Cyberstalker thwarted by VPN logs gets 17 years in prison

Access logs from two VPN providers and Chrome forensic data recovered from a formatted PC send cyberstalker to prison.
Written by Catalin Cimpanu, Contributor

Connection logs retrieved from two VPN providers were crucial in identifying and later sentencing a 25-year-old man for an extended cyberstalking campaign that also included hacking and bomb threats.

The man's name is Ryan S. Lin, 25, of Newton, Massachusetts, who was sentenced this week to 17 years in prison and five years of supervised release.

According to the US Department of Justice, Lin carried out an extensive cyberstalking campaign against his former housemate, her family members, co-workers, friends, and others.

He also hacked into the former housemate's online accounts, posted sexual solicitations in her name, sent images of child pornography, and made over 120 hoax bomb threats.

All of the cyberstalking, hacking, and harassment, happened after Lin answered a Craigslist ad and moved in with the victim and two of her housemates in March 2016. The prosecution said Lin developed an infatuation with one of his new housemates.

They said he abused the fact the victim didn't lock her room door, nor did she password-protect her computer, to gain access to her digital life.

Court documents say Lin accessed the victim's Apple iCloud account, her Google Drive account, and various other online profiles, from where he stole data, such as her online journal and personal photos, and also posted messages on her behalf.

According to an affidavit, Lin was accused of sending excerpts of the victim's journal to other persons, revealing personal details such as a past medical, psychological, and sexual history.

He hacked into the victim's account on the Rover pet sitting service and sent a message to a pet's owner, alluding that the victim intentionally killed their pet, which resulted in police showing up at the victim's house.

Lin also created accounts on the victim's behalf on adult portals and invited people at her house to enact a slew of sexual fantasies. The victim said three people showed up.

Court documents also said Lin spoofed the victim's identity to send bomb threats to nearby schools. He also sent messages to the victim's family members and friends, urging the victim to commit suicide.

Lin also harassed the victim with anonymous SMS messages sent via the textnow.com service and bombarded her with constant Facebook friend requests.

The victim said she moved out of the house shared with Lin after a few months, but the harassment continued afterward, also targeting family members, friends, co-workers, and the two other housemates. The house landlord kicked Lin out in August 2016, but the harassment continued for more than a year, until October 2017, when authorities arrested the suspect.

During that time, Lin continued to harass both the victim and her family, friends, co-workers, and former housemates. But the suspect didn't stop here. The DOJ says Lin also sent over 100 bomb threats to local schools, private homes, businesses, and other institutions, being particularly busy on one day when he sent out 24 bomb hoaxes.

The DOJ also said Lin created a false social media profile in one of the housemate's name and posted online that he was going to "shoot up" a school in Waltham.

And if this wasn't enough, he also sent sexually explicit images of young children to the victim's mother, co-workers, former housemates, and even to his own former classmates, for reasons unknown.

For all his hacking, cyberstalking, and harassment, Lin masked his identity by using Tor, a ProtonMail anonymous email account, and VPN services.

But according to court documents, this didn't help. Investigators said they found a trove of evidence when they visited with his former employer, who provided authorities with access to Lin's former work computer.

Even if the workstation had been formatted, authorities said they recovered enough forensic data from the hard disk's unallocated space. Most of the data were Chrome files which revealed that Lin had accounts on ProtonMail and textnow.com, and that he also visited online profiles for the victim and her family and friends. The Chrome files also revealed that Lin had read about the bomb threats he sent to local schools.

But the biggest find came when investigators discovered artifacts suggesting Lin had used two particular VPN services --PureVPN and WAN Security.

After obtaining connection logs from the two VPN providers, authorities were able to link Lin to many of his activities. Lin's error was that he used the same VPN accounts to access both his real accounts and the fake social media profiles he created to harass or follow the victim.

All of this amount to a solid case and the suspect pleaded guilty in May 2018. The plea agreement he signed guaranteed a prison sentence ranging from seven to 17 and a half years. The judge sentenced Lin to 17.

The best VPN services: Our 10 favorite vendors for protecting your privacy

Previous and related coverage

Editorial standards