Full Report
Alan Filion, believed to have operated under the handle “Torswats,” admitted to making more than 375 fake threats against schools, places of worship, and government buildings around the United States.
Analysis Summary
# Incident Report: Nationwide Swatting Spree and Hoax Threats by "Torswats"
## Executive Summary
An 18-year-old California resident, Alan Winston Filion (operating as "Torswats"), pleaded guilty to making hundreds of interstate threats via false bomb and shooting hoaxes targeting schools, religious institutions, and high-profile officials across the US between August 2022 and January 2024. The incidents caused widespread panic, required massive law enforcement responses, and resulted in federal charges related to making threats of violence. The perpetrator was initially identified and tracked by a private investigator hired by victims.
## Incident Details
- **Discovery Date:** Ongoing investigation, initial federal charges announced in early 2024 (related activity spanned from August 2022).
- **Incident Date:** Approximately August 2022 to January 2024.
- **Affected Organization:** Numerous high schools, courthouses, religious institutions (including Masjid Al Hayy Mosque), law enforcement agencies, and prominent government officials (e.g., Secretary Mayorkas, Director Easterly, Senators/Representatives).
- **Sector:** Multi-sectoral (Education, Government, Religious, Law Enforcement).
- **Geography:** Nationwide (spanning multiple states, including Florida, Georgia, and California).
## Timeline of Events
### Initial Access
- **Date/Time:** Began around August 2022.
- **Vector:** Telephone/VoIP communications used to place hoax distress calls (swatting calls).
- **Details:** Filion, as "Torswats," initiated over 375 swatting calls, often fabricating detailed scenarios involving armed individuals, pipe bombs, and hostages.
### Lateral Movement
*Not applicable in the traditional sense of network intrusion; the "lateral movement" here refers to the geographical and target expansion of the threat calls.*
- **Progression:** Started with localized incidents (e.g., Florida) and escalated to target high-profile national political figures (US Senators, DHS Secretary) between December 2023 and January 2024.
### Data Exfiltration/Impact
- **Impact:** Law enforcement resources were heavily diverted responding to credible-sounding threats of mass violence, creating profound fear and chaos among victims and the public.
- **Stolen Data:** Not the primary outcome, but digital artifacts (IP addresses, usernames) were crucial in the investigation against Filion.
### Detection & Response
- **Detection:** The activity was initially tracked by private investigator Brad Dennis ("Cafrozed"), hired by Twitch stars targeted by Torswats. Dennis used social engineering tactics on platforms like Telegram and Tox to capture Filion's IP address and digital identifiers.
- **Response:** An FBI raid followed the "Grand Offensive" in January 2023, after the devices involved had been identified. Filion was arrested and extradited to Florida. Federal charges were subsequently brought against Filion and two European associates (Tomasz Szabo and Nemanja Radovanovic).
## Attack Methodology
- **Initial Access:** Social engineering over VoIP/phone systems, posing as a perpetrator claiming responsibility for imminent violence.
- **Persistence:** Continued activity even after the January 2023 FBI raid, as demonstrated by a bomb threat in November 2023.
- **Privilege Escalation:** Not applicable (non-network breach).
- **Defense Evasion:** Operating under several aliases ("Torswats," "Paimon Arnum") and utilizing encrypted/peer-to-peer services (Tox, Telegram) to obscure identity.
- **Credential Access:** Not the primary vector, though Filion admitted to orchestrating attacks and supplying target information obtained online.
- **Discovery:** Targeted reconnaissance likely involved gathering public or semi-public information (addresses, phone numbers) of specific politicians and institutions.
- **Lateral Movement:** Geographic expansion across the US.
- **Collection:** Gathering target data (names, addresses) to formulate convincing swatting calls.
- **Exfiltration:** Information regarding the schemes was often shared internally within the underground Telegram/Discord groups.
- **Impact:** Massive deployment of emergency services, psychological trauma to victims, and endangerment of first responders.
## Impact Assessment
- **Financial:** Not explicitly detailed, but the hundreds of high-level law enforcement deployments nationwide imply massive response costs.
- **Data Breach:** No large-scale data exfiltration reported; the impact was operational and physical disruption.
- **Operational:** Significant disruption to operations at targeted schools, government offices, and residences.
- **Reputational:** Damage to the public image of targeted officials and institutions due to perceived vulnerability.
## Indicators of Compromise
*Because this was a threat-based incident rather than a network intrusion, traditional IoCs are limited; those listed focus on the perpetrator's digital footprint:*
- **Network indicators (Defanged):** IP addresses associated with the Torswats account linked to Tox/Telegram activity (as captured by the PI).
- **File indicators:** None specified in the context.
- **Behavioral indicators:** Placing emergency calls containing specific, highly detailed threats of mass violence (e.g., confessing to killing a spouse with an AR-15, demanding ransom).
## Response Actions
- **Containment:** Arrest and extradition of Alan Filion; federal charges filed against co-conspirators.
- **Eradication:** Takedown of the Torswats online infrastructure through digital evidence gathering coordinated by law enforcement (utilizing data gathered by the PI).
- **Recovery:** Victims receiving post-incident support; authorities reaffirming commitment to prosecuting swatting incidents.
## Lessons Learned
- **Key Takeaways:** The scale and coordination involved in modern swatting operations can cross international lines and involve ideological motivations (alleged link to O9A cult seeking to disrupt "the system").
- **What could have been done better:** Earlier federal intervention might have stopped the activity sooner, although the private investigator played a crucial role in exposing the digital footprint quickly.
## Recommendations
- **Prevention Measures for Similar Incidents:** Enhance monitoring and rapid verification protocols for high-threat emergency calls targeting critical infrastructure or officials. Improve inter-agency communication regarding threats identified in private social media channels (like Telegram groups dedicated to illicit activities).