The following is a Daily Beast report by Kevin Poulsen:
The suspect arrested today for a wave of bomb threats against Jewish Community Centers in the United States employed an array of technologies, including Bitcoin and Google Voice, to make himself virtually untraceable for months, The Daily Beast has learned. But in the end, it only took one careless slip-up to lead police to his door.
Police arrested 19-year-old Michael Kaydar, who has joint Israeli-U.S. citizenship, at his home in Ashkelon, a coastal city in southern Israel. He’s suspected of phoning in over 100 bomb threats to JCCs and Jewish day schools in 33 states since January, with the most recent calls made two weeks ago. Police also suspect him of making similar threats in Israel, Europe, Australia, and New Zealand.
The arrest followed an international probe that began with the first U.S. threats in January, and quickly hit its first roadblock, according to sources close to the investigation. The FBI traced the phone calls back to a service called SpoofCard that allows users to mask their caller ID, so their phone calls can appear to come from any number they choose.
The FBI sent a subpoena to the company that runs the service, New Jersey-based TelTech, in the hope of obtaining the caller’s real number. But that phone number turned out to be a disposable Google Voice line established under an alias.
The server logs from both TelTech and Google weren’t much more helpful. They showed that the suspect routed his Internet connection through anonymous proxy servers overseas. Even the caller’s voice was anonymous—he used SpoofCard’s voice-changing option to make himself sound like a voice synthesizer imitating a woman. And rather than use a traceable credit card or PayPal, the perpetrator paid for his SpoofCard in Bitcoin—another dead end.
Meanwhile, the bomb threats continued, coming in six separate waves. Jewish centers and day schools began evacuating with almost routine regularity. The threats were generally seen as evidence that anti-Semitic fringe groups were feeling emboldened by the election of Donald Trump. Then in March, a St. Louis man was arrested for a handful of copycat bomb threats he allegedly staged in an effort to frame an ex-friend.
But in his rush to reach as many Jewish institutions as possible, the original bomb hoaxer grew careless. On at least one occasion, he neglected to route his Internet connection through a proxy server, leaving behind a real IP address in the server logs. The address was in Israel, where police traced it to a WiFi access point that Kaydar was allegedly accessing through a giant antenna pointed out a window in his home.
A motive for the suspect, who is himself Jewish, hasn’t been established, but his lawyer reportedly said Kaydar has suffered from a brain tumor since age 14. The tumor affects his behavior, the lawyer claims.
The U.S. Justice Department declined to comment on whether the suspect will face U.S. charges and possible extradition. In a statement, Attorney General Jeff Sessions commended the FBI and the Israeli National Police on the arrest.
“The Department of Justice is committed to protecting the civil rights of all Americans,” he said, “and we will not tolerate the targeting of any community in this country on the basis of their religious beliefs.”
SpoofCard and services like it have plenty of legitimate users, such as undercover cops, or domestic abuse victims who use it to conceal their phone numbers from an ex. But the JCC calls aren’t the first time SpoofCard has been used for evil either. In one example, in 2007 a gang of malicious phone hackers in Texas were arrested for using the service in a “swatting” campaign against their enemies. They would call the police and claim to be holding hostages in their home, while spoofing the victim’s phone number. The result: the police storm the victim’s house with guns drawn.
But normally spoofing isn’t much of an impediment to law enforcement, and sometimes even incidentally helps build a case. The Texas swatters voluntarily used SpoofCard’s recording option during their calls to police, allowing the FBI to retrieve the recordings with a search warrant. It’s unclear whether the JCC caller used that feature. Reached by The Daily Beast, TelTech emphasized that it cooperates with law enforcement when its service is abused.
“SpoofCard is aware of the investigation regarding phone-based bomb threats to schools and organizations,” the company wrote in a statement. “We take great pride in the fact that for over 10 years we have helped people protect their privacy and that we have always held a consistent position against any misuse of our services. When requested, we comply quickly and responsibly with lawful requests from all levels of law enforcement, and we have built specific tools to prevent abuse.”