Wednesday, August 03, 2011

Blackmail Tweets - The Dark Side of Social Media

I'm a fan of Duncan Bannatyne OBE. That's right - he was awarded the Order of the British Empire for services to charity, especially children's charities. He's done a skydive for a little-known charity for amputee servicemen. He's not just a dour Dragon, he's a man who demonstrates integrity, passion and drive.

As a parent, I fully share and understand his anger and his reactions when some semi-evolved cretin decides to have a bit of fun at his expense by tweeting threats to his daughter and demanding cash.

Unfortunately for Duncan, the police and anybody else hit by this type of demented publicity seeking, this seems to be one of those cases where nobody in the tweetosphere has stopped to engage brain before putting Google into gear.

There is little to go on; a Moscow "internet cafe" IP, a few pastebin.com uploads, the name "Yuri Vasiliev".

From that, the public, possibly egged on by the thought of a share in a sizeable reward, have "found" the culprit. With the accuracy and lack of bias generally demonstrated by a torch and pitchfork wielding lynch mob, they have thrown real identities to the wolves.

Now, I have no idea if the freelance artist/web designer Yuri Vasiliev or the basketball player Yuri Vasiliev is the individual involved in the threatening tweets. But somehow, I doubt it.

Firstly, internet cafes are not secure. Key loggers, trojans and bots have a welcome home on internet cafe PCs and not all cafes have a system administrator devoted to their computers' wellbeing. It's possible that the Moscow IP is a proxy IP and is being used by others as part of an anonymised route through t'Interweb.

Secondly, how many blackmailers traditionally sign their real name to a very public blackmail threat? That's on the same evolutionary scale as posing for the security camera when you rob a bank.

Thirdly, look at the source of the blackmail notes. Pastebin.com is the repository used by lulzsec, anonymous and others to promulgate hacked datasets. Would that be the first choice for a basketball player turned blackmailer? Or would it be the first choice of a spotty script kiddie with minimal emotional intelligence?

Fourthly, and with no disrespect to Duncan Bannatyne, that's a paltry sum of money to demand from somebody capable of offering £30,000 as a reward for information. I credit Duncan with the brains to work out that he's dealing with amateurs here; I think the £30k reward was deliberately chosen to lure this infantile blackmailer's mates out into the open.

Next, the email address. Despite the "imail.ru" domain being used in the blackmail notes, most amateur detectives went hunting for mail.ru email addresses. Oops.

Imail.ru is one of the alternative domains offered by email.ru for a free email address. Email.ru is, in turn, owned by EDN Sovintel. Guess what? There's an English signup too. You don't need to live in Russia to get an imail.ru address.

Why do I think the English signup important?

Take a look at the wording of the threats, and then look at the metre. There is a certain metric inevitability about the English which is not there in Russian.

The metre appears to be similar (perhaps deliberately so) to some of the statements made by the Anonymous group via either "open letters" or their Twitter account @Anon_Central. "You should have expected us" was tweeted by Anonymous after the Sony hack in March 2011 and can be seen in this open letter to BMI. "We do not give up" is a quote from a video allegedly posted by a member of Anonymous on YouTube. "Expect us" is seen as Anonymous's calling card quote.
 
Then there's the copycat syndrome. A developer called Andrew Fairbairn demonstrated how easy it was to clone a pastebin item by replacing the words "Yuri Vasiliev" with the words "Brett Williams", thus adding to the whole mess. Brett Williams is one of the more inflammatory contributors on a Facebook wall page. Judging by Mr. Fairbairn's tweets, Brett reacted in a predictably irate manner. It seems @AndrewFairbarn did the same with the cloned item using the name "Jack Hundley".

Finally, the style of the tweets intrigues me. If you send tweets via twitter.com, it doesn't add in random quotation marks. If you tweet via your phone, it doesn't add in random quotes either.

But if you submit each part of the message via a command line script, it would be easy to add in one set of double quotes too many.

Looking at the tweets from that standpoint, each double quote marks the start of a new command line submission. Creating a tweetable command line version of a twitthis short url requires some basic OAuth scripting knowledge, then just put the following code in front of the url you want to shorten or mask: http://twitthis.com/twit?url=http%3A%2F%2Fwww. All in all, you're looking at some sort of shell script with typos.
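As an added example (not code from the original post), here is a small Python helper an analyst could run over tweet text to apply the two observations above: it flags tweets whose double quotes are unbalanced and splits them at the quote boundaries, and it builds the twitthis masking link to confirm that percent-encoding "http://www." yields the "http%3A%2F%2Fwww." prefix quoted here. The sample tweets and the example.com URL are constructed.

```python
from urllib.parse import quote

# Prefix exactly as quoted in the post; used as the check target below.
TWITTHIS_PREFIX = "http://twitthis.com/twit?url="


def stray_quote_segments(tweet: str) -> list[str]:
    """Split a tweet with an odd number of double quotes into its segments.

    Hand-typed tweets from the web or phone client normally carry quotes in
    pairs. An odd count is the "one set of double quotes too many" pattern the
    post attributes to a command-line script, so each quote is treated as the
    boundary of a separate submission. Balanced tweets return an empty list.
    """
    if tweet.count('"') % 2 == 0:
        return []
    return [part.strip() for part in tweet.split('"') if part.strip()]


def flag_scripted(tweets: list[str]) -> dict[str, list[str]]:
    """Map each suspicious tweet to its presumed segments (triage view)."""
    flagged = {}
    for tweet in tweets:
        segments = stray_quote_segments(tweet)
        if segments:
            flagged[tweet] = segments
    return flagged


def twitthis_link(url: str) -> str:
    """Build the masking link the post describes: prefix + percent-encoded URL.

    safe="" forces ':' and '/' to be encoded as well, which is what turns
    'http://www.' into the 'http%3A%2F%2Fwww.' the post quotes.
    """
    return TWITTHIS_PREFIX + quote(url, safe="")


# Constructed sample tweets (not the real ones): one hand-typed with a quoted
# phrase, one with a stray third quote of the kind the post describes.
SAMPLE_TWEETS = [
    'He said "we do not give up" and left it there.',
    'Pay "by Friday "or the story goes public" expect us',
]

if __name__ == "__main__":
    for tweet, segments in flag_scripted(SAMPLE_TWEETS).items():
        print(f"{segments!r} <- {tweet!r}")
    print(twitthis_link("http://www.example.com/some/page"))
```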

I'd hazard a guess that we're looking at another young hacker. Of course, I could be wrong. I'm not a programmer myself, but this looks more like the work of a techie than any of the proposed "suspects".

In the meantime, there appear to have been no more actual threats; I sincerely hope that this means the police are closing in on the charmer who thinks this is an easy way to get an income online.

My best wishes to Duncan and his family. I hope they get this guy soon.