Four times in the past year, the parents, teachers, and police officers of the small, neighboring Minnesota cities of Cloquet and Esko briefly believed that their children were about to be murdered in their classrooms. The calls began in the spring with two bomb threats. In the first, a man claimed to have seen a suspicious backpack with wires coming out of it at Cloquet and Esko high school. In July, he called again, this time reporting a bomb in a red backpack at Fond du Lac Tribal and Community College, according to police records. Then, in September, the same man, described by the Midwestern dispatchers as having a thick Middle Eastern accent, reported that a gunman, armed with an AK-47, had killed 10 people at Cloquet High School.
All of these calls turned out to be hoaxes. But according to Derek Randall, Cloquet’s chief of police, each time they came in, it was “all hands on deck” for his department. Officers sprinted to their squad cars, threw on their extra body armor, and chambered rounds in the squad rifles. They may have blasted through stop signs and traffic signals while racing as fast as they could to face what might have been the worst thing they would ever see in their lives. “It’s dangerous, frustrating. It’s a waste, and we feel helpless,” says Randall. “Our job is to hold people accountable, and when there’s a person or group on the other side of the world able to take advantage of us and exploit our systems like this, they are taking away our power and control.”
According to the Minnesota Department of Public Safety, at least 26 schools in the state have received false reports of bomb threats or active shootings from the same individual or group since spring. The calls are part of an ongoing spree of hoax calls that police say are likely coming from overseas and have sent hundreds of thousands of students nationwide into lockdown. According to police records WIRED obtained, the hoax caller began their spree in March, earlier than previously reported, and could also be linked to bomb threats called into dozens of colleges during the summer. Earlier this month, WIRED tracked more than 90 false reports of active shooters made to K-12 schools in 16 states around the country during the second half of September, and NPR found that the number may be even higher. The calls haven’t stopped. Scores of schools in New Jersey, Florida, California, South Carolina, South Dakota, Wisconsin, and Connecticut have been targeted in the past three weeks.
“The biggest frustration amongst parents is why no one can do anything to stop it,” says Haley Kachinske, whose job includes sending messages to parents when there's an emergency at Cloquet Public Schools. “Why did it happen to us again, why can’t this be traced, and why can’t it be stopped?”
State and federal law enforcement are working to answer these questions. They believe they know how the person carried out these dangerous hoax calls, WIRED has found. But they have yet to discover who is behind this string of attacks and, crucially, why they are doing them. The answers will determine what, if anything, law enforcement can do to stop it.
In an October memo the FBI sent to schools in New York that WIRED obtained, the agency describes a single subject—a male “with a heavy accent described as Middle Eastern or African”—behind many of these hoax calls. Federal and local law enforcement in several states say that the caller appears to be located internationally, perhaps in Ethiopia, and is using VoIP technology to systematically call in threats to targeted schools.
WIRED traced six phone numbers used in the hoax calls to a service called TextNow, a platform that allows users to anonymously place calls using US phone numbers. Unlike with traditional cellular service, where a provider might need a credit card and address to sign up for service, TextNow customers need to provide only an email address to begin making calls. That drastically limits the information the company is able to provide to law enforcement.
According to the October FBI memo, TextNow has provided investigators with subscriber information. The memo also says that an email account behind at least one of the hoax calls was linked to previous hoax 911 calls and that the account had connected to TextNow through the Ethiopian Telecommunications Company, which is owned by the Ethiopian government.
Nick de Pass, a spokesperson for TextNow, declined to comment on “ongoing investigations.” But in a statement, he says the company has not only banned all the accounts associated with the calls but any users in Ethiopia. “We have also added Ethiopia to our list of unsupported countries to help eliminate this activity from our platform, which means that all calling and texting from the country has been banned from our service,” de Pass says.
But just because the caller connected to TextNow with an Ethiopian IP address doesn’t mean the caller is in Ethiopia. James Turgal, a former executive assistant director for the FBI Information and Technology Branch who is now the vice president of cyber risk and strategy at Optiv Security, says an IP address isn’t the most trustworthy of signals. He pointed out that if the caller was using a VPN or Tor, the Ethiopian IP address that TextNow gave the FBI might not be the origin of the call, but simply as far back as they could currently trace it. “There are mechanisms to investigate whether or not the caller was using a VPN, but it’s labor-intensive, time-consuming, and is sometimes classified,” Turgal says. (TextNow claims to not allow users to connect via VPN.)
The more pressing question for Turgal is motivation. “The fact that no one has taken credit leads me to believe that this isn’t just kids on Twitch,” he says. “Is it political, is it anti-police, is it because of Uvalde? This is just so wide-reaching that you have to do a behavioral analysis here. What’s the end game here, and what are their motivations?”
WIRED used TextNow to contact six numbers associated with recent false reports, which were obtained either through law enforcement officials or public records requests. We left voicemails and texted each number multiple times, asking what their motivations were for the hoax calls. On October 14, a phone number associated with a hoax call in Ohio responded, saying, “FUCK YOU UNITED STATES OF FUCKING AMERICA.” A minute later adding, “FUCK YOU, FUCK YOU.” The message was sent the same morning that schools in at least eight districts across New Jersey were put into lockdown due to hoax calls. On October 20, a number used in a swatting call in Minnesota responded with the exact same message. An hour prior to the October 20 correspondence, at least 14 schools in Wisconsin had been targeted.
Without clear evidence of motivation, officials are grasping at straws—and terrorism is one that several latched onto. Officials in Cloquet speculated that the attacks could be related to the town’s paper mill or nearby hydroelectric dams. A state law enforcement agent not authorized to speak with WIRED suggested that Russians could be behind the attacks, pointing out that Russia allegedly placed thousands of fake bomb threats against schools and critical infrastructure in Ukraine ahead of its February invasion. In September, Lieutenant Lane Windham of the Alexandria Police Department in Louisiana told WIRED simply, “It’s terrorism.”
According to federal prosecutors, however, just because an individual is terrorizing a community doesn’t necessarily mean they are committing a “terrorist act” under the law—a crucial distinction. If a crime is found to be an act of terrorism, it has implications not just for the potential charges the hoax caller could face but also for how the FBI is able to investigate the calls in the first place.
Anthony Mattivi, a former federal prosecutor who served as the antiterrorism and national security coordinator for the District of Kansas, says that, for a person to be charged with a crime related to terrorism, the individual or group behind the call needs to be acting on behalf of a designated terrorist group like Al-Shabbab or ISIL, or they need to have indicated that they had an explicitly political motivation. Vulgar chat messages denouncing the United States aren’t enough. “No matter how much these guys are terrorizing their victims, I haven’t heard anything so far that indicates that the political element is met in these calls,” Mattivi says.
If the investigation does turn into one about terrorism or national security, Mattivi says, the FBI would likely be able to utilize more advanced surveillance techniques that could help to trace these hoax calls to their source. While Mattivi declined to comment on the specifics of the tools, he is likely referring to the kinds of surveillance that can be authorized only by the United States Foreign Intelligence Surveillance Court, a secretive federal body that approves surveillance orders in cases involving national security that Edward Snowden made famous through his leak of NSA documents in 2013. The FBI declined WIRED’s request to comment about whether the hoax calls are being investigated as terrorism.
Even if the FBI is able to identify the caller, US law enforcement’s ability to apprehend them could largely be determined by where they are located. “It’s not a simple situation if the caller is abroad,” says Stephen McAllister, another former federal prosecutor who has worked on scores of swatting cases. He says the ability to arrest the caller hinges on whether the US has an extradition treaty with the perpetrator’s country of origin or whether officials in that country will otherwise work with the US. “Maybe we could consider bringing charges just as a signal to try and deter their behavior if we can’t physically get them,” he says. “But who knows whether that would work.”
In the meantime, that leaves millions of students vulnerable to even more lockdowns due to these hoax calls. Don Beeler is the CEO of TDR Technology Solutions, a company that builds a suite of school surveillance tools that are primarily meant to mitigate false reports of threats at schools. One of their products is called the School Access Manager, software that claims to use artificial intelligence to filter out phoned-in bomb threats. Beeler provided WIRED with a report his company put out that estimates that more than 1 million students were affected by hoax calls from August 1 until October 6 this year. The hoax calls, his report claims, have cost taxpayers more than $31 million in lost instructional time. “We try to quantify the costs of each hoax call for a school, but the reality is that this is only part of the picture,” Beeler says. “This doesn’t even include the psychological costs to these kids.”
Officials in Cloquet talk about the possibility of more hoax calls as if they are inevitable. “We know these calls are coming in, and nothing has changed,” Randall says. “So what are the things that we can do to make this less traumatic for everyone?” Most officials declined to detail their work to mitigate future hoax calls out of concerns for public safety. However, Cloquet has at least one plan.
“We prepared ourselves this year with scripts for every safety scenario that could come up,” says Kachinske, the Data Information Specialist who works at Cloquet Public Schools. “Shooters, bomb threats, gas leaks, you name it. We probably have 20 scripts we’ve written out, so when the emergency happens we are at least prepared to communicate with parents.”
