How Authorities Found the Alleged Akron Hacker

Court documents are offering new insights into how federal agents identified the man they say is responsible for a series of online attacks.

by Amanda Garrett, Akron Beacon Journal / June 18, 2018

(TNS) — The hunt was on for who attacked the city of Akron, Ohio’s websites last year.

Someone on Twitter who identified himself as AkronPhoenix420 — a person who was part of the international activist movement Anonymous — had already claimed credit online.

But investigators didn’t know who was behind the Guy Fawkes mask.

Security staff at an Akron tech firm, eyemg, suspected the attacker did digital surveillance before unleashing a barrage of internet traffic that crippled the city’s websites.

And when they started analyzing IP addresses, they quickly zeroed in on 24.93.205.42. Whoever was behind that IP address appeared to be doing reconnaissance July 6-July 30, testing to see how vulnerable the city sites were before launching the attack Aug. 1.

Now that they had an IP address, investigators started the “legal process” with private companies to find the attacker’s identity, court records said.

They began with Charter Communications, which does business as Spectrum. The company reported the IP address 24.93.205.42 belonged to a customer named James E. Robinson who had a contact phone number that began with 989, an area code from central Michigan.

Investigators next went to that phone number’s provider, Verizon, and learned that the Michigan phone number matched a James E. Robinson of Akron.

Twitter, meanwhile, pulled IP connection records for AkronPhoenix420 and revealed the same name — James E. Robinson — to investigators, court records said.

Investigators thought they had their man, but waited and watched as attacks hit websites connected to the National Institutes of Health, the U.S. Department of Treasury, the U.S. Department of Defense and others around the world.

“These attacks bear many similar characteristics such as the method of attack and the targeted domains were specifically mentioned by twitter moniker AkronPhoenix420,” FBI Agent Michael G. Gerfin wrote in an affidavit.

How could Robinson — a factory supervisor who couldn’t hold on to a legal driver’s license — be so internet savvy?

Experts say he didn’t have to be. There’s an app for that.

The biggest was Europe-based webstresser.org. It marketed itself as a benign testing service that companies could use to see how well their own websites could stand up to a distributed denial of service attack, or DDoS.

But European law enforcement, who shut down the business in April, said the company in reality knowingly sold nefarious internet tools to people like Robinson, who used them to launch cheap, effective attacks that shut down websites by overwhelming them with traffic.

Americans, Forbes reported, made up the majority of webstresser.org’s customers — and their targets.

Packages cost between $18.99 and $49.99 per month.

Once international law enforcement rounded up the administrators of webstresser.org, police around the globe began following up with their clients.

“The message here is that people who use these services will not stay anonymous,” Gert Ras, head of the Netherlands National High Tech Crime Unit, told Forbes.

On the day news broke about the webstresser.org raid and shutdown, AkronPhoenix420 tweeted that a “stressor” he used in all of his attacks “had been wiped out.”

“Always remember to protect yourself for the safety of your own life and others. we do not play games … this is not a joke … it is not a click … it is not a gang,” he tweeted. “it’s a way of life. we are who we are because we believe in something better for the world, for everyone.”

In a separate tweet, AkronPhoenix420 seemed determined to battle on despite the loss of webstresser.org.

“You cannot kill an idea as long as one person still believes..because ideas are bulletproof,” he said. “I myself would gladly put my name in my life at risk if it meant saving the lives of others.”

Anonymous tells their side

Casper Fawkes, Zerocool and Mindydoll are men in their 20s and 30s.

They — along with others, including James “Eddie” Robinson — are Akron Anonymous.

The three men, along with a fourth member, reached out to a reporter after Robinson’s arrest, saying they wanted to tell their story.

The Beacon Journal agreed to withhold the legal names of Akron Anonymous members so this story could be told. They made the request to avoid potential problems with employers, landlords or others who may disagree with their ideology or methodology.

They work at a mobile phone store, a coffee shop and in computers in Summit and Stark counties.

Each found Akron Anonymous in different ways and for different reasons.

For Casper, it was a 2014 series in the Beacon Journal about allegations of sexual abuse and other improprieties at Grace Cathedral under the leadership of the Rev. Ernest Angley.

Zerocool said he came aboard after learning that a relative in local government was corrupt and hassling people in poor neighborhoods to leave.

And Mindydoll said Anonymous’ philosophy — which has never been firmly established since it’s a decentralized movement, but is generally libertarian — fits his “moral code, truth and honor in a nonviolent way.”

How many others are part of Akron Anonymous fluctuates between 10 and 30.

It’s low now, Casper said, because about half the group broke off to join Great Lakes Antifa.

Antifa, which is short for antifascist, is also a worldwide collective of people, but their target is the far right movement and their actions at rallies and marches can get aggressive.

“They’re pro-violence and we want peace,” Casper said. “Their aim is political … and they smash windows, light stuff on fire.”

Akron Anonymous is against fascism, too, along with racism and oppression. But the members’ missions vary and they’re often quiet, Casper said.

Mindydoll pulled out his first-aid certification and said he often attends rallies as a medic to help anyone, including Antifa, who is injured.

He’s not a computer guy, so he uses other skills to help abused women plot their escapes from relationships and find their way to safety in shelters.

Casper and Zerocool, meanwhile, said they use their web-sleuthing skills to help find missing or abducted children, methods they say are not available to police.

They’ve also marched outside of Grace Cathedral protesting Angley, joined with University of Akron students protesting the former administration and handed out carloads of food to the needy.

If they are launching computer attacks, these Akron anons aren’t talking about it.

But they made clear they don’t believe what Robinson did was wrong.

“The feds have stated before that we’re cyberterrorists,” Casper said. “It’s not accurate.”

Blocking access to websites of churches, governments or others they disagree with is a modern form of protest, like a digital sit-in, they said.

If one of Robinson’s attacks prevented the Ohio State Highway Patrol from accessing a database used to check for criminal history, warrants and possible threats involving suspects, as the U.S. attorney claims, then Robinson did the patrol a favor by exposing a dangerous weakness in its computer system, Casper said.

“Names are forgotten over time, but our actions stay,” Casper said. “My name does not matter. I want peace, light and justice as my legacy.”

Case moves forward

Fourteen days after international authorities took down webstresser.org, Akron-based U.S. Magistrate Judge Kathleen B. Burke authorized a warrant for the FBI to search the Akron house where Robinson lived.

Agents arrived on Edison Avenue in Summit Lake the following day. Inside Robinson’s house, they found a Guy Fawkes mask and a mobile phone with a unique cracked screen.

It appeared to match a photo of a phone AkronPhoenix420 tweeted in April when he proclaimed victory in another DDoS attack aimed at Akron police.

FBI agents didn’t intend to arrest Robinson that day. They had gone there only to search for evidence in the website attacks.

“Robinson was told that he was free to leave but [he] indicated that he wanted to cooperate with authorities any way he could,” FBI agent Gerfin said in court records.

Robinson — perhaps bragging as a “hacktivist” or knowing he’d be caught — confessed to at least some of the attacks, court records show.

He told agents he had used webstresser.org to attack multiple sites, including the city of Akron, the U.S. Department of Defense and others he could not recall, Gerfin said in court records.

Robinson also admitted to being AkronPhoenix420 and said he was the author of tweets, photos and videos online under that name, court records show.

Robinson, for now, faces a single charge under the federal law that deals with fraud and related activity in connection with computers.

But that could change.

A judge has given the prosecution and defense until Aug. 8 to work out a deal or move forward with an indictment.

His attorney, Brian Pierce, declined to discuss details of the case.

News of Robinson’s arrest traveled quickly to Akron Anonymous, whose members took to social media with the hashtags #OpFreePhoenix and #Free Phoenix.

Earlier this month, Akron Anonymous finally tracked Robinson to the Northeast Ohio Correctional Center in Youngstown.

Casper and Zerocool went to visiting hours hoping they could see him, only to be turned away.

A guard told them that Robinson hadn’t put their names on his visitor’s list, a requirement at federal facilities.

How could he? They’re anonymous.

©2018 the Akron Beacon Journal (Akron, Ohio), Distributed by Tribune Content Agency, LLC.