Full Report
The ICE-tracking service says it doesn't store usernames or addresses

ICE-reporting service StopICE has blamed a US Customs and Border Protection (CBP) agent for attacking its app and website and sending users text messages warning them that their information had been "sent to the authorities."…
Analysis Summary
This summary of the StopICE incident is based on the published report excerpted above; where the excerpt is silent, the summary says so rather than guessing.
# Incident Report: Sabotage of StopICE App and Website by Alleged CBP Agent
## Executive Summary
The ICE-reporting service StopICE suffered an attack on its application and website in which unauthorized text messages were sent to its users, falsely telling them that their data had been handed to the authorities. StopICE's administrators traced the attack to a personal server linked to a US Customs and Border Protection (CBP) agent. The attackers claimed to have exfiltrated user names and addresses; StopICE says it does not store that information, so there was nothing of the kind to take.
## Incident Details
- Discovery Date: Users reported the texts on "Friday". The report was published on Monday, February 2, 2026, so that Friday is January 30, 2026. StopICE's notice identifying the source of the attack followed on Saturday, January 31, 2026.
- Incident Date: Server attack attempt and malicious SMS messages on January 30, 2026. The source gives no dates for any later message batches.
- Affected Organization: StopICE (ICE-tracking/reporting service)
- Sector: Activism/Immigration Monitoring Technology, Non-Profit Adjacent
- Geography: US (Source traced to SoCal CBP agent)
## Timeline of Events
### Initial Access
- **Date/Time:** January 30, 2026 (server attack attempt); users reported the malicious texts the same Friday.
- **Vector:** Server Attack/Targeted Disruption. The initial event was described as a "server attack" attempting to disrupt services and queue false text alerts.
- **Details:** Attackers targeted the `stopice.net` infrastructure. The messages went out through the third-party SMS platform the service uses for alerts; the source does not say how the attackers reached that sending path. StopICE says the attack was quickly isolated and neutralized.
### Lateral Movement
- Not described. The focus appears to be on service disruption and unauthorized messaging rather than a deep compromise of internal systems, although the perpetrators did gain enough access to send messages that impersonated the service.
### Data Exfiltration/Impact
- **Impact:** Unauthorized sending of alarming text messages to users, falsely claiming their personal information was shared with law enforcement. Claims were made by hackers on social media that user names and login information were sent to government agencies.
- **Developer Impact:** The developer, Sherman Austin, was personally targeted in the malicious messages, which included defamatory statements about his coding abilities.
### Detection & Response
- **Detection:** Admins detected the attack attempt on Jan 30th and confirmed user reports of malicious texts shortly thereafter.
- **Response Actions:**
1. The attack was "quickly isolated and neutralized."
2. StopICE traced the source of the attack to a personal server linked to a CBP agent in Southern California.
3. Admins utilized "bait" (phony data and fake API keys) to reveal the intruders' locations, names, phone numbers, and network information.
4. StopICE published an alert detailing the attack and provided a list of associated IP addresses and network details to the public/authorities.
5. Admins denied claims of stolen user data (names/addresses), stating this information is not stored.
## Attack Methodology
- **Initial Access:** Direct targeting of the StopICE server. The source does not say which weakness, if any, was exploited, and none should be assumed.
- **Persistence:** Not described. Sending a batch of texts requires access to the outbound messaging path at the time of sending, but nothing in the source shows that access was sustained.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Ineffective. The intruders took the "bait" (phony data and fake API keys) the admins had planted, which exposed their locations, names, phone numbers, and network details.
- **Credential Access:** The attackers claimed to have obtained "login information"; StopICE disputes this, and the claim is unverified.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Attackers claimed to collect user names and addresses, which StopICE denies possessing.
- **Exfiltration:** Data theft claims are unverified; the only confirmed action was **sending unauthorized messages** to the user base.
- **Impact:** Sabotage, reputational damage, and user fear/distress achieved via mass SMS spamming.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** StopICE claims *no* sensitive PII (names, addresses) was compromised because it is not stored. Claims of stolen names/login info circulating on social media are unverified and refuted by the developer. The primary impact relates to the misuse of the communication platform.
- **Operational:** Temporary disruption to the message queueing/alert system, requiring isolation and cleanup.
- **Reputational:** Significant reputational damage stemming from the false claims spread to users ("information sent to authorities") and public accusations against the developer.
## Indicators of Compromise
- **Network Indicators:** StopICE published IP addresses and network details it attributes to the CBP agent and associates. They are not reproduced in this summary.
- **File Indicators:** None specified.
- **Behavioral Indicators:** Mass queuing and sending of alarming text messages that impersonate the StopICE service to its subscribers; social media posts by the attackers claiming that user data had been exfiltrated.
## Response Actions
- **Containment:** The malicious server event was "quickly isolated and neutralized." The source does not say what was done to the SMS sending path beyond that isolation.
- **Eradication:** Not described beyond the isolation above. What StopICE did describe is attribution: tracing the source to the CBP agent's personal server and gathering intelligence on the attackers (IPs, names, phone numbers) through the planted bait.
- **Recovery:** Restoration of trusted service operation and public issuance of alerts to users clarifying the falsehood of the text messages and the source of the attack.
## Lessons Learned
- **Reliance on Third Parties:** The integrity of the user notification system (SMS service) is a critical dependency that, if compromised, allows immediate, high-impact disinformation delivery.
- **Data Minimization Success:** The decision not to store PII like names and addresses mitigated the most severe potential fallout (i.e., identity theft).
- **Counter-Intelligence Value:** Planted "bait" (phony data and fake API keys) proved effective in identifying and gathering actionable intelligence on threat actors who, according to StopICE, included a federal agent.
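The bait technique described under Response Actions and again in the lessons above is, in engineering terms, a honeytoken: a key that looks real, is never used legitimately, and trips an alert the moment anyone presents it. The code below is an added example of that mechanism and is not StopICE's code; it assumes an API backend that authenticates callers with a bearer-style key and writes one JSON object per request to an access log. The field names, the `sk_live_` key format, and the sample log lines are all constructed for the example.

```python
"""Honeytoken ("bait") API keys for an API backend (added example, not StopICE's code).

Assumptions (constructed for this example): callers present an API key, and the
access log holds one JSON object per request with fields ts, client_ip,
user_agent, path and api_key. Any request carrying a decoy key is a
high-confidence intrusion signal, because no legitimate client ever has one.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# fingerprint(decoy key) -> where the decoy was planted. Only hashes are kept so
# the catalogue itself does not hand an intruder a ready list of strings to try.
DECOY_CATALOGUE: Dict[str, str] = {}


def _fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def plant_decoy_key(location: str, prefix: str = "sk_live_") -> str:
    """Mint a decoy that looks like a real provider key and record where it was left."""
    key = prefix + secrets.token_hex(16)
    DECOY_CATALOGUE[_fingerprint(key)] = location
    return key


def is_decoy(key: str) -> Optional[str]:
    """Return the planting location if `key` is a decoy, else None.

    Constant-time comparison on the hash avoids leaking a partial match, even
    though the hashes are not secrets; the habit costs nothing here.
    """
    fp = _fingerprint(key)
    for stored_fp, location in DECOY_CATALOGUE.items():
        if hmac.compare_digest(fp, stored_fp):
            return location
    return None


@dataclass(frozen=True)
class TripwireHit:
    ts: str
    client_ip: str
    user_agent: str
    path: str
    planted_at: str  # which planted decoy was used, i.e. what the intruder read


def check_request(record: dict) -> Optional[TripwireHit]:
    """Inspect one access-log record; return a hit if it carries a decoy key."""
    location = is_decoy(record.get("api_key", ""))
    if location is None:
        return None
    return TripwireHit(
        ts=record["ts"],
        client_ip=record["client_ip"],
        user_agent=record.get("user_agent", ""),
        path=record["path"],
        planted_at=location,
    )


def scan_access_log(lines: Iterable[str]) -> List[TripwireHit]:
    """Run the tripwire over a log; malformed lines are skipped, not fatal."""
    hits: List[TripwireHit] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = check_request(record)
        if hit is not None:
            hits.append(hit)
    return hits


def build_sample_log(decoy_key: str) -> List[str]:
    """Constructed sample: one normal request, one request using the decoy, one broken line."""
    return [
        json.dumps({"ts": "2026-01-30T21:14:02Z", "client_ip": "192.0.2.10",
                    "user_agent": "StopICE-App/3.2", "path": "/v1/reports",
                    "api_key": "sk_live_" + "a1" * 16}),
        json.dumps({"ts": "2026-01-30T21:17:45Z", "client_ip": "198.51.100.23",
                    "user_agent": "curl/8.5.0", "path": "/v1/alerts/send",
                    "api_key": decoy_key}),
        "{not json at all",
    ]


if __name__ == "__main__":
    decoy = plant_decoy_key("config/.env.backup on app server")
    for hit in scan_access_log(build_sample_log(decoy)):
        print(f"TRIPWIRE {hit.ts} ip={hit.client_ip} ua={hit.user_agent!r} "
              f"path={hit.path} read_from={hit.planted_at!r}")
```

Two practical caveats. The decoy has to be plausible to the intruder, so its prefix and length should match whatever the real provider issues, and it must be plumbed into a path that would plausibly work (here, the alert-sending endpoint) so the intruder actually tries it. And the recorded `client_ip` is only as trustworthy as the layer that wrote it: behind a CDN or reverse proxy, log the proxy-supplied client address rather than the proxy's own, or the hit will point at your own infrastructure.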
## Recommendations
- **Fortify Outbound Communications:** Treat the SMS gateway credentials as the most sensitive secret in the system: use scoped, short-lived API keys that are rotated on a schedule, restrict the provider side to known source addresses where the provider supports it, and require a second person to approve any send that goes to the whole subscriber base, so that an intruder who reaches the application server still cannot queue messages to everyone.
- **Enhance Logging/Auditing:** Strengthen logging around administrative and communication endpoints capable of triggering mass user alerts.
- **Legal/Official Reporting:** Immediately follow up on intelligence gathered (IPs, names) by coordinating with relevant federal oversight bodies, given the accusation against a CBP agent.
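The first two recommendations above are one control when implemented: a gate in front of the alert-sending path that checks scope, source address, message template and bulk approval, and writes every decision to a tamper-evident audit log. The code below is an added example of such a gate and is not StopICE's code. The scope names (`sms:send`, `sms:bulk`), the allow-listed addresses, the template names and the phone numbers are all constructed for the example; a real deployment would call the SMS provider only after `authorize` returns an allowed decision.

```python
"""Bulk-alert gate with a hash-chained audit log (added example, not StopICE's code).

Assumptions (constructed for this example): API keys carry scopes such as
"sms:send" and "sms:bulk"; the application knows the source addresses its own
workers send from; alerts are rendered from registered templates rather than
free text; and a send above `bulk_threshold` recipients needs a second person.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Caller:
    key_id: str                 # identifier of the API key, never the secret itself
    scopes: frozenset           # e.g. frozenset({"sms:send"})
    source_ip: str
    approver: Optional[str] = None  # second person who signed off a bulk send


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AlertGate:
    def __init__(self, allowed_ips: Set[str], templates: Dict[str, str],
                 bulk_threshold: int = 50) -> None:
        self.allowed_ips = allowed_ips
        self.templates = templates
        self.bulk_threshold = bulk_threshold
        self.audit: List[dict] = []
        self._prev_hash = "0" * 64  # genesis value for the chain

    def authorize(self, caller: Caller, template_id: str, recipients: List[str]) -> Decision:
        """Decide whether this send may proceed; every decision is logged, allowed or not."""
        decision = self._decide(caller, template_id, len(recipients))
        self._record(caller, template_id, len(recipients), decision)
        return decision

    def render(self, template_id: str, **fields: str) -> str:
        """Only registered templates can be rendered; free-form text never reaches users."""
        return self.templates[template_id].format(**fields)

    def _decide(self, caller: Caller, template_id: str, n: int) -> Decision:
        if caller.source_ip not in self.allowed_ips:
            return Decision(False, "source ip not on allow-list")
        if "sms:send" not in caller.scopes:
            return Decision(False, "key lacks sms:send")
        if template_id not in self.templates:
            return Decision(False, "unregistered template")
        if n > self.bulk_threshold:
            if "sms:bulk" not in caller.scopes:
                return Decision(False, "bulk send needs sms:bulk scope")
            if not caller.approver or caller.approver == caller.key_id:
                return Decision(False, "bulk send needs a second approver")
        return Decision(True, "ok")

    def _record(self, caller: Caller, template_id: str, n: int, decision: Decision) -> None:
        # Each entry commits to the previous entry's hash, so editing or deleting an
        # earlier entry breaks every hash after it and is visible to verify_audit_chain.
        entry = {
            "ts": time.time(), "key_id": caller.key_id, "ip": caller.source_ip,
            "template": template_id, "recipients": n, "approver": caller.approver,
            "allowed": decision.allowed, "reason": decision.reason, "prev": self._prev_hash,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit.append(entry)


def verify_audit_chain(audit: List[dict]) -> bool:
    """Recompute every hash and link; False means the log was altered or truncated in the middle."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    gate = AlertGate({"203.0.113.10"},
                     {"sighting": "StopICE: sighting reported near {area} at {when}."},
                     bulk_threshold=3)
    worker = Caller("app-worker", frozenset({"sms:send", "sms:bulk"}), "203.0.113.10")
    print(gate.authorize(worker, "sighting", ["+15550000001"] * 4))   # denied: no approver
    signed = Caller("app-worker", worker.scopes, "203.0.113.10", approver="oncall-2")
    print(gate.authorize(signed, "sighting", ["+15550000001"] * 4))   # allowed
    print(gate.render("sighting", area="Main St", when="21:10"))
    print("audit intact:", verify_audit_chain(gate.audit))
```

The ordering of checks matters less than their independence: an intruder who lands on the application server is, by definition, on an allow-listed host with access to the worker's key, so the source-address check alone buys nothing in that scenario. The scope split and the second-approver requirement are what stop a compromised worker from messaging the entire subscriber base, and the chained audit log is what lets responders trust the record of what was attempted after the fact. Where the provider offers server-side restrictions (source addresses, per-key sending limits), apply them there as well so that the gate is not the only copy of the policy.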