Apple, Facebook and Coinbase coughed data to finger alleged pirate king
Kickass Torrents suspect caught when he bought something on iTunes
The United States case against alleged Kickass Torrents (KAT) boss Artem Vaulin is built on data obtained from Apple, Facebook and Coinbase.
The criminal complaint (PDF) against Vaulin details how the U.S. Department of Homeland Security, Immigration and Customs Enforcement conducted a lengthy online probe into the alleged pirate king's activities. The complaint says that investigators were able to use “Records provided by Apple” to access an email account, firstname.lastname@example.org, used by Vaulin.
Me.com email addresses were issued by Apple as one service of its MobileMe platform. 31 emails stored in the account appear to have been chatter between Vaulin and other Kickass team members discussing bugs on the site and progress towards fixing them.
Apple also appears to have provided IP addresses, as the complaint says the records Apple coughed “showed that email@example.com conducted an iTunes transaction using IP Address 220.127.116.11 on or about July 31, 2015. The same IP Address was used on the same day to login into the KAT Facebook Account. Then, on or about December 9, 2015, firstname.lastname@example.org used IP Address 18.104.22.168 to conduct another iTunes transaction. The same IP Address was logged as accessing the KAT Facebook Account on or about December 4, 2015.”
You read that right: an alleged pirate king seemingly brought low by the act of buying something on iTunes. Oh, the irony!
A bug report allegedly relating to Kickass Torrents naming Artem Vaulin
Investigators were also able to search Vaulin’s Apple iCloud account, and in it claim they “discovered that Vaulin has an instant message account he uses with the username 'nike'”.
The complaint also mentions “Records received from the bitcoin exchange company Coinbase” that list email@example.com as a backup email account.
So much for Bitcoin as the ultimate in anonymous fungibility, at least when exchanged at Coinbase.
A Chicago web hosting company also coughed data, but isn't named in the complaint.
LinkedIn also helped the investigation, but not by spilling anything: investigators were able to look up profiles of people who worked at an outfit called Cryptoneat that Vaulin founded. Those profiles suggested people with skills and experience required to run a large torrent site. Tellingly, some of those whose LinkedIn profiles say they worked at Cryptoneat are named in emails to and from firstname.lastname@example.org.
A job ad on LinkedIn is also cited as evidence, as the ad mentions Cryptoneat was founded in 2008 at about the same time some of Vaulin registered domains associated with KAT.
When the United States Federal Bureau of Investigation asked Apple to unlock the San Bernardino killer's iPhone, the company made a point of saying it complies with court orders when they don't involve handing over personal data from iPhones. That position seems not to extend to me.com email accounts.
Facebook's policy says: “We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.”
Coinbase's fine print also says it coughs when presented with a court order.
To The Register's eye, the complaint looks to do a very decent job piecing together an individual's online activities and raises the question: if the Feds can do this for a piracy suspect, what can they do for a really bad guy? ®
Sponsored: Becoming a Pragmatic Security Leader