Silent no more: Exposing a campaign that intimidated researchers and journalists
On April 20, DataBreaches.net reported that a threat actor contacted this site to say that a researcher, @ido_cohen2, had been scared off the internet after the threat actor’s colleague(s) used a fake Emergency Data Request (EDR) to obtain the researcher’s account information from Twitter. DataBreaches could see that @ido_cohen2’s Twitter account had been deleted and that his DarkFeed website had been replaced with an “under maintenance” note. The threat actor also showed DataBreaches a snippet from a message they had supposedly sent @ido_cohen2 and another snippet that suggests that they had started targeting his account on or before April 12.
In fact, this threat actor had mentioned @ido_cohen2 to DataBreaches a few times in the past in ways that suggested that he was a target of their wrath.
In the April 20 post, DataBreaches did not disclose that the threat actor had named a second individual as a possible target of an EDR attempt to unmask them. Trying to protect the researcher publicly, DataBreaches had reported that the source had written to me, in part:
[Redacted]: know any researchers
[Redacted]: who need to be unmasked
But the fuller message in that part of the chat was:
[Redacted]: know any researchers
[Redacted]: who need to be unmasked
[Redacted]: might get this guy done too
Concerned that the researcher might be in danger, DataBreaches reached out to @pancak3lullz via DM on Twitter. DataBreaches did not know @pancak3lullz before this or have any relationship with them prior to this. DataBreaches told them about the throwaway mention that they might be a target of an EDR attempt.
To say that I later regretted having tried to help @pancak3lullz protect themself would be an understatement.
Despite my urging him to keep quiet publicly and not do anything other than protect himself, he managed to find out the source’s Telegram and confronted him. Then he proudly tweeted about it. DataBreaches does not know how he found out the source’s Telegram account (it wasn’t from me), but as a result of this guy’s tweets and proudly boasting about confronting the source, DataBreaches has been subjected to more ugly threats from the threat actor. Even when @pancak3lullz was urged to stop and was told that people were being threatened because of his public tweets, he didn’t stop.
Last night, this site was threatened with being DDoSed if I published this article. But that wasn’t the only threat.
Look. i dont want to call your daughter
So be very careful what you do next.
I’m not like Sikerin, I’m worse.
If that sounds mild or confusing, it will make more sense when I have told you about the death threat too. But for now, let me emphasize this:
Twitter still hasn’t issued any response or statement as to whether @ido_cohen2’s account information was given to anyone using an EDR. Twitter does need to be transparent on this – did they give up information on someone in response to a phony EDR? And if they didn’t in @ido_cohen2’s case but now are aware of a campaign to get researchers’ and journalists’ information, what are they doing to prevent this type of attack given that there is a stated intent to misuse EDR and an intent to harm people?
Who is This?
But who is the threat actor and how did this start? And what else has he done? Let’s start with January of this year, when I first became aware of him. On January 5, this site was DDoSed and I was contacted by a stranger on Telegram. I tweeted something about it without indicating that anything scary was going on:
Well yes, my site was under DDoS attack this morning. And how is your new year going? pic.twitter.com/HAGdOaH19y
— Dissent Doe, PhD (@PogoWasRight) January 5, 2022
The stranger demanded to know who had given me the Groove scam letter that I had reported about here. The stranger kept insisting that it was someone he called “Sheriff” who gave me the draft of what was intended as a real scam attempt. I told the stranger that I had never heard of anyone named Sheriff and had no idea who he was talking about. I refused to remove the post, but told him that he was welcome to submit a comment or rebuttal and I would post it, as I would with anyone who objected to my reporting on an issue. Not unimportantly, perhaps, that scam attempt used @ido_cohen2’s Twitter identity as part of the intended scam. I had privately alerted @ido_cohen2 to that at the time.
Since that time, the source has contacted me fairly regularly, often telling me about entities he has hacked, and at other times asking for my help with certain requests. Brian Krebs has reported on information that he got from the same source, too, reporting that “Sheriff” as he is known to many, might be an Iranian state actor. Both Krebs and DataBreaches were suspicious that the source had some ulterior motives that involved trying to discredit journalists or get some basis for extorting journalists or researchers. He also seemed to have some agenda trying to get journalists to report that Sheriff was an Iranian state actor.
But while Krebs reported on the question of Sheriff and Iranian influence, DataBreaches passed on the story, despite the source having given me numerous screencaps of chats among a ransomware team purportedly showing Sheriff being discussed and thrown out for helping Iranian victims. The chat logs looked heavily doctored to me and it seemed suspicious that the source was so intent on convincing journalists to report that Sheriff was an Iranian state actor. But as part of checking into what he provided, I decided to contact Sheriff to ask him about the allegations.
On February 9, I contacted Sheriff on his thesecure.biz Jabber account. He was initially hostile and gave answers like “What’s RaidForums?” “What’s Iran?” etc. Eventually, he started to answer questions, but angrily accused me of hacking the Hotmail account that he used as his RaidForums login ([email protected]). That account had been mentioned in a federal affidavit last year involving domains registered to promote Iranian influence. I hadn’t hacked his Hotmail account (or even tried to) even though the source had given me the supposed login credentials. But it was curious that Sheriff claimed that he was locked out of the actual Hotmail account — was that a cover for the fact that the real Hotmail account was not really his account? Why would Sheriff use a Hotmail account mentioned in a federal indictment as his RaidForums login? I had no idea, but this wasn’t making sense. What also didn’t make sense was Sheriff seeming to quickly give in and angrily “admit” that he was an Iranian state actor. Note that I put “admit” in quotation marks, because that admission might easily have been a lie and part of some misinformation plot.
After “admitting” he was an Iranian state actor, Sheriff threatened that if I reported any of the chat, I would be punished. The following is a transcription of the last part of our chat, where he threatened me with the same fate as Jamal Khashoggi:
[email protected]: I will make sure you are punished if this is put online
[email protected]: You family too
Dissent: Oh ffs….
Dissent: Stop threatening.
Dissent: I don’t even know who your bosses are now.
[email protected]: My country
[email protected]: Do you know what happens to people like you?
Dissent: People like me? Journalists? Retired doctors?
[email protected]: I dare you to come to the airport
[email protected]: I will make sure you are taken care of
[[email protected] is typing…] [email protected]: You will end up like jamal, I will personally feed you to your family
[[email protected] is typing…]
At that point, I just disconnected from the chat.
But as if that wasn’t ugly and confusing enough, things became more confusing more than a week later, when my source contacted me on his usual Telegram account and told me that he had something to confess to me: that HE was “Sheriff” and this had all been a campaign he had been ordered to do by his bosses. I am not posting the transcript of that chat at this point, but the significant point is that he claimed he was Sheriff. At the end of that chat, he said goodbye and I didn’t expect to hear from him again.
But I did hear from him again. He would contact me with all kinds of requests, and like the offer of dirty money, I wasn’t the only journalist or researcher he was contacting. Some of the things he said to DataBreaches will remain off-the-record for now. But because he has threatened me and even more importantly, my children, I decided to write this post.
So let’s fast forward past March to earlier this month to when Sheriff and “MandiantLover123” started trying to get people to “neg rep” me on Breached.co, where I had registered forthrightly as “Dissent Doe,” not hiding that I am a journalist. Why Sheriff would be publicly attacking me made no sense, particularly since he had sought — and received — my help in trying to find a way to return ransom to some victims — something he said he and some affiliates wanted to do for various reasons. I had spent time contacting contacts to inquire if there was any way they could do that without the FBI trying to investigate them or track them, and had been told that there was, in fact, a way. I relayed the information to Sheriff but he never followed up, always coming up with new excuses why he wanted to speak to the FBI directly to get some assurances. Once again, as with the donation offers and Iranian state actor story, it seemed like Sheriff was trying to get information or intel but what was his end game this time? It wasn’t clear to me, but I refused to relay his request for direct contact after he had already been told the procedures to use. By then, I was convinced he wasn’t seriously going to be returning victim funds.
Parenthetically, I note that I wasn’t the only one he contacted, allegedly seeking help returning ransoms. He contacted at least two other people that I already know about, telling each one that no researcher had been willing to help him (but of course, I already had agreed to help and had gotten him the information he needed). So what was he doing testing others? What was his game? And does he really think we don’t talk to each other when we are suspicious?
Sheriff Gets Banned, and His Email Address is Made Public
In any event, and unrelated to DataBreaches, Sheriff’s account on Breached.co was banned for scamming. As is their policy on Breached.co, Pompompurin (the owner) posted the email address that had been used to register the scammer’s account and their IP address. The email address that was listed for Sheriff’s account was [email protected].
When I searched for info on the email address, I was surprised to find that that email address showed up in reporting by BleepingComputer last year about a seizure of a bitcoin wallet.
On April 18, I posted a thread on Breached.co raising the question of whether, based on the federal affidavit cited by BleepingComputer, Sheriff could be the ransomware affiliate known as Lalartu, aka “Aleksandr Sikerin, a/k/a Alexander Sikerin, a/k/a Oleksandr Sikerin.”
In a follow-up post, I noted that this might be a ruse, just like the Iranian actor story where Sheriff had used an email address from a federal affidavit to register for RaidForums. Was the engfog1337 account really his, or had Pompompurin listed it at Sheriff’s orders? And was Pompompurin really helping Sheriff or taking orders from him and other Russian threat actors? Sheriff had repeatedly told DataBreaches that Pom was a good friend to them and would do what they told him to do. I don’t know if Pompompurin is aware of those statements by Sheriff about him. Nor do I know whether there is any truth to them at all. But the existence of those claims made some things less certain than they otherwise would have been.
In any event, a few things happened after I started that thread. First, I got a private message from someone on Breached.co, asking to talk to me off-forum. Suffice to say, it wasn’t to wish me a Happy Birthday.
Second, a new user called “Deborah” suddenly appeared on Breached.co, and tried to dox me. That dox post (which I never got to see) was quickly removed and the account was quickly banned for impersonation, but “Deborah” had already sent me a private message that was still waiting for me. That message gave me 24 hours to “retract your doxxing of me or your kids are getting harassed!!!”
So Sheriff was “Deborah.” He didn’t claim that the dox post was inaccurate. He just threatened to harass my kids if I didn’t retract it.
As I mulled over what I would do in response to that threat, @ido_cohen2’s account disappeared and so did DarkFeed.io. I posted something, and then things blew up thanks to @Pancak3lullz’s tweets. And that was how I learned that yet another person had been threatened for months by someone who appeared to be Sheriff. He, too, started receiving escalated threats after @Pancak3lullz aggravated the situation. Until then, most of the threats dealt with his daughter and how she would be affected by the threat actor’s intended actions. Now Sheriff was threatening other attempts to harm this man’s reputation by planting articles that he’s a pedophile, etc.
Enough was enough.
The Time for Silence is Over
Last night, Sheriff threatened me in anticipation of this post. He made it clear to me that he was holding me responsible for what researchers were tweeting about him or doing to him. He doesn’t seem to realize that I really do not know Pancak3lullz or have any influence over him.
Nor do I have any control over other researchers who have reportedly now more fully doxxed Sheriff. They will be releasing their dox at some point. That, too, is not under my control and attempting to threaten me will not help Sheriff or his colleagues at all.
But what is under my control is my refusal to remain silent when someone threatens my children.
I am not the only one speaking up. The @radvadva account was suspended after its owner blew up at @Pancak3lullz for publicly escalating things with Sheriff. Rad, too, is speaking up now as he is tired of being threatened and intimidated. I’ve included one of the emails he has received in this post, above. I have seen many others he has received. The threats are ugly.
But if you are a journalist or researcher who is receiving attempts to intimidate you or chill your research or reporting, you are not alone and do not need to remain silent. Contact the FBI or your relevant law enforcement.
If this site disappears, this post will appear on mirrors.