Prominent bitcoin security professional and social media influencer Jameson Lopp was targeted in a potential assassination attempt when an armed police team was sent to his house. Someone targeting Lopp phoned local police claiming to be a gunman with hostages inside Lopp’s home. The practice, known as “SWATting,” has claimed many lives in the past.
Since then, Lopp has beefed up security measures immensely, making every effort to hide all trace of his activities without sacrificing his online life as a bitcoin advocate.
Lopp bought an entire house just as a decoy. He registered an anonymous limited liability company as a corporate identity through which to conduct his personal affairs, and took numerous other online and offline precautions until even hired professionals were unable to find him.
He has since appeared in occasional interviews on the subject and has written about it, leaving us with an incredibly thorough guide on how to hide from prying eyes in the digital age.
Bitcoin Developer Jameson Lopp Amps up Security Following SWAT Attack
Law enforcement has failed me, so I'm offering a reward to anyone who helps bring the perpetrator to justice. This message https://t.co/VuIwzOU80H is signed with my PGP that can be found at https://t.co/1MadRyqpMv pic.twitter.com/bYsOptuCfe
— Jameson Lopp (@lopp) July 28, 2018
The fact that someone online could find where Lopp lived was problematic, but not unusual. In the digital age, all kinds of information can be found legally and without any kind of sophisticated software or expertise. Often a simple Google search is enough to find out the workplace or residential address of another person.
If that fails, there are more advanced methods – OSINT tools like Recon-ng can be used to trawl the web for domains, addresses, and email accounts associated with a business, website, or person. There are also tools for scraping the deep web to access info that cannot be found on the surface web.
Lopp works in a very tech-savvy field. As a contributor to the Lightning Network and an outspoken, opinionated figure with a strong stance on the controversial Bitcoin Core vs. Bitcoin Cash debate, there are any number of people who may hold a grudge against him.
Q: Can't all you crypto people get along? You want the same thing.
A: While we generally have similar goals, we have fundamentally conflicting visions of the path to get there and the trade-offs we're willing to make. It's an adversarial environment whether you like it or not.
— Jameson Lopp (@lopp) December 29, 2018
Lopp was SWATted on October 16, 2017, with the assailant demanding $50,000 in BTC. Lopp responded by publicly offering a $100,000 reward for information leading to the capture of the SWATter, whose call was traced to a throwaway server in Texas.
He also installed 4k resolution security cameras and made a point of showing off his AR-15 on Twitter – but eventually, his security measures would go much, much further than that.
Bitcoin security pro tip: protect your software with hardware. pic.twitter.com/R4KeRGRcTP
— Jameson Lopp (@lopp) October 26, 2017
Lopp’s Security Measures: Fully Incognito
The security pro thought long and hard about his strategy to obfuscate his affairs from prying eyes. He consulted with lawyers who specialized in privacy and was advised to carry out all future dealings as a limited liability company.
Lopp registered in one of the three US states that do not require corporations to file the name of the owner or director, either Nevada, New Mexico, or Wyoming. The prominent bitcoin influencer has not disclosed which state for operational security (OPSEC) purposes.
He then opened a corporate bank account, complete with a credit card that was not linked to his name or personal identity in any way, to handle any online transactions. He also carries the most untraceable medium, cash, for any in-person transactions, although he would not state how much.
It’s unclear what kind of communication he has with the federal government regarding his identity or finances, although it can be inferred from his Medium post on the subject that he is working in compliance with the law.
Sure, we enjoy some freedom, but we're free as in "free range human on a tax farm."
— Jameson Lopp (@lopp) January 20, 2019
Acquiring a Fake Identity – and a Decoy House
A new corporate identity wasn’t enough – Lopp got himself a brand new name as well.
He bought himself a new house, making sure to go through the LLC and paying in full to avoid being listed on a mortgage. Not stopping there, he bought himself a second “decoy” property to allow him to register his car at the DMV without disclosing his real address.
“It’s the crappiest, cheapest hole in the wall I could find that has a physical mailbox.”
He has been introducing himself under a pseudonym to his new neighbors and anyone else he comes into contact with. He sold his motorcycle and Lotus Elise sports car and traded in his BITCOIN license plates for something a little less conspicuous. He also wears a hat and sunglasses in public and has trimmed his beard to avoid being recognized.
“It’s a more manageable length now so that I can blend into a crowd more.”
He also commented on the use of “Justice Caps” fitted with LEDs to obfuscate public CCTV footage of the wearer’s face.
Lopp now uses throwaway phone numbers generated at random by a paid service to prevent being traced through his area code or phone activity – he has also stopped using geolocation services on all cellphone apps and uses a dedicated, unregistered GPS service if he needs directions.
Securing Your Online Activity and Home Deliveries
Lopp only appears online through a virtual private network (VPN) service which encrypts his online activity and masks his real computer IP address and corresponding location. He recommends using the following browser extensions for privacy purposes:
“You can also provide protection for all devices on your network including smart TVs and mobile apps by configuring your router to use a local DNS server that is running Pi-hole. It will block any network requests for known advertisers and trackers.”
Lopp even points to the practice of physically removing microphones and cameras from devices, quoting Edward Snowden who described the method as a “pain in the ass” and posting Snowden’s video on it.
Lopp has any physical packages sent to a private mailbox at a shipping center to avoid having his home address tied to a mailing list, despite the home already being registered under the name of his company.
Lopp had previously expressed concerns that people would target him by sending illegal items to his home under his name via the dark web in a bid to have him arrested and prosecuted.
Lopp only works online as well now, meeting clients remotely via video conference and taking precautions that the visible background of any footage gives no clues as to his whereabouts. For situations when he needs to travel abroad, he shuts down digital devices and encrypts all data to prevent customs officers from accessing and leaking any data.
If In Doubt, Hire Someone to Find You
After taking so many precautions, there was only one way to be sure that he was truly hidden. Disappearing under a false identity is one thing, but doing so while continuing to maintain an online presence and work with pre-existing clients complicates things.
Lopp hired private investigators to try and find him and was only satisfied with his work when they couldn’t pinpoint where he was. It was at the suggestion of a PI that Lopp bought a second property to eliminate the vulnerability of his DMV registration.
Of course, an argument could be made that Lopp’s security measures aren’t as effective if we know about them. Lopp told the New York Times that he views his efforts as something of an experiment. Lopp has previously commented on the rise of physical attacks in the crypto space, which was part of the reason for his disappearing act.
While he’s satisfied that he’s now much safer from targeted attacks, part of the motivation for his OPSEC measures was to test possible methods of hiding in the digital age.
“I wanted to push the envelope and see what could be done.”
In a post on Medium about his experiment, the bitcoin developer cites four major levels of privacy protection:
- Protection against the average person who knows how to search the web
- Protection against someone with resources to hire a cheap private investigator
- Protection against someone willing to indefinitely fund a top-tier private investigator
- Protection against agents of nation states with nearly unlimited funds
Lopp pointed out that his particular approach wasn’t feasible for everyone, commenting on the costs and the difficulty he had in convincing lawyers that he wasn’t trying to break the law.
“Before we begin, I want to be clear that many of the techniques come at a cost. I had to fill out hundreds of pages of paperwork, spend around $30,000 in legal/banking/service fees, and endure a four-month process to achieve my goals. I estimate annual recurring costs of over $15,000 for my extreme setup.”
“I had to speak to half a dozen attorneys before I found one that was even comfortable helping me. Once I did have an attorney, this made it easier for me to work with bankers because they were more assured that my intentions were legal and I wasn’t trying to cover up criminal activity.”
However, he stresses that people can increase their online and offline privacy at little to no cost as well, depending on requirements.
His experiment serves as a reminder that even in the age of modern surveillance, those with the determination to live privately or even anonymously can do so with some sacrifices.
Perhaps a healthy dose of paranoia too.