Arrow-right Camera
The Spokesman-Review Newspaper

The Spokesman-Review Newspaper The Spokesman-Review

Spokane, Washington  Est. May 19, 1883
Rain 52° Rain
News >  Washington

Fallout begins for far-right trolls who trusted Epik to keep their identities secret

UPDATED: Sun., Sept. 26, 2021

Jacob Chansley, right with fur hat, shown at the Capitol riot of Jan. 6 in Washington. Chansley pleaded guilty Sept. 3 to a felony obstruction charge. He carried a flagpole topped with a spear into the insurrection, yelled into a bullhorn as officers tried to control the crowd, posed for photos on the Senate dais and wrote a note to then-Vice President Mike Pence that prosecutors have said was threatening.  (Manuel Balce Ceneta)
Jacob Chansley, right with fur hat, shown at the Capitol riot of Jan. 6 in Washington. Chansley pleaded guilty Sept. 3 to a felony obstruction charge. He carried a flagpole topped with a spear into the insurrection, yelled into a bullhorn as officers tried to control the crowd, posed for photos on the Senate dais and wrote a note to then-Vice President Mike Pence that prosecutors have said was threatening. (Manuel Balce Ceneta)
By Drew Harwell, Hannah Allam,</p><p>Jeremy B. Merrill and Craig Timberg Washington Post

In the real world, Joshua Alayon worked as a real estate agent in Pompano Beach, Fla., where he used the handle “SouthFloridasFavoriteRealtor” to urge buyers on Facebook to move to “the most beautiful State.”

But online data revealed by the massive hack of Epik, an Internet-services company popular with the far right, signaled a darker side. Alayon’s name and personal details were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com.

The information was included in a giant trove of hundreds of thousands of transactions published this month by the hacking group Anonymous that exposed previously obscure details of far-right sites and launched a race among extremism researchers to identify the hidden promoters of online hate.

After Alayon’s name appeared in the breached data, his brokerage, Travers Miran Realty, dropped him as an agent, as first reported by the real estate news site Inman. The brokerage’s owner, Rick Rapp, told The Washington Post that he didn’t “want to be involved with anyone with thoughts or motives like that.”

Alayon told the Post that he does not own the ‘racisminc,’ Holocaust-denial or other web addresses but declined to say if he had owned them in the past; the records were hacked earlier this year. But in a screenshot of his Epik account, which he sent to the Post, the information for four other domains he currently owns matches the private records that can be found in the Epik breach.

Asked why his name, email address and other personal information were listed in company invoices for the ‘racisminc’ and Holocaust-denial domains, Alayon said the data was “easily falsifiable,” that he was the possible victim of extortion and that the Post was “fake news.”

The breach of Epik’s internal records has cast a spotlight on a long-hidden corner of the Internet’s underworld, and researchers expect it could take months before they can process the full cache – the equivalent of tens of millions of pages. Many are digging for information on who owns and administers extremist domains about which little was previously known.

Epik, based outside Seattle, said in a data-breach notice filed with Maine’s attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed. An earlier data-breach letter from the company, filed to comply with Montana law, was signed by the “Epic Security Team,” misspelling the company’s name. An Epik spokesperson said it was a simple typo.

Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing “the detective work” trying to decipher who is behind a single extremist domain. The Epik data set, she said, “is like somebody has just handed you all the detective work – the names, the people behind the accounts.”

“This is like the mother of all data lodes because Epik was at the center of so many of the extremist websites and organizations that people like me study. Epik was the place of last refuge for a lot of these sites,” said Beirich, co-founder of the nonprofit Global Project Against Hate and Extremism. “And as the data is analyzed and looked at more deeply, we’re going to see this ecosystem in a way that was simply not possible before.”

Beirich said the identities of administrators and web developers and “the money flow” – how the sites stay afloat – are the kinds of details that for years have challenged even the most veteran hate trackers. The Epik hack might help connect the dots, she added.

Epik’s founder, Robert Monster, who did not respond to requests for comment, said the company’s data was hijacked and urged people not to use it with “negative intent.”

An Epik spokesperson said in emailed statements to The Post this week that the company has handled hundreds of thousands of domains over the years and some are bound to be offensive. The company declined to attribute the statement to a named spokesperson.

The Epik spokeperson called the hack “an egregious violation against our users” and said the breached data included up to 38,000 credit card numbers.

The spokesperson said the company “offers its services to everyone” and that “domains affiliated with right-wing politics comprise less than 1 percent of users.” Epik said it is not aware of its users’ intents and “does not consider its role to be censors of free citizens.”

“Our long-held policy of content neutrality has made our platform appealing to some in an increasingly polarized landscape,” the spokesperson said. “We do not endorse or condone any one particular ideology, and we feel uncomfortable with calls to censor those who use our services.”

Though domain registrars, such as Epik, encourage customers to use accurate information when buying a new website address, it is fairly easy to register a domain in somebody else’s name, and many registrars don’t demand independent proof or confirmation of identity.

Buyers wanting privacy commonly ask their registrar to conceal their information, including, in Epik’s case, through an add-on service called Anonymize.

Some basic details about a website domain’s owner are publicly available in what’s known as a “WHOIS” database. But the Epik breach revealed far more than that information. Materials from the hack reviewed by The Post include not just names and home addresses but full credit card numbers, unencrypted passwords and other highly sensitive data. Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous.

The Post publicizes material obtained through hacking with caution, only after verifying its authenticity and ascertaining that there is news value in bringing such information to light.

Epik provides web services to many prominent right-wing fixtures online, including the media group One America News, the video site Bitchute, the social media site Gab and the message board Patriots.win. Other domains show links to targeted harassment campaigns of journalists or activists, including by falsely linking them to allegations of heinous acts.

The company was used last month to register the domain for Strikebackforfreedom.com, a campaign that attorney Lin Wood, a supporter of former president Donald Trump, has said on Telegram was bought by his FightBack Foundation. The site says it is affiliated with Sidney Powell and other prominent purveyors of false conspiracy theories about election fraud and the coronavirus vaccine, and it urged people to “STOP doing business with the enemy,” such as companies mandating that employees get vaccinated.

A huge proportion of the 1.8 million domains shown in the breached data appear ordinary, with web addresses for people interested in real estate, home improvement, vegan cooking, various types of spirituality – as well as the occasional domain devoted to pornography, gaming and cryptocurrency. Many do not appear to connect to active websites.

Hacked documents showing details from nearly a million Epik invoices over the last several years underscore the high-volume, low-dollar nature of the domain registry business. While there are dozens of domains worth hundreds or even thousands of dollars, most are worth far less: Only about 2% of the invoices since 2019 were for more than $10; nearly half were for less than a dollar.

Among the more expensive ones was the domain Patriots.win, now used for the pro-Trump site that sought to replicate a message board, known as TheDonald, after its domain owner shut it down following the Jan. 6 attack on the U.S. Capitol. A man listing an address in Louisville paid $413 for the Patriots.win domain in January, the invoice records show. He did not respond to requests for comment and his identity could not be independently confirmed.

Aubrey “Kirtaner” Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack’s origins but said it was fueled by hackers’ frustrations over Epik serving as a refuge for far-right extremists.

“Everyone is tired of hate,” Cottle said. “There hasn’t been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now … the tide is turning, and there’s a swell moving back in their direction.”

Shireen Mitchell, founder of Stop Online Violence Against Women, a group that has tracked online extremism since 2013, said the Epik hack is forcing a long overdue examination of Internet-service companies that haven’t drawn the same scrutiny or talk of regulation as social media giants.

While many researchers are using the data to look forward, including to push for consequences for the people behind the most toxic sites, Mitchell said she’s left asking questions about why Epik for so long helped give a platform to extremist content on the Web.

“We don’t even have a true measurement of it,” Mitchell said of the scope of online hate. “We don’t know how it started, how small it was, how it is amplified and how big it is. Which would also tell us how big it could get unless we do something about it.”

The role of Epik and other alternative Internet-services companies drew mainstream attention in the aftermath of the “Unite the Right” rally in 2017, when white supremacists who organized online converged on Charlottesville Until then, domain registrars and web hosts had traditionally taken a hands-off approach to content unless it involved explicitly criminal activity, Beirich said, but the weekend’s deadly violence sparked calls for tech companies to more aggressively police what they kept online.

One year later, Epik’s founder – whose last name, Monster, is confirmed to be real in Washington state voting records and a 1991 court judgment in New York – further involved himself in the debate following a mass shooting at the Tree of Life synagogue in Pittsburgh.

As the nation recoiled at the attack that left 11 dead, Monster was mulling a different problem: deplatforming. He was deeply concerned that a right-wing social media site, Gab, had been knocked offline because the Pittsburgh shooter had been active there, sharing and spreading anti-Semitic hate until moments before the attack.

In a blog post eight days after the shootings, Monster praised Gab as a “haven for free speech” and said its embattled founder, Andrew Torba, had acted “courageously.” Monster pledged that Epik would help Gab get back online, adding, “Let Freedom Ring.”

The move – similar to stands Epik would later take after other tragedies, including the livestreamed murders of 51 people in two New Zealand mosques in 2019 – elevated the little-known domain registry in suburban Seattle to the center of a roiling national debate over Big Tech and Internet freedom. It also made Epik a hero to many on the right and a target for many on the left.

The result of this can be seen plainly in the celebratory tone used by the hacker collective Anonymous when it announced the breach, as well as in the excitement of critics – both political opponents and extremism researchers – as they began attempting to reconstruct Epik’s business from the vast quantity of stolen data that includes 843,000 transactions over more than 10 years, plus nearly a million invoices. The data, which is hosted online for public download, totals more than 150 gigabytes.

The data includes internal memos describing apparent subpoenas from law-enforcement agencies for information about Epik-registered websites, including two domains, Thedonald.win and Maga.host, in the weeks after the Capitol riot on Jan. 6. The notes do not include details of the subpoenas’ targets, the investigating agencies or any alleged crimes.

One of the internal notes, which appeared to have been written by an Epik employee, mentions a grand jury subpoena, a request to preserve records for 90 days and a nondisclosure order – a court-approved document that law enforcement can secure to prohibit tech companies from telling customers what information they’d shared as part of an investigation. “DO NOT tell Registrant,” read the note, which did not include further details of the investigation.

Some activists online also pointed to data showing that Monster’s name and an Epik email address used for purchasable domains were included on Web addresses such as robmonsterenablesnazis.com and sexynazis.com. The Epik spokesperson said the company has used an automated system to add Monster’s name to domains marked for sale or deletion, even though he has never owned the individual domains.

Epik also has a corporate overlap with VanwaTech, a company that, according to online records, has provided Internet services to the neo-Nazi site Daily Stormer and 8kun, the central node for spreading conspiracy theories central to the QAnon ideology.

Epik bought BitMitigate, a cybersecurity service that was protecting the Daily Stormer from online attacks, from VanwaTech’s owner, Nick Lim, in 2019. Though Epik reportedly severed its relationship with the neo-Nazi site, Lim became chief technical officer of Epik for a time while maintaining his ownership of VanwaTech, based in Vancouver, Wash.

Lim told The Post he remains a partial owner of Epik, and in a Bloomberg profile of Lim, he called Monster “a kind of mentor.” But an Epik spokesperson said the company “does not currently have a relationship with VanwaTech or its owner.”

VanwaTech’s data was not part of the Epik breach, Lim said. Asked if he still considers Monster a mentor, Lim told The Post: “Everyone in my life is a mentor, whether that is what to do or not to do – you can always learn something from everyone. And not everything about everyone is good or bad. People can do both good and bad things, nobody is perfect.”

The domains listed in the Epik hack represent a broad spectrum of far-right extremism, including white supremacists, xenophobic groups and anti-government agitators. Some users appear to have relied on Epik to lead a double life, with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online.

Others, however, belong to high-profile extremist trolls who were “deplatformed” and found their way to Epik, where they continued to harass leftist activists, mainstream journalists and other targets.

Melissa Lewis, a self-described anti-fascist activist and writer in Portland, Oregon, said her family spent months feeling “hunted” by far-right troll and convicted hacker Joseph “Joey” Camp, whose name was listed on domain registrations with Epik and who has claimed publicly to have done freelance work for Monster.

Lewis said Camp – whose targets have included not just far-left activists but also conservative favorite Rep. Lauren Boebert, R-Colorado – sent her harassing emails, posted her home address and disseminated photos of her online, resulting in Lewis being added to extremist hit lists. She said Camp also went after her father, an emergency room doctor, by posting the human resources number to his hospital and spinning tales about her dad “letting cops and patriots die” in the ER. Lewis said her father, too, began receiving death threats, prompting the hospital to take security precautions.

Lewis complained to Epik last year with a rundown of Camp’s alleged violations of the platform’s terms of service. The company responded largely by dismissing her, explaining that there wasn’t enough information to identify the harasser and suggesting that she was aligned with militant leftists who have marched “in the street for the past year burning down buildings and celebrating anarchy,” according to email exchanges reviewed by The Post.

All of this is why Lewis greeted news of the Epik breach with relief – and a measure of glee. The satisfaction, Lewis tweeted, was “better than any orgasm.”

An Epik spokesperson said the company condemns “persecution or targeted harassment” and that it investigates and takes appropriate action after reports of abuse.

The spokesperson said Monster hired Camp for “an unrelated matter in early 2020” and that Epik had no knowledge of Camp’s actions. But the spokesperson also said the company had reviewed reports of Lewis’s claims and “did not find a violation at that time.”

In a phone interview, Camp said he had no comment on whether he had domains registered on Epik and that such information was easily falsified. Camp also denied harassing Lewis or her father. After the call, which Camp recorded and posted online, he boasted of “lying to the Washington Post” and began harassing a Post reporter via text and social media.

The Spokesman-Review Newspaper

Local journalism is essential.

Give directly to The Spokesman-Review's Northwest Passages community forums series -- which helps to offset the costs of several reporter and editor positions at the newspaper -- by using the easy options below. Gifts processed in this system are not tax deductible, but are predominately used to help meet the local financial requirements needed to receive national matching-grant funds.

Active Person

Subscribe to the Coronavirus newsletter

Get the day’s latest Coronavirus news delivered to your inbox by subscribing to our newsletter.