# Incident Report: Voluminous Swatting Campaign and Self-Targeting Hoaxes
## Executive Summary
An individual, Alan Filion, operated an organized "swatting as a service" for profit, executing 375 malicious hoax calls (threats of gas leaks, fires, bomb threats, and mass shootings) across the US, UK, and Canada between August 2022 and January 2024. The incident escalated when Filion tested his methods by targeting his own home multiple times to study and optimize law enforcement response severity. The primary impact was significant public safety resource drain, civilian terrorization, and potential operational shutdowns of targeted locations, leading to the perpetrator's identification and pending federal sentencing.
## Incident Details
- **Discovery Date:** Not specified; the campaign came to light through law enforcement tracking and the investigation that led to the arrest.
- **Incident Date:** August 2022 – January 2024 (period during which the service was active).
- **Affected Organization:** Numerous private residences, schools (e.g., Skagit County School), and public locations across the US, UK, and Canada.
- **Sector:** Not applicable (individuals and institutions were targeted via hoax public safety threats).
- **Geography:** US, UK, and Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting August 2022.
- **Vector:** Not specified; the calls were placed through platforms offering anonymous VoIP and text-to-speech services.
- **Details:** Filion began offering "swatting as a service" via social media advertisements, ranging from $40 for a gas leak to $75 for a bomb threat.
### Lateral Movement
- **Details:** Not applicable in the network sense; the campaign consisted of external hoax calls rather than intrusion into any network. The equivalent activity was the use of multiple VoIP services, VPNs, and text-to-speech applications to mask the true origin of the calls made to emergency services.
### Data Exfiltration/Impact
- **Details:** The primary impact was the massive deployment of emergency services (police, bomb squads, fire/EMS) based on credible-sounding threats (e.g., school shootings, bomb threats). Filion aimed to create extreme scenarios to ensure police extracted victims and searched homes aggressively. He specifically targeted a school multiple times, falsely naming a student as the perpetrator. In late 2022, he executed **self-swatting** calls to perfect his attack methodology.
### Detection & Response
- **Details:** The volume and pattern of hoaxes eventually led to an investigation, resulting in the identification and subsequent prosecution of Alan Filion. He faces four years in federal prison.
## Attack Methodology
- **Initial Access:** Use of commercial VoIP services and text-to-speech applications to anonymize the source of the calls.
- **Persistence:** Maintenance of service offering across social media platforms over an extended period (17 months).
- **Privilege Escalation:** Not directly applicable; focused on exploiting emergency response systems.
- **Defense Evasion:** Extensive use of VPNs and anonymized communication channels to prevent traceback by law enforcement.
- **Credential Access:** Not applicable; no indication of typical network credential theft.
- **Discovery:** The perpetrator conducted reconnaissance by performing "self-swatting" calls to gauge and document the precise level of police reaction to his specific "scenarios."
- **Lateral Movement:** Not applicable in the network sense; the nearest analogue is the campaign spanning multiple geographic jurisdictions (US, UK, Canada).
- **Collection:** Gathering requirements and pricing for various threat levels from his customer base ("swatting for hire").
- **Exfiltration:** Not applicable in the traditional sense; the activity was execution, not theft.
- **Impact:** Terrorization of victims, massive waste of public safety resources, operational shutdowns (schools).
## Impact Assessment
- **Financial:** Costs related to the deployment of police, fire, and EMS resources for 375 incidents. Monetary gain for Filion from service fees.
- **Data Breach:** No customer/organizational data breach reported; impact was operational disruption and threat to life based on false information.
- **Operational:** Multiple instances of school lockdowns and building searches, significant disruption to public services.
- **Reputational:** Significant negative impact on the reputation and feeling of safety for targeted victims and communities.
## Indicators of Compromise
Because the attack consisted of VoIP calls, no specific technical IoCs are available; the indicators below are behavioural and TTP-level:
- **Network indicators:** Repeated use of anonymizing services (VoIP, known VPN exit nodes) originating calls to US, UK, and Canadian emergency services lines.
- **File indicators:** None reported.
- **Behavioral indicators:** An escalating menu of threats (gas leak → bomb → mass shooting) offered commercially; self-testing of the attack methodology against the perpetrator's own address.
## Response Actions
- **Containment measures:** Identification and apprehension of the perpetrator, Alan Filion.
- **Eradication steps:** Disruption of his "swatting as a service" operation following his identification.
- **Recovery actions:** Not specified, but implied remediation for the numerous agencies and victims affected by the 375 false reports.
## Lessons Learned
- **Key takeaways:** Organized crime can form around exploiting 911/emergency service infrastructure disguised as "services for hire." Testing methods against oneself is a key step in refining disinformation tactics for maximum impact.
- **What could have been done better:** Improved cross-jurisdictional cooperation between law enforcement agencies to rapidly identify and shut down serial, low-effort but high-impact malicious communications operations.
## Recommendations
- Enhance monitoring and tracing capabilities for high-volume, voice-based threats originating from commercial VoIP and text-to-speech (TTS) platforms to expedite identification of malicious actors.
- Implement stricter Know Your Customer (KYC) protocols for VoIP services that allow rapid, anonymous mass dialing.
- Conduct regular training drills simulating extreme, coordinated swatting events to test emergency response readiness and traceback procedures.