Federal authorities arrested a 58-year-old Colorado Springs man after unravelling the origin of a "Declaration Of War" that threatened harm or death to Elon Musk, owners of his Tesla vehicles, and members of President Donald Trump's Cabinet.
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks. That information is tracked by Google, per the affidavit. Other unusual activity was traced through Payne’s VPN or network provider.
So, Google stopped him, and his VPN provider. I’d like to know who his VPN provider was.
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks
I really don’t get that part. How did they make the connection?
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Investigators from the Federal Bureau of Investigation’s Joint Terrorism Task Force retraced the roots of the digital messages Payne allegedly sent to the media outlets.
Okay, so where did the “digital messages” come from?
According to the affidavit, Payne used a Proton email address,
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
Other unusual activity was traced through Payne’s VPN
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
or network provider.
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
That information is tracked by Google
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks. That information is tracked by Google, per the affidavit.
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
Messages from his burner phone, too, matched the number Payne had listed in his personal contact info while applying for unemployment benefits in February.
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
Perhaps. I’ve always wondered if the VPN providers were playing games with semantics. It would be possible to not log, but still see events happening in real-time and report those. In the IT world “logging” is the capturing of events that occurred in the past. “Monitoring” is seeing events that are happening in real-time".
So a request could come in saying “when we see activity from IP X let person Y know what is happening”. The VPN provider would technically not be logging, but the activity of the user could still be tracked. Again, I’m not saying this is what happens at any of these VPN companies, I’m simply posing a series of events that could occur while the VPN companies statements would still be factual to their advertising claims yet result in the outcomes that customers specifically want to avoid. This is just a thought exercise. I have no evidence any of this happened.
Thanks for the clarification. I read that paragraph several times and couldn’t make sense of it.
As someone who uses Proton, Signal and a VPN (always), it is concerning how easy it seemed to track this guy down. Granted I’m not doing stupid shit like this guy, but authoritarians have a broad definition of “stupid shit”.
Isn’t Proton based in Switzerland and could just tell them to shove the subpoena?
My guess is that he was using his phone for tethering to a laptop, and he had a google account associated with his browser. So even though he was going through a VPN, it would show THIS SET OF CREDENTIALS logging in from all the different exit nodes of his VPN provider.
Alternatively, he could have logged into his Google account from the burner phone (not a good idea), or even just created a new Google account, which again, would show logins from a bunch of different exit nodes of his VPN provider.
I don’t know enough to know how severe a problem that is. Mainly I just see it as another added layer of obfuscation, nothing is perfect if it connects to the internet.
So, Google stopped him, and his VPN provider. I’d like to know who his VPN provider was.
This is a VERY good question.
https://en.m.wikipedia.org/wiki/Parallel_construction
They found it with shady shit and invented how they could have done it afterwards
I really don’t get that part. How did they make the connection?
You try to login to your google account with the right credentials from several different locations? Yeah that’s suspicious.
1-3 regular locations per account is a bit more normal
Suspicious to Google sure, but I don’t see how the authorities would get involved.
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Okay, so where did the “digital messages” come from?
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
A non-logging VPN provider should not be able to assist with this step.
Perhaps. I’ve always wondered if the VPN providers were playing games with semantics. It would be possible to not log, but still see events happening in real-time and report those. In the IT world “logging” is the capturing of events that occurred in the past. “Monitoring” is seeing events that are happening in real-time".
So a request could come in saying “when we see activity from IP X let person Y know what is happening”. The VPN provider would technically not be logging, but the activity of the user could still be tracked. Again, I’m not saying this is what happens at any of these VPN companies, I’m simply posing a series of events that could occur while the VPN companies statements would still be factual to their advertising claims yet result in the outcomes that customers specifically want to avoid. This is just a thought exercise. I have no evidence any of this happened.
Thanks for the clarification. I read that paragraph several times and couldn’t make sense of it.
As someone who uses Proton, Signal and a VPN (always), it is concerning how easy it seemed to track this guy down. Granted I’m not doing stupid shit like this guy, but authoritarians have a broad definition of “stupid shit”.
Isn’t Proton based in Switzerland and could just tell them to shove the subpoena?
Nice summary. Thank you for taking the time to create it.
That makes much more sense, I appreciate the explanation.
deleted by creator
Oh fair. I guess Google peeked into a suspicious account, saw messages, and alerted the police. Yeah dark.
My guess is that he was using his phone for tethering to a laptop, and he had a google account associated with his browser. So even though he was going through a VPN, it would show THIS SET OF CREDENTIALS logging in from all the different exit nodes of his VPN provider.
Alternatively, he could have logged into his Google account from the burner phone (not a good idea), or even just created a new Google account, which again, would show logins from a bunch of different exit nodes of his VPN provider.
Are you saying we all need to install a continually rotating VPN when we’re surfing the internet? As chaff?
Yeah but I think Tor and…not using big corporate USA internet services to begin with would help.
Would mullvad VPN have given up that information? Which VPN matters too.
I was under the impression most Tor exit nodes are suspected of being run by government entities.
Also, does Tor protect anonymity when browsing the Clear Web, or only while fetching .onions?
I don’t know enough to know how severe a problem that is. Mainly I just see it as another added layer of obfuscation, nothing is perfect if it connects to the internet.
Or you could just not threaten to murder people
But some people could do with a good murdering though tbh.
I don’t know…seems like an impossible task.
If you use a VPN for official or login services, access those services from the same VPN endpoint.
If you use it for anonymous stuff, go nuts.