Methodology
- **Initial Access:** Recruitment and coordination via Doxbin and #deadnet.
- **Persistence:** Administrative roles on Dark Web infrastructure.
- **Defense Evasion:** Use of aliases ("Chans", "KT") and Dark Web anonymity tools.
- **Credential Access:** Possession of a phishing kit ("The Man in the Onion") for future credential harvesting.
- **Discovery:** Doxing (gathering PII) of targets to facilitate physical harassment.
- **Impact:** Psychological warfare, physical danger to targets, and massive disruption of public services via "Malicious Communications."
## Impact Assessment
- **Financial:** High local impact due to city-wide closures (Cardiff) and emergency service deployment costs.
- **Data Breach:** Exposure of PII via the Doxbin platform.
- **Operational:** Disruption of university lecture schedules, hotel operations, and emergency response availability for genuine crises.
- **Reputational:** High public fear and erosion of safety for targeted high-profile individuals and organizations.
## Indicators of Compromise
- **Network Indicators:** Traffic associated with Doxbin[.]org (defanged) and related IRC channels.
- **File Indicators:** "The Man in the Onion" phishing kit files.
- **Behavioral Indicators:** Patterns of "doxing" followed by immediate coordinated hoax calls to local law enforcement.
## Response Actions
- **Containment:** Takedown and seizure of Doxbin and #deadnet chat logs by international law enforcement (FBI/Canadian Authorities).
- **Eradication:** Arrest of the administrator and seizure of digital devices containing criminal evidence and phishing kits.
- **Recovery:** Public messaging from the Crown Prosecution Service to deter similar "swatting" activities.
## Lessons Learned
- **Cross-Jurisdictional Cooperation:** The incident highlights that international agency (FBI, Tarian, Canadian authorities) data sharing is essential for deanonymizing Dark Web actors.
- **OPSEC Failures:** Despite using Dark Web platforms, the actor’s link to a legitimate financial account (PayPal) provided the critical link for identification.
- **Psychological Profiles:** The actor leveraged his technical role to satisfy personal "thrills," indicating that "insider" facilitators are often motivated by subculture status rather than direct financial gain.
## Recommendations
- **Public Safety Education:** Enhanced training for dispatchers to identify "swatting" markers (e.g., VoIP artifacts, fake accents, specific scripts).
- **PII Protection:** Organizations should monitor "doxing" sites for employee or executive data to provide early warning of potential physical harassment.
- **Enhanced Crypto-Security:** Users should employ Hardware Security Modules (HSMs) to protect against credential-harvesting phishing kits like "The Man in the Onion."