Improve your detection and simplify moderation - in one AI-powered platform.
Stay ahead of novel risks and bad actors with proactive, on-demand insights.
Proactively stop safety gaps to produce safe, reliable, and compliant models.
Deploy generative AI in a safe and scalable way with active safety guardrails.
Online abuse has countless forms. Understand the types of risks Trust & Safety teams must keep users safe from on-platform.
Protect your most vulnerable users with a comprehensive set of child safety tools and services.
Our out-of-the-box solutions support platform transparency and compliance.
Keep up with T&S laws, from the Online Safety Bill to the Online Safety Act.
Over 70 elections will take place in 2024: don't let your platform be abused to harm election integrity.
Protect your brand integrity before the damage is done.
From privacy risks, to credential theft and malware, the cyber threats to users are continuously evolving.
Stay ahead of industry news in our exclusive T&S community.
In recent years, the once obscure abuse tactic of swatting has gained popularity. But while the FBI estimates over 1000 attacks each year, little is known about where these attacks originate and what the online ecosystem can teach us about them. ActiveFence research uncovers how swat attacks have become a core abuse tactic for white supremacist groups, and the role of various online platforms in their planning and execution.
Swatting, an act which has already caused the death of innocent people, is concerning many, from law enforcement agencies, to religious institutions, hospitals, journalists, protected minorities, educational institutions, and more.
But in order to assess the risk, it is first important to understand what swatting is. The US Department of Justice defines swatting as “a harassment tactic that involves deceiving emergency dispatchers into believing that a person… [is] in imminent danger… causing dispatchers to send police and emergency services to an unwitting third party’s address.” Targets of swatting attacks generally include schools and universities, journalists, politicians, and minority cultural and religious centers (like Black churches, Islamic centers, and Synagogues).
This phenomenon is not new – it’s been documented as far back as 2008, but it’s on the rise. According to the FBI, between 2011 and 2019, the number of swatting attacks has more than doubled – from 400 to over 1000 annual attacks. That number is only growing, illustrated by the fact that in just one day, on March 28, 2023, over 24 schools in Massachusetts were targets of hoax calls.
While this topic has been thoroughly researched in the past, research has mostly been on the concern of swatting as a new domestic terrorism threat, and less has been written on the online-offline nature of these actions and the role of online threat detection in stopping it. This blog aims to shed some light on that.
While the targets of swatting attacks vary, law enforcement officials believe that many swatting attacks actually originate from a single person or group. This belief is supported by ActiveFence’s own research, which traces much swatting activities to online forums and messaging channels affiliated with white supremacist groups. Additionally, while swatting attacks have traditionally been conducted by lone individuals, our research is pointing to the increased involvement of ‘groups’ rather than ‘individuals’ as a new phenomenon.
The below case study highlights some of the tactics of a swatting group:
In late July 2023, a group called the “European Culture and Heritage Protection Group” (ECHPG) launched a new X (then Twitter) account. The group used the account to share a PDF document in which they describe themselves as a “bunch of dudes tired of k*kes f***ing up their countries and culture which is why we have decided to band together and swat Jewish institutions, synagogues, black churches, Lutheran churches and public buildings.” The group made two specific demands: that the Anti-Defamation League (ADL) delete its Twitter and YouTube accounts, and that the Ohr Ha’Torah Synagogue in Los Angeles close as well.
ActiveFence’s research has identified at least one person who appears to be involved in this group. “Buck Breaming2000” (@Braol2233 on Telegram) has claimed to be French in several instances and Brazilian in others, is a member of several neo-Nazi chat groups. This individual shares photos of identical objects and pets featured in many of the ECHPG posts – establishing their connection to the ECHPG. Three days after the launch of ECHPG’s X account, @Braol2233 posted about Jewish religious institutions streaming their “satanist sermons,” stating that he would “…swat them all. The jews will face my wrath. The adl will also face my wrath. Bc they ignored my demands,” while referencing the ECHPGs tweet.
On that same day, Congregation Bnai Israel in Millburn, New Jersey, was swatted and consequently evacuated. The ECHPG claimed responsibility for this and another attempted attack on a synagogue, promising that “synagogues will continue to be swatted until the demands in the pdf posted are met.”
According to The New York Post, 26 synagogues and two ADL offices were targeted by this group. This is again supported in @Braol2233’s tweets, claiming he had “swatted over 20 synagogues, black churches, news offices and attempted swatting the holohoax museum” over the last two weeks, while sharing videos of his calls to police and livestreamed evacuations on Telegram.
Since these attacks have taken place, the associated X account[s] have been suspended, and a Telegram channel by the same handle was created. While the channel is currently quiet, a few messages have been posted, one containing an operational security (OPSEC) guide authored by a neo-Nazi group, and another suggesting that the next wave of attacks will target museums: “After the incredibly successful attack in Atlanta. I think museums are definitely the way to go. it might take 1-2 trys to get a successful swat. but shit when it works it f*cking works.” This message references a recent attack on the Atlanta’s Breman museum. Another message provided more details on the swatting process and necessary tools, claiming all that is needed are “a vpn, bluestacks and textme.”
A core component of this dangerous online-to-offline abuse is the importance of multiple platforms in executing a successful attack. The cross-platform nature of these attacks often means that without access to multiple sources of information, it is hard for trust & safety teams to uncover the activities taking place using their platforms, especially in cases where swatters try to hide their involvement:
While ActiveFence’s intelligence-fueled process of identifying swatters and other harmful content online relies on deep threat intelligence and subject-matter expertise, it is possible for platforms to identify swatting using more traditional methods and indicators:
ActiveFence researchers use deep threat intelligence and research to identify novel online and offline abuses. By monitoring threat actor chatter, we can alert our customers of novel abuses taking place on their platform, and assist them as they work to keep users safe – both online and off.
Take a look at our deep threat intelligence resources to learn more about how ActiveFence research supports a safer online world.
Learn how violent extremists thrive online, using various attacks and evasion techniques. Read our report "Cracking The Terrorist Code"
The decision to build or buy content moderation tools is a crucial one for many budding Trust and Safety teams. Learn about our five-point approach to this complex decision.
Recognized by Frost & Sullivan, ActiveFence addresses AI-generated content while enhancing Trust and Safety in the face of generative AI.
Building your own Trust and Safety tool? This blog breaks down for Trust and Safety teams the difference between building, buying, or using a hybrid approach.