27: Who Crashed the X Party?

Spies, Lies & Cybercrime by Eric O'Neill

Happy Tuesday and I hope you all had a merry and lucky Saint Patrick’s Day yesterday. If you hadn’t figured out by my last name, I’m Irish and a pint of Guinness was a Monday must. This issue of Spies, Lies & Cybercrime is packed! I lead off with thoughts on who the heck brought X to its knees last week. Then we dive into a worrisome penetration of Massachusetts’ local power grid by Chinese cyber spies. To keep things weird, I tell the story of an 11-year-old trapped in his home by (alleged) abusive parents for 20 years! He finally set fire to his home to escape. Lastly, we take a hard look at why you should NEVER click on those constant toll charge texts flooding our phones. We’ll wrap with a great deepfake reel of the Mona Lisa that I hope will make you smile. Read on, and may the road rise up to meet you and may the wind be always at your back. 🍀🍀

Who Crashed the X Party? Inside the Wild DDoS Attack That Rocked Elon Musk’s Social Platform

When X (formerly Twitter) went dark on March 10, Elon Musk wasted no time sounding the alarm. The disruption, he said, was the result of a “massive cyberattack” by “either a large, coordinated group and/or a country.” Then, he doubled down during a Fox Business interview, fingering “IP addresses originating in the Ukraine area.”

Not exactly a minor accusation—especially since Ukraine relies heavily on U.S. support in its ongoing conflict with Russia. Plus, the idea that a country embroiled in defending its own power grids (against real Russian cyberattacks) could spare the bandwidth to sock Musk’s platform is a stretch. A separate curveball came when a pro-Palestinian outfit called Dark Storm Team hopped onto Telegram to claim responsibility. They promptly deleted their post, which only made the story murkier. So who’s telling the truth here?

The Impact on X

For a few hours on March 10, X users found themselves locked out—or stuck with painfully long load times. At one point, 40,000 people complained on DownDetector, making this X’s worst service interruption in ages. Musk insisted the sheer resources thrown at his platform were off the charts. Security researchers, on the other hand, pointed to something decidedly less exotic: some of X’s main servers were sitting wide open, lacking proper DDoS protection. Attackers simply pummeled them with junk traffic until the poor machines keeled over.

What the Heck Is a DDoS Attack, Anyway?

Picture an interstate in rush-hour traffic, but some prankster’s stuffed it with thousands of extra cars crawling along at five miles per hour. Legitimate drivers can’t get anywhere. In cyberspace, those extra cars are actually a “botnet”—an army of compromised devices like hacked cameras, DVRs, and routers. Millions of these gadgets start blasting the target with junk requests all at once, and boom: chaos.

Some folks call DDoS a blunt instrument—just hurl more trash traffic than your rival’s servers can handle. But modern DDoS is getting craftier. Attackers hop between networks, spoof IP addresses, or coordinate waves of traffic so quickly that only top-tier defenses can cope. While it may not be the James Bond of cyber intrusions, it’s absolutely the raging Godzilla, able to trample a site’s infrastructure if left unchecked.

So… Who Can Pull Off This Kind of Attack?

Honestly, any group with decent funding or ingenuity. We’re talking:

  • Nation-States: Russia, China, North Korea—you name it. Governments with resources to spare can muster monstrous botnets. Russia, in particular, has used DDoS in its ongoing conflict with Ukraine, so they’ve earned a reputation for it.

  • Hacktivists: Groups with a political or social axe to grind. Dark Storm fits this mold, and so does KillNet, which famously attacked pro-Ukraine targets.

  • Criminal Syndicates: Cybercrime groups offer “DDoS-for-hire” services. Have Bitcoin? They’ll rent you the keys to a botnet.

  • Ambitious Amateurs: Occasionally, a small band of troublemakers will stumble on an unsecured server or code exploit. They might not be fancy, but they can still cause big headaches.

The Attribution Game: When IP Addresses Lie

Musk’s logic about Ukraine-based IP addresses sounds neat on TV—except it’s not exactly bulletproof. Attackers can bounce traffic through VPNs, compromised machines, or proxy networks in any country. If an army of botnet devices in, say, Argentina or Germany is unwittingly involved, you might still see a “Ukrainian IP” pop up in the logs. That doesn’t mean some hacker in Kyiv is chortling while pressing the big red “Attack X” button.

False flags abound in the cyber world. One day, you’ll see a group claiming they’re behind an attack just to flex. The next, you’ll see evidence they were never actually involved. Dark Storm might be taking a victory lap for someone else’s hack. Or maybe they really did do it, borrowing bots in Ukraine (or who knows where). Without inside data from X’s security team—detailed logs, traffic patterns, and an avalanche of forensic analysis—any finger-pointing is more guesswork than gospel.
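To make the two points above concrete (what "junk traffic until the machines keel over" looks like in a server's own logs, and why the countries behind the flooding addresses settle nothing), here is an added example that is not from the newsletter or from X: it detects a distributed flood in a constructed access log and then tallies where the flooding addresses geolocate using a made-up prefix-to-country table standing in for a real GeoIP database.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample log (not real X traffic): '<epoch_second> <source_ip> <path>'.
    Ten quiet seconds from three regular clients, then three seconds of a
    200-bot flood spread across two documentation address ranges."""
    lines = []
    for sec in range(10):
        for client in ("192.0.2.9", "192.0.2.10", "192.0.2.11"):
            lines.append(f"{1741600000 + sec} {client} /home")
    for sec in range(10, 13):
        for client in ("192.0.2.9", "192.0.2.10", "192.0.2.11"):  # real users keep trying
            lines.append(f"{1741600000 + sec} {client} /home")
        for n in range(200):
            bot = f"203.0.113.{n}" if n < 120 else f"198.51.100.{n - 120}"
            lines.append(f"{1741600000 + sec} {bot} /home")
    return lines

def detect_flood(lines, rps_threshold=50, min_sources=20):
    """Seconds where request volume spikes AND comes from many distinct sources.
    One chatty client trips a per-IP rate limit instead; a distributed flood
    only shows up when you look at the aggregate per second."""
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        ts, ip, _path = line.split()
        counts[int(ts)] += 1
        sources[int(ts)].add(ip)
    return sorted(t for t in counts
                  if counts[t] >= rps_threshold and len(sources[t]) >= min_sources)

# Constructed /24-prefix -> country table standing in for a GeoIP database (assumption).
GEO = {"203.0.113": "UA", "198.51.100": "DE", "192.0.2": "US"}

def source_countries(lines, flood_seconds):
    """Where the flooding addresses geolocate. With VPNs, proxies, spoofed
    addresses and hijacked home routers, this says where the bots or relays
    sit, not who is directing them; legitimate users land in the tally too."""
    flood = set(flood_seconds)
    tally = defaultdict(int)
    for line in lines:
        ts, ip, _path = line.split()
        if int(ts) in flood:
            tally[GEO.get(ip.rsplit(".", 1)[0], "unknown")] += 1
    return dict(tally)

if __name__ == "__main__":
    log = build_sample_log()
    seconds = detect_flood(log)
    print("flood seconds:", seconds, "| sources:", source_countries(log, seconds))
```

Swap in a real GeoIP lookup and you get a country breakdown that looks just as "Ukrainian" (or German, or American) as the bots and relays happen to be, which is exactly why it is not attribution.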

Does Ukraine Have Bigger Fish to Fry?

Considering that Ukrainian officials are currently locked in a brutal war with Russia, and heavily rely on U.S. cybersecurity expertise, it’s tough to picture them retaliating against a platform that remains, ironically enough, a hub for their own communications. If the Ukrainian government or related cyber units wanted to lash out, they’d likely choose more strategically valuable targets than X’s chatty user base. DDoS attacks consume huge resources, plus they’re not typically super stealthy. Launching one right now might be an odd choice for a nation fighting for survival.

The Bottom Line

Despite Musk’s claim, we lack conclusive proof that Ukraine had anything to do with the Monday meltdown. A pro-Palestinian group says they’re the culprit, but that’s also unconfirmed. Meanwhile, IP addresses are about as good at revealing true attackers as reading tea leaves.

Let’s face it: DDoS is the perfect cyber-smokescreen. It’s noisy, destructive, and leaves behind a messy trail that’s easy to fake. That’s why these attacks are notoriously hard to pin on anyone for sure.

What Comes Next?

  1. More Investigation: Until X or a credible third-party auditor coughs up ironclad data, the real culprit remains a mystery.

  2. Better Defenses: If even a social media titan like X can be toppled, others should take note. Lock down those servers!

  3. Higher Stakes: As DDoS becomes more complex and accessible, we can expect future attacks to pack even bigger punches—often at politically sensitive moments.

At the end of the day, the story around X’s outages feels like a detective thriller. We’ve got intrigue, finger-pointing, and multiple suspects waving their hands in the air. And just like in any good whodunit, we might never get a smoking gun. Until we do, stay wary of bold claims without evidence—and if you own a connected device, keep it patched so you don’t become just another cog in the next big botnet.

Keep your seatbelts fastened, friends—cyber drama is here to stay. And who knows? Next time it might be your favorite streaming service or banking app that gets jammed in the digital slow lane.

Read on! The stories get stranger from here!

How China Camped Out in a Massachusetts Power Grid

If you had “Chinese hackers squatting in a Massachusetts power grid for almost a year” on your 2025 Cyber Doomsday Bingo Card, congrats—you win nothing, because this was entirely predictable.

The Volt Typhoon APT (Advanced Persistent Threat) has been lurking in U.S. infrastructure like a shadow nobody noticed. Their latest hangout? Littleton Electric Light and Water Departments (LELWD) in Massachusetts. They weren’t there to shut down power or demand Bitcoin. This was recon—spying, mapping, and staying hidden for over 300 days.

It wasn’t LELWD that caught them—it was the FBI. One Friday in November, the assistant general manager got an unexpected call:

"Hey, just FYI, you’ve had Chinese state-sponsored hackers inside your systems for almost a year."

At first, they thought it was a scam. It wasn’t.

By Monday, FBI agents and CISA reps were on-site. Cybersecurity firm Dragos swooped in and confirmed what nobody wanted to hear: Volt Typhoon had burrowed deep into the utility’s operational technology (OT) network. They weren’t just poking around—they were studying layouts, network infrastructure, and security gaps. Not to break things now, but to know exactly how to break them later.

And here’s the kicker: LELWD is a tiny, local utility. Not exactly a high-value target—unless you’re testing tactics before moving on to bigger fish. If they were in Littleton, where else are they?

Volt Typhoon is playing a long game. They’ve already been caught inside U.S. telecom networks, Guam’s military infrastructure, and emergency management systems. Their MO is stealth—hiding in normal traffic, piggybacking off hijacked home-office routers, and avoiding flashy cyberattacks. They don’t just infiltrate; they settle in. When the FBI shut down part of their botnet last year, it barely slowed them down.

After the breach, LELWD kicked them out and hardened its defenses. But Volt Typhoon isn’t done. If anything, this was a test run. They’re not just watching the grid—they’re rehearsing for when it really matters.

If you're still betting that a major infrastructure cyberattack is a distant threat, rethink your backup power plans. Maybe get solar panels, a generator, and a few candles while you’re at it.

The lights might not go out today. But someone is practicing for the day they do.

How a Man Used Fire and Desperation to Escape a Life Stolen from Him

While this next story doesn’t fall directly into the rubric of Spies, Lies or Cybercrime, it is so bananas that I had to check whether it was a Stephen King short story. For 20 years, a man in Connecticut was locked away in a single room, hidden from the world. His only company? Hunger, isolation, and the radio outside his door that helped him track time. His stepmother (talk about wicked stepmothers!) allegedly kept him there, feeding him just enough to survive, while his father—now deceased—was complicit in his captivity.

The 20-Year Prison

His escape plan wasn’t some grand Hollywood jailbreak—it was printer paper, hand sanitizer, and a lighter.

On February 17, the man set his own prison on fire. Emergency responders arrived to find the home in flames and the stepmother safe outside. But inside, they discovered the 32-year-old victim, emaciated, covered in soot, weighing just 69 pounds at 5’9”. He confessed immediately: he had started the fire—on purpose. It was the only way he saw to finally end his nightmare.

Police were stunned. The man described decades of cruelty—locked away since he was 11 years old, allowed out only for brief moments, given two small sandwiches and water per day, forced to relieve himself through a makeshift straw system. His teeth broke apart from malnutrition, his hair matted, his body wasting away.

Officials missed every warning sign. Schoolmates had raised concerns years ago, teachers reported his starvation, and police even visited the home twice in 2004. But each time, the stepmother brushed it off, and records of child welfare investigations had long since been erased.

After his father’s death in 2024, his conditions worsened. He was locked in 22-24 hours a day, let out only for a minute to let the family dog out. He had no access to a bathroom, no human interaction, no way to escape. Until he found an old lighter in his late father’s jacket.

What’s shocking isn’t just the horrific cruelty—it’s that nobody noticed for two decades. His stepmother, Kimberly Sullivan, is out on $300,000 bail, denying all charges of kidnapping, cruelty, and assault. Meanwhile, the man she allegedly imprisoned is in a hospital, recovering from years of starvation, PTSD, and total isolation.

Police officers, shaken by the case, took up a collection to buy him clothes, books, and basic necessities. The first possessions of his new life. Here’s hoping when his name is released, and he learns about the Internet, he starts a GoFundMe and rakes in millions.

He spent 20 years erased. But now, finally, he’s free.

🚨 Cybersecurity ALERT: The Toll Road Scam is Out of Control! What You Need to Know NOW! 🚨

I hate emojis! But this Cybersecurity Alert is a must read! Millions of Americans are receiving fake toll payment texts claiming they must pay immediately to avoid fines or license suspension. The messages look official, create a sense of urgency, and are fooling many into handing over their personal information. Here’s one I got last week:

The second I got this, I corralled my family and shouted “Don’t click!”

How the Scam Works

Cybercriminals, likely from Chinese cybercrime gangs, send messages impersonating state toll systems like Peach Pass, Sun Pass, or Texas Tag. The texts claim a small unpaid toll—usually $3 to $5—hoping victims will pay quickly without questioning it.

But the real goal is not the money. If you click the link, you are directed to a convincing fake website designed to steal your payment details, personal information, and login credentials. That data is then used for fraud, sold on the dark web, or leveraged for further scams.
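The traits described above (a link that leads somewhere other than the toll authority, a tiny "unpaid toll," and pressure to act now) are exactly what a filter can look for. The following is an added example, not the newsletter's own code; the official-domain allowlist and the two sample texts are constructed placeholders, so substitute your state toll authority's real domain before relying on it.

```python
import re
from urllib.parse import urlparse

# Placeholder allowlist (assumption): put your toll authority's real domain(s) here.
OFFICIAL_DOMAINS = {"tolls.example"}
URGENCY = ("immediately", "final notice", "within 24 hours", "suspen", "late fee")
URL_RE = re.compile(r"https?://\S+", re.I)
AMOUNT_RE = re.compile(r"\$(\d+(?:\.\d{2})?)")

def host_is_official(url):
    """True only if the link's host is the allowlisted domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def triage_toll_text(msg):
    """Return (verdict, indicators) for a toll-payment text. Any link off the
    official domain is enough on its own; otherwise two weaker traits together."""
    found = []
    for url in URL_RE.findall(msg):
        if not host_is_official(url):
            found.append(f"link to non-official host: {urlparse(url).hostname}")
    amounts = [float(a) for a in AMOUNT_RE.findall(msg)]
    if amounts and min(amounts) < 10:              # the scam's typical $3-$5 hook
        found.append(f"small 'unpaid toll' amount: ${min(amounts):.2f}")
    hits = [u for u in URGENCY if u in msg.lower()]
    if hits:
        found.append("urgency/threat language: " + ", ".join(hits))
    if any(f.startswith("link") for f in found) or len(found) >= 2:
        verdict = "suspicious"
    elif found:
        verdict = "weak signal"
    else:
        verdict = "no indicators"
    return verdict, found

# Constructed sample texts (not the message the author received).
SCAM = ("PeachPass: Your vehicle has an unpaid toll of $4.15. Pay immediately to avoid "
        "a $50 late fee and license suspension: https://peachpass-billing.example/pay")
LEGIT = "Your monthly statement is ready. Sign in at https://tolls.example/account to view it."

if __name__ == "__main__":
    for text in (SCAM, LEGIT):
        print(triage_toll_text(text))
```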

A Growing Threat

Cybersecurity firm Trend Micro reported a 900 percent increase in toll scam searches in the past three months. With AI-generated messages making scams harder to detect, this threat is only growing.

What Happens If You Click?

  1. You enter payment details, and scammers charge your card or drain your account.

  2. You submit personal information, which is sold to criminals or used for identity theft.

  3. You are flagged as an easy target, leading to more scam attempts.

Your Phone Won’t Protect You

Apple does not block scam links, and while Android flags some messages as spam, scammers change numbers frequently to evade detection.

How to Stay Safe

  • Never click links in toll payment texts. Always visit your state’s toll website directly.

  • Do not reply. Even sending "STOP" confirms your number is active.

  • Block and report the number to slow the spread.

  • Warn friends and family, especially elderly or less tech-savvy individuals who are prime targets.

Scammers rely on fear and urgency to trick people. Staying cautious and skeptical is the best defense. If you receive a suspicious toll message, delete it immediately.

AI Video of the Month - What Makes the Mona Lisa Smile?

Like What You're Reading?

Sign up for Spies, Lies & Cybercrime newsletter for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive!

Are you protected?

Recently, nearly 3 billion records containing all our sensitive data were exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Was your social security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself. Use this link to get up to 60% off of Aura’s threat monitoring service.

What do YOU want to learn about in my next newsletter? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue!

Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. I look forward to helping you stay safe in the digital world.

Best,
Eric

Let's make sure my emails land straight in your inbox.

Gmail users: Move this email to your primary inbox

On your phone? Hit the 3 dots at top right corner, click "Move to" then "Primary."

On desktop? Close this email, then drag and drop this email into the "Primary" tab near the top left of your screen.

Apple mail users: Tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

For everyone else: follow these instructions
