The Swedish Connection: Unraveling America's Swatting Terror
Who could be responsible for a "months-long, nationwide campaign of dozens, and potentially hundreds, of threats"?
On April 13th, VICE News' Joseph Cox published a startling exposé, unearthing a nefarious Telegram group that performed swatting services for payment. For those unacquainted with the term, "swatting" refers to the malicious act of placing a fabricated emergency call, often reporting a violent crime at a target's home, with the intent of provoking an armed police response.
Cox's article states that a series of false 9-1-1 calls and bomb threats has been made across the United States, allegedly by this individual or group. The unsettling implication is that, since these criminals operate through Telegram, a messaging platform once based in the Russian Federation but now based seemingly nowhere, they appear to remain beyond the reach of U.S. authorities.
Telegram, a widely-used messaging app, was introduced in August 2013 by Russian siblings Nikolai and Pavel Durov, who were also the brains behind the Russian social media platform VKontakte. In 2014, the Durov brothers left Russia after a series of disagreements with the government regarding user data privacy. VK is now controlled by the Russian government, while the Durovs appear to operate Telegram from multiple locations through the use of shell companies in business-privacy-friendly (read: crime-friendly!) locales such as the British Virgin Islands, supposedly to stay "one step ahead" of data subpoenas.
Telegram has come under frequent scrutiny for facilitating communication among criminals, terrorists, and extremist groups, as well as for its role in spreading disinformation and promoting hateful ideologies.
From Slate:
Telegram is fast becoming a preferred platform of last resort for users who run afoul of other sites’ terms of service. Evolving from a peer-to-peer messaging service into one of the world’s largest social media platforms, Telegram takes a hands-off approach to content moderation.
This has made it a haven for groups that are routinely deplatformed from other sites such as white supremacists, anti-government militias, and anti-vaccine activists. While the site’s users skew toward India, Indonesia, Iran, and Russia, Telegram has seen robust worldwide growth in recent years, reaching 700 million users worldwide in June. In many parts of the world, it’s used by basically everyone.
In the course of investigating crimes committed against science fiction author Patrick Tomlinson over the past several years, I began researching the swatting group on Telegram on April 15th, two days after the article was published.
The Telegram chat was abruptly shut down, seemingly due to the increased scrutiny brought about by the media attention wrought by VICE's reporting. As I reviewed the changed Telegram landscape, I captured a few screenshots, downloaded some audio files, and assessed the recent landscape of swatting services offered for sale.
What I eventually found was a garden-variety cybercriminal.
This individual, who could be the one person responsible for a months-long, nationwide campaign involving dozens, and potentially hundreds, of threats, is allegedly one Petter Janse of Stockholm, Sweden, the subject of this investigative report. His unique username, possible connection to the swatting incidents, online activities, and expertise in computer science all circumstantially point towards his potential involvement in this extensive campaign of threats.
The journey to uncovering this individual's identity and connecting the dots forms the crux of this investigative report.
The person who may have been orchestrating these swattings leads a seemingly ordinary life: a devoted partner and father to two young children, a girl and a boy, with the youngest being a recent addition to the family. He works as an application developer, but is currently on parental leave, taking advantage of Sweden's generous family policies. His partner, adopted from Thailand as a child, embarked on a quest to locate her birth parents a few years ago.
Professionally, he is a skilled computer scientist and software engineer with a serious penchant for gaming of various types. His LinkedIn profile boasts a Master's degree in Computer Science, professional proficiency in the English language, and expertise in Artificial Intelligence and Machine Learning. A versatile gamer, he enjoys both PC and tabletop games, meeting up regularly with his friend group in person to compete in a fantasy world.
However, aside from any potential inclination to exploit authorities for personal gain, what distinguishes Janse is his family ties to the realm of diplomacy.
Diana Janse is a notable Swedish diplomat with an extensive 30+ year career serving the Swedish state and taking on assignments across the globe. The senior Janse has held positions such as Sweden's Deputy Director of the Ministry of Foreign Affairs and the Swedish Ambassador to the countries of Georgia, Lebanon, and Mali. She is married to a notable security expert and military veteran.
Are Petter Janse and Diana Janse related?
After coming across the VICE article, I decided to search for swatting services on Telegram using the keyword "swat" (global discoverability is a major feature of the platform). Due to Telegram's lax approach to Trust & Safety and moderation, searching for criminal activities often yields results.
It appeared all relevant searchable accounts had already been deleted, except for the one I had found and joined that day, which, in hindsight, appears, based on timestamps, to have been a "reboot" using a similar group name, not the original group.
This can be an example of a type of "watering hole attack", in which attackers take advantage of, say, a news article exposing a dicey Telegram service to set up their own attracting infrastructure for those who might go looking for the original.
You'll note in the below recent screenshot of a search of "torswats" on Telegram that some other individual(s) attempted to impersonate the original group using slight variations on its name, and that the "Torswats Announcements" group I joined on April 15 had been created on that same day.
The new group, @swatsontelegram1, attempted a strategic redirection, shifting attention away from their previous activities and towards a likely victim of their swatting service: Patrick Tomlinson.
The group's "Kanye/Hitler" theme was also notable.
The screenshot below, captured from a message in the Telegram group I joined on April 15, shows an attempt to dissociate the group from an earlier account.
The bio section claims that the account had been hacked in the past—this assertion could potentially be a diversionary tactic intended to mislead and deflect suspicion.
I was able to identify further detailed evidence of their swatting services sales:
"I can do US and Canada calls. EU is possible (case-by-case basis)"
This suggested to me, for various anecdotal reasons, that the individual involved is likely based in the European Union.
"I accept XMR"
XMR is the symbol for Monero, a low-traceability cryptocurrency which has strong cryptographic protections for anonymity. For other currencies, they wanted to be paid through a decentralized middleman.
Therefore, we can conclude our threat actor is familiar with cryptocurrencies.
"If the target is in the US I can send you a link to listen to dispatch"
Here they appear to be referring to publicly-accessible radio airwaves, and a website which can be used to listen to the police/fire department frequencies in the target's geographic area.
"Prices will be negotiated if it's a major target like a semi-famous streamer or a government building"
They also claim not to record calls using their own voice, and instead use Text-To-Speech technology. However, this could be another attempt to mislead. In reality, a basic voice-changing mobile app can effectively disguise one's voice, enabling successful anonymous phone calls. This is despite VICE's reporting, which suggests that Artificial Intelligence may have been employed in making some of these malicious calls.
I have acquired two audio recordings posted by the individual behind these threats, which offer a glimpse into their methods for accomplishing their nefarious goals: dispatching armed officers with weapons drawn to the unsuspecting homes of innocent people, all the while struggling to suppress laughter.
These recordings serve as important evidence, and it's worth paying attention to any potential traces of a Swedish accent.
Warning: Disturbing content.
In this second recording, shared here with its original filename as uploaded by Patrick Tomlinson's harassers, a chilling call for service is made.
This malicious act not only wastes critical emergency response resources but also serves the sinister purpose of instilling fear in an innocent individual through the digital realm.
Tomlinson has been swatted nearly 40 times over the past 5 years.
A prevalent characteristic among those who are highly active online is the tendency to use the same identifiers and usernames across multiple digital platforms. This habit inadvertently leaves behind a trail of digital breadcrumbs, which can be instrumental when attempting to link disparate accounts around the Internet.
In the case of Petter Janse, this observation holds particularly true. He has maintained a linked network of accounts across the web, each providing valuable insights into who he might be. By meticulously examining these accounts, I was able to piece together some understanding of the man who appears to be consistently behind the username "Dushatar", all around the web.
On Reddit, for example, we can find a few other clues through his active /u/Dushatar account and previously active /u/Janse account:
Invests in the Shiba Inu ($SHIB) cryptocurrency,
Claimed their parent worked for the Swedish state for more than 30 years,
Chats about gaming and tabletop gaming in Sweden, linking directly, and multiple times, to the community gaming Discord shown in the screenshot further down this page, in which his name is shown as Janse with the username "Dushatar#2472".
Through his YouTube channel, which has garnered over 300,000 views mostly for his videos on gaming, we come to understand his feelings for his partner as evidenced by a heartfelt video tribute posted to his channel.
On his public Steam and World of Warcraft accounts, he proudly showcases gaming achievements and prowess across many games.
His involvement with the local tabletop gaming community in Stockholm becomes evident through his interactions on Discord, where he actively engages in discussions and organizes meetups.
I found this comment on a gaming forum, which clearly shows a Petter Janse with the Swedish flag using the username "@Dushatar".
As you can see, there is much consistency with this online persona, and I was able to eliminate any other major users of this username.
It seems likely we have connected the identity of "Dushatar" to Petter Janse, whose skillset and profile of a person with technical skill who trades cryptocurrency and lives in the E.U. are directly aligned with the "Dushatar" identity from the Telegram swatting group chat.
Lastly, I sought to make a visual confirmation that Petter Janse was likely to be related to Diana Janse in some capacity.
By allegedly engaging in criminal activities, Janse may have inadvertently drawn attention to himself and exposed his own identity in connection to the swattings, ultimately jeopardizing the very privacy he might have once leveraged to allegedly conduct swatting attacks on U.S., Canadian, and European soil.
As cases of technology-enabled abuse like these continue to surface, it becomes increasingly evident that the battle against cybercrime is far from over, and our collective response must evolve to counter the ever-changing tactics of malicious actors.
It is my hope that my reporting will contribute to the resolution of these issues. The victims of such crimes do not deserve the suffering they've endured, in part due to the unethical, illegal, and immoral actions taken online and in part due to the failure of policymakers and law enforcement to effectively address both the root causes and consequences of these offenses.
Thank you for reading.
Please share this widely with your network, as raising awareness and initiating conversations about these issues can contribute to finding solutions and supporting the victims of such crimes.
Together, we can work toward a safer and more responsible online environment.
UPDATES
26-April-2023 0200 AM ET
The threat actor spent several hours tweeting at me today from the account @Dushatar_, which was not previously identified in this report, and was repeatedly offered an opportunity to provide a statement. He denied his involvement but did not contact me as suggested.
In response, the admin of the Telegram group @swatsontelegram1 posted three separate recordings targeting me personally and describing their "illegal" weapons.
The voice on the following recordings sounds identical to the voice which swatted Patrick Tomlinson in the recording above.
Audio Files (Original .ogg format): https://drive.google.com/drive/u/1/folders/1gr4C2b3PsE5FU6KvoKs_HYPgS4ZdTMQ2
Transcript:
"What if I do something to every Jackie Singh in the United States to prove that someone with the same name doesn't equal some with eh, the same person behind it, same identity"
"And you know what, you should probably have better evidence before you go out accusing random people of being me, you know. I'm, I'm not Dushatar"
"I mean, I don't think you give a fuck about (?) being fucked over considering your ethnicity. And that really sucks. And you know what. You can arrest Dushatar, you can try to do whatever you want with the Swedish guy, and, um, as for me, I do have an AR-15 at home and a Glock-17 that I got illegally, so, you gotta contend with that"