Operational Security (OPSEC)
== <span id="opsec-failures"></span>Notable Failures ==
{| class="wikitable sortable" style="width:100%; background:#1c1c1c; color:#e0e0e0;"
! Year !! Case !! Description !! OPSEC Failure
|-
| 2011 || [[LulzSec (2011)]] || [https://www.theguardian.com/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers Members of LulzSec] were exposed through leaked IRC chat logs and consistent online behaviors, such as static nicknames, linguistic patterns, and time zone metadata. || Members reused handles across platforms, failed to anonymize IRC sessions via Tor or VPN, and maintained consistent writing styles and time zone habits that enabled cross-correlation and attribution.
|-
| 2011 || [[Hector Monsegur ("Sabu") (2011)]] || [https://www.theregister.com/2012/03/07/lulzsec_takedown_analysis/ LulzSec leader] operated as a high-profile figure in both LulzSec and AntiSec, coordinating attacks via IRC. || He connected to IRC without anonymization, exposing his real IP address. Investigators monitoring the IRC server captured the IP, traced it to his New York residence, and identified him. One slip in anonymization was enough to dismantle the wider operation.
|-
| 2013 || [[Silk Road (2013)]] || [https://www.bbc.com/news/technology-24371894 Ross Ulbricht], operating under the alias "Dread Pirate Roberts," created and operated the darknet marketplace Silk Road, which facilitated anonymous drug and weapon sales via Tor and Bitcoin. || In the earliest days of Silk Road, he posted promotional messages using his real Gmail address ("rossulbricht@gmail.com") under the alias "altoid" on public forums like BitcoinTalk. This alias was later linked to the creation of the first Dread Pirate Roberts account, allowing investigators to pivot from metadata to identity.
|-
| 2013 || [[Eldo Kim (2013)]] || [https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/harvard-student-charged-with-bomb-hoax Harvard student] used Guerrilla Mail and Tor to send bomb threats in an attempt to delay a final exam. || He used Tor from Harvard’s campus network. Investigators correlated the timestamp of the bomb threat email with local network logs showing Tor usage. Since he was the only user of Tor on the Harvard network at that time, attribution was straightforward.
|-
| 2020 || [[Vastaamo Hack (2020)]] || [https://www.bbc.com/news/articles/c97znd00q7mo Aleksanteri Kivimäki], known as "Zeekill," hacked a Finnish psychotherapy provider and leaked records of over 30,000 patients, attempting to extort both the company and individual victims. || He accidentally uploaded his full home directory, including identifiable SSH keys and configs. Combined with historical links to other breaches, this led to conclusive attribution and arrest.
|-
| 2021 || [[ANOM (2021)]] || [https://en.wikipedia.org/wiki/Operation_Trojan_Shield Operation Trojan Shield] was a sting operation where the FBI and international partners distributed ANOM, a backdoored encrypted messaging app, to criminal networks. This allowed law enforcement to monitor communications, leading to over 800 arrests worldwide. || Criminals adopted a closed-source messaging platform that was distributed through unverified criminal referrals, without performing code audits, infrastructure validation, or origin vetting. Trusting a proprietary system with no transparency enabled full real-time surveillance by law enforcement.
|-
| 2023 || [[Pompompurin / BreachForums (2023)]] || [https://www.justice.gov/usao-edva/united-states-v-conor-brian-fitzpatrick Conor Brian Fitzpatrick], known as "Pompompurin," operated BreachForums, a cybercrime marketplace for stolen data and hacking tools. He was arrested in March 2023 and charged with conspiracy to commit access device fraud. || Fitzpatrick used VPN services, but reused the same VPN IPs across personal accounts—including email, crypto, and Zoom—linking his real identity to his online activity. On June 27, 2022, he accessed BreachForums without Tor or VPN, exposing his home IP address. This, combined with long-term reuse of the "Pompompurin" alias and associated email accounts, led to his identification and arrest.
|-
| 2025 || [[Florida Student (2025)]] || [https://www.wcjb.com/2025/05/16/13-year-old-arrested-threatening-bomb-pk-yonge-school-ufpd-says/ A 13-year-old student] at P.K. Yonge Developmental Research School posted a bomb threat on social media, prompting evacuation and police investigation. || The student used a personally identifiable account and device connected to a known network. Law enforcement traced the threat via IP address, account metadata, and device logs, enabling swift identification and arrest.
|-
| Unknown || [[Blockchain Deanonymisation]] || [https://en.bitcoin.it/wiki/Privacy Taint analysis techniques] have been used to trace cryptocurrency transactions through mixers, linking them back to KYC-compliant exchange accounts. || Users failed to sufficiently break the link between clean and tainted coins, often reusing wallets or interacting with KYC exchanges after inadequate mixing. This allowed investigators to reconstruct transaction chains using clustering heuristics and trace funds to real identities.
|}