Federal prosecutors in the Central District of California charged two suspects with swatting attacks that used hacked Ring cameras to live-stream armed police responses.
Authorities said the alleged crimes occurred in Flat Rock, Michigan; Redding, California; Billings, Montana; Decatur, Georgia; Chesapeake, Virginia; Rosenberg, Texas; Oxnard, California; Darien, Illinois; Huntsville, Alabama; North Port, Florida; and Katy, Texas.
The attacks forced the FBI to warn about swatting attacks live-streamed from Ring cameras in December 2020, urging owners to use complex passwords and enable multifactor authentication.
Ring LLC., a subsidiary of Amazon, acknowledged that unauthorized third parties had taken over customers’ accounts, but the company was helping the victims recover their accounts. Additionally, the Santa Monica, California-based smart home solutions company cooperated with the FBI in identifying attackers and forced customers to enable two-factor authentication.
Suspects taunted police on Ring cameras during swatting attacks
Authorities said Kya Christian Nelson, 21, of Racine, Wisconsin, and James Thomas Andrew McCarty, 20, of Charlotte, North Carolina, allegedly hacked into victims’ Yahoo email accounts and identified which ones were associated with Ring cameras.
The duo then targeted individuals who used the same password on their Ring accounts to initiate swatting attacks, taunt the police, and live-stream the incidents on social media. Most Ring cameras have speakers that allow operators to communicate with visitors at the door.
According to federal prosecutors in the District of Arizona, McCarty carried out 18 swatting attacks in November 2020. He used Telegram and Discord aliases “Aspertaine” and “Couch” that matched several cybercrime accounts used in SIM swapping fraud and social media account takeover attacks.
Aspertaine also bragged about amassing $330,000 worth of cryptocurrency. However, his accomplices accused him of ripping them off by taking more than he deserved after successful SIM swaps. One SIM swapper had put a hit on Aspertaine for $1,000 to $50,000 worth of Bitcoin.
McCarty faces one count of conspiracy to intentionally access computers without authorization, while Nelson faces two counts of intentionally accessing computers without authorization and two counts of aggravated identity theft.
If convicted, the suspects would spend a maximum of 5 years in prison for intentional access to unauthorized computer charges, while Nelson would spend another two years on aggravated identity theft charges.
Nelson, alias “ChumLul,” was already in custody for a separate charge and had pleaded guilty to reporting a fake shooting incident and making a bomb threat to a Kentucky high school.
Authorities did not disclose how the suspects gained access to the victims’ Yahoo accounts to take over Ring cameras. Likely, they purchased login credentials from hacker forums or extracted them from previous data breaches.
“Unfortunately, bad actors using tools against victims isn’t just restricted to swatting; it happens everywhere to both individuals and enterprises,” said David Maynor, Senior Director of Threat Intelligence at Cybrary. “This also means there is no silver bullet to fixing the problem. Education about the threats is really the only way to combat the trend of miscreants weaponizing your own devices against you.”
Maynor advised users to observe “basic security hygiene” by setting new and unique passwords routinely and enabling Multi-Factor Authentication.
Disastrous outcomes of previous swatting attacks
Criminals use swatting attacks to settle scores or cause harm to innocent people by tricking police into responding forcefully to non-existent dangerous situations.
In June 2021, an 18-year-old suspect initiated a swatting attack that caused the death of a 60-year-old man in Tennessee. The culprit was sentenced to a five-year prison sentence.
In 2019, another serial swatter from California, Tyler Barriss, was sentenced to 20 years in prison after making a fake 911 call that led to a fatal shooting of a Kansas man. Barriss had also threatened to kill his grandmother if he reported him for making a false bomb threat.
However, none of the convicts used hacked Ring cameras to broadcast their crimes, making the alleged incidents one of a kind.
Source: CPO Magazine
