Just before 3 p.m. on a sunny Friday in September, police in Chillicothe, Ohio, received a message from dispatch: an active shooter had reportedly injured 24 students at Chillicothe High School and was still on scene.
Bodycam video shows the fraught minutes that ensued. Officers rushed to the school, some entering with their rifles and pistols drawn, running breathlessly through the hallways to find the right classroom.
But there was no shooter.
Students had been placed on lockdown, police units deployed and school staff were plunged into minutes of terror as a hoax unfolded. After finding no threat at the school, the officers regrouped in a school hallway. One said to the others, "Did you see the email we got today? Swatting. Somebody's swatting the schools."
Similar scenes have played out at schools across the country in recent weeks.
NPR has found local reports indicating 182 schools in 28 states received false calls about threats between Sept. 13 and Oct. 21. These have prompted a response known as "swatting," where law enforcement swarms a location where a crime is reportedly in progress. Swatting incidents can be particularly dangerous, as officers often enter with force, guns drawn.
But in some of these places, the pattern behind this wave of hoax calls has felt familiar. Authorities in Minnesota have said it echoes what they saw in March and April, when a caller falsely reported bombs at schools in several states.
Now, NPR has obtained records that suggest that there may, indeed, be a connection.
Audio from one of those springtime hoax bomb alerts sounds markedly similar to the voice, accent and narrative behind recent active shooter calls that NPR has listened to from Virginia, Minnesota, Ohio and Florida.
Through an open records request, NPR has obtained detailed information about the phone number behind that call, made about a high school in Louisiana. The records shed further light on the person or entity behind these schemes, and how they systematically target local institutions.
'A suspicious backpack'
On the morning of April 21, the Bossier Parish Sheriff's Office in Louisiana received a call from someone saying there was "a suspicious backpack" in a classroom at Benton High School.
The caller, who sounded like a grown man with a North African accent, claimed to be a student. Students were evacuated from the school, the parish fire department deployed and the grounds were searched. No bomb was found.
An investigation and report by the sheriff's office, obtained by NPR through an open records request, found that the call came from an internet, or VOIP, phone number. It also found that the VOIP account was tied to IP addresses in Ethiopia owned by the AFRINIC network, and specifically to the Ethiopian state-owned phone and internet service called Ethio Telecom, based in Addis Ababa. On the day that Bossier Parish received a call from this number, so, too, had 79 other places across Louisiana, Arizona and New Mexico.
An NPR analysis of the number's call logs between March 12 through April 21 offers a snapshot of how a mass hoax threat campaign may be conducted.
During a 40-day period, the VOIP number received or made 437 calls — all of them on just 10 of those days. But the usage pattern suggests that this phone number was really created with the purpose of making phone calls, because 80 percent of that activity was outgoing calls. The incoming traffic appeared to be mostly return dials from individuals or institutions that this VOIP user had called.
An examination of the number's outgoing calls details a curious pattern of activity.
More than three-quarters of the calls placed were made on just three days: March 15, April 5 and April 21. On those days, the VOIP user spent between 6 and 8 hours systematically dialing — and often re-dialing — phone numbers. Sometimes with as few as four seconds between hanging up one call and dialing the next, the number reached 125 places.
The rapid-fire dialing of numbers also indicates that the user had a list of targets at the ready, and a specific focus on schools, law enforcement agencies, fire departments and emergency dispatchers. Together, these accounted for 92% percent of the places that the VOIP number called. And while the caller blanketed 19 different states, they tended to focus on a small number of states on the days they were most active. On April 5, the number made outgoing calls only to North Carolina and Ohio. On April 21, it was only calls to Louisiana, New Mexico and Arizona.
NPR has reached out to Ethio Telecom for comment, as well as to the email address that was used to create the VOIP account. So far, neither has responded. NPR also called the VOIP number tied to this activity and reached the automated voicemail recording for the service carrier, a Canada-based company called TextNow.
For experts in VOIP and telephony fraud, the connection to TextNow is unsurprising.
TextNow and VOIP fraud
For several years, Fred Posner has been tracking call center scams, technical support scams, fake threatening calls from the IRS, and more in his spare time.
Posner, a retired police officer from Florida who is now a VOIP consultant, says those numbers often end up being TextNow numbers. He's been sending them to the TextNow company, sometimes tweeting in frustration. He sometimes hears back, but he worries it's never fast enough.
TextNow is one of many free or low-cost Internet based calling platforms, similar to Zoom, Skype, or WhatsApp. It is easy to sign up for a new TextNow number. Using an NPR email address, it took less than a minute to choose an area code and generate a new number capable of making calls or texts from an Internet browser or phone.
But that facility in creating a number means the service is prone to fraud and abuse. Scammers have been known to use these numbers to make spam calls that ultimately aim to persuade targets to wire money. The numbers are also disposable. Users can sign up, use the number for a while, and make a new one if it gets reported. Posner said that while TextNow is a favored carrier for these scammers, it's an industry-wide problem.
TextNow spokesperson Nick de Pass told NPR that "we place a high value on customer safety and privacy." Specifically, he continued, "our internal security team works diligently to identify and disable accounts that are being used for illegal activity or violate our terms of service." The company declined to comment on the specific false bomb alert in Louisiana.
But according to the investigative files obtained by NPR, Bossier Parish did receive records from TextNow detailing the email address, username, registration date, original IP address, and IP logs of the person behind the spring bomb scares.
"We quickly identified that he had a Gmail account and the registration IP address, along with a consistent IP address on the day that this occurred, [and that it all came] out of Ethiopia," said Captain Shannon Mack, an investigator with the Bossier Parish Sheriff's Office.
The Ethiopia Connection
To Mack, the evidence that the caller was operating out of Ethiopia was clear.
The IP addresses tied to both the TextNow activity, as well as the caller's Gmail account, were all based in that country. She and other experts said it doesn't appear that the caller was using a Virtual Private Network, or VPN, to disguise their location. For instance, Mack noted that on the day her office received the false bomb alert, the caller stayed on the same IP address through hundreds of calls they made over several hours.
"A VPN will generally change by itself, whether you log in or out, about every 30 seconds," she said.
Additionally, TextNow has publicly said that it doesn't allow its users to use its service if it detects they're on a VPN.
But that doesn't mean that the caller wasn't using other techniques to make it falsely appear that they were in Ethiopia. For instance, it's possible the caller hacked or found other means to access digital infrastructure in Ethiopia, in order to route their calls through the compromised network.
"I did find a fair amount of compromised Ethio Telecom IPs that are out there on various markets like Genesis and Russian Market," said Keven Hendricks, referring to two online marketplaces on the so-called darknet, where illicit goods and services tend to be sold. Hendricks, an expert in cybercrime who has investigated swatting calls and VOIP abuse, said the activity of the caller behind the bomb hoaxes is not unprecedented.
"I have seen similar call patterns from swatters and people who abuse Voice Over IP services to create mass panic," he said.
Ultimately, it may be difficult to track down exactly where this caller is located and who they are. But this is a key reason that experts like Fred Posner are calling for additional regulations or safeguards to allow VOIP providers to better detect fraudulent and abusive call schemes on their networks.
One major step TextNow took last Friday was to ban the entire country of Ethiopia from use of its service, to cut down on a high amount of fraudulent activity.
""Our dedicated Trust & Safety team is taking aggressive action and proactively working with law enforcement to respond to these incidents, including banning all accounts associated with these calls," wrote Nick de Pass, TextNow spokesperson in an email to NPR. "We have also added Ethiopia to our list of unsupported countries to help eliminate this activity from our platform, which means that all calling and texting from the country has been banned from our service."
According to an industry source, VOIP services have chosen to ban other countries from their platform in the past when a pattern of abuse is established. Even so, criminals can find ways around measures like these.
TextNow publishes a scam round-up to alert users to potential fraud, and there are third party providers that work to automatically detect fraud which many voice and text providers work with--though they're not infallible. (Without being able to listen in to calls, it's difficult to clearly establish malicious behavior.)
Ultimately, there are challenges, and, perhaps, a lack of incentive, to proactively monitor for fraud on VOIP platforms before law enforcement serves a search warrant. Ultimately, the companies' goal is to make it easier for people to communicate, not harder.
The challenge of investigating
Mack of the Bossier Parish Sheriff's Office said she took the investigation in the Benton High School hoax bomb alert as far as she could.
"Because obviously we can't go to Ethiopia," she said, "and I have never had, in my personal experience as a police officer, anybody from Ethiopia co-operate with an investigation in United States."
Mack said when she investigated the false bomb alert in April, there was no indication that federal authorities were paying attention to the scheme. But with the recent wave of hoax active shooter calls, police at the state level in several places and the FBI are taking an interest. The agency has said "we will continue to work with our local, state, and federal law enforcement partners to gather, share, and act upon threat information as it comes to our attention."
Several localities denied open records requests from NPR, citing pending investigations by higher authorities. Nonetheless, information that others have released has shown that the active shooter scheme may be much wider-reaching than the bomb hoax was in the spring.
Between Sept. 19 and 23, at least eight different phone numbers were used to make false calls about active shooters. Of those, NPR confirmed that six numbers are offered through TextNow. Calls to the other two numbers either failed or were not returned.
Although it's understood that swatting can have dangerous, and sometimes even fatal, results, experts say it's too often left to local agencies to investigate. In a widespread, and seemingly coordinated, scheme such as the current wave of active shooter threats, that approach may not be sufficient. Hendricks said it is heartening to see that federal authorities are taking an interest.
"I really feel that it's something we view more of a nuisance versus something that can be investigated and hold these people accountable," he said. "That's something that hopefully changes."
In all this, the motive itself remains a mystery.
"I don't know. [Maybe it's] some type of what they think is an assault on the American way of life," Mack said. "Especially disrupting schools, scaring parents and teachers and children. So I don't know if that is what their gain is, just to cause that chaos."
NPR's Daniel Wood and Kaitlyn Radde contributed to this story.
Transcript
A MARTINEZ, HOST:
In the last two weeks, even more schools around the country have gotten hoax calls claiming that active shooters were on their campuses. It's a continuation of a pattern that NPR has reported on. And now NPR has obtained new information that suggests this is not the first time that a scare campaign like this was conducted against U.S. schools. NPR's Odette Yousef and Jenna McLaughlin join us now.
Odette, let's start with you. Remind us what's been going on.
ODETTE YOUSEF, BYLINE: Well, A, someone has been calling schools and law enforcement agencies claiming that there's an active shooter at a school. And this has been prompting what's known as a swatting response, where police and SWAT teams immediately deploy in large numbers to those locations. And when they get there, they find out that the call was hoax. But this can be pretty terrifying for all involved. So the last time we reported on this just over two weeks ago, we had counted at least 113 instances of calls that fit a particular pattern since mid-September. Now that number has reached nearly 200 across at least 28 states.
MARTINEZ: All right. So tell us about the new information. Was something like this happening before?
YOUSEF: Yes, some local authorities have suggested that these calls echo a similar hoax from the spring. And now we've obtained information through an open records request suggesting they might be right. I want you to listen to some audio. Here's a clip from a hoax swatting call made about four weeks ago in Findlay, Ohio.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED DISPATCHER: Findlay Police Department. Seller.
UNIDENTIFIED PERSON: Hello. There is an active shooter at Findlay High School. Hello. There is an active shooter at Findlay High School. Twenty-four students got injured. Hello. Hello. Findlay High School.
YOUSEF: Now, A, I want you to listen to another call that was made five months earlier to the sheriff's office in Bossier Parish, La.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED PERSON: Hello. Suspicious backpack has been left in the high school. Hello. Benton High School, No. 205. Hello. Suspicious backpack has been left in the high school.
YOUSEF: Now, lots of schools and states across the country received similar false bomb alerts in the spring. And as you could hear, it sounds like the same person who's behind the swatting calls. So we obtained additional records from the investigation that the Bossier Parish Sheriff's Office conducted back in April. And it's provided a really interesting snapshot of how this hoax caller operates.
MARTINEZ: Yeah. They sounded exactly alike. So tell us more. What has it shown?
YOUSEF: Well, one piece of information that the sheriff's office obtained was a detailed call log of the phone number that had called in this false bomb alert. Captain Shannon Mack of the Bossier Parish Sheriff's Office was the one conducting the investigation.
SHANNON MACK: You could see that he was using this phone number specifically to call schools or the dispatch to the sheriff's office or police department where the school was. And it looks like this was his thing to do all day, every day.
YOUSEF: And our analysis found that this was indeed the case. On certain days, the caller started making calls at an hour that was morning time for the place they targeted. And they just keep dialing numbers, sometimes with as few as four seconds between hanging up and dialing the next one until they were finished with their day, six to eight hours later. Our analysis also found that in the roughly six weeks that these records covered, this caller targeted 162 places. More than 90% of those were schools, police or sheriff's departments, dispatch centers and fire departments.
MARTINEZ: We're going to bring in Jenna McLaughlin. Jenna, let's start with that technology question. How would this work?
JENNA MCLAUGHLIN, BYLINE: Hi, A. So, yeah, this caller was using voice-over IP, and that basically means he was making a call over the internet rather than the phone lines, like Zoom or WhatsApp. He was using TextNow, which is a specific free, easy-to-sign-up-for service. You can get a new number. I made one using only my NPR email address, and it took me about 10 seconds - no verification needed. One really interesting thing, though, is that all of the IP addresses in the investigation log were actually tracing back to Ethiopia.
MARTINEZ: Oh, Ethiopia - so have investigators been able to confirm that?
MCLAUGHLIN: So it's still a bit of a mystery. Experts and investigators that we spoke with said that based on the evidence, they don't think that it's likely that the perpetrator used digital disguises to make it look like they're in Ethiopia when they're not. Even so, they could be using a local virtual private network to hide their exact location. And it's still a possibility that they hacked into Ethiopian internet infrastructure or bought access. One source actually shared with us that they found some Ethio Telecom IPs - some local IP addresses that had been compromised and were being sold on the dark web. So they really could be anywhere.
MARTINEZ: Wow. Jenna, is there anything that can be done about this?
MCLAUGHLIN: So regardless of where these people are, it's extremely difficult to hunt down and stop these perpetrators individually because law enforcement doesn't necessarily get cooperation in places like Ethiopia. Actually, some people think that the solution should lie with the providers instead. Experts that track this kind of thing said that a lot of scams lead back to TextNow. And they want the company to do more to monitor for fraudulent behavior, verify people's identity when they sign up, you know, maybe even get agencies like the FCC to step in and require them to do more. From TextNow's side, we can actually report that they banned the entire country of Ethiopia on Friday. And that was to try and cut down on all fraudulent activity there.
MARTINEZ: What about a new - or a motive actually? Any of the new information shed light on that?
MCLAUGHLIN: So typically, we see these scams as trying to make money, but that doesn't seem to be the case here.
YOUSEF: And so far, you know, we've still seen no indication, A, that this ties to any extremist or political agenda. So this remains a mystery. And meanwhile, these swattings continue to happen.
MARTINEZ: NPR's Odette Yousef and Jenna McLaughlin. Thanks you two.
MCLAUGHLIN: Thanks.
YOUSEF: Sure thing. Transcript provided by NPR, Copyright NPR.
300x250 Ad
300x250 Ad