Tracking Bad Actor

Not long ago, I needed to track down someone. Private investigators had proven useless (and expensive), spending more time talking to me about their terms of service and less time listening to the situation and the fact that a bad actor was getting away. Law enforcement was...well...Williamson County, Texas Sheriff Chody and his people are more focused on their social media presence than on doing their jobs. We will just say that. I had recordings from a phone call to a call center. I had more evidence than the average person who asks law enforcement for help, but I guess if my problem had been speeding down IH35, Sheriff Chody would have been interested. The problem? How do I find the exact location of a bad actor to serve the person with legal documents and pull the person back into jurisdiction? This means I had two problems:

(1) I had no law enforcement backing (see above), and thus no capacity to physically compel the person to return. Felony or not, Sheriff Chody wasn't willing to do his job in this case. This means I had to convince the person to return voluntarily.

(2) Private investigators had turned over comprehensive reports on all persons involved. But each of the three private investigators could only cover three locations (because private investigators, it turns out, still haven't caught up with how the world works in this century). This means I couldn't cover all of the physical locations all the time. I needed the bad actor to help me.

So, rather than track someone down, how can you convince a bad actor to (a) tell you their location and (b) voluntarily return to your jurisdiction to face the music in a court of law without violating the law yourself? Quite simply, it turns out. You just need some technical skills and an understanding of human nature. In this case, by the time the private investigators had finished talking to me about agreements and contracts and had actually started hitting locations where we believed the bad actor was possibly located, the person in question had absconded to Europe. Crap! This meant (a) I had to deal with a different country and (b) I had to deal with European privacy laws. The problems had just increased significantly.

Step 1: I fired the private investigators.

Why did I do this? Well, because while they were slow-walking those billable hours, I had actually taken some of my own time to visit the apartment complex where the bad actor had last lived. I started talking to neighbors, asking questions, and people told me that the bad actor had moved out recently. I stopped by another place one of those neighbors had suggested, and someone else helpfully told me that the bad actor had left an employer high and dry (along with some other business dealings). But it was the bad actor's ex-wife that did him in. Ex-wives tend to do this (especially when you have dirt on the person that helps them). That woman cursed more than a sailor, and she told me about how her ex had allegedly run off to Europe with some woman. All of this took me a day to discover, and by late evening I had achieved more than the private investigators I had hired.

Step 2: Make the Bad Actor Want to Talk to You (or your servers)

I own several domains, and one of these has only ever been used as a honeypot. Ironically, rather than a honeypot for spam, this was going to be a honeypot for a human. The honeypot site actually has a lot of good content on it. Years ago I paid someone on oDesk a bit to write a bunch of content. The site itself gets pretty good SEO, and if you find it there are a lot of great short stories, poems and other stuff. What can I say? I was supporting an artist. She needed money and an outlet for writing. I needed a site where /admin and tcp/22 could capture password attack attempts from asshats on the internet with nothing better to do than victimize businesses. But I digress. In this case, I knew that if I could write up a dossier of factual information about the bad actor in question and carefully word things well enough, I could use it as bait. The page with the dossier was buried deep in the site, but it was included in the sitemap.xml file so search engines would index it.

First, I suspected that the bad actor had an ego. Second, I suspected he would be looking for references to himself. The first suspicion was based on talking to people and looking at his social media, and the second suspicion was because some of that social media had been deleted and seemed to be disappearing quickly. I added links from other sites where I knew it would help increase the likelihood the bad actor would land on my honeypot site. I also sent emails to known associates asking about the bad actor's whereabouts and explaining that I was working on having him served with legal papers. Each of those emails had links to the dossier on the honeypot site. Those links contained unique URL query strings, so I would know which recipient had clicked which link and visited the dossier page. It took three days to get a bite.

From the private investigators' reports I had Bad Actor's known associates, which is who I sent the emails to. But I also knew where each of them lived. Several lived in the upper northwestern United States, where Bad Actor was from. I'll be honest and say that by this point my house looked like an NSA operation. I wanted to settle this quickly, and I had dived into resolving this situation without delay. Behind the honeypot site I had Google Analytics running, but given the reporting delay of Google Analytics, I needed something more responsive. So I had wired a bit more code into the honeypot site to notify me immediately if I had a hit. Welcome to the Internet, folks. If you hit a site, you give up a lot of information about yourself (necessary to make the network work)...and that is what happened.
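As an added illustration (not the author's honeypot code), here is the attribution logic that the unique-per-recipient query strings make possible: issue one unguessable token per email recipient, then match dossier hits in the web server's access log back to the recipient whose link was clicked, along with the visitor's IP and user agent. The dossier path, the `ref` parameter name, the recipient labels, the IP addresses and the log lines are all constructed placeholders, and the log is assumed to be in the common combined format.

```python
import re
import secrets
from urllib.parse import urlparse, parse_qs

def issue_tokens(recipients):
    """Map one unguessable token to each recipient so a click is attributable."""
    return {secrets.token_urlsafe(12): name for name in recipients}

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def attribute_hits(log_lines, tokens, dossier_path="/stories/archive/notes.html"):
    """Return every request for the dossier page, tagged with the recipient
    whose token it carried (None when no valid token was present, e.g. a crawler)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP noise in the log
        url = urlparse(m.group("path"))
        if url.path != dossier_path:
            continue  # only the bait page matters here
        token = parse_qs(url.query).get("ref", [None])[0]
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "ua": m.group("ua"),
            "recipient": tokens.get(token),  # unknown/missing token -> None
        })
    return hits

# Constructed sample data (placeholder tokens, labels and documentation-range IPs).
SAMPLE_TOKENS = {"a1b2c3": "associate-1 (placeholder)", "d4e5f6": "family-1 (placeholder)"}
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2019:21:14:02 +0000] "GET /stories/archive/notes.html?ref=d4e5f6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.44 - - [11/Mar/2019:03:02:17 +0000] "GET /stories/archive/notes.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"',
    '203.0.113.7 - - [11/Mar/2019:09:45:51 +0000] "GET /stories/archive/notes.html?ref=a1b2c3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone)"',
    '203.0.113.7 - - [11/Mar/2019:09:45:52 +0000] "GET /css/site.css HTTP/1.1" 200 810 "-" "Mozilla/5.0 (iPhone)"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in attribute_hits(SAMPLE_LOG, SAMPLE_TOKENS):
        print(hit)
```

The same parsing is what the page's Lesson #1 is about: whatever network the visitor is on, its public address lands in this log.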

Three days after the site went up and the emails went out, I had a small number of hits from Bad Actor's hometown. I knew from the unique URLs hit that I was seeing clicks from Bad Actor's immediate family. Google Analytics confirmed this, and I knew I just had to wait. Within 24 hours, a user in northern Europe viewed the dossier. This gave me the IP address of a hotel. I now knew the Bad Actor's location down to the IP address. Using whois, I knew the IP address belonged to a well known hotel chain. A call to the network operations center for that hotel chain confirmed the location of the hotel down to the specific hotel building.

Now I had a location on bad actor, but how do you make someone voluntarily come back?

Step 3: Sometimes you need a little help from your friends.

The best part of my career is that from time to time I get to work with people around the world. While this unfortunately is limited by certain travel restrictions my government has placed on me, I have managed to build some really good friendships with people over video conferencing, etc. Some of these people have stayed in my home and enjoyed a little Coopers BBQ and beer when they have visited Texas. Only once have I ever really asked any of these people for a significant favor. But given the situation, which everyone in my life knew at the time, it wasn't hard to ask them to do this one. I had a friend, a guy who is a little intimidating if you don't know him personally, take his girlfriend for a weekend trip to see this Bad Actor. I covered the cost of their trip and provided specific instructions: (1) at no point were they to be confrontational, and (2) when my friend approached Bad Actor, his girlfriend would record it so they were covered if anyone said otherwise. This is what they did, and while the unannounced meeting in the lobby of the hotel definitely surprised the Bad Actor, it went rather well. A clear message was given and some documents were handed to this individual that painted the situation very clearly. Other documents would be provided to the hotel's management, the local government and the US Embassy, though through different means. It wasn't much, but it was all I could do, and it wasn't enough. But the last stroke proved more rewarding. This individual had travelled to Europe with his new girlfriend (on her dime, I suspected correctly). It was when I managed to get the documents describing the situation to the new girlfriend that I got what I wanted. She left him and returned to the U.S. This meant Bad Actor was now isolated, identified and broke. Financially, staying in Europe was not tenable. A 90-day visa would expire, and there was no hope of a longer visa without resources. Eventually this person would return to the U.S. and land at Austin's Bergstrom Airport. By this point I knew roughly when and where, and papers were served.

Lessons Learned

This entire effort was successful because I chose to take the initiative rather than let the bureaucrats make me into another statistic. Law enforcement and the courts in many cases are overwhelmed, cynical or incapable of doing what needs to be done. In those cases, they just needed a little help. Here's what I learned from the perspective of Bad Actor:

  1. Bad Actor should have used Tor or a hotspot. The hotel Wi-Fi gave him away.

  2. If you're gonna hide, people will go to those you know. It's just a fact.

  3. If you're dumb enough to run, run from it all. Turning back to clean up online is a temptation to connect to your old self and give up your location. See #1.

  4. Most importantly...don't do bad things, and if you do, own them and accept responsibility.

Happy Hacking!