Federal authorities arrested a 58-year-old Colorado Springs man after unravelling the origin of a "Declaration Of War" that threatened harm or death to Elon Musk, owners of his Tesla vehicles, and members of President Donald Trump's Cabinet.
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks
I really don’t get that part. How did they make the connection?
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Investigators from the Federal Bureau of Investigation’s Joint Terrorism Task Force retraced the roots of the digital messages Payne allegedly sent to the media outlets.
Okay, so where did the “digital messages” come from?
According to the affidavit, Payne used a Proton email address,
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
Other unusual activity was traced through Payne’s VPN
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
or network provider.
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
That information is tracked by Google
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Investigators were alerted to his accounts after finding an unusually high number of log-ins and failed log-ins from an unfamiliar devices, locations, or networks. That information is tracked by Google, per the affidavit.
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
Messages from his burner phone, too, matched the number Payne had listed in his personal contact info while applying for unemployment benefits in February.
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
I really don’t get that part. How did they make the connection?
You try to login to your google account with the right credentials from several different locations? Yeah that’s suspicious.
1-3 regular locations per account is a bit more normal
Are you saying we all need to install a continually rotating VPN when we’re surfing the internet? As chaff?
deleted by creator
I don’t know…seems like an impossible task.
But some people could do with a good murdering though tbh.
Suspicious to Google sure, but I don’t see how the authorities would get involved.
I think the article is telling us in reverse order of discovery which makes it VERY confusing to parse:
As in:
Okay, so where did the “digital messages” come from?
Okay, they knew the source of the message was Proton email. One subpoena of Proton later, they know the IP address(s) of the email client/app logging into Proton. So now they have a whole bunch of IP addresses of VPN exit nodes. So they reach out to the VPN provider:
So they ask the VPN provider to provide the origin address of the VPN logins, and come back to a cell phone (network) provider
So they ask the network provider to provide the info on the owner, except its a burner, so the provider doesn’t know. Hmm, okay so they know its coming from Burner Phone X, but not who owns Burner Phone X. Mr Google, Mr Microsoft, etc, do you have any activity from these Mobile phone company IP addresses at this time?
Ah! So Mr Google does. Anything stand out to you with the activity you’re seeing?
Okay, so its more than just than Burner Phone X accessing these Google accounts/sessions. Yes, the same web sessions/cookies were also used by devices belonging to another Google account, that of Payne.
Okay we’ve arrested Payne, could this just be an account/device hijacking and Payne be innocent? Well we also seized a rando cell phone with incriminating evidence on it. Could this have been planted?
So someone texted something at some point to text Burner Phone X. Who was that origin texter sending to Burner Phone X? Payne. So unlikely it was planted and more confirmation it was Payne sending the original threats.
A non-logging VPN provider should not be able to assist with this step.