YouTube, Discord, and ‘Lord of the Rings’ Led Police to a Teen Accused of a US Swatting Spree

Credit to Author: Dhruv Mehrotra, Andrew Couts| Date: Thu, 01 Feb 2024 01:28:52 +0000

A California teenager prosecutors say is responsible for hundreds of swatting attacks around the United States was exposed after law enforcement pieced together a digital trail left on some of the internet’s largest platforms, according to court records released this week.

Alan Winston Filion, a 17-year-old from Lancaster, California, faces four felony charges in Florida’s Seminole County related to swatting, or fake threats called into the police to provoke a forceful response, according to Florida state prosecutors. Police arrested Filion on January 18, and he was extradited to Seminole County this week.

Filion’s arrest, first reported by WIRED on January 26, marks the culmination of a multi-agency manhunt for the person police claim is responsible for swatting attacks on high schools, historically black colleges and universities, mosques, and federal agents, and for threats to bomb the Pentagon, members of the United States Senate, and the US Supreme Court. Ultimately, a YouTube channel, Discord chats, and usernames related to The Lord of the Rings helped lead authorities to Filion’s doorstep.

Florida prosecutors charged Filion with four felony counts, including three related to allegedly making false reports to law enforcement and one for unlawful use of a two-way radio for “facilitating or furthering an act of terrorism” that authorities say targeted people based on race, religion, or other protected classes. While prosecutors alleged that Filion “is responsible for hundreds of swatting and bomb threat incidents throughout the United States,” the charges Filion faces relate to a single May 12, 2023, swatting attack against the Masjid Al Hayy Mosque in Sanford, Florida.

An attorney for Filion was not immediately available to respond to WIRED’s request for comment.

More than a year before the swatting attack on the Florida mosque, agents with the US Federal Bureau of Investigation interviewed Filion’s father, William, at his home in Lancaster, California, according to court documents made public on Wednesday. The interview took place on April 21, 2022, the same day the owner of a Telegram channel linked to swatting activity posted, “SOMEONE JUST REPORTED ME TO THE FBI… LOL!”

In October 2022, authorities investigating swatting incidents involving calls made to a school in Anacortes, Washington, came across a Telegram user associated with multiple swatting and doxing channels. The user, “Nazgul Swattings,” had claimed responsibility in one of these channels for the threats to the Washington schools, according to the same court documents.

Over the following months, court records say, the FBI monitored channels linked to this user. One of those, a channel called Torswats (formerly Nazgul Swats), had shared recordings of nearly 20 hoax calls threatening locations around the country, including schools in Iowa, Louisiana, Maryland, Oklahoma, Pennsylvania, and Texas.

As the FBI tracked Torswats’ public channels, Brad “Cafrozed” Dennis, a private investigator, was running his own parallel investigation on behalf of high-profile Twitch streamers who’d been swatted. In December, Dennis reached out to a user behind Torswats and asked to chat on a peer-to-peer chatting service called Tox under the guise of ordering a swat. According to records shared with WIRED, not mentioned in the arrest warrant, while interacting on Tox, Dennis used Wireshark to monitor his network traffic. In the process, he uncovered an IP address and the username “Paimon Arnum,” which was previously unknown to law enforcement.

A quick search on Google uncovered a YouTube account under that name that shared similarities with other Nazgul accounts. He sent this information to the FBI.

“Nazgul,” “Paimon Arnum,” and other usernames police claim are linked to online accounts Filion used are related to J.R.R. Tolkien’s The Lord of the Rings. For example, the owner of the Torswats Telegram channel posted images of a Nazgul, which translates to “Ring Wraith” in Tolkein’s “black speech” language, according to court documents. Authorities say Filion used several usernames containing the phrase “Ring Wraith.” In emails between Dennis and the FBI, the private investigator also flagged a Discord account with the username “Dushatar,” which used a Nazgul as its profile image, court records say. The same Discord user previously used the handles “Paimon Arnum,” “Paimon Arnum Onkmokhob,” and “Paimon Arnum Angmarob,” according to court records, which investigators note are all “detailed, obscure ambiguations of words within Tolkein’s ‘black speech’ language.” Police say they also found Lord of the Rings-related words and online content linked to six Google accounts that they claim Filion used.

In April and May, the FBI sent subpoenas to Discord and Google requesting information about accounts linked to Dushatar on Discord and Paimon Arnum on YouTube. The records provided by the companies confirmed that a user had logged into both accounts using the same residential IP address in Lancaster California, court documents say.

In June, the FBI sent another subpoena to Google asking for information about five other accounts that shared cookies with the Gmail account tied to Painum Arnum. The arrest records say these accounts had watched YouTube videos about hoax shootings and bomb threats to schools around the US and had looked up things like “How many Jews are in the US,” “Criminal mastermind swatting,” ”Arm a pipe bomb,” and “Text to speech for phone call.”

On July 15, the FBI executed a search warrant on Filion’s Lancaster home and seized his phones and computers. This includes a Samsung device on which investigators say they observed Telegram activity related to earlier swatting attacks, images shared to the Torswats Telegram channel, email addresses connected to the Google accounts authorities claim Filion used, and other activity allegedly linked to the teenager, according to the arrest warrant. It’s unclear why the FBI waited until January to arrest Filion.

At 2 pm EST on Wednesday, Filion shuffled into a Seminole County courtroom and stood quietly as the judge read the charges against him. He is currently being held without bond.

https://www.wired.com/category/security/feed/