Nixon’s skill at looking ahead in this way has served him well throughout his career. On many occasions a hacker or hacking group will catch her attention – for example, for using a new hacking approach in some small operation – and she will begin tracking their online posts and chats with the belief that they will eventually do something important with that skill.
They usually did this. When they later made headlines with some showy or impressive operation, it seemed to others that these hackers appeared out of nowhere, sending researchers and law enforcement scrambling to figure out who they were. But Nixon had already compiled a dossier on them and, in some cases, even exposed their true identities. Lizard Squad was an example of this. The group came into the spotlight with a series of high-profile DDoS campaigns in 2014 and 2015, but Nixon and her coworkers at the job she worked at at the time had already been observing its members as individuals for some time. So the FBI asked for his help in identifying him.
“The thing about these young hackers is that they … keep going until they get arrested, but it takes years for them to get arrested,” she says. “So a huge aspect of my career is simply based on this information that has not (yet) been acted upon.”
It was during the Lizard Squad years that Nixon began developing tools to scrape and record hacker communications online, although it took several years before he began using these concepts to scrape COM chatrooms and forums. These channels contained abundant data that might not seem useful during the early phase of a hacker’s career, but could prove important later, when law enforcement prepared to investigate them; Yet there was always the risk of content being removed by com members or law enforcement seizing websites and chat channels.
Nixon’s work is unique because she engages with actors in chat spaces to obtain information from them that “would not otherwise be normally available.”
Over the years, he has explored and preserved every chatroom he has investigated. But it wasn’t until early 2020, when she joined Unit 221B, that she got a chance to explore Com’s Telegram and Discord channels. He aggregated all this data into a searchable platform that other researchers and law enforcement could use. The company hired two former hackers to help build the scraping tools and infrastructure for this work; The result is eWitness, a community-driven, invite-only platform. It was initially combined only with data that Nixon collected after arriving in Unit 221B, but has since been augmented with data that other users of the platform have also removed from the Com social space, some of whom no longer exist on the public forums.
The FBI’s Brogan says it’s an incredibly valuable tool, created with Nixon’s own contributions. Other security companies also scour online criminal spaces, but they rarely share the material with outsiders, and Brogan says Nixon’s work is unique because she connects with actors in chat spaces to get information from them that “wouldn’t otherwise be normally available.”
The conservation project she began when she arrived at Unit 221B could not have been better timed, as it coincided with the pandemic, a surge in new COM memberships, and the emergence of two troubled COM branches, CVLT and 764. As soon as these groups first appeared, she was able to capture their chats; This content went offline after law enforcement arrested the groups’ leaders and took control of the servers where their chats were posted.
CVLT—pronounced “cult”—was reportedly founded around 2019 with a focus on sextortion and child sexual abuse material. 764 emerged from the CVLT and was pioneered by a 15-year-old boy in Texas named Bradley Cadenhead, who named it after the first digits of his zip code. Its focus was extremism and violence.
