Russian police are investigating a man for allegedly emailing bomb threats. He says he's just an ordinary Tor user

The unidentified man in this case has asked Meduza not to reveal his name or the city where he lives.
In October 2016, local officials in a Russian city received an email threatening an impending terrorist attack. Sent at 2:20 a.m. on October 17, the note described alleged plans to set off an explosion at a local shopping center. According to local court records obtained by Meduza, officials determined that the bomb warning was an intentional hoax, and on October 19 police launched a criminal investigation into the matter.
The investigation was carried out in part by Russia’s Federal Security Service (FSB). According to court records, FSB agents established that the email about the supposed terrorist attack was sent from the IP address 163.172.21.117 (which is registered in Paris, according to a RIPE network database query). Agents say they’ve learned that this IP address is actually a “service for disguising and substituting addresses,” claiming that it started operating as a Tor exit node in September 2016.
The FSB thinks it knows who sent the email: a Tor user living in Russia who accessed the French exit node around the time that the bomb threat was emailed. Russian officials say the IP address 163.172.21.117 was accessed within the city from 1:30 a.m. to 3 a.m. on October 17. The FSB says it's identified a Tor user who could have sent the email. The man in question is currently being treated as a witness in the case. After this discovery, the FSB apparently ended its involvement in the investigation, according to court documents.
The man in question confirms that he is a Tor user, telling Meduza that he has several anonymizers installed and operating on his computer. He says he uses the software to access websites blocked in Russia: most often torrent trackers and websites about anime. The man says he can’t remember if he was using Tor at the time the bomb threat was transmitted, but he insists that he never sent any such email. He maintains that thousands of other Tor users could have been using the same exit node when the message was sent, arguing that any of them could be responsible for the email.
Police raided the man’s home and seized all his computer equipment. He told Meduza that officers came to his door at 7 p.m. on December 29, 2016. “They handed me a court order. Then they started rummaging through all my things in my room, and sealing up my computer equipment. They only looked at the other rooms. In total, they took all my equipment: two computers, all my phones, all my flash drives, and even a broken film camera. They even thought about taking my monitor, but then they reconsidered,” he said. That same day, police officers interrogated him. “They asked if I’d installed anonymizers on my computer, why I’d done it, and what sites I visited,” the man said.
Police also read him the email sent to officials about the terrorist attack, asking him if he wrote it. The man says the email is “complete madness,” paraphrasing its contents as: “I’m on my way to your city. Soon I’ll blow everything sky high, and all around there will be nothing but blood and pieces of meat.”
In the nine months since the raid, the case has been silent. The man told Meduza that he wasn’t summoned for further questioning after December 29, and he’s received no new information about the investigation, though he says he expects police will change his status in the case from witness to suspect. “I’m apolitical. I’m not campaigning for [opposition politician Alexey] Navalny. I’m basically a nobody. I’ve never even been charged with a misdemeanor. I’m just a guy on the Internet, always at my computer and never leaving the house. Without any money or connections, I’m the ideal target to pin this on. I can’t do anything to resist,” he said. Local police refused to discuss the case with Meduza.
On August 15, the man went to the police station on his own to inquire about the investigation’s progress. Officers told him that the case materials are still under examination, but they promised that the review would be completed by early September.
On October 17, 2016, administration offices in several cities across Russia received emailed bomb threats. According to court documents, phony threats were uploaded to city government websites in St. Petersburg, Yekaterinburg, Kaliningrad, and Yaroslavl. Police say the message sent through the Yekaterinburg city website was emailed from the address vzriv.terrorist@yandex.ru (“explosion terrorist” at yandex.ru). The city’s online interface requires no email verification, meaning that any Internet user in the world could have registered the bomb threat using this address. None of the other cities that received the bomb threats (including the unnamed city discussed above) require email verification, either. The court documents obtained by Meduza do not specify what email addresses were used to deliver the bomb threats in other cities.
After an examination of vzriv.terrorist@yandex.ru, police identified a second person involved in the case. The email address was registered using a private paid server that investigators say belongs to “CloudPro,” which rents server space. Police learned that this server’s services were purchased for the email address through a Yandex e-wallet registered to a phone number that belongs to a Megafon subscriber named Dmitry Chechikov. Court documents state that the payment was made “to register the email address,” but investigators are presumably saying that the payment was to rent server space to use as a VPN when registering the email address on Yandex.
Court records show that Chechikov, who refused to speak to Meduza, was convicted of sending out emails with fake terrorist threats 17 years ago in Vladimir, though it’s unclear if he was ever punished for the crime. The witness in the case who spoke to Meduza says he’s never met Chechikov.
On July 30, Vladimir Putin signed legislation banning services that allow Russians to circumvent blocked websites. The president signed a series of laws banning the use of tools to evade Internet censorship. The new measures take effect in November 2017, empowering the police and Federal Security Service to identify certain online services (anonymizers, VPN, and other instruments) that help Internet users gain access to blocked websites in Russia. If the owners of these services refuse to block access to websites banned in Russia, the services themselves will be blocked.
Um, that’s a pretty confusing story. Can you explain it again, but without so many details?
(1) In October 2016, somebody emailed bomb threats to the City Hall websites in several cities across Russia, including St. Petersburg, Yekaterinburg, Kaliningrad, and Yaroslavl.
(2) With each of these bomb threats, the perpetrator(s) apparently used some kind of anonymizing software to send the emails.
(3) There’s at least one criminal investigation into these emails, and we know of two people the police consider to be involved. One man was singled out because he accessed the Tor network at the same time that his local City Hall received a bomb threat. The second individual was identified through the email address used to send the fake bomb threat to officials in Yekaterinburg.
(4) The first man singled out by investigators accessed the implicated Tor exit node at a time when thousands of other Tor users could have been using the same node, and any of these people could have sent the bomb threat. The second man could have been set up, insofar as Yekaterinburg’s City Hall website doesn’t require email verification when submitting messages to its website, meaning that anyone on Earth could have registered the bomb threat with his email address.
Russian text by Pavel Merzlikin, translation by Kevin Rothrock