Ottawa Citizen

Teen in hacker storm had troubled past, say others

- VITO PILIECI

At 16, he is accused of launching a campaign of online harassment that authorities allege spanned three provinces and eight U.S. states.

Yet while the dozens of criminal charges against him made headlines in May, it has been the past week and a half that has truly thrust the suburban Ottawa teenager into the spotlight.

In that time, a mysterious hacker has emerged to take down the City of Ottawa website and other sites and threaten further online vandalism — all, the hacker claims, in the name of helping the accused teen.

Who is this hacker? Who is the teenager? They are not the same person, insist the hacker and the boy’s father.

The hacker goes by the name “Aerith” and has a consuming interest in the case of the Barrhaven teen. Little else is known about him or her.

The teenager, in the charges made public in May, is accused of offences relating to what’s known as swatting, or making prank calls to send first responders to bogus emergencies. The charges have not been proven in court.

The boy, through his father, has declined to speak to the Citizen.

Information provided by two people who say they have had dealings with the boy paints an unflattering picture of a teen allegedly involved in questionable online activities.

They allege that the boy has admitted in the past to launching distributed denial of service (DDOS) attacks — similar to those that have been launched against websites in Ottawa, Toronto, Calgary and Laval, Que., in recent days — and that he allegedly was caught using numerous aliases to hide his real identity.

Sven Slootweg, a software developer in Dordrecht, Netherlands, said he had a run-in with the boy in November 2012.

Slootweg alleges the boy posed as a new user of a website that hosts a forum for the tech community, and tried to sell online storage and computing services at bargain rates. Several people jumped at the offer but the services never materialized, Slootweg says.

“It was a sales thread disguised as an introduction thread,” Slootweg said. “I did some further searching, and ended up with his real name.”

Slootweg, an administrator with the website, said the search turned up multiple aliases, many with the same email address.

Following those aliases led to other activities in which the teen was allegedly involved, including hackforums.net (a website dedicated to sharing information about malicious activity online) and numerous sites on “doxing” — mining and displaying personal information.

The boy was also allegedly involved in operating a website on which someone bragged about malicious online activity. The website is no longer active, but an Internet archiving service shows many questionable posts on the site, including a claimed DDOS attack on web hosting company FusionRax in August 2013.

A second forum member, Jarland Donnell, 29, an information-technology worker from Texas, claims to have intervened with the boy.

“I decided to keep him in check by threatening to call his mother at (her place of employment),” Donnell said. “This worked very well and managed to upset him. However, it resulted in him hiding his identity better. He began creating new identities using a local TOR (anonymity network) exit point in Ottawa. The forum staff could see through it every time. It was obvious.”

Donnell said he posted a link to the mother’s Facebook page on the forums. According to Donnell, he received a message almost immediately reading, “I’d like you to remove that URL address please ... I’m issuing refunds on request.”

Slootweg said he also was trying to get refunds for forum members.

“I eventually managed to get hold of (the boy) on Skype through a mutual acquaintance, and informed him that if he wouldn’t write an honest letter about his situation, refund those affected, and stay away from any shady/scamming business in the future … I would be publicly releasing all his information and history of scams/shady practices in a Google-able format. In other words, a last chance for him to clean up his act before really going public with it.”

Forum members also attempted to contact the teen’s parents and school, the Dutch website administrator said.

Slootweg said the teen did write the letter of apology he had requested.

“What I have done is wrong and I understand that you guys will hate me from now on, which I do not blame you,” reads the letter that Slootweg said he received. “I’ve had a rough life all my life, I thought computers were the best thing for years, however I always liked money. I’d do what ever I had to, to have money. I have a mental issue also (like none of you care anyways), so its really more challenging me for me (to) do things.”

The letter added: “I also like’d to request you leave me and my friends/family alone, I have quit the hosting business and I am sticking to what I like, programming …”

Slootweg said he was unaware of the alleged swatting attacks until he was contacted by the Citizen.

“He has been involved in DDOS-related business and some other shady things before, as far as I’ve been able to find. That was apparently a while ago, though, and he’d claimed to no longer be involved with that,” he said.

Donnell, in Texas, was the target of an alleged swatting attack last April in which a fully armed team showed up at his door in Houston.

“The caller told the police that he was holding my family hostage and would begin killing the hostages soon,” he said. “At the exact time that this took place, the caller visited (my company’s) website and opened multiple support tickets taunting me about the swatting that was taking place. The visitor came from an Ottawa residential IP address.”

Donnell had no further information on who carried out the alleged cyber attack.

The father has maintained his son’s innocence. He said his son was not particularly active online before his arrest in May.

“He would play some video games with his brother and stuff, but that was it,” said the father, who cannot be named.

The father admitted being made aware of unspecified allegations about his son’s activities.

“The school mentioned something to me. I never looked into it. It was all bulls--- lies and outright nonsense and I ignored it. I do not believe there is any truth to any of it.”

The father said the hacker has provided evidence to exonerate his son in the form of a message posted on an anonymous Twitter account alleged to have been used by the boy.

The post, which appeared on the account @ProbablyOnion2 on May 8 at 6:16 p.m., read: “Still waiting for the horsies to bash down my door.” The father said the boy had been arrested around 3 p.m. that day and questioned how the tweet was posted if the teen was already in jail.

On Nov. 21, the hacker identifying himself as Aerith began his cyber attack, initially claiming to be part of the activist group Anonymous. He was quickly disavowed by Anonymous and changed his claim to state he was part of an independent group. The hacker attacked the City of Ottawa website and then targeted websites of the Supreme Court of Canada, Ottawa police and others.

Last week, the boy’s father confirmed that police have identified the father as a “person of interest” in the case. He has denied having anything to do with the hacker or his acts.

Numerous email conversations between the hacker and the Citizen, in an attempt to determine his intentions, reveal a seemingly close knowledge of the family of the accused teenager.

While a Citizen reporter was interviewing the father, the hacker tweeted at the reporter saying, “I hear you’re speaking with the youth’s father right now.”

Aerith told the Citizen he decided to attack the website of a defence contractor last week because he had discovered that the contractor was about to terminate the employment of the teen’s father. Asked about how the hacker knew about the possible termination, the teen’s father denied his employment was in question.

The boy’s father also denies he has ever had a conversation with the hacker and has openly said he does not support Aerith’s DDOS attacks.

Aerith says he is in regular contact with the family. He has said he is not the teen or the father.

DAMIAN DOVARGANES/THE ASSOCIATED PRESS FILES: A Barrhaven teen is accused of ‘swatting’ — prank calls sending first responders to bogus emergencies.
