Full Report
The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.
Analysis Summary
# Incident Report: Spokane School Swatting Attack
## Executive Summary
On a Wednesday morning in May 2023, emergency dispatchers in Spokane, Washington, received a highly credible hoax call reporting an active school shooter ("Wayne") at Central Valley High School. The call, characterized by immediate threats and audible automatic gunfire sounds, triggered a massive, real-time law enforcement response involving over 50 units and a lockdown for the high school and a nearby daycare. The incident was ultimately determined to be a sophisticated swatting attack, causing severe operational disruption, significant panic, and subsequent professional distress to the responding personnel.
## Incident Details
- **Discovery Date:** May 2023 (Specific date not provided, based on the report)
- **Incident Date:** Wednesday morning, May 2023, around 10:00 AM
- **Affected Organization:** Spokane Regional Emergency Center (911/Emergency Dispatch) and Central Valley High School.
- **Sector:** Government / Emergency Services (Public Safety)
- **Geography:** Spokane, Washington (Veradale area)
## Timeline of Events
### Initial Access
- **Date/Time:** Wednesday morning, May 2023, ~10:00 AM
- **Vector:** Telephone call via publicly listed regional emergency line.
- **Details:** Caller identifying as "Wayne" reported being armed with an AK-47 and intending to kill everyone at Central Valley High School and responding police officers.
### Lateral Movement
*Not applicable or explicitly detailed in this incident, as the primary action was the immediate dispatch based on the initial, urgent communication.*
### Data Exfiltration/Impact
- **Details:** The primary impact was the generation of fear, immediate deployment of emergency resources (50+ units), and lockdown procedures implemented at Central Valley High School and a nearby daycare facility. No actual physical harm or shooting occurred; the incident was a hoax.
### Detection & Response
- **How it was discovered:** An emergency dispatcher (Sarah Jones) received the call, realized the high probability of a threat, and heard sounds resembling automatic gunfire.
- **Response actions taken:**
1. Immediate alert broadcast to all regional police units.
2. Dispatcher Jones attempted to de-escalate and confirm the shooter's location.
3. Supervisor Andrea Lombard concurrently alerted a nearby daycare center to initiate lockdown.
4. Over 50 law enforcement units converged on Central Valley High School for an active shooter response.
5. Subsequent physical search of the school revealed no shooter or evidence of gunfire.
## Attack Methodology
- **Initial Access:** Social engineering via a direct voice call to an emergency dispatch line.
- **Persistence:** Not applicable, the impact was immediate.
- **Privilege Escalation:** Exploiting the inherent trust and urgent nature of 911/emergency services.
- **Defense Evasion:** Simulating distress and the sound of automatic gunfire to force a full-scale response.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable, the attacker initiated contact.
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable.
- **Exfiltration:** Not applicable.
- **Impact:** Causing mass casualty event mobilization (swatting).
## Impact Assessment
- **Financial:** Significant costs associated with the deployment of over 50 emergency law enforcement units, though specific figures are not provided.
- **Data Breach:** None reported.
- **Operational:** Severe disruption to the Spokane Regional Emergency Center and high levels of stress/trauma experienced by dispatchers (Jones and Lombard). Physical lockdown of a high school and nearby daycare.
- **Reputational:** Damage to the dispatcher's sense of security and trust, and potential damage to public confidence if the nature of the attack became widely known quickly.
## Indicators of Compromise
- **Network indicators:** Publicly listed regional emergency telephone line utilized.
- **File indicators:** None reported from the actual attack; however, the attacker may have hidden their true location via standard VoIP spoofing techniques (implied by the nature of the swatting).
- **Behavioral indicators:** Caller ("Wayne") used an unnaturally deep, slow voice; made explicit, detailed threats; and introduced auditory evidence (simulated gunfire).
## Response Actions
- **Containment measures:** Immediate broadcast of the high-level threat alert; physical response by law enforcement presence exceeding 50 units.
- **Eradication steps:** Discovery that the threat was false allowed for the termination of the active response phase.
- **Recovery actions:** Personnel counseling/debriefing implied due to the traumatic nature of the event (especially for Jones).
## Lessons Learned
- **Key takeaways:** Traditional emergency dispatch systems remain critically vulnerable to sophisticated social engineering combined with auditory deception (simulated gunfire) to induce massive resource deployment (swatting).
- **What could have been done better:** The article notes the FBI was aware of the perpetrator ("Torswats") but failed to prevent the attack, indicating a failure in proactive threat mitigation against known actors engaged in swatting sprees.
## Recommendations
- Enhance pre-screening protocols for calls reporting active violence, especially those involving unique vocal characteristics or staged evidence, perhaps requiring secondary verification methods where feasible without delaying response to genuine emergencies.
- Improve cross-agency information sharing and proactive intervention regarding known actors engaged in widespread swatting campaigns to prevent recurrence.
- Provide robust, immediate psychological support for emergency services personnel who handle events perceived as life-or-death confrontations.