Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI


VPN providers often advertise their products as a method of surfing the web anonymously, claiming they never store logs of user activity, but a recent criminal case shows that at least some, do store user activity logs.

The case in question is of Ryan Lin, a 24-year-old man from Newton, Massachusetts, arrested on Thursday, October 5, on charges of cyberstalking.

According to an FBI affidavit published by the US Department of Justice, Lin is accused of harassing and cyberstalking an unnamed 24-year-old woman — referred to under the generic name of Jennifer Smith — between April 2016 and up until his arrest.

It all started with a Craigslist ad

The two met after Lin answered a Craigslist ad and moved in with Smith and her two other roommates. The FBI says that soon after Lin moved in with Smith, she was the victim of multiple hacking, harassing, and cyberstalking incidents.

Investigators believe that Lin got access to passwords of some of Smith’s online profiles because Smith didn’t have a lock on her room door, and didn’t password-protect her computer.

Authorities say that Lin allegedly accessed Smit’s Apple iCloud account from where he downloaded personal photos, and also her Google Drive account from where he took her private journal.

Smith was the victim of a wide range of harassment campaigns

According to the affidavit, Lin is the prime suspect behind a multi-faceted and unyielding harassment campaign that spanned months. In no particular order, below are some of the FBI’s accusations:
⧐ The suspect allegedly created a collage of Smith’s personal photos and non-related sexually explicit images and sent it to Smith’s friends, classmates, teachers, co-workers, roommates, and family friends (including a minor). The emails were spoofed to make them appear as coming from Smith’s email address.
⧐ The suspect allegedly sent excerpts of Smith’s private journal to other persons, revealing personal details such as a past medical, psychological, and sexual history.
⧐ The suspect allegedly created online accounts in Smith’s name on adult portals asking people to show up at her house to enact BDSM, gangbang, rape, and other sexual fantasies. At least three people showed up.
⧐ The suspect allegedly harrassed Smith using SMS messages sent via an anonymous text messaging service (
⧐ The suspect allegedly spoofed Smith’s identity to send bomb and other threats to nearby schools and lone individuals.
⧐ The suspect allegedly sent threatening communications to Smith’s friends, associates, and family (including a minor), urging Smith to commit suicide, or threatening to kill and rape Smith and associates.
⧐ The suspect allegedly bombarded Smith with friend requests on Facebook, even after getting blocked.
⧐ The suspect allegedly hacked Smith account (pet sitting service) and told pet owners that Smith intentionally killed one of their pets, resulting in the pet owners sending police officers to their house to deal with Smith.
⧐ The suspect brought up the fact that Smith had an abortion, even if the suspect did not tell anyone about it, and only recorded the event in her private journal.

Smith told authorities the abusive behavior began soon after Lin moved in, and continued even if she moved out two months later, scared by his actions.

Lin’s abusive behavior was then redirected to the other two roommates, and following complaints to the landlord and police, Lin was kicked out from the shared apartment in August 2016. The cyberstalking and harassing behavior continued, again, mainly directed at Smith.

Suspect hid behind VPNs, Tor, ProtonMail

For all of these actions, the suspect used ProtonMail, VPN clients, and Tor to hide his identity. After local police investigated all the victim’s complaints for almost a year, they called in the FBI to help.

The FBI found their first evidence at one of Lin’s former employers. The company had reinstalled Lin’s work computer after he left, but the FBI was able to find various artifacts in the hard drive’s unallocated disk space. Evidence includes:
⧐ Google Chrome artifacts that Lin had read about the bomb threats against local schools.
⧐ Google Chrome artifacts that Lin had an account on
⧐ Google Chrome artifacts that Lin had an account on ProtonMail
⧐ Google Chrome artifacts that Lin had visited
⧐ Google Chrome artifacts that Lin had visited the Smith’s Spotify profile, but also the profiles of Smith’s brother and one of her best friends.
⧐ PureVPN artifacts suggesting Lin was using the company’s VPN client.

VPN activity logs tie Lin to Smith’s harassment

Yet, the most conclusive evidence came after the FBI managed to obtain logs from two VPN providers — PureVPN and WANSecurity.

The logs showed how within the span of minutes the same VPN IP address had logged into Lin’s real Gmail address, another Gmail address used for some of the threats, and a account Lin created to discover Smith’s real phone number. PureVPN was later able to link the stalking activity with Lin’s home and work IPs.

Ironically, FBI agents also found tweets in which Lin was warning other users that VPN providers store activity logs, advice he didn’t follow himself.

Investigators became sure they identified the right man after they interviewed some of Lin’s past classmates, who recounted a similar pattern of harassment and cyberstalking from a man they described as a computer “genius.”

“As alleged, Mr. Lin orchestrated an extensive, multi-faceted campaign of computer hacking and online harassment that caused a huge amount of angst, alarm, and unnecessary expenditure of limited law enforcement resources,” said FBI Special Agent in Charge Shaw.

“This kind of behavior is not a prank, and it isn’t harmless. He allegedly scared innocent people, and disrupted their daily lives, because he was blinded by his obsession,” the agent added. “No one should feel unsafe in their own home, school, or workplace, and the FBI and our law enforcement partners hope today’s arrest will deter others from engaging in similar criminal conduct.”
October 7, 2017