Nixon’s skill at looking ahead in this way has served her throughout her career. On multiple occasions a hacker or hacking group would catch her attention—for using a novel hacking approach in some minor operation, for example—and she’d begin tracking their online posts and chats in the belief that they’d eventually do something significant with that skill.
They usually did. When they later grabbed headlines with a showy or impactful operation, these hackers would seem to others to have emerged from nowhere, sending researchers and law enforcement scrambling to understand who they were. But Nixon would already have a dossier compiled on them and, in some cases, had unmasked their real identity as well. Lizard Squad was an example of this. The group burst into the headlines in 2014 and 2015 with a series of high-profile DDoS campaigns, but Nixon and colleagues at the job where she worked at the time had already been watching its members as individuals for a while. So the FBI sought their assistance in identifying them.
“The thing about these young hackers is that they … keep going until they get arrested, but it takes years for them to get arrested,” she says. “So a huge aspect of my career is just sitting on this information that has not been actioned [yet].”
It was during the Lizard Squad years that Nixon began developing tools to scrape and record hacker communications online, though it would be years before she began using these concepts to scrape the Com chatrooms and forums. These channels held a wealth of data that might not seem useful during the nascent stage of a hacker’s career but could prove critical later, when law enforcement got around to investigating them; yet the contents were always at risk of being deleted by Com members or getting taken down by law enforcement when it seized websites and chat channels.
Nixon’s work is unique because she engages with the actors in chat spaces to draw out information from them that “would not be otherwise normally available.”
Over several years, she scraped and preserved whatever chatrooms she was investigating. But it wasn’t until early 2020, when she joined Unit 221B, that she got the chance to scrape the Telegram and Discord channels of the Com. She pulled all of this data together into a searchable platform that other researchers and law enforcement could use. The company hired two former hackers to help build scraping tools and infrastructure for this work; the result is eWitness, a community-driven, invitation-only platform. It was initially seeded only with data Nixon had collected after she arrived at Unit 221B, but has since been augmented with data that other users of the platform have scraped from Com social spaces as well, some of which doesn’t exist in public forums anymore.
Brogan, of the FBI, says it’s an incredibly valuable tool, made more so by Nixon’s own contributions. Other security firms scrape online criminal spaces as well, but they seldom share the content with outsiders, and Brogan says Nixon’s work is unique because she engages with the actors in chat spaces to draw out information from them that “would not be otherwise normally available.”
The preservation project she started when she got to Unit 221B could not have been better timed, because it coincided with the pandemic, the surge in new Com membership, and the emergence of two disturbing Com offshoots, CVLT and 764. She was able to capture their chats as these groups first emerged; after law enforcement arrested leaders of the groups and took control of the servers where their chats were posted, this material went offline.
CVLT—pronounced “cult”—was reportedly founded around 2019 with a focus on sextortion and child sexual abuse material. 764 emerged from CVLT and was spearheaded by a 15-year-old in Texas named Bradley Cadenhead, who named it after the first digits of his zip code. Its focus was extremism and violence.
