Here are the rules:
- Never break the law
- Avoid reporting to the police unless someone is in physical danger
- Don't do this from home: use a VPS, shell account, or bouncer
- Never reveal any personally identifiable information
- If you make a phone call, use a company phone to hide your number
- If you send an email, use a disposable email or company email
Setting up irssi to connect via tor:
$ tmux
$ doas pkg_add tor torsocks irssi
$ doas rcctl enable tor
$ doas rcctl start tor
$ torsocks irssi
/set real_name <realname>
/set user_name <username>
/set nick <nick>
/set ctcp_userinfo_reply mIRC 7.61
/set ctcp_version_reply mIRC 7.61
/set autolog on
/save
You can use something besides mIRC 7.61 for the ctcp reply. Just pick something realistic looking besides irssi.
In order to infiltrate a criminal network, you will need to do some research. Figure out what they are interested in (ddos attacks, phishing, credit card fraud, spamming). Try to understand what language they speak, what they are passionate about, and see if you can strike up a conversation with them. This helps build trust so they will be willing to share more information.
Use a little creativity. Don't commit any crime, and don't suggest they commit any. However, feel free to chat with them, ask them how they are doing, what hobbies they enjoy, etc. Try to ask them for information to learn more about them, but...be subtle, be subtle! I recommend you avoid lying. However, you are welcome to change your persona. Use a new dialect. If you normally chat using formal English, use lots of slang. Talk like someone their age. Spell things wrong on purpose if it helps you fit in. Go ahead and use bad grammar if it helps. Feel free to use Google Translate for the conversation. Have fun!
First, make sure you have proof they have committed a real crime. If there is no evidence, then stop collecting logs. If there is proof, then collect as much data as you can. Make sure you have logging turned on. Figure out what networks they join, what software they use, what servers are their hubs. Data you want to collect:
- Real legal name
- Age, date of birth, phone number, home address, social media accounts
- Business, education background, what software they use (irc daemons, irc clients, irc bots)
- What crime networks they connect to: IP addresses, domain names
- Their criminal friends
- Source code of the software they use
Your biggest tool is your brain. Look for clues. For example, use /list to figure out which channels exist on the network. Join some of them and see who is around. Are there any bots? What are their IP addresses? Who hosts them? Type /who #channel to list all the users within a channel. Type /names to see all the users in a channel. Type /whois username to get more info about a user. However, be careful, as some ircds may notify the admin when a user runs the /whois command. It helps to hang around in a channel for a few weeks.
For example, suppose you found the IP 22.214.171.124 is hosting an IRC command and control botnet for crime. You can run:
$ whois 126.96.36.199
VPS Hosting    Generic VPS-INC (NET-188.8.131.52)    184.108.40.206 - 220.127.116.11
This tells you that the server is hosted with Generic VPS, inc. So, head over to Generic VPS's website and go to their abuse page and contact them. Send them an email to support@ or email@example.com, call their phone, chat with them on live chat, fill out a support ticket. Do whatever it takes to let them know that their customer is using the VPS for illegal purposes and needs to be shut down.
Suppose you realize that the domain example.com is being used for the illegal botnet:
$ whois example.com
Domain Name: EXAMPLE.COM
Registry Domain ID: D1234567890
Registrar WHOIS Server:
Registrar URL: http://www.genericregistrarexample.com
Updated Date: 2020-05-06T00:41:36Z
Creation Date: 2018-04-15T05:08:12Z
Registry Expiry Date: 2021-04-15T05:08:12Z
Registrar Registration Expiration Date:
Registrar: Generic Registrar Ltd
Registrar IANA ID: 12345678
Registrar Abuse Contact Email: firstname.lastname@example.org
Registrar Abuse Contact Phone: +1234567890
Reseller:
Domain Status: ok https://icann.org/epp#ok
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registrant Organization: Hacker Inc
Registrant State/Province: CA
Registrant Country: US
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2020-05-07T13:23:58Z <<<
This tells us that the domain example.com was registered by Hacker Inc with the registrar http://www.genericregistrarexample.com, and that abuse should be reported to email@example.com. So, go to that website, file an abuse report, send them an email, go on live chat with them, make a phone call -- do whatever it takes to get their attention to take the server offline. In one particular case, I had to email the registrar 6 times, filed 6 tickets, made 3 phone calls, and went on live chat twice. It took me over two weeks. But finally the domain got suspended.
Suppose you see one of the criminals joining like this:
14:25 -!- hacker [firstname.lastname@example.org] has joined #illegal
$ dig shell.example.com

; <<>> DiG 9.4.2-P2 <<>> shell.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39025
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;shell.example.com.             IN      A

;; ANSWER SECTION:
shell.example.com.      300     IN      A       192.168.0.1

;; Query time: 295 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:01:41 2020
;; MSG SIZE  rcvd: 57
This tells you that the IP address for the server is 192.168.0.1. So you then run:
$ whois 192.168.0.1
OrgName:        Cloud
OrgId:          CLD
Address:        123 Nowhere St
City:           Nowhere
StateProv:      NY
PostalCode:     12345
Country:        US
RegDate:        2008-04-24
Updated:        2019-06-28
Comment:        http://www.completelyrandomcloudexample.com
Ref:            https://rdap.arin.net/registry/entity/LINOD

OrgNOCHandle: LN1234567-ARIN
OrgNOCName:   Cloud Network Operations
OrgNOCPhone:  +1-234-567-8900
OrgNOCEmail:  email@example.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/LN1234567-ARIN

OrgAbuseHandle: LAS1234567-ARIN
OrgAbuseName:   Cloud Abuse Support
OrgAbusePhone:  +1-234-567-8900
OrgAbuseEmail:  firstname.lastname@example.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/LAS12-ARIN

OrgTechHandle: LNO1234567-ARIN
OrgTechName:   Cloud Network Operations
OrgTechPhone:  +1-234-567-8900
OrgTechEmail:  email@example.com
OrgTechRef:    https://rdap.arin.net/registry/entity/LNO21-ARIN
This shell provider uses a Cloud VPS. So, contact Cloud's abuse and support email, phone number, and go to their IRC channel. I spent about two hours chatting over IRC and sent around 4 emails. Do what it takes to make sure Cloud and the shell provider close the guilty accounts.
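As an added example (not part of the original guide), a small POSIX sh helper that pulls the abuse contacts out of saved whois output so the report goes to the right inbox. It handles both the registrar-style keys (Registrar Abuse Contact Email/Phone) and the ARIN-style keys (OrgAbuseEmail/OrgAbusePhone) shown above; the sample whois fragment and its addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide: given a saved whois
# output file, list the abuse contacts to send the report to. Handles
# both registrar-style keys ("Registrar Abuse Contact Email:") and
# RIR/ARIN-style keys ("OrgAbuseEmail:", "OrgAbusePhone:").

# abuse_contacts FILE
# Prints one "email ADDR" or "phone NUM" line per abuse contact field,
# sorted and de-duplicated; NOC/tech contacts and Ref URLs are ignored.
abuse_contacts() {
    awk -F': *' '
        {
            key = tolower($1)
            sub(/^[ \t]+/, "", key)     # strip indentation some servers add
            val = $2
            sub(/[ \t\r]+$/, "", val)   # strip trailing space / CR
        }
        key ~ /abuse/ && key ~ /e-?mail/ && val != "" { print "email " val }
        key ~ /abuse/ && key ~ /phone/   && val != "" { print "phone " val }
    ' "$1" | LC_ALL=C sort -u
}

# Constructed sample: a registrar record and an ARIN org record pasted
# together, with placeholder addresses (not real contacts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Registrar: Generic Registrar Ltd
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1234567890
Registrant Organization: Hacker Inc
OrgAbuseHandle: LAS1234567-ARIN
OrgAbuseName:   Cloud Abuse Support
OrgAbusePhone:  +1-234-567-8900
OrgAbuseEmail:  abuse@cloud.example
OrgAbuseRef:    https://rdap.arin.net/registry/entity/LAS12-ARIN
OrgTechEmail:   noc@cloud.example
EOF

# Prints the two abuse e-mails and two abuse phone numbers, nothing else.
abuse_contacts "$sample"
rm -f "$sample"
```

Save the real whois output with `whois <ip-or-domain> > target.whois` and run `abuse_contacts target.whois`; the NOC and tech addresses are deliberately left out because they are not the abuse desk.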
Sometimes you have an IP but you don't know who owns it. You can run this:
$ dig -x 192.168.0.1

; <<>> DiG 9.4.2-P2 <<>> -x 192.168.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;18.104.22.168.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
22.214.171.124.in-addr.arpa. 86400 IN   PTR     criminal.example.com.

;; Query time: 4943 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:05:55 2020
;; MSG SIZE  rcvd: 80
This tells you that the domain name is criminal.example.com.
Once you get this basic information, use a search engine to gather more. Search their name, their network, their websites -- look for any software they might have written, anything about them that might be useful. Their nicknames might show up in old logs, and they might have malware associated with them. This research is very important for proving someone is guilty of a crime.
In your email, make sure to document the crime clearly and provide clear evidence. Use screenshots, videos, chat logs, whatever is most effective.
Make sure that any screenshots or videos you send do not contain any of your personal information! Double check for your own safety. If you want, you can first email to firstname.lastname@example.org so our team can take a look.
When you start filing reports, make sure you go in this order:
- Take down domains
- Take down irc servers
- Take down shell accounts / bouncers used by admins/criminals
- Finally, take down stolen servers and bots used for stealing
There are reasons why we must follow this order. Many times, when you report abuse, the providers won't trust your logs and will want to verify the crime in person. If you take down the bots and IRC servers before the admin can log in, he will be unable to see any evidence and he may think you are lying. Therefore, you want to preserve as much evidence as possible until the last moment.
The reason we take down domains first is because it causes the most disruption while still allowing you to connect to the IRCd for further spying. Afterwards, we can cause netsplits by taking down the IRC servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. Once you take these down, you will be unable to do anything else.