FBI catches swatter who said “you can’t catch a hacker”

If you can’t do the time then you shouldn’t do the crime. And if you’re going to boast that you can’t get caught, you probably ought to be good at covering your tracks.

At least, that’s the lesson I assume one Zachary Lee Morgenstern has learned.

The Texan teenager has pleaded guilty to one count of threats to kill, after an investigation by the FBI pinpointed him as the source of several hoax bomb threats and “swatting” calls to police in Minnesota, Ohio and Massachusetts – acts described by US Attorney Andrew M. Luger as “dangerous to victims and a significant drain on scarce law enforcement resources” and a threat which could not be allowed to go unanswered.

Morgenstern, 19, allegedly made threats via anonymous Twitter and email accounts to “shoot up” a high school in Marshall, Minnesota, and claimed to have planted a bomb at another Marshall school; Morgenstern also sent harassing text messages and threatened to kill a police officer and her family.

According to Morgenstern’s guilty plea, his reign of terror began on or around 7 October 2014 when he called Marshall police and claimed to have taken two people hostage at a local residence, intending to “swat” a minor living at the address. Morgenstern told police he had already shot one of the hostages in the knee and said he would kill both unless he was furnished with a duffel bag containing half a million dollars, adding a further threat to kill any armed responders.

Later, on 6 January 2015, Morgenstern called the Marshall police dispatch centre and claimed to be “D.R.,” a 17-year-old boy Morgenstern intended to swat. Using an untraceable web-based telephone service, he said he had planted bombs around Marshall High School that were due to explode within the hour.

The next day, using a program called SMS bomb, he peppered the young girlfriend of one of D.R.’s friends with 222 text messages in less than an hour with the intention of disabling her mobile phone.

Between 8 and 29 January, Morgenstern made further hoax calls in which he variously stated there was a hostage situation at D.R.’s residence and made yet more bomb threats against the school, all in the same boy’s name.

On 16 February he made a further swatting attempt, this time against a 13-year-old boy identified as “I.W.” He told the police dispatcher that his mother had been shot and that gunmen were holding her and his three-year-old sister hostage.

On 20 April, just three weeks before his arrest, Morgenstern got cocky and called a police officer working at Marshall High School. Identifying himself as “Florian the Bomb Threat God of Marshall,” he left a voicemail in response to the officer’s claims that his capture was imminent, saying that was “not possible” because he was a “hacker” and “you can’t catch a hacker.”

In a continuing tirade, Morgenstern derided the officer and said he wanted her to watch as he killed her family, finishing the one-sided conversation by saying:

How does that make you feel? How does it make you feel to know that I am a hacker?

Finally, on 26 April, he left an anonymous voicemail on a police officer’s phone in which he claimed he had their Social Security number and was deliberating how best to use it to commit fraud.

Following his arrest on 14 May in Texas, Morgenstern was transferred to Minnesota where, on 7 August, he pleaded guilty to one charge of threats to kill.

In return for his guilty plea, Morgenstern may face a period of supervised release – rather than the maximum penalty of 10 years in prison and a fine of up to $250,000, or double the value of all losses caused by his actions – due to his apparently previously-clean record.

Marshall Police Chief Rob Yant explained how Morgenstern’s actions had affected the force, identifying the additional challenges posed by the internet:

The multiple calls to law enforcement and the Marshall High School spread fear and taxed the resources of the Police Department and the school.

Even after the first couple of threats, when it appeared that they were being done as a hoax, we had to take them seriously because what if we hadn't and they turned out to be real?

The internet has made us vulnerable to these types of threats, even when the perpetrator turns out to be halfway across the country, and it has also made it easier for people making the threats to conceal their location and identity.

Local police departments do not have the time or the expertise to investigate these cases. That is why we are so grateful for the assistance of the FBI and the US Attorney's Office in locating and bringing the perpetrator to justice in this case.

But just how did the Bomb Threat God of Marshall (Morgenstern actually lives over 1,000 miles away and it is unclear why he targeted the city) get caught?

Via the power of Google search, local authorities were able to determine that he had once been in control of the @ZackL337H4XoR Twitter handle. Subpoena in hand, the FBI were able to persuade both Twitter and Google to give up the IP addresses behind the @RIURichHomie and anonymously.lulzsec@gmail.com accounts – both of which were later matched to a Comcast account linked to Morgenstern’s address in Cypress, Texas.

Morgenstern joins a small but growing list of people who have been arrested for swatting.

Last year we reported on just two such incidents, one involving a Canadian teenager who may have been responsible for targeting security journalist Brian Krebs, and a second which saw an Australian teen’s hoax call lead 20 police officers to an address in Arncliffe.

Image of SWAT equipment courtesy of Shutterstock.