Feds nab tech-savvy cyberstalker with help from VPN provider

Can you say psycho? At least that is what a person might think after learning about a cyberstalking campaign that seems more like something out of a horror flick than real life.

However, an affidavit shows what a technically savvy, yet twisted mind can do. The cyberstalking lasted for more than a year and a half, with the person using TOR, VPN and anonymous overseas texting and email services, until the FBI was able to recover forensic artifacts from a work computer and determine overlapping service providers thanks to help from VPN service provider PureVPN.

According to the Department of Justice press release, 24-year-old Ryan Lin allegedly waged “an extensive, multi-faceted campaign of computer hacking and cyberstalking that began in April 2016 and continued until the date of his arrest [Oct. 5].”

He “allegedly carried out a relentless cyberstalking campaign against a young woman in a chilling effort to violate her privacy and threaten those around her. While using anonymizing services and other online tools to avoid attribution, Mr. Lin harassed the victim, her family, friends, co-workers and roommates, and then targeted local schools and institutions in her community.”

Craigslist>roommate from hell>victim’s lack of security to protect privacy

The whole thing started with a Craigslist ad by the victim, referred to as Jennifer Smith, and her roommates, who were looking for another roommate. That is how Ryan Lin entered their lives.

According to the affidavit, which was posted on New England Cable News, Smith unfortunately had no lock on her bedroom door. Plus, her MacBook was not password-protected and contained a document with all the passwords to her online accounts. One of those accounts was Google, and Google Drive was where she stored her diary.

Spoofed emails contained explicit photos and diary entries

Lin, the feds said, spoofed emails, making it appear as if Smith sent them. The emails contained a sexually explicit collage of her photos and private diary entries about her “medical, psychological and sexual history.” The spoofed emails were sent to “hundreds of individuals connected to Smith,” such as her co-workers, 13-yr-old sister, roommates, parents, parents’ work colleagues, former teachers and school administrators.

That’s not all. Lin allegedly also sent the email that appeared to be from her to the car dealership where she leased her car and even to some faculty members where she attended university. Additionally, Lin is accused of spoofing the victim’s father’s email address and sending the sexy photos and four diary entries to about 50 school email addresses.

Besides texting Smith with intimate details from her online diary, Lin also flushed her meds — or it seemed that way after a plumber found one of the missing bottles stopping up the toilet. A month after Smith moved out, she came back to retrieve the rest of her belongings and found her diary “printed and strewn around her bedroom.”

Lin didn’t just victimize Smith, although she was the primary target. He also allegedly snooped on her other roommates’ computers and claimed to have installed hidden cameras in the apartment. He allegedly sent child porn to one roommate’s mom, her former roommate and two college classmates. The feds were told that Lin had a history of harassing his former classmates and having “disturbing interactions” with a former roommate.

Other “threatening and harassing communications” sent to Smith encouraged her to commit suicide. He sent messages to those she knew that threatened to rape and/or kill Smith and her friends.

Bomb and shooting threats, doxing, sockpuppet accounts

Additionally, Lin — pretending to be other people associated with Smith — allegedly sent online threats to blow up or shoot up local schools and residences. Prosecutors said the bomb threats to public and private schools and daycare centers began in July and continued into October.

After a year of cyberstalking, Lin allegedly started a doxing campaign with details such as Smith’s name, address, date of birth, phone numbers, online accounts, passwords and so on.

Lin reportedly set up fake profiles using the victim’s name and filled them with rape fantasies and solicited men for BDSM fantasies. “At least three” men showed up at her house in response.

After Smith moved out, locked down the privacy settings, and blocked Lin on Facebook, he created sockpuppet accounts. He allegedly tried to “friend” her friends and family and then her after some accepted. When she didn’t fall for that, he then supposedly set up four different Instagram profiles and tried to “friend” her through those.

Lin even allegedly setup a fake profile on the petting sitting site Rover.com and sent her as many as 29 messages on her new phone in one day, messages associated with the anonymous texting service TextNow and the fake pet owner account. The affidavit claimed he sent porn and Smith’s journal excerpts to 10 other pet owners. Claiming to be Smith, he told one person for whom she was pet sitting that she had killed their pet.

Busted thanks to forensics and help from PureVPN

Lin was a graduate of a technical university and had obtained a degree in computer science. Prosecutors said he managed to conceal his identity using overseas encrypted email providers, such as using the service to register social media accounts under fake names with email accounts specifically set up to create those accounts. He sent anonymous messages from “burner” temporary phone numbers and used an anonymous texting service. By also using a VPN and TOR, he managed to evade detection for over a year.

Eventually, the feds uncovered overlapping service providers. The FBI found artifacts on the PC Lin had used at his former software company employer even though Windows had been reinstalled on the computer. In the unallocated space, the FBI found Chrome artifacts referencing the bomb threats, the username for TextNow, Lin’s name on Protonmail, artifacts showing Lin had visited Rover.com (pet sitting site) and FetLife.com, which were used in the cyberstalking campaign, as well as artifacts showing repeated access of Lin’s personal email account.

The feds also found artifacts for PureVPN, the VPN service used in the cyberstalking campaign. PureVPN determined “that their service was accessed by the same customer from two originating IP addresses: the RCN IP address from the home Lin was living in at the time and the software company where Lin was employed at the time.”

Harold Shaw, FBI special agent in charge, said Lin “orchestrated an extensive, multi-faceted campaign of computer hacking and online harassment that caused a huge amount of angst, alarm, and unnecessary expenditure of limited law enforcement resources. This kind of behavior is not a prank, and it isn’t harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession. No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in similar criminal conduct.”

Lin was arrested Oct. 5. The DOJ release stated, “The charging statute provides for a sentence of no greater than five years in prison and three years of supervised release.”