ProtonMail has helped law enforcement identify one of the members of the Apophis Squad, a group that has made bomb threats and launched distributed denial-of-service (DDoS) attacks against many organizations.
The U.K. National Crime Agency (NCA) announced this week that a 19-year-old from Hertfordshire was arrested on August 31. The teen, George Duke-Cohan, remains in custody after he pleaded guilty to three counts of making hoax bomb threats.
Duke-Cohan is said to be the leader of Apophis Squad, which has sent bomb threats to thousands of schools in the United Kingdom and the United States. The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.
While the charges in the U.K. focus on the hoax bomb threats, Apophis Squad is also known for launching DDoS attacks against encrypted email provider ProtonMail, cybersecurity journalist Brian Krebs, the DEF CON hacking conference, and government agencies in several countries. Its attacks and DDoS-for-hire services have apparently been inspired by the notorious Lizard Squad, whose members were also identified and charged by authorities.
ProtonMail reported in late June that it had been hit by a significant DDoS attack that caused some delays in the delivery of emails. The organization initially said a group linked to Russia had been behind the attack – Apophis Squad’s Twitter account claims the group is from Russia – but Radware, which helped ProtonMail mitigate the attack, later clarified that the attackers were actually based in the U.K.
In a blog post published on Thursday, ProtonMail Founder Andy Yen revealed that his organization helped authorities identify Duke-Cohan and other members of his group after learning that they had all been using ProtonMail.
It turns out that while Duke-Cohan and others claimed law enforcement would never be able to find them, they actually had poor operational security (opsec) practices and they even allowed their own servers to be breached.
Evidence collected from its own systems by ProtonMail and information from Brian Krebs helped identify Duke-Cohan as a member of Apophis Squad in the first week of August. However, British police only arrested him in late August after he threatened to make more bomb threats once school started in September.
The Twitter account used by Apophis Squad has not been active since August 31.
“We believe further charges are pending, along with possible extradition to the US,” Yen said.
ProtonMail aims to protect the privacy of its users, but warned that it does not protect individuals involved in criminal activities.
“That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” Yen said. “In recent weeks, we have further identified a number of other individuals engaged in attacks against ProtonMail, and we are working with the appropriate authorities to bring them to justice.”