Swatting: When Online Hate Goes Offline

In recent years, the once obscure abuse tactic of swatting has gained popularity. But while the FBI estimates over 1000 attacks each year, little is known about where these attacks originate and what the online ecosystem can teach us about them. ActiveFence research uncovers how swat attacks have become a core abuse tactic for white supremacist groups, and the role of various online platforms in their planning and execution.

The evolution of swatting

Swatting, an act which has already caused the death of innocent people, is concerning many, from law enforcement agencies, to religious institutions, hospitals, journalists, protected minorities, educational institutions, and more.

But in order to assess the risk, it is first important to understand what swatting is. The US Department of Justice defines swatting as “a harassment tactic that involves deceiving emergency dispatchers into believing that a person… [is] in imminent danger… causing dispatchers to send police and emergency services to an unwitting third party’s address.” Targets of swatting attacks generally include schools and universities, journalists, politicians, and minority cultural and religious centers (like Black churches, Islamic centers, and Synagogues).

This phenomenon is not new – it’s been documented as far back as 2008, but it’s on the rise. According to the FBI, between 2011 and 2019, the number of swatting attacks has more than doubled – from 400 to over 1000 annual attacks. That number is only growing, illustrated by the fact that in just one day, on March 28, 2023, over 24 schools in Massachusetts were targets of hoax calls.

While this topic has been thoroughly researched in the past, research has mostly been on the concern of swatting as a new domestic terrorism threat, and less has been written on the online-offline nature of these actions and the role of online threat detection in stopping it. This blog aims to shed some light on that.

Tracking swatters

While the targets of swatting attacks vary, law enforcement officials believe that many swatting attacks actually originate from a single person or group. This belief is supported by ActiveFence’s own research, which traces much swatting activities to online forums and messaging channels affiliated with white supremacist groups. Additionally, while swatting attacks have traditionally been conducted by lone individuals, our research is pointing to the increased involvement of ‘groups’ rather than ‘individuals’ as a new phenomenon.

The below case study highlights some of the tactics of a swatting group:

The European Culture and Heritage Protection Group

In late July 2023, a group called the “European Culture and Heritage Protection Group” (ECHPG) launched a new X (then Twitter) account. The group used the account to share a PDF document in which they describe themselves as a “bunch of dudes tired of k*kes f***ing up their countries and culture which is why we have decided to band together and swat Jewish institutions, synagogues, black churches, Lutheran churches and public buildings.” The group made two specific demands: that the Anti-Defamation League (ADL) delete its Twitter and YouTube accounts, and that the Ohr Ha’Torah Synagogue in Los Angeles close as well.

ActiveFence’s research has identified at least one person who appears to be involved in this group. “Buck Breaming2000” (@Braol2233 on Telegram) has claimed to be French in several instances and Brazilian in others, is a member of several neo-Nazi chat groups. This individual shares photos of identical objects and pets featured in many of the ECHPG posts – establishing their connection to the ECHPG. Three days after the launch of ECHPG’s X account, @Braol2233 posted about Jewish religious institutions streaming their “satanist sermons,” stating that he would “…swat them all. The jews will face my wrath. The adl will also face my wrath. Bc they ignored my demands,” while referencing the ECHPGs tweet.

On that same day, Congregation Bnai Israel in Millburn, New Jersey, was swatted and consequently evacuated. The ECHPG claimed responsibility for this and another attempted attack on a synagogue, promising that “synagogues will continue to be swatted until the demands in the pdf posted are met.”

According to The New York Post, 26 synagogues and two ADL offices were targeted by this group. This is again supported in @Braol2233’s tweets, claiming he had “swatted over 20 synagogues, black churches, news offices and attempted swatting the holohoax museum” over the last two weeks, while sharing videos of his calls to police and livestreamed evacuations on Telegram.

New threats

Since these attacks have taken place, the associated X account[s] have been suspended, and a Telegram channel by the same handle was created. While the channel is currently quiet, a few messages have been posted, one containing an operational security (OPSEC) guide authored by a neo-Nazi group, and another suggesting that the next wave of attacks will target museums: “After the incredibly successful attack in Atlanta. I think museums are definitely the way to go. it might take 1-2 trys to get a successful swat. but shit when it works it f*cking works.” This message references a recent attack on the Atlanta’s Breman museum. Another message provided more details on the swatting process and necessary tools, claiming all that is needed are “a vpn, bluestacks and textme.”

Multi-platform abuse

A core component of this dangerous online-to-offline abuse is the importance of multiple platforms in executing a successful attack. The cross-platform nature of these attacks often means that without access to multiple sources of information, it is hard for trust & safety teams to uncover the activities taking place using their platforms, especially in cases where swatters try to hide their involvement:

1. Messaging platforms: Attacks are promoted, discussed, and planned via various chat groups and 1-1 messages. These generally rely on encrypted messaging to avoid detection.
   Without specialist knowledge and in-group access, it is impossible to identify an attack using public platforms alone.
2. Payment platforms: In cases of swat-for-hire services, payments are made via online payment platforms, primarily cryptocurrency exchanges. Again, taking advantage of the anonymity afforded by such payment methods allows these attacks to go undetected.
3. Livestreaming services: In many cases, attackers insist upon the existence of livestreaming broadcasts in order to conduct an attack. These video streams are used by attackers to monitor their target, collect intelligence, watch the attack take place, and subsequently share the videos in their promotional materials. Religious institutions that broadcast their services live, are therefore at greater risk of a swat attack.
4. VPN services: Allow swatters to either mask their location as they pretend to be near the site of the swat attack, or alternatively, access local-access only domains, if they are abroad. VPN services also help swatters to hide their online footprints and thus, avoid detention.

Identifying swatters online

While ActiveFence’s intelligence-fueled process of identifying swatters and other harmful content online relies on deep threat intelligence and subject-matter expertise, it is possible for platforms to identify swatting using more traditional methods and indicators:

• Cross-platform linking: In order to hide their activities, swatters will move conversations from one online platform to another. For example, information about the ECHPG was shared in a Telegram chat group of 86 members, which has been since deleted. Buck Breaming2000’s content, such as records of live-streaming footage of swatting, was later shared on other Telegram channels.… […]. For this reason, cross-platform linking is an important indicator of potentially harmful activity
• Keywords and keyword combinations: Frequently, swatters post claims of responsibility and promotional materials online. So, identifying the use of indicative keywords and keyword combinations is one way to find these attackers. These include “swatting” and its variations in English and non-English languages (like the French term “alertes a la bombe”), racial slurs, and specific names of schools and places of worship, and presumed dates for planned swatting attacks.
• Use of non-local language: Swat attacks can, and often are, planned internationally – such that the target of an attack may be in the United States, while discussions of the attack take place in French. An indicator of this type of abuse may be non-English discussions of local religious or educational institutions.
• Affiliation with specific Telegram groups and X accounts: ActiveFence has uncovered several channels engaged in swat attacks, all promote far-right extremism, some with thousands of subscribers. Accounts that are actively engaged with these groups are therefore likely to also be engaging in swat attacks.

ActiveFence researchers use deep threat intelligence and research to identify novel online and offline abuses. By monitoring threat actor chatter, we can alert our customers of novel abuses taking place on their platform, and assist them as they work to keep users safe – both online and off.

Take a look at our deep threat intelligence resources to learn more about how ActiveFence research supports a safer online world.