Business Harassment: Identifying Historic Threat Actors

Sometimes, threats and harassment of individuals can take place over a long period of time, but often, substantial damage can take place over a shorter time frame - say, a few months. This was the case for a business owner client who had received anonymous harassing messages and threats over several months in 2012. While the threats had stopped, the client always remained cautious about the historic events, and recently asked us to take a look.

The threats took the form of emails from a Gmail account that had no background history associated with it (i.e. no real user name, no reviews, no photos etc). Essentially, the Gmail account provided no further information on its owner or their location.

However, our in-house threat database revealed that this particular email address was part of a data set that was being traded on underground forums. From observing that data, we managed to determine a particular username. When we took that username and further investigated, we found several social profiles for other services that used the same username. Unfortunately, all these social profiles led nowhere. The person who committed the harassment was meticulous about covering their tracks. Worse still, they had stopped using that email address many years ago - meaning there were no digital breadcrumbs we could collect through time.

We placed this email and username on our ‘cold case’ list, meaning we would recheck for any new uses each month. Just two months later, after a break of many years, the individual started using the same username again - this time on a dating site. The extra details on that public profile allowed us to confirm the identity of a person who had also been a customer of our client around 2012. The person who had been harassing our client had then moved from being a customer of our client to funding a direct competitor. It appears the harassing behaviour was intended to destabilise our client and take their attention away from their business, while the harasser launched a new enterprise in the same sector.

Our client was aware of a competitor who had been copying their business intellectual property for several years, but hadn’t made the connection between the business competitor and the personal harassment. We delved a little deeper for the client and found further anonymous accounts used to harass other businesses and individuals over a long time frame. The person committing the harassment now holds a prominent public-facing role in another business sector, whilst remaining a ‘quiet partner’ in the business that competes with our client.

This is a perfect example of where one small mistake can de-anonymise a threat actor, even if activities took place over a decade ago (we can go back to the 1990s if required). The person responsible had schemed to take attention away from a new competitor through a series of threatening digital harassment messages. They then effectively disposed of all digital aspects that could tie them to their activity. However, as their activities brought no repercussions over time, they felt safe to restart their usage of their original email address and username… and this is what enabled them to be identified.
