IRCNow

Here are the rules:

  1. Never break the law
  2. Avoid reporting to the police unless someone is in physical danger
  3. Don't do this from home; use a VPS, shell account, or bouncer
  4. Never reveal any personally identifiable information
  5. If you make a phone call, use a company phone to hide your number
  6. If you send an email, use a disposable email or company email
  7. If you visit a shady website, disable all javascript

Setting up irssi to connect via tor:

$ tmux
$ doas pkg_add tor torsocks irssi
$ doas rcctl enable tor
$ doas rcctl start tor
$ torsocks irssi

/set real_name <realname>
/set user_name <username>
/set nick <nick>
/set ctcp_userinfo_reply mIRC 7.61
/set ctcp_version_reply mIRC 7.61
/set autolog on
/save

You can use something besides mIRC 7.61 for the ctcp reply. Just pick something realistic looking besides irssi.

In order to infiltrate a criminal network, you will need to do some research. Figure out what they are interested in (ddos attacks, phishing, credit card fraud, spamming). Try to understand what language they speak, what they are passionate about, and see if you can strike up a conversation with them. This helps build trust so they will be willing to share more information.

Use a little creativity. Don't commit any crime, and don't suggest they commit any crimes. However, feel free to chat with them, ask them how they are doing, what hobbies they enjoy etc. Try to ask them for information to learn more about them, but…be subtle, be subtle! I recommend you avoid lying. However, you are welcome to change your persona. Use a new dialect. If you normally chat using formal English, use lots of slang. Talk like someone their age. Spell things wrong on purpose if it helps you fit in. Go ahead and use bad grammar if it helps. Feel free to use Google Translate for the conversation. Have fun!

First, make sure you have proof they have committed a real crime. If there is no evidence, then stop collecting logs. If there is proof, then collect as much data as you can. Make sure you have logging turned on. Figure out what networks they join, what software they use, what servers are their hubs. Data you want to collect:

  1. Real legal name
  2. Age, date of birth, phone number, home address, social media accounts
  3. Business, education background, what software they use (irc daemons, irc clients, irc bots)
  4. What crime networks they connect to: IP addresses, domain names
  5. Their criminal friends
  6. Source code of the software they use

Document everything.

Your biggest tool is your brain. Look for clues. For example, use /list to see which channels exist on the network. Join some of them and see who is around. Are there any bots? What are their IP addresses? Who hosts them? Type /who #channel to list all the users within a channel. Type /names to see all the users in a channel. Type /whois username to get more info about a user. However, be careful, as some ircds may notify the admin when a user runs the /whois command. It helps to hang around in a channel for a few weeks.

For example, suppose you found the IP 70.39.99.207 is hosting an IRC command and control botnet for crime. You can run:

$ whois 70.39.99.207
Sharktech SHARKTECH-INC (NET-70-39-64-0-1) 70.39.64.0 - 70.39.127.255
Sharktech ST-DEN (NET-70-39-64-0-2) 70.39.64.0 - 70.39.127.255

This tells you that the server is hosted with Sharktech. So, you head over to Sharktech's website and go to their abuse page and contact them. Send them an email to support@ or abuse@sharktech.net, call their phone, chat with them on live chat, fill out a support ticket. Do whatever it takes to let them know that their customer is using the VPS for illegal purposes and needs to be shut down.

Suppose you realize that the domain merantau.org is being used for the illegal botnet:

$ whois merantau.org
Domain Name: MERANTAU.ORG
Registry Domain ID: D402200000005816262-LROR
Registrar WHOIS Server:
Registrar URL: http://www.planetdomain.com.au
Updated Date: 2020-05-06T00:41:36Z
Creation Date: 2018-04-15T05:08:12Z
Registry Expiry Date: 2021-04-15T05:08:12Z
Registrar Registration Expiration Date:
Registrar: PlanetDomain Pty Ltd
Registrar IANA ID: 240
Registrar Abuse Contact Email: feedback@netregistry.com.au
Registrar Abuse Contact Phone: +61.299340501
Reseller:
Domain Status: ok https://icann.org/epp#ok
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registrant Organization: sem
Registrant State/Province: samarinda
Registrant Country: ID
Name Server: NS1.NETREGISTRY.NET
Name Server: NS2.NETREGISTRY.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/)
>>> Last update of WHOIS database: 2020-05-07T13:23:58Z <<<

This tells us that the domain merantau.org was registered by sem with the registrar http://www.planetdomain.com.au, and that abuse should be reported to feedback@netregistry.com.au. So, go to that website, file an abuse report, send them an email, go on live chat with them, make a phone call – do whatever it takes to get their attention to take the server offline. In this particular case, I had to email the registrar 6 times, filed 6 tickets, made 3 phone calls, and went on live chat twice. It took me over two weeks. But finally the domain got suspended.

Suppose you see one of the criminals joining like this:

14:25 -!- jasad [jasad@gprs1.telecom.ronsor.pw] has joined #meRANTAU

Based on his vhost mask, you can tell that he's connecting from gprs1.telecom.ronsor.pw. Use a browser with Javascript turned off (perhaps using noscript or umatrix) and visit the site. You find out that this is a free shell hosting provider. So contact that shell provider by email, phone, and IRC until they close the account. Make sure you notify them of the ident (in this case jasad) and not just the nick. The ident is the word that comes right before the @ sign. If the shell provider doesn't respond, then you can do this:

$ dig gprs1.telecom.ronsor.pw
; <<>> DiG 9.4.2-P2 <<>> gprs1.telecom.ronsor.pw
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39025
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gprs1.telecom.ronsor.pw.       IN      A

;; ANSWER SECTION:
gprs1.telecom.ronsor.pw. 300    IN      A       45.79.78.155

;; Query time: 295 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:01:41 2020
;; MSG SIZE  rcvd: 57

This tells you that the IP address for the server is 45.79.78.155. So you then run:

$ whois 45.79.78.155
OrgName:        Linode
OrgId:          LINOD
Address:        249 Arch St
City:           Philadelphia
StateProv:      PA
PostalCode:     19106
Country:        US
RegDate:        2008-04-24
Updated:        2019-06-28
Comment:        http://www.linode.com
Ref:            https://rdap.arin.net/registry/entity/LINOD
OrgNOCHandle: LNO21-ARIN
OrgNOCName:   Linode Network Operations
OrgNOCPhone:  +1-609-380-7304
OrgNOCEmail:  support@linode.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/LNO21-ARIN

OrgAbuseHandle: LAS12-ARIN
OrgAbuseName:   Linode Abuse Support
OrgAbusePhone:  +1-609-380-7100
OrgAbuseEmail:  abuse@linode.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/LAS12-ARIN

OrgTechHandle: LNO21-ARIN
OrgTechName:   Linode Network Operations
OrgTechPhone:  +1-609-380-7304
OrgTechEmail:  support@linode.com
OrgTechRef:    https://rdap.arin.net/registry/entity/LNO21-ARIN

This shell provider uses a Linode VPS. So, contact Linode's abuse and support email, phone number, and go to their IRC channel. I spent about two hours chatting over IRC and sent around 4 emails. Do what it takes to make sure Linode and the shell provider close the guilty accounts.
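The two manual steps above (reading the ident and host out of a join line, then picking the abuse contact out of whois output) are easy to get wrong when you are working through weeks of autolog. The following is an added example, not IRCNow's own tooling: it parses an irssi join line of the form shown above and pulls the abuse-contact fields out of both the ARIN-style IP record and the registry-style domain record. The log line and whois snippets are constructed from the outputs on this page; the function names are mine.

```python
import re

# Constructed sample: an irssi autolog join line in the format shown above.
JOIN_LINE = "14:25 -!- jasad [jasad@gprs1.telecom.ronsor.pw] has joined #meRANTAU"

# Constructed samples trimmed from the two whois styles shown on this page:
# an ARIN-style IP record and a registry-style domain record.
ARIN_WHOIS = """OrgName:        Linode
OrgAbuseHandle: LAS12-ARIN
OrgAbusePhone:  +1-609-380-7100
OrgAbuseEmail:  abuse@linode.com
OrgTechEmail:   support@linode.com
"""
DOMAIN_WHOIS = """Domain Name: MERANTAU.ORG
Registrar: PlanetDomain Pty Ltd
Registrar Abuse Contact Email: feedback@netregistry.com.au
Registrar Abuse Contact Phone: +61.299340501
Registrant Country: ID
"""

# time -!- nick [ident@host] has joined #channel
JOIN_RE = re.compile(
    r"^(?P<time>\d\d:\d\d) -!- (?P<nick>\S+) "
    r"\[(?P<ident>[^@\]]+)@(?P<host>[^\]]+)\] has joined (?P<channel>#\S+)$")

def parse_join(line):
    """Split an irssi join line into time, nick, ident, host and channel.

    The ident (the word right before '@') is what the shell provider needs
    to find the account; the nick alone is not enough. Returns None when
    the line is not a join line, so the caller can skip chat lines.
    """
    m = JOIN_RE.match(line)
    return m.groupdict() if m else None

def abuse_contacts(whois_text):
    """Return the abuse-contact fields from whois output as {key: value}.

    Any 'key: value' line whose key contains 'abuse' is kept, which covers
    ARIN keys (OrgAbuseEmail:) and registry keys (Registrar Abuse Contact Email:).
    """
    contacts = {}
    for raw in whois_text.splitlines():
        key, sep, value = raw.partition(":")
        if sep and "abuse" in key.lower() and value.strip():
            contacts[key.strip()] = value.strip()
    return contacts

if __name__ == "__main__":
    join = parse_join(JOIN_LINE)
    print(f"report ident {join['ident']} at host {join['host']} (nick {join['nick']})")
    for label, text in (("IP record", ARIN_WHOIS), ("domain record", DOMAIN_WHOIS)):
        print(label, abuse_contacts(text))
```

Feed real autolog lines through parse_join to build the ident/host list for each provider, and paste the output of whois into abuse_contacts to get the address to write to.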

Sometimes you have an IP but you don't know who owns it. You can run this:

$ dig -x 45.79.78.155
; <<>> DiG 9.4.2-P2 <<>> -x 45.79.78.155
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6039
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;155.78.79.45.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
155.78.79.45.in-addr.arpa. 86400 IN     PTR     gprs1.telecom.ronsor.pw.

;; Query time: 4943 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May  7 22:05:55 2020
;; MSG SIZE  rcvd: 80

This tells you that the domain name is gprs1.telecom.ronsor.pw.

Once you get this basic information, use a search engine to gather more. Search their name, their network, their websites – look for any software they might have written, anything about them that might be useful. Their nicknames might show up on old logs, they might have malware associated. This research is very important for proving someone is guilty of a crime.

In your email, make sure to document the crime clearly and provide clear evidence. Use screenshots, videos, chat logs, whatever is most effective.

Make sure that any screenshots or videos you send do not contain any of your personal information! Double check for your own safety. If you want, you can first email to rahab@ircnow.org so our team can take a look.

When you start filing reports, make sure you go in this order:

  1. Take down domains
  2. Take down irc servers
  3. Take down shell accounts / bouncers used by admins/criminals
  4. Finally, take down stolen servers and bots used for stealing

There are reasons why we must follow this order. Many times, when you report abuse, the providers won't trust your logs and will want to verify the crime in person. If you take down the bots and irc servers before the admin can log in, he will be unable to see any evidence and he may think you are lying. Therefore, you want to preserve as much evidence as possible until the last moment.

The reason we take down domains first is because it causes the most disruption while still allowing you to connect to the ircd for further spying. Afterwards, we can cause netsplits by taking down the irc servers, and then take down his shell accounts / bouncers to cause confusion. We save bots and stolen servers for last because this is your evidence. Once you take these down, you will be unable to do anything else.