Tactics and Techniques: “Anti-trans stalkers at Kiwi Farms are chasing one victim around the world. Their list of targets is growing”

Today we will look at tactics and techniques used by threat actors as reported in “Anti-trans stalkers at Kiwi Farms are chasing one victim around the world. Their list of targets is growing” by Ben Collins and Kat Tenbarge for NBC News on 02 Sep 2022.

The intention of this post is to make it easier to understand why the article has been tagged with particular tactics or techniques. Associating reporting of real-world attacks with DISARM tactics and techniques helps us get a better understanding of how they have practically been used, who’s used them, and who they’ve been used against. To do this, a relevant quote from the article will be provided under the title of the associated technique. If the technique exists in DISARM, then its identifier will be included too.

Decide to Act: Harass People Based on Identities (T0048.002)

Alejandra Carabello, an attorney at Harvard Law School’s Cyberlaw Clinic, worries that Kiwi Farms’ typical “playbook” — in which trolls weaponize years of online data against various individuals because of their stances on a constellation of culture war issues — will be opened up to more and more private citizens as political rhetoric heats up before the 2024 election.

“This is stochastic terror that’s being implemented as part of the culture war,” said Carabello, adding that Sorrenti has faced every tactic in Kiwi Farms’ information war playbook. “Kiwi Farms’ goal is a world where LGBTQ users are not going to be as out and open on social media — they’re going to live in fear of threats and harassment.”

Sorrenti fears Kiwi Farms’ harassment techniques will soon be duplicated by far-right trolls to advance larger culture war goals.

Position: Archive sensitive information on targets of harassment

The forum is a massive archive of sensitive information on their targets, which has been used to repeatedly harass them. Kiwi Farms’ most notorious section is titled “lolcows” and targets transgender people.

The archive often features social media pictures of their targets’ friends and family, along with contact information of their employers. The information is used in an effort to get their targets fired or socially isolated by spreading rumors that they are pedophiles or criminals.

Position: Prevent removal of harmful content using CDN providers

Organisations such as Cloudflare provide strong, secure infrastructure, which decreases the technical capabilities required by threat actors to host content online.

Cloudflare provides protection for websites like Kiwi Farms against distributed denial-of-service (DDoS) attacks, which attempt to take sites offline by overloading them with traffic. If Cloudflare stopped protecting Kiwi Farms, the site would be vulnerable to such attacks.

Update: As of 03 Sep 2022, Cloudflare stopped providing services to Kiwi Farms.

Produce: Harassment (T0048)

Kiwi Farms has become synonymous with doxxing (the release of an individual’s identifying information with malicious intent), swatting (a term for when an anonymous person sends an urgent, false tip to the police about a violent crime in a victim’s home in the hopes that law enforcement will raid it and potentially harm the person inside), and archiving controversial materials such as manifestos by mass shooters and recordings of their livestreams.

Produce: Harassment > Swatting

Sorrenti, known to fans of her streaming channel as “Keffals,” says that when her front door opened on Aug. 5 the first thing she saw was a police officer’s gun pointed at her face. It was just the beginning of a weekslong campaign of stalking, threats and violence against Sorrenti that ended up making her flee the country. 

Police say Sorrenti’s home in London, Ontario, had been swatted after someone impersonated her in an email and said she was planning to perpetrate a mass shooting outside of London’s City Hall. After Sorrenti was arrested, questioned and released, the London police chief vowed to investigate and find who made the threat. Those police were eventually doxxed on Kiwi Farms and threatened. The people who threatened and harassed Sorrenti, her family and police officers investigating her case have not been identified.

Produce: Harassment > Doxxing (T0048.004)

After her swatting, Sorrenti fled to a nearby hotel. Within hours, stalkers determined which hotel in her city had matching bed sheets from a photo Sorrenti tweeted of her cat. Trolls then sent dozens of pizzas to Sorrenti’s hotel in an apparent effort to make her aware that her hotel had been identified.

Sorrenti said her Uber account was then hacked. Hundreds of dollars worth of groceries arrived at her hotel. Through Uber, Sorrenti said that hackers were able to obtain her phone number, home address and email address, as well as the addresses and numbers of her family members.

According to Uber, the company has taken steps to secure Sorrenti’s account and is working to get in touch with her to issue a refund for unauthorized charges. 

Sorrenti then fled to Europe, but Kiwi Farms users were able to identify her hotel using small hints from her streams. A Kiwi Farms user took a picture outside of what their userbase believed to be Sorrenti’s temporary home base in Europe on Tuesday.

“It’s been a nightmare,” Sorrenti said. “I constantly have this lingering thought in the back of my head, ‘What are they up to? Are they planning something? Is there going to be another escalation?’”

Sorrenti shared an example of one of the calls she received harassing her. In the call, a computer-generated voice warns that “someone special has it out for you.” 

The same tactic was used when Rep. Marjorie Taylor Greene, R-Ga., was swatted just days later, according to a police report from the incident obtained by NBC News. The caller identified themselves as a Kiwi Farms user and used a computer-generated voice, the report said. It’s not clear if the person who swatted Sorrenti also swatted Greene. Greene’s representatives did not respond to a request for comment.

Amplify: Direct online community to participate in Harassment

Brennan [Founder of 8chan] said that, while websites like 4chan and 8chan can pose substantial national security risks, “what Moon is doing is worse, because he’s actually targeting specific people” on a more organized website.


Unlike sites like 4chan, where administrators have little direction over the harassment campaigns of its userbase, Brennan said Moon’s power over Kiwi Farms is different. Moon is himself a frequent poster and moderator on Kiwi Farms, under the username Null. 

“Kiwi Farms is extremely centralized, with Josh Moon right at the top deciding who is the target and who’s not,” said Brennan. “He can delete any thread for any reason.”

Moon [owner and operator of Kiwi Farms] frequently participates in discussion threads about individuals who are being targeted on the site, posting personal email correspondences and encouraging the discussions. On Friday, Moon replied in a thread dedicated to posting personal information of “trans-identified activists” that he does “regularly curtail posts which detract from the overall quality of the site.”

This technique may align with DISARM’s “Recruit malign actors (T0091)”.

Impact: Suicide of Target

At least three people have died by suicide after becoming targets of Kiwi Farms harassment campaigns, according to Vice. In 2016, the family of a trans person who died by suicide, Lizzy Waite, was harassed by Kiwi Farms trolls for weeks after her death. She had posted a suicide note on Facebook.