Natalie Claus got used to her sorority and was preparing for winter break one evening in December 2019, when people she knew started receiving unusual messages from her. These Snapchat posts, which contained nude photos of Claus, went to her friends, a cousin, an ex-boyfriend and dozens of others she knew, totaling more than 100 people. Some recipients reacted enthusiastically, others confused, as if Claus had played a bad joke. But one of her friends, Katie Yates, immediately recognized the messages as an online attack and knew exactly how Claus should respond.
Yates was also a student at the State University of New York College in Geneseo, 40 miles south of Rochester, where Claus was a sophomore. Several months earlier, after Yates reported that he had been sexually assaulted, someone started sending her abusive messages on social media. Feeling she wasn’t getting enough support on campus, Yates began exploring ways to identify her bully.
This kind of vigilante work, she thought, could help Claus. When Claus asked for help, the two friends got together, tried to calm down, and got to work. “It was like a scene from a movie,” Claus later said, according to court documents. “You know they say everything around you slows down? My ears were ringing and I felt like I couldn’t breathe, and frankly I don’t think so.’ Yates walked Claus home and got a pair of scissors and razor blades from her dorm room so Claus couldn’t hurt himself. “She wanted to see if I wanted to catch this man,” Claus remembers. “Of course I said, ‘Yes.’ “
“Sextortion,” the broad term for a scenario in which an attacker uses intimate content for blackmail or abuse, takes various forms. While it’s hard to quantify how often it happens, it’s clearly becoming more common. Last year, the National Center for Missing & Exploited Children received 44,000 reports of online temptation, the category that sextortion falls under, up from 17,000 two years earlier. The FBI said it received 18,000 sextortion complaints in 2021, with victims reportedly paying the attackers $13.6 million. In September, the agency said nearly half of the complaints it received in the first seven months of the year came from victims ages 20 to 39.
Law enforcement agencies dealing with such attacks are hampered by budget constraints and lack of experience with digital crimes. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, says that even simple techniques, such as using a fake phone number, are usually enough to catch researchers off guard. As a result, many agencies focus on simply discouraging young people from sharing pictures of themselves in ways they later regret, said Mac Hardy, director of operations for the National Association of School Resource Officers, which investigates many crimes. “We’ve been going through this for years and it’s always a nightmare,” he says.
Such advice can be counterproductive, as it further stigmatizes the people targeted by these attacks. “Victims sometimes have a hard time coming forward, not only because they feel a lot of guilt and shame internally, but also because they feel it from society,” said Martha Finnegan, a forensic interviewer for children and youth at the FBI.
Tech companies are also often slow to respond. Many sextortion schemes start on dating apps, but for Claus, the vulnerability was Snapchat. The app has been scrutinized and is the subject of a class-action lawsuit filed by a 16-year-old girl who alleges that Snap Inc., the company behind the app, has done almost nothing to prevent the sexual exploitation of minors. A Snap spokesperson said in an email that the company has taken steps to prevent intruders from taking over accounts and is working to prevent devices from logging into many accounts.
The hacker who targeted Claus pretended to be a security guard who warned her about a breach, then had her share a code that would allow him to take over her account. Once inside, he locked her out. Snap said it removed the hacker from Claus’s profile within 24 hours of learning of the breach. Since the end of July, Claus says that she still cannot access her account.
The intruder broke into a private area of Claus’s app called “My Eyes Only,” which contained nude photos she had taken for herself while trying to recover from a rape. He distributed those images in a message that read “Flash me back if we’re besties.” Prosecutors say this seemed like a way to collect compromising material to use against other victims. He never asked Claus for anything.
Many of Claus’s contacts believed the message was genuine, including members of a sorority she says had tried to join, only to be the target of group harassment. An ex-boyfriend called her and yelled at her and asked why she put herself in such a situation.
When Claus reported the incident to the campus police, two male officers came to speak to her. One rolled his eyes during the interview, according to Claus. “He was pretending, ‘You asked for it,'” she says. Both officers left her crying in a classroom when the conversation ended. She called the Geneseo city police, who referred her back to the university police.
The dead ends of the investigation made the situation doubly traumatizing. “Without my emotional support animal and a few friends I knew at the time, we wouldn’t be having this conversation,” Claus says. “I had the pills in my hand to kill myself.”
In an emailed statement, Scott Ewanow, chief of police at the University of Geneseo, said that “University police treat reporters of alleged crimes with respect and that officers take reported crimes seriously.” When cybercrime cases exceed the capacity of the department’s resources, he adds, the university seeks help from other agencies.
With the help of Yates, Claus devised a plan. Yates contacted Claus’ account from her own profile, suggested she had nude photos to share and sent a link. The URL, made to look like a porn site, actually collected the IP address of everyone who clicked on it, using a website called Grabify IP Logger. The hacker could have sidestepped the plan by using a virtual private network, a move so rudimentary that it’s surprising anyone involved in online crime wouldn’t always do it. But he didn’t. It turned out to be a crucial mistake.
In addition to gathering information, the link was set up by Claus and Yates to direct the attacker not to a porn site, but to the Wikipedia page for the word “gotcha.” “I got a message back from him saying, ‘What the hell is this?’ and then I blocked the account,” Yates says. “But that was when we realized he was in Manhattan using an iPhone without a VPN.”
Days later, Claus contacted the campus police, and Geneseo agents forwarded her police report to the New York State Police Department, where a detective contacted the FBI. The tip led to an arrest. “He was an idiot who did it,” Claus says of the hacker. “When I gave all that information to the FBI, they said, ‘There’s a very good chance we wouldn’t have caught him without this.’ “
The person who received the mocking message from Claus and Yates was David Mondore, a 29-year-old chef who lives in Harlem. He admitted to gaining unauthorized access to at least 300 Snapchat accounts and eventually pleaded guilty to hacking-related charges and acting with intent to defraud, for which he was jailed for six months.
Mondore was a complete stranger to Claus, she says. She thinks his sentence is too light, but she adds that she doesn’t think he is a monster. “He’s human,” she says. “That makes it scary.”