Cyber tormentor leaves a trail that lands him 17.5 years

He, along with others he’d recruited into his cyberstalking campaign, sent lewd pictures of pre-pubescent females to her mother, her former roommate, and two former college classmates. They sent messages encouraging her to kill herself and threatening to rape and/or kill her and her friends. They posed as her and contacted somebody to claim that she’d killed the animal she was pet sitting, triggering a confrontation with police.

They pretended to be her roommate and her mother and called in over 120 hoax bomb threats to schools and residences. They broke into her iCloud account, laptop and iPhone to steal her photos; videos; and medical, psychological, and sexual history. They pieced it all together in a collage and sent it to hundreds of people, including her roommates, co-workers, 13-year-old sister, parents, parents’ work colleagues, and former teachers and school administrators. They put up bogus profiles of her on adult sites and directed interested men to her home address. She said that three men, unknown to her, showed up.

The main cyberstalker behind all this thought the IP address-anonymizing Tor service would protect him. He thought virtual private networks (VPNs) would hide him. He also seemed to put his faith in anonymous overseas texting services and overseas encrypted email providers that don’t respond to law enforcement and/or don’t maintain IP logs or other records.

On Friday, the Department of Justice (DOJ) announced that the man conducting this cyberstalking campaign has been sentenced to 17.5 years in prison and 5 years of supervised release.

Ryan S. Lin, 25, of Newton, Massachusetts, pleaded guilty in April 2018 to seven counts of cyberstalking, five counts of distribution of child abuse imagery, nine counts of making hoax bomb threats, three counts of computer fraud and abuse, and one count of aggravated identity theft. Lin was arrested in October 2017 and has been in custody since.

The woman Lin tormented for 17 months, from May 2016 through October 2017, was his housemate. He’d found his way to her through a Craigslist ad. Lin hacked into her online accounts and devices, stole her private photos, PII and private diary entries, and spread it all far and wide.

The victim said she moved out of the house she shared with Lin after a few months, but the harassment kept right on coming, also targeting family members, friends, co-workers, and two other housemates. It followed her into her new home in Waltham when Lin, posing as a pet owner looking for a pet sitter on the dog-walking service, managed to trick the woman into contacting him, thereby revealing her new phone number.

In the criminal complaint, FBI Agent Jeffrey Williams noted that while investigators identified Lin as the original perpetrator and primary antagonist behind the doxing of the woman’s personal information and the subsequent crimes that followed, it could well be that much of her torment came from others on the forums that Lin frequented, as he may have egged others on in organized, ongoing harassment.

Lin, a computer science graduate from Rensselaer Polytechnic Institute, worked at a software company based in Waltham, Massachusetts from January 2017 until on or about 24 July, 2017, when he was fired. The company put aside his computer, denying Lin’s request that he be allowed to log out of accounts on it before being shown the door. As the criminal complaint tells it, Lin’s bosses had reinstalled Windows and planned to reassign the computer to another employee, but the FBI got to it first.

Some of the data had been deleted by the operating system reinstall, but there was still plenty left, including:

  • Forensic data that showed multiple references to school bomb threats in and around Waltham.
  • Web browsing history that showed that the anonymous texting service used to cyberstalk Smith and her friends and relatives – TextNow – was one of the most visited online services on the machine.
  • Evidence that PureVPN, a VPN service used “repeatedly” in the cyberstalking scheme, had been installed on the computer.
  • Evidence of an account in Lin’s name with ProtonMail, a Swiss-based encrypted email provider that was used repeatedly in the cyberstalking.

Lin had good cause to try to hide his tracks, but fortunately for the FBI, he did a terrible job at it. When investigators got access to his Gmail account, they found that he’d sent himself two screenshots of what looked to be his iPhone. The images showed what apps were installed, including several apps for anonymous texting, encrypted email, and free burner telephone numbers.

Lin had also openly discussed on his Twitter account the use of such anonymizing services: for example, he re-tweeted a tweet from “IPVanish” that read: “Your privacy is our priority. That’s why we have a strict zero log policy.” Lin criticized the tweet, saying:

“There is no such thing as VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

He was savvy enough to use a two-pronged approach to protecting anonymity: both a VPN and an anonymizing service to mask his true IP address. He was smart enough to know that VPNs keep logs.

Despite knowing all that, he left a trail documenting his own crimes. That’s fortunate: if he hadn’t, his obsessive tormenting may well have kept on for even longer than the year he managed to terrorize a woman, her family, her friends, and the multiple schools and homes that were evacuated, locked down or SWATted because of him.