How suspect in attack on Akron’s city websites was tracked down
The hunt was on for who attacked the city of Akron’s websites last year.
Someone on Twitter who identified himself as AkronPhoenix420 — a person who was part of the international activist movement Anonymous — had already claimed credit online.
But investigators didn’t know who was behind the Guy Fawkes mask.
Security staff at an Akron tech firm, eyemg, suspected the attacker did digital surveillance before unleashing a barrage of internet traffic that crippled the city’s websites.
And when they started analyzing IP addresses, they quickly zeroed in on 24.93.205.42.
Whoever was behind that IP address appeared to be doing reconnaissance July 6-July 30, testing to see how vulnerable the city sites were before launching the attack Aug. 1.
Now that they had an IP address, investigators started the “legal process” with private companies to find the attacker’s identity, court records said.
They began with Charter Communications, which does business as Spectrum. The company reported the IP address 24.93.205.42 belonged to a customer named James E. Robinson who had a contact phone number that began with 989, an area code from central Michigan.
Investigators next went to that phone number’s provider, Verizon, and learned that the Michigan phone number matched a James E. Robinson of Akron.
Twitter, meanwhile, pulled IP connection records for AkronPhoenix420 and revealed the same name — James E. Robinson — to investigators, court records said.
Investigators thought they had their man, but waited and watched as attacks hit websites connected to the National Institutes of Health, the U.S. Department of Treasury, the U.S. Department of Defense and others around the world.
“These attacks bear many similar characteristics such as the method of attack and the targeted domains were specifically mentioned by twitter moniker AkronPhoenix420,” FBI Agent Michael G. Gerfin wrote in an affidavit.
How could Robinson — a factory supervisor who couldn’t hold on to a legal driver’s license — be so internet savvy? Experts say he didn’t have to be. There’s an app for that.
Europe-based webstresser.org marketed itself as a benign testing service that companies could use to see how well their own websites could stand up to a distributed denial of service attack, or DDoS.
But European law enforcement, who shut down the business in April, said the company in reality knowingly sold nefarious internet tools to people like Robinson, who used them to launch cheap, effective attacks that shut down websites by overwhelming them with traffic.
Americans, Forbes reported, made up the majority of webstresser.org’s customers — and their targets.
Packages cost between $18.99 and $49.99 per month.
Once international law enforcement rounded up the administrators of webstresser.org, police around the globe began following up with their clients.
“The message here is that people who use these services will not stay anonymous,” Gert Ras, head of the Netherlands National High Tech Crime Unit, told Forbes.
On the day news broke about the webstresser.org raid and shutdown, AkronPhoenix420 tweeted that a “stressor” he used in all of his attacks “had been wiped out.”
“Always remember to protect yourself for the safety of your own life and others. we do not play games ... this is not a joke ... it is not a click ... it is not a gang,” he tweeted. “it’s a way of life. we are who we are because we believe in something better for the world, for everyone.”
In a separate tweet, AkronPhoenix420 seemed determined to battle on despite the loss of webstresser.org.
“You cannot kill an idea as long as one person still believes..because ideas are bulletproof,” he said.
“I myself would gladly put my name in my life at risk if it meant saving the lives of others.”