‘BlueLeaks’: Massive 269 Gigabyte Searchable Archive of Highly Sensitive Files From Over 200 Police Departments and Fusion Centers Leaked Online

On Friday (June 19, 2020) of last week, the Juneteenth holiday, a “transparency collective” of activists known as Distributed Denial of Secrets (DDoSecrets) published a 269-gigabyte indexed archive containing 24 years’ worth of sensitive police data including names, email addresses, phone numbers, images, PDF documents, videos, emails, web pages, text files, audio files, intelligence documents, and more, consisting of over a million files in total, which are searchable by badge number.

Screenshot of the “BlueLeaks” collection of police files published on the DDoSecrets website, located at https://hunter.ddosecrets.com/datasets/102.

The DDoSecrets group has often been categorized as “an alternative to Wikileaks,” but with a commitment to make secrets public that even WikiLeaks chose to withhold. The group’s previous leaks have exposed major government corruption scandals across the world, and DDoSecrets’ work has been cited in the New York Times, CNN, The Daily Beast, and other major publications.

DDoSecrets co-founder Emma Best tells WIRED that the hacked files came from Anonymous—or at least a source self-representing as part of that group, given that under Anonymous’ loose, leaderless structure anyone can declare themselves a member. Over the weekend, supporters of DDoSecrets, Anonymous, and protesters worldwide began digging through the files to extract frank internal memos about police efforts to track the activities of protesters. The documents also reveal how law enforcement has described groups like the antifascist movement Antifa.

“It’s the largest published hack of American law enforcement agencies,” DDoSecrets’ Best wrote in a series of text messages. “It provides the closest inside look at the state, local, and federal agencies tasked with protecting the public, including [the] government response to COVID and the BLM protests.”

After publishing the BlueLeaks files, DDoSecrets was permanently banned from Twitter. A Twitter spokesperson told Business Insider the site was banned for breaking Twitter’s policy against posting hacked material, but did not clarify why other news outlets that covered BlueLeaks were not similarly banned.

The Hack

According to a law enforcement memo obtained by Krebs On Security, the massive internal data trove that DDoSecrets published was originally exfiltrated from a Houston-based web development firm called Netsential, which provides web hosting services to hundreds of U.S. law enforcement and government agencies. That memo, issued by the National Fusion Center Association (NFCA), says that much of the data belonged to law enforcement “fusion centers” across the US that act as information-sharing hubs for federal, state, and local agencies.

Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners — like Interpol, except only for the United States.

“With this volume of material, there are bound to be compromises of sensitive operations and maybe even human sources or undercover police, so I fear it will put lives at risk,” Stewart Baker, an attorney at the Washington, D.C. office of Steptoe & Johnson LLP, told Krebs On Security. “Every organized crime operation in the country will likely have searched for their own names before law enforcement knows what’s in the files, so the damage could be done quickly. I’d also be surprised if the files produce much scandal or evidence of police misconduct. That’s not the kind of work the fusion centers do.”

In a statement, NFCA confirmed the data’s validity, saying that the “dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.” (bolded for emphasis by author)

“Additionally, the data dump contains emails and associated attachments. Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports,” the NFCA alert reads. (bolded for emphasis by author)

“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise. Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”
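The NFCA statement above describes the failure pattern a multi-tenant hosting platform most needs to defend against: one compromised customer account plus an upload feature becomes a path to every other customer’s data. The following is an added example, not Netsential’s code and not anything from the leak, of the controls a defender would put on such an upload feature: an allowlist of file types checked by magic bytes rather than the client-supplied content type, a rejected original filename replaced by a random one, storage outside any web root in a per-tenant directory, and a path check on every read so one tenant can never reach another tenant’s files. All tenant names, paths and sample files here are constructed.

```python
# Added example (not Netsential's or DDoSecrets' code): a minimal upload handler
# that applies the controls a multi-tenant hosting platform would want, so that a
# single compromised customer account cannot turn the upload feature into a way
# to store executable content or read other customers' data.
# All names, paths and sample files are constructed for illustration.
import os
import re
import secrets
import tempfile
from pathlib import Path

# Allowlist of content we are willing to store, keyed by extension, with the
# magic bytes each type must start with. Server-side or executable content
# (php, aspx, html, ...) is simply absent from the list.
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 25 * 1024 * 1024
# Bare names only: no slashes, no control characters, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


class UploadRejected(ValueError):
    """Raised when an upload or a file request fails any validation step."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension if the upload is acceptable, else raise UploadRejected.

    Checks the bare file name, an extension allowlist, the magic bytes of the
    declared type, and a size cap. The client-supplied Content-Type header is
    deliberately not consulted: it is attacker-controlled.
    """
    if not SAFE_NAME.match(filename):
        raise UploadRejected("unsafe file name")
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"type not allowed: {ext or '(none)'}")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload too large")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(storage_root: Path, tenant_id: str, filename: str, data: bytes) -> Path:
    """Store an accepted upload under the tenant's own directory and return its path.

    The on-disk name is random (the original name never reaches the filesystem),
    the directory lives outside any web root with owner-only permissions, and the
    final path is re-checked to lie inside the tenant directory.
    """
    if not SAFE_NAME.match(tenant_id):
        raise UploadRejected("bad tenant id")
    ext = validate_upload(filename, data)
    tenant_dir = (storage_root / tenant_id).resolve()
    tenant_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    dest = tenant_dir / f"{secrets.token_hex(16)}{ext}"
    if dest.resolve().parent != tenant_dir:
        raise UploadRejected("path escaped tenant directory")
    # O_EXCL guarantees we never overwrite an existing file, even on a name collision.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def read_tenant_file(storage_root: Path, tenant_id: str, stored_name: str) -> bytes:
    """Serve a stored file only if it lies directly inside the requesting tenant's directory."""
    if not SAFE_NAME.match(tenant_id) or not SAFE_NAME.match(stored_name):
        raise UploadRejected("bad identifier")
    tenant_dir = (storage_root / tenant_id).resolve()
    target = (tenant_dir / stored_name).resolve()
    if target.parent != tenant_dir:
        raise UploadRejected("cross-tenant access")
    return target.read_bytes()


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed storage root, outside any web root
    good = store_upload(root, "tenant-a", "bulletin.pdf", b"%PDF-1.4 constructed sample")
    print("stored", good)
    for name, blob in [("shell.php", b"<?php"), ("../../etc/passwd", b"x"), ("x.png", b"notpng")]:
        try:
            store_upload(root, "tenant-a", name, blob)
        except UploadRejected as exc:
            print("rejected", name, "->", exc)
```

The design choice worth noting is that no single check is relied on: even if a type check were bypassed, the file lands under a random name in a directory the web server never executes from, and even if a tenant identifier were guessed, the read path refuses anything that resolves outside that tenant’s directory.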

Best declined to comment on whether the information was taken from Netsential, but noted that “some Twitter users accurately pointed out that a lot of the data corresponded to Netsential systems.” As for their source, Best would say only that the person self-represented as “capital A Anonymous,” but added cryptically that “people may wind up seeing a familiar name down the line.”

Mike Riemer, a former Department of Defense employee and currently the Global Chief Security Architect for cybersecurity company PulseSecure, told Digital Trends that it is not uncommon for government entities to have a lower level of security on their systems.

“Budgetary constraints stop them from going to full-blown security solutions,” Riemer said. “They’re often working with legacy systems and don’t have the resources to patch them 24/7. So you have an easy target, and hackers have a tendency to look for these. Governments need to take a serious look at how they’re storing data and who has access to it.”

The hack comes amid widespread protests against police brutality and racism following the brutal murder of George Floyd by Minneapolis police officers, the entirety of which was caught on film in a now-viral video showing Minneapolis veteran police officer Derek Chauvin kneeling on Floyd’s neck, trapping him under his knee in a lethal chokehold, while the other officers sat on his back and legs for nearly 9 minutes as Floyd slowly suffocated to death, desperately pleading “I can’t breathe” and crying for his dead mother before he went unconscious and passed away.

DDoSecrets has published the files in a searchable format on its website, and supporters quickly created the #blueleaks hashtag to collect their findings from the hacked files on social media. Some of the initial discoveries among the documents showed, for instance, that the FBI monitored the social accounts of protesters and sent alerts to local law enforcement about anti-police messages. Other documents detail the FBI tracking bitcoin donations to protest groups, and internal memos warning that white supremacist groups have posed as Antifa to incite violence.

According to Business Insider, the leaked documents show how law enforcement is using social media to keep tabs on protesters.

Police departments and federal law enforcement agencies including the FBI and the Department of Homeland Security exchanged information about protesters gleaned from social media, the documents show. Police monitored RSVP lists on Facebook events, shared information about Slack channels protesters were using, and cited protesters’ posts in encrypted messaging apps like Telegram.

How Police Used Social Media To Track Protesters

As protests against the death of George Floyd expanded globally at the beginning of June, police in the US turned to social media to predict upcoming actions and identify the people organizing them.

One document from a California fusion center lists dozens of protests that police anticipated beginning on June 2. The document notes that information about several protests was gleaned from Facebook pages, and lists the URL of one organizer’s Facebook account (the account appears to have since been deleted).

In other instances, law enforcement agencies shared social media posts that they deemed threatening. On May 29, the FBI sent Los Angeles area police departments an alert about a tweet that read, “See a blue lives matter flag, destroy a blue lives matter flag challenge,” arguing it could pose a risk to officers.

Law enforcement also said they were aware of private messaging channels used by protesters. In at least two alerts, first highlighted by The Intercept, the FBI cites messages sent in closed groups. One alert says protesters “used the Slack messaging app to pass intelligence to the Antifa portion of the group,” and another cites messages sent in a private chat in the encrypted messaging app Telegram, citing a “sensitive source.”

In another warning sent to police departments on June 6, the FBI says it’s been tracking “individuals using Facebook, Snapchat, and Instagram” who post about organizing protests. The warning adds that “some protesters and possible ‘ANTIFA’ members” may be planning a “purge … to kill law enforcement.” While some protesters did vandalize police precincts at various points during the protests, no such purge materialized.

While the millions of files span over two decades, many on social media quickly focused on those tracking the ongoing protests against police brutality. On r/blueleaks, a subreddit thread created to parse through the data, users shared examples of local law enforcement using Facebook events and other social media to track protest organizing and organizers in recent weeks.

Internal documents from two different departments show police creating lists detailing Facebook events in their jurisdictions, including the anticipated number of attendees and even the names of some organizers.

Training materials list Juggalos as an Aurora street gang:

Though there was at least one document dedicated to a group on Telegram, the majority of files citing social media posts appeared to be from Facebook and Twitter.

After the leaks, Twitter began shutting down information about the data, permanently suspending the DDoSecrets account and temporarily suspending those who post content from the leak, in accordance with its policy on the distribution of hacked materials.

Anarchist media platform “It’s Going Down” claims it was forced to delete three tweets in order to “unlock” its account after tweeting a screenshot from the leak.

Even before the BlueLeaks release, fusion center surveillance was the source of scrutiny and even a lawsuit in Maine. In a New York Times article, Mike Sena, the president of the National Fusion Center Association, told the paper the centers are “not geared toward” tracking protester data.

“Anytime there is a mass gathering of people, special events, or whatever it may be, a fusion center’s role is to make sure that there are no known threats to the people that are attending,” Sena said.

DDoSecrets notes that none of the files appear to be classified, and Best concedes that they may not show illegal behavior on the part of police. But the group argues that the documents instead reveal legal but controversial practices, as well as the tone of police discussions around leftist anti-establishment groups like Antifa—for instance, describing notorious white nationalists like Proud Boys founder Richard Spencer as “anti-Antifa,” rather than acknowledging that Antifa expressly opposes right-wing extremist groups like those who follow Spencer.

“The underlying attitudes of law enforcement is one of the things I think BlueLeaks documents really well,” Best writes. “I’ve seen a few comments about it being unlikely to uncover gross police misconduct, but I think those somewhat miss the point, or at least equate police misconduct solely with illegal behavior. Part of what a lot of the current protests are about is what police do and have done legally.”

Who’s Affected, and How Serious Is This?

DDoSecrets counts the data of more than 200 state, local, and federal agencies in the leak. Some of the agencies accounting for the largest share of the leak’s dataset do appear to be intelligence fusion centers. The group also includes a handful of regional FBI Academy alumni associations and Infragard, a San Francisco–based group devoted to sharing information between the FBI and the private sector.

Some of the agencies exposed in the BlueLeaks data dump include:

Alabama Fusion Center
Austin Regional Intelligence Center
Boston Regional Intelligence Center
Colorado Information Analysis Center
California Narcotic Officers' Association
Delaware Information and Analysis Center
FBI Houston Citizens Academy Alumni Association
FBI National Academy Association Arkansas/Missouri Chapter
FBI National Academy Association Michigan Chapter
FBI National Academy Association of Texas
Fort Worth Intelligence Exchange
Minnesota Fusion Center Intelligence Communications Enterprise For Information Sharing and Exchange
Illinois Crime Reporting and Information - Metro East
Iowa Law Enforcement Academy
Iowa Fusion Center
Faith-Based Information Sharing and Analysis Organization
Missouri Information Analysis Center
Northern California Regional Intelligence Center
Nevada Cyber Exchange
New Hampshire Information and Analysis Center
Northern Nevada Regional Intelligence Center
North Texas Fusion Center
Nevada Threat Analysis Center
Orange County Intelligence Assessment Center
South Carolina Information and Intelligence Center
San Diego Crime and Intelligence Analysis Association
South Dakota Fusion Center
Southeast Florida Fusion Center
Southeastern Michigan Association Chiefs of Police
Infragard (San Francisco Bay Area)
Texas Narcotic Officers Association
Utah Statewide Information and Analysis Center
Virginia Law Enforcement National Security Network
Wisconsin Statewide Intelligence Center

For those organizations and their members and employees, the effects could in some cases amount to more than mere embarrassment. The NFCA memo obtained by Krebs on Security warns that leaked files include “highly sensitive information” such as bank account routing numbers and other personally identifiable information, as well as images of criminal suspects.

The files, which can be downloaded as a torrent, also contained intelligence on the recent Black Lives Matter and Defund the Police protests that erupted across the country and around the world to demand justice for the tragic and senseless officer-involved murders of George Floyd, Ahmaud Arbery, and Breonna Taylor.

DDoSecrets’ Best says, however, that the group spent a week prior to publication scrubbing the files for especially sensitive data about crime victims and children, as well as information about unrelated private businesses, health care, and retired veterans’ associations.

“Due to the size of the dataset, we probably missed things,” Best concedes. “I wish we could have done more, but I’m pleased with what we did and that we continue to learn.” Best adds that the group pruned more than 50 gigabytes of data out of the files before publication out of what they describe as an abundance of caution, and will continue to scour that data for anything in the public interest that the group may publish later.

Best notes, however, that DDoSecrets published the financial information knowingly, arguing that it could be correlated with other information to further expose police behavior in ways that serve the public interest. “The potential of the data, especially in the long run and when correlated with other datasets, outweighs any downsides to allowing the public to examine it,” Best argues.

The group also has no qualms about publishing the personally identifiable information of police officers. “The public has an interest in the identities of public servants,” they write.

For Anonymous, meanwhile, the BlueLeaks release represents perhaps the most significant action the group has undertaken in the US in years. The group’s targeting of police harks back to the 2011 operations of the Anonymous subgroup Antisec, whose members—including prolific hacktivist Jeremy Hammond, known for the Stratfor hack—stole and leaked data from a wide array of law enforcement targets in support of Occupy Wall Street protesters. “The closest thing I can think of to a precedent is some of Jeremy Hammond’s hacks,” Best says of BlueLeaks.

Hammond himself is still serving a 10-year sentence for his hacking crimes. On Friday, a group of supporters known as the Jeremy Hammond Support Committee tweeted out a link to the BlueLeaks data dump. It read, simply, “Fuck the police. #BlueLeaks.”
