The hacker who targeted Claus posed as a security employee warning her of a breach.
Natalie Claus was getting accustomed to her sorority and preparing for winter break one evening in December 2019 when people she knew began receiving unusual messages from her. These Snapchat messages, which contained nude photographs of Claus, went to her friends, a cousin, an ex-boyfriend, and dozens of others she knew, more than 100 people in all. Some of the recipients responded with enthusiasm, others with confusion, as if Claus had played a bad joke. But one of her friends, Katie Yates, immediately recognized the messages as an online attack-and knew just how Claus should respond.
Yates was also a student at the State University of New York College at Geneseo, 40 miles south of Rochester, where Claus was a sophomore. Several months earlier, after Yates reported being sexually assaulted, someone had begun sending her abusive messages on social media. Feeling like she wasn’t getting enough support on campus, Yates began researching ways to identify her harasser.
This kind of vigilante work, she thought, could be useful to Claus. When Claus reached out asking for help, the two friends got together, tried to calm down, and got to work. “It was like a scene from a movie,” Claus later said, according to court documents. “You know they say everything around you slows? My ears were ringing, and I felt like I couldn’t breathe, and honestly I don’t think I was.” Yates walked Claus home and removed scissors and razor blades from her dorm room so Claus couldn’t hurt herself. “She wanted to see if I wanted to catch this guy,” Claus recalls. “Of course I said, ‘Yeah.’ ”
“Sextortion,” the broad term for a scenario in which an attacker uses intimate content for blackmail or abuse, takes various forms. Although it’s hard to quantify how often it happens, it’s clearly becoming more common. Last year the National Center for Missing & Exploited Children received 44,000 reports of online enticement, the category that includes sextortion, up from 17,000 two years earlier. The FBI said it received 18,000 sextortion-related complaints in 2021, with victims paying attackers a reported $13.6 million. In September the bureau said almost half the complaints it received in the first seven months of the year came from victims 20 to 39 years old.
Law enforcement agencies tasked with confronting such attacks are hindered by budgetary constraints and a lack of experience dealing with digital crimes. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, says even simple techniques-such as using a fake phone number-are usually enough to stump investigators. As a result, many agencies focus on simply discouraging young people from sharing pictures of themselves in a way they might later regret, according to Mac Hardy, director of operations at the National Association of School Resource Officers, which investigates many crimes. “We’ve been going through this for years, and it’s always a nightmare,” he says.
Such advice may be counterproductive, because it further stigmatizes people targeted in these attacks. “Victims sometimes have a hard time coming forward, not only because they feel a lot of guilt and shame internally, but because they feel that from society,” says Martha Finnegan, a child and adolescent forensic interviewer at the FBI.
Tech companies are also often slow to respond. Many sextortion schemes start on dating apps, but for Claus the vulnerability was Snapchat. The app has been particularly scrutinized and is the subject of a class-action lawsuit filed by a 16-year-old girl who alleges Snap Inc., the company behind the app, has done almost nothing to prevent sexual exploitation of minors. A Snap spokesperson said in an email that the company has taken steps to stop intruders from taking over accounts and that it works to prevent devices from logging in to many accounts.
The hacker who targeted Claus posed as a security employee warning her of a breach, then tricked her into sharing a code that allowed him to take over her account. Once in, he locked her out. Snap said it ejected the hacker from Claus’s profile within 24 hours of learning of the breach. As of late July, Claus says she still hasn’t regained access to her account.
The intruder broke into a private section of Claus’s app called “My Eyes Only,” which contained naked photographs she’d taken for herself as she tried to recover from a rape. He distributed those images in a message with the text “Flash me back if we’re besties.” Prosecutors say this seemed to be a way to gather compromising material to use against other victims. He never asked Claus for anything.
Many of Claus’s contacts thought the message was real, including members of a sorority that she says she’d tried to join, only to become a target of bullying by the group. An ex-boyfriend called her and yelled at her, asking why she put herself in such a situation.
When Claus reported the incident to campus police, two male officers came to speak with her. One rolled his eyes throughout the interview, according to Claus. “He was acting like, ‘You asked for it,’ ” she says. Both officers left her crying in a classroom when the conversation was over. She called Geneseo town police, who directed her back to the university cops.
The investigatory dead ends made the situation doubly traumatizing. “If it hadn’t been for my emotional support animal and a couple friends I knew at the time, we wouldn’t be having this conversation,” says Claus. “I had the pills in my hand to kill myself.”
In an emailed statement, Geneseo university police Chief Scott Ewanow said “the university police treat reporters of alleged crimes with respect and officers take reported crimes seriously.” When cybercrime cases exceed the capacity of the department’s resources, he added, the university seeks assistance from other agencies.
With Yates’s help, Claus came up with a plan. Yates contacted Claus’s account from her own profile, suggesting she had nude images to share and sending a link. The URL, made to look like a porn site, actually collected the IP address of anyone who clicked it, using a website called Grabify IP Logger. The hacker could’ve circumvented the plan by using a virtual private network, a step so rudimentary that it’s surprising anyone involved in online crime wouldn’t be taking it at all times. But he didn’t. It turned out to be a crucial mistake.
In addition to gathering information, the link was set up by Claus and Yates to direct the attacker not to a porn site but to the Wikipedia page for the word “gotcha.” “I got a message back from him saying, ‘What the hell is this?’ and then I blocked the account,” says Yates. “But that was once we realized he was in Manhattan and using an iPhone without a VPN.”
Claus followed up with the campus police days later, and Geneseo officers forwarded her police report to New York state law enforcement, where one detective had a contact with the FBI. The tip led to an arrest. “It was him being an idiot that did it,” Claus says of the hacker. “When I passed all that information to the FBI, they said, ‘There’s a really good chance that we wouldn’t have caught him without this.’ ”
The person who received the taunting message from Claus and Yates was David Mondore, a 29-year-old chef living in Harlem. He admitted to gaining unauthorized access to at least 300 Snapchat accounts and eventually pleaded guilty to hacking-related charges and acting with the intent to defraud, for which he received a sentence of six months in jail.
Mondore was a complete stranger to Claus, she says. She believes his punishment was too light, but she adds that she doesn’t think he was a monster. “He’s a human,” she says. “That’s what makes it scary.”
