Skip to content

Here are the rules:

Never break the law

Avoid reporting to the police unless someone is in physical danger

Don't do this from home: use a VPS, shell account, or bouncer

Never reveal any personally identifiable information

If you make a phone call, use a company phone to hide your number

If you send an email, use a disposable email or company email

If you visit a shady website, disable all javascript

Setting up irssi to connect via tor:

$ tmux
$ doas pkg_add tor torsocks irssi
$ doas rcctl enable tor
$ doas rcctl start
$ torsocks irssi
/set real_name <realname>
/set user_name <username>
/set nick <nick>
/set ctcp_userinfo_reply mIRC 7.61
/set ctcp_version_reply mIRC 7.61
/set autolog on
/save

You can use something besides mIRC 7.61 for the ctcp reply. Just pick something realistic looking besides irssi.

In order to infiltrate a criminal network, you will need to do some research. Figure out what they are interested in (ddos attacks, phishing, credit card fraud, spamming). Try to understand what language they speak, what they are passionate about, and see if you can strike up a conversation with them. This helps build trust so they will be willing to share more information.

Use a little creativity. Don't commit any illegal crime, don't suggest they commit any crimes. However, feel free to chat with them, ask them how they are doing, what hobbies they enjoy etc. Try to ask them for information to learn more about them, but...be subtle, be subtle# I recommend you avoid lying. However, you are welcome to change your persona. Use a new dialect. If you normally chat using formal English, use lots of slang. Talk like someone their age. Spell things wrong on purpose if it helps you fit in. Go ahead and use bad grammar if it helps. Feel free to use Google translate for the conversation. Have fun!

First, make sure you have proof they have committed a real crime. If there is no evidence, then stop collecting logs. If there is proof, then collect as much data as you can. Make sure you have logging turned on. Figure out what networks they join, what software they use, what servers are their hubs. Data you want to collect:

Real legal name

Age, date of birth, phone number, home address, social media accounts

Business, education background, what software they use (irc daemons, irc clients, irc bots)

What crime networks they collect to. IP addresses, domain names

Their criminal friends

Source code of the software they use

Document everything.

Your biggest tool is your brain. Look for clues. For example, use /list to figure out what are the channels inside the network. Join some of them and see who is around. Are there any bots? What are their IP addresses? Who hosts them? Type /who #channel to list all the users within a channel. Type /names to see all the users in a channel. Type /whois username to get more info about a user. However, be careful, as some ircds may notify the admin when a user runs the /whois command. It helps to hang around in a channel for a few weeks.

For example, suppose you found the IP 1.2.3.4 is hosting an IRC command and control botnet for crime. You can run:

$ whois 1.2.3.4
VPS Hosting Generic VPS-INC (NET-1.2.3.4) 1.2.3.0 - 1.2.6.0

This tells you that the server is hosted with Generic VPS, inc. So, head over to Generic VPS's website and go to their abuse page and contact them. Send them an email to support@ or abuse@example.com, call their phone, chat with them on live chat, fill out a support ticket. Do whatever it takes to let them know that their customer is using the VPS for illegal purposes and needs to be shut down.

Suppose you realize that the domain example.com is being used for the illegal botnet:

$ whois example.com
Domain Name: EXAMPLE.COM
Registry Domain ID: D1234567890
Registrar WHOIS Server:
Registrar URL: http://www.genericregistrarexample.com
Updated Date: 2020-05-06T00:41:36Z
Creation Date: 2018-04-15T05:08:12Z
Registry Expiry Date: 2021-04-15T05:08:12Z
Registrar Registration Expiration Date:
Registrar: Generic Registrar Ltd
Registrar IANA ID: 12345678
Registrar Abuse Contact Email: feedback@genericregistrarexample.com
Registrar Abuse Contact Phone: +1234567890
Reseller:
Domain Status: ok https://icann.org/epp#ok
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registrant Organization: Hacker Inc
Registrant State/Province: CA
Registrant Country: US
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2020-05-07T13:23:58Z <<<

This tells us that the domain example.com was registered by Hacker Inc with the registrar http://www.genericregistrarexample.com, and that abuse should be reported to feedback@genericregistrarexample.com. So, go to that website, file an abuse report, send them an email, go on live chat with them, make a phone call -- do whatever it takes to get their attention to take the server offline. In one particular case, I had to email the registrar 6 times, filed 6 tickets, made 3 phone calls, and went on live chat twice. It took me over two weeks. But finally the domain got suspended.

Suppose you see one of the criminals joining like this:

14:25 -!- hacker [thief@shell.example.com] has joined #illegal

Based on his vhost mask, you can tell that he's connecting from shell.example.com . Use a browser with Javascript turned off (perhaps using noscript or umatrix) and visit the site on your web browser. You find out that this is a free shell hosting provider. So contact that shell provider's email, phone, and IRC until he closes the account. Make sure you notify him of the ident (in this case thief) and not just the nick (hacker). The ident is the word that comes right before the @ sign. If the shell provider doesn't respond, then you can do this:

$ dig shell.example.com
; <<>> DiG 9.4.2-P2 <<>> shell.example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39025
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;shell.example.com.       IN      A
;; ANSWER SECTION:
shell.example.com. 300    IN      A       192.168.0.1
;; Query time: 295 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:01:41 2020
;; MSG SIZE  rcvd: 57

This tells you that the IP address for the server is 192.168.0.1. So you then run:

$ whois 192.168.0.1
OrgName:        Cloud
OrgId:          CLD
Address:        123 Nowhere St
City:           Nowhere
StateProv:      NY
PostalCode:     12345
Country:        US
RegDate:        2008-04-24
Updated:        2019-06-28
Comment:        http://www.completelyrandomcloudexample.com
Ref:            https://rdap.arin.net/registry/entity/LINOD
OrgNOCHandle: LN1234567-ARIN
OrgNOCName:   Cloud Network Operations
OrgNOCPhone:  +1-234-567-8900
OrgNOCEmail:  support@completelyrandomcloudexample.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/LN1234567-ARIN
OrgAbuseHandle: LAS1234567-ARIN 
OrgAbuseName:   Cloud Abuse Support
OrgAbusePhone:  +1-234-567-8900
OrgAbuseEmail:  abuse@completelyrandomcloudexample.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/LAS12-ARIN
OrgTechHandle: LNO1234567-ARIN
OrgTechName:   Cloud Network Operations
OrgTechPhone:  +1-234-567-8900
OrgTechEmail:  support@completelyrandomcloudexample.com
OrgTechRef:    https://rdap.arin.net/registry/entity/LNO21-ARIN

This shell provider uses a Cloud VPS. So, contact Cloud's abuse and support email, phone number, and go to their IRC channel. I spent about two hours chatting over IRC and sent around 4 emails. Do what it takes to make sure Cloud and the shell provider close the guilty accounts.

Sometimes you have an IP but you don't know who owns it. You can run this:

$ dig -x 192.168.0.1
; <<>> DiG 9.4.2-P2 <<>> -x 192.168.0.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.     IN      PTR
;; ANSWER SECTION:
1.0.168.192.in-addr.arpa. 86400 IN     PTR     criminal.example.com.
;; Query time: 4943 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:05:55 2020
;; MSG SIZE  rcvd: 80

This tells you that the domain name is criminal.example.com.

Once you get this basic information, use a search engine to gather more. Search their name, their network, their websites -- look for any software they might have written, anything about them that might be useful. Their nicknames might show up on old logs, they might have malware associated. This research is very important for proving someone is guilty of a crime.

In your email, make sure to document the crime clearly and provide clear evidence. Use screenshots, videos, chat logs, whatever is most effective.

Make sure that any screenshots or videos you send do not contain any of your personal information# Double check for your own safety. If you want, you can first email to abuse@ircnow.org so our team can take a look.

When you start filing reports, make sure you go in this order:

Take down domains

Take down irc servers

Take down shell accounts / bouncers used by admins/criminals

Finally, take down stolen servers and bots used for stealing

There are reasons why we must follow this order. Many times, when you report abuse, the providers won't trust your logs and will want to verify the crime in person. If you take down the bots and IRC servers before the admin can log in, he will be unable to see any evidence and he may think you are lying. Therefore, you want to preserve as much evidence as possible until the last moment.

The reason we take down domains first is because it causes the most disruption while still allowing you to connect to the IRCd for further spying. Afterwards, we can cause netsplits by taking down the IRC servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. Once you take these down, you will be unable to do anything else.