Full Report
A man pleaded guilty to his involvement in a string of swatting and bomb threat incidents that allegedly impacted at least 25 members of Congress or their family members, as well as law enforcement officials and members of the federal judiciary.
Analysis Summary
# Incident Report: Romanian National Pleads Guilty in Swatting and Bomb Threat Campaign
## Executive Summary
A 26-year-old Romanian national, Thomas Szabo, pleaded guilty to conspiracy and making threats involving explosives following a widespread campaign of "swatting" and bomb threats targeting at least 25 members of the U.S. Congress, multiple cabinet-level officials, and senior law enforcement personnel. The malicious activity spanned from late 2023 through early January 2024, and the resulting legal action led to Szabo's guilty plea in June 2025.
## Incident Details
- Discovery Date: Ongoing throughout the campaign, with specific incidents like the CISA Director’s swatting occurring in late December 2023.
- Incident Date: Spanning from late 2023 through early January 2024.
- Affected Organization: Scores of senior U.S. government officials, federal judiciary members, state officials, religious institutions, and journalists.
- Sector: Government/Public Sector, Law Enforcement.
- Geography: Primarily affecting residences in the U.S. (e.g., Arlington County, Virginia, for the CISA Director).
## Timeline of Events
### Initial Access
- Date/Time: Starting in late 2023.
- Vector: Anonymous phone calls (phone spoofing/VoIP likely, though not explicitly stated) used to falsely report serious crimes.
- Details: The calls prompted large-scale, armed police (SWAT) responses to the victims' residences.
### Lateral Movement
Not applicable to this type of social engineering/physical threat campaign. The focus was on external initiation targeting specific physical locations.
### Data Exfiltration/Impact
The primary impact was the execution of high-risk, physical law enforcement deployments (swatting) and the disruption caused by bomb threats. No data exfiltration related to network compromise was documented in this summary.
### Detection & Response
- Detection: The authorities identified the source and coordinated nature of the attacks across multiple victims.
- Response Actions: The Department of Justice investigated and charged Thomas Szabo, who subsequently pleaded guilty to one count of conspiracy and one count of threats involving explosives.
## Attack Methodology
- Initial Access: Making false calls reporting serious crimes (e.g., a shooting) to emergency services, prompting a SWAT response.
- Persistence: Szabo allegedly led a group, encouraging members to follow his example in ongoing harassment. He also had a history of similar threats, including a threat against the President-elect in January 2021.
- Privilege Escalation: Not applicable (physical/social engineering attack).
- Defense Evasion: Use of anonymous calling methods to mask the true source of the threats.
- Credential Access: Not applicable.
- Discovery: The attacker aimed to cause a physical response from law enforcement.
- Lateral Movement: Not applicable.
- Collection: Not applicable to cyber data, but the intent was to identify and target high-profile government officials.
- Exfiltration: Not applicable.
- Impact: Deployment of emergency services, fear, intimidation, and disruption to the lives and work of dozens of high-ranking officials.
## Impact Assessment
- Financial: Not specified, but response costs for law enforcement agencies responding to numerous false alarms would be substantial.
- Data Breach: None reported (the attack was executed via phone/physical threat, not network intrusion).
- Operational: Significant operational disruption to government officials, CISA included, due to high-stress physical confrontations or evacuations resulting from bomb threats.
- Reputational: Negative impact on the security profile of targeted officials and public perception surrounding political harassment.
## Indicators of Compromise
- Network indicators: None specified (attack relied on public telephone infrastructure).
- File indicators: None specified.
- Behavioral indicators: Repeated, coordinated anonymous reporting of violent or explosive threats targeting high-profile government figures.
## Response Actions
- Containment measures: Identifying and isolating the perpetrator (Thomas Szabo).
- Eradication steps: Successful prosecution resulting in a guilty plea.
- Recovery actions: Sentencing scheduled for October 23rd, intended to provide judicial closure to the criminal activity.
## Lessons Learned
- Key takeaways: Coordinated swatting campaigns motivated by ideological or harassing intent pose a significant threat to public safety, requiring intense inter-agency coordination to trace originating points.
- What could have been done better: The article implies the response was successful via prosecution, but the spree lasted several months (late 2023 to early 2024) before the subject pleaded guilty, indicating a lag time between the peak activity and legal resolution.
## Recommendations
- Prevention measures for similar incidents: Enhance emergency services call screening and verification protocols, particularly when threats target protected officials. Increase international cooperation to trace malicious actors who target U.S. officials from abroad, including from countries like Romania.