May be attacked by zero days

I am wondering how I will do just this, since Whonix on Qubes seems solid but from my understanding if I strip the VM of TOR and only use a VPN then I might as well create a different HVM

Thus, now I am wondering “well if I have to have Whonix go out to TOR anyway???” then why not


My reason isn’t so much anonymity, it is actually functionality. Many clear net sites block TOR, and for security purposes it is unrecommended to surf clear net on TOR especially when passing credentials like account logins. Yet, it would be nice to retain the hardening of Whonix as well as the triple layered obfuscation of IP origin by staying on TOR yet utilizing a VPN exit onto the clear net so to mitigate TOR security risks.

The reason for this self imposed insanity consideration is:
I need to log into actively targeted Google accounts, which means I have to protect my IP Address as much as possible but also I must mitigate the malicious injection Zero Days possibility thrown at me upon re-touching such compromised Google account(s). I must do this eventually to complete the migration of important contacts/data from off of Google. I am aware this sounds hard to believe, but some previous Zero Days were discovered and published in January 2024 which was 1 of the Session stealers my current attacker was using. He likely has more Zero Days and I am trying not to find out the hard way again … in this Threat Model not only do I not want my attacker to find my real digital IDs such as IP Address or Session tokens but also I don’t want to sacrifice security for such anonymity either in that I must have shields remain up in defense even while still being anonymous as he has malicious payloads of which may or may not have been embedded into various Google Suite products or even spoofing certificates etc. I don’t know yet the breadth of all his capabilities and I don’t have the $ to keep finding out how extensively well versed he is across attack vectors

So it is possible, especially via the Whonix gateway VM in Qubes to direct that TOR connection through a hardware VPN set up I have on my LAN while then still instructing that same TOR traffic to end up at a different VPN at the end of the TOR tunnel so that way I can use TOR to access Google without Google blocking it since it will see the VPN instead. Also, I might use this for my banking too
(my attacker knows my physical geographical location as well as the banking thus might be able to pick my traffic out on clear net if I only used a VPN but with TOR and a VPN he should lose the trail from all the hops)

Is this doable? If so where’s the guide for this?

Is there a QubesOS guide of how to use Lokinet on the Whonix VM?

Opinions on the following:

Me on Whonix → [optional] Tor Bridge → Tor → VPN1 → Tor → VPN2 → Clearnet


Me on Whonix → [optional] Tor Bridge → Tor → VPN1 → proxy → Clearnet


Me on Whonix → [optional] Tor Bridge → Tor → VPN1 → Clearnet

Yes. They do. If anyone’s ever tried to load their banking website in the Tor Browser, they’ll know exactly what happens.

Honestly, if you think about it, it shouldn’t be any different than accessing them directly, in terms of “security”. HTTPS ensures that deciphering or tampering with data packets while they’re in transit is extremely difficult (assuming the end web server has actually done due diligence…).


Hahaha. Good one.

What you’re describing doesn’t involve unicorns, goblins, “the ether”, magic, or , so trust me, it’s very believable :slight_smile:

Ok, there’s a lot to unpack here…

Please correct me on any of these points that I have misunderstood.

  • You say that zero-days have been discovered on Google’s servers.
    • Happens very frequently.
      • …and are also patched very frequently. Keeps coders in a job :slight_smile:
  • You say you have been a victim of these zero-days on Google’s servers.
    • So it’s safe to assume that your attacker has access to the back-end of Google’s servers, or is able to inject things into data packets that are sent to you, wherever you are…
      • Tor, a VPN, IP address obfuscation, etc. will not help you with any of this. If the malicious data packet is meant for you, it will be sent to whatever IP address you told Google’s servers to send to.
      • All this will do is prevent Google or people passing on your data packets back to you from knowing where your end-point is on the internet :slight_smile:
        • I mean, if that’s what you want, or if you genuinely don’t trust the people helping you communicate with Google, then sure, obfuscate this. But it won’t make a difference if your attacker has compromised Google :frowning:
  • You say you have “things” (contacts, etc.) that are stored on Google’s servers.
    • Fair enough
  • You wish to be able to retrieve these “things” that are stored on Google’s servers.
    • Fair enough
  • You are concerned that your attacker will be able to “find you” if you log into these accounts to retrieve these “things” that are stored on Google’s servers.
  • You are worried that your attacker might be able to inject malicious “things” into your interactions with Google’s servers
    • Legitimate concern, for sure. But you have to have some idea of how and where these injections take place
      • Having them take place while in transit (so, not on Google’s servers or on your client machine) is very difficult (near impossible) to do because of the way HTTPS is designed to work
        • Either the hash of the packet would change, the origin/route of the packet wouldn’t match the certificate, the decryption would throw an error because the decryption key wouldn’t work on what was sent to you. Almost all browsers check this stuff constantly, and absolutely freak out if there is a mismatch on any of this :slight_smile:
      • Having the injection take place on Google’s servers is also reasonably unlikely, at least, not in the long-term…
        • The number of eyes that Google has watching their servers round-the-clock would mean that things like this are usually detected fairly quickly. I said “detected”, not “fixed”. They might not be able to be patched quickly, but it’s overwhelmingly likely that they know about them. Also, the fact that a researcher was able to publicly talk about the exploits so openly, usually means that Google has already patched them, and they are fixed :stuck_out_tongue:
      • Having the injection take place on your local machine is far more likely, because everything is already decrypted on your local machine
        • If this is the case, then you probably need to be aware of what you have running on your machine, inside your VM, or whatever you are using to access Google’s servers…
  • You are concerned that this attacker likely has other zero-days
    • This is probably true. Even if it is not, it’s still a good idea to assume they do, just in case.
  • You are concerned that your attacker will “find your real digital IDs such as IP address or session tokens”
    • So, go to your local place with public Wi-Fi and access them on a device/VM you’ve never used before, and don’t have anything sensitive on. Simple :sunglasses:

It all comes down to understanding:

  • How the interactions between client and server work (protocol)
  • What information is exchanged during these interactions (network traffic)
  • What each party lets the other see on their own end (file permissions)
  • What each party lets the other do on their own end (RCE)
  • How each attack exploits the process of interaction between client and server (vulnerability)
  • How the exploit can allow each party to get the other to do something the protocol didn’t intend to be possible (exploit)
  • What an attacker can do with that exploit to you (exposure)

Yes, this is possible. Route sys-whonix via sys-vpn (if you haven’t got one, set one up, making it route all traffic), and in your AppVM with sys-whonix set up as your network VM, set up a second VPN connection to VPN 2.

Won’t help you at all with Session IDs, though, because they’ll remain the same, regardless of how many hops your network traffic goes through…

So, change your physical location, your machine, your VM, your VPN nodes, etc?

Wide-net listening to WAN traffic requires a HUGE amount of resources and a full (or decently-sized) view of the network. Usually governments and ISPs are the only ones with the resources to be able to do it, and usually governments are the only ones who can do it with any meaningful attempts…

Botnets being used as spies only work if they can see enough information on whatever they’re running on (home routers cannot decrypt the contents of web browsers of their LAN devices, for example, because that’s how HTTPS was intended to work), and they’re not very effective if traffic comes in from a node that they don’t have coverage on. It doesn’t really tell them anything useful :stuck_out_tongue:

A sys-lokinet would be an interesting idea. It wouldn’t be too difficult to set up. Clone sys-firewall or sys-whonix, install it in there, and it should work as expected.

You’ll confuse the crap out of whoever is in the chain of forwarding your data packets for sure, but the end server will still know who you are because you’re logging into a user account :rofl:
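
The netvm chaining suggested in the reply above (AppVM → sys-whonix → sys-vpn) can be checked from dom0 before any login is attempted. The following is an added example, not part of any post in this thread; it assumes `qvm-prefs <qube> netvm` prints the upstream qube's name (empty or `None` when there is none), and the AppVM name `work-google` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify in dom0 that a qube's traffic
# path passes through the expected network qubes, in the expected order.
# Usage in dom0:  sh check-route.sh work-google
# "work-google" is a hypothetical AppVM name; sys-whonix and sys-vpn are the
# qube names used in the reply above.

# Default lookup: ask Qubes which qube provides networking for "$1".
# Assumption: prints the netvm name, or nothing / "None" if there is none.
qubes_netvm() {
    qvm-prefs "$1" netvm 2>/dev/null
}

# The lookup is overridable so the logic can be exercised outside dom0.
NETVM_LOOKUP=${NETVM_LOOKUP:-qubes_netvm}

# Print the chain "qube netvm netvm-of-netvm ..." as space-separated names.
# The hop limit guards against a misconfigured loop.
netvm_chain() {
    vm=$1
    chain=$vm
    hops=0
    while [ "$hops" -lt 16 ]; do
        next=$("$NETVM_LOOKUP" "$vm") || next=
        case $next in
            ''|None) break ;;
        esac
        chain="$chain $next"
        vm=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$chain"
}

# chain_has_order "<chain>" hop1 hop2 ...
# Succeeds only if every required hop occurs in the chain, in that order.
chain_has_order() {
    chain=$1
    shift
    for hop in $chain; do
        if [ "$#" -eq 0 ]; then
            break
        fi
        if [ "$hop" = "$1" ]; then
            shift
        fi
    done
    [ "$#" -eq 0 ]
}

# check_route <appvm> hop1 hop2 ...
# Prints the discovered chain and returns non-zero on a mismatch, e.g. when
# the AppVM is still attached to sys-firewall and would bypass Tor entirely.
check_route() {
    appvm=$1
    shift
    found=$(netvm_chain "$appvm")
    if chain_has_order "$found" "$@"; then
        printf 'OK: %s\n' "$found"
    else
        printf 'MISMATCH: %s (expected in order: %s)\n' "$found" "$*"
        return 1
    fi
}

# Only run against real qubes when the Qubes tools are present (dom0).
if command -v qvm-prefs >/dev/null 2>&1 && [ "$#" -ge 1 ]; then
    check_route "$1" sys-whonix sys-vpn
fi
```

The second VPN connection (VPN 2) is made inside the AppVM itself, so it never shows up in the netvm chain and has to be confirmed separately from within that qube.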


Thank you, please don’t misread the following with any attitude as all I am doing is trying to clarify stuff but I appreciate the help so far


  1. he stole all my $ prior to his campaign attack upon me
    (via Social Engineering in a Romance Scam, not by technical ability as everything was on offline hardware wallets)
    … so the whole “go get a burner laptop” or “single use case laptop” is not ideal as I have already gotten a loan from a family member for all new equipment and to rebuild out a home network in two households — of which did not include a “single use case laptop(s)” for my mom and I given that we were already buying 2 brand new laptops to replace our compromised daily drivers.

(with this I have only budgeted for 2 laptops, 1 for my mom, 1 for me of which has QubesOS for our security against this Threat Model — because if our IP Address is ever found again I hope the firewalls and Qubes will mitigate the rest of the attack especially since some of his malware and spyware are persistent within network cards and even Firmware. Also, a clean fresh Linux install on an old Microsoft laptop that wasn’t online at all during the duration of the hack is the only one with an Ethernet port so I will be using that 3rd laptop to administrate the LAN only without it touching the 2 daily driver laptops and without that LAN admin machine touching the internet except MAYBE during updates and testing/troubleshooting if absolutely needing to but I will try to work around this yet I might cave-in for “ease of use” to resort to troubleshooting on the same machine I will admin the LAN with so then it will be briefly online during those times with and without firewalls if I need to troubleshoot the firewall ports during this elaborate setup rebuild)

With that all said,
I am considering your proposal in that:

Maybe I could salvage my mom’s Chromebook as it was not [yet] obliterated like my MacBook and ADT system was [when he knew that I knew with proof of his intrusion], though I am assuming since many of his exploits relied upon Google to the point that he literally installed Google Suite onto my MacBook after breaking in so to use it in escalating privileges somehow — that alone tells me that there is a good chance my mom’s Chromebook is infected just not noticeable unless I install monitoring stuff and/or start poking around and logging activity to find out for certain. He has targeted my mom too btw so to retarget me it seems, as he sent the same spyware to her Android phone that he hit my Android with prior to attacking my MacBook on my home network (this I have indeed confirmed, and have kept as evidence for any who can run more in-depth forensics). However, there is a chance that he never found my mom’s home network as she claims to have not been on her wifi [with her phone] most of the time between June 2023 to present, but there is also a chance he did find her home IP Address especially after finding her phone through my phone being hacked and/or by using simple OSINT to track down her IP Address after stealing all the info off of my phone and/or doing a public records search to find my mom’s full name based upon my public records info; so from there he could find her ISP service and account if any of that was in data breach leaks and/or if he has a backdoor from a Zero Day accessing such client databases like he seems to have had with various US cellular companies.

So I don’t know, my mom’s home network may or may not be infected. I am assuming it is given how skilled he was in all the ongoing attacks deployed upon me at my home network and cellular data accounts too.

Unlike many other previous targets I took notice. He in the past hit an attorney with his spyware and turned her life upside down by leaking her medical condition which made her lose her Bar license. She eventually got her license to practice Law back, but it hurt her for months and unlike me she had no idea wtf had happened and how or why her medical info suddenly was even known to the Legal community. It was via his spyware he unleashed on her and her Law Practice, since he was a client in 2019 of hers to file divorce papers only to then use her phone number against her and deploy spyware and then instead of blackmailing her apparently just wanted to ruin her career so leaked her medical condition which my guess is she was on medical prescribed w33d

maybe just maybe if I actually wanted to leave my house and pay for a sit-in restaurant like Panera Bread, I could take [my mom’s] possibly infected Chromebook and plop it onto public wifi (risking spreading nasty spyware to others btw if it is infected) to then log into my GMail to finish migrating everything off those Google account(s) (which also might risk spreading his malware and spyware too btw)

a.) I am unsure how I feel ethically in knowingly placing others like “public libraries” or “coffee shops” or “Panera” at risk of such an intrusive persistent attacker — but since the FBI call center hotline is brainless enough to tell me to go infect a public library just to submit evidence to iC3 then maybe I should negligently put everyone else at risk sure, JFC, why did I pay half a million in taxes during 2022 on 2021 tax bill for a Nation State full of fools that are seemingly useless in 2023 to do cyber crime cases even when someone like me has evidence to hand over (wtf)

b.) I would really prefer NOT to have to leave my home or my mom’s place to access my Google again safely

(I prefer to use my down time to clean up and migrate off of Google, in that I have a physical health condition that keeps me bed ridden for 5 days out of every month so doing this during that down time from my bed is most ideal for me otherwise doing all this any other time would massively suck my actual productive uptime)

c.) maybe I could toggle it onto a burner phone hotspot (so to stay home lol), but this is not ideal given my limited budget plus the threat model includes him finding that cell number and SIM swapping or SIM jacking my number(s) which would drain more $ each instance; not to mention the slow speed of doing any of this on LTE cellular data in my home area (omg please no, it is so slow I might as well be on a multi-TOR-proxy-chain)

here are the other points:

• he can NOT be legally backed by any western gov, because if he was then slapping a FIDO passkey onto my Google Accounts when initially detecting the breach would have never stopped him yet it did; it was literally the ONLY thing that stopped him since he had used the then Zero Day to steal my Session permanently which didn’t kick him out even when all log-in-sessions were killed, all devices’ access revoked, and the password and backup codes were all changed btw yet he still remained logged-in (and yes that Zero Day has since been patched by Google). Literally the only thing that successfully ended his intrusion was turning on MFA with a FIDO passkey.

• he also can’t be a literal insider at Google, at least not with significant enough level of access, because again if he had that insider access to its full capacity then again a FIDO passkey would have never initially stopped him (yet it was the ONLY thing to stop him)

I am certain most western govs as well as many corporate levels of Google employees are able to bypass the passkey, just as Twitter/X had once demonstrated that they had a “God Mode” that overrode account passkeys when people with Twitter accounts got taken over despite having a passkey such as YubiKey on their account — the Twitter “God Mode” made all such security efforts moot.

I am most certain that even with his spyware blackmail extortion campaigns likely having certain types of corporate and government people in his pocket there is still not enough access to bypass passkeys it appears as of from October 2023 to December 22nd 2023

(December, the last time I was able to access all my main online accounts, since he remotely did a kill switch to brick my then one and only computer the MacBook Pro … the issue is all my passkeys were at that time all on a USB C stick so are unfortunately useless while I remain stuck on a mobile phone until I rebuild and can once again use my FIDO passkey to re-login once safe enough to do so — which is one of many reasons why I have been setting up Qubes)

With that said,
here are other points:

• I saw on the ETH blockchain he is apparently sitting on multi-millions, likely all stolen or at least scammed through ill gotten gains

• These were listed on his X profile bio as his specialties, outside of his hosting service offering and AI business chat bot website promotion:


• he is also skilled in Python, OpenBSD, Unix servers, Linux servers (for sure Apache), Shell (SSH), JavaScript, Web Hooks using said JavaScript of which he is specifically using the merchant Stripe “web hooks” to automate his theft from bank accounts btw (as he tried to drain the business checking account I opened yet it was already at $0 which left him noticeably upset lol I have that reaction of his voice recorded as evidence too it was a bit hilarious hearing his disappointment in learning there was $0), Google and Amazon APIs maybe other APIs too I don’t know (prior to realizing he was out to ruin me, he tried to get me to hand over a Google API key claiming he needed it for map integration — thankfully I never did that out of sheer terror of the auto-billing I heard so many stories about)

• he also claimed he knew how to do “Signal Intelligence” (I asked if this came from involvement in gov and he denied any gov connections btw, though maybe this was a lie as well); yet he mentioned the French international-recruitment military group The Legion or whatever tf it is called yet went on to again claim he had never joined it (but I have no idea other than why would he even bring up such a spooky para-military gov backed group full of misfits running away needing new identities issued by the French gov then, odd he would even mention their name let alone bring it up in conversation as I never even knew this military group existed prior to him telling me their official name which I queried for more info on search engines and asked ChatGPT of course)

• he claimed all HTTPS traffic is now easily broken, I didn’t really believe him then nor when he was hacking me I still didn’t believe HTTPS in transit could be broken; but then I started looking into it while dealing with all this hacking bs, and found in various research publishings that it can be done specifically either by like you said leveraging vulnerabilities on the servers and/or by altering certificates somehow either server or client-side (all without any fancy Quantum Computing breaking the actual encryption). Some of the yet to be patched ongoing vulnerabilities especially on RAM and chip sets make an elaborate chain of executing exploit privilege escalation possible on nearly all servers worldwide, so there is that too now. Not to mention the vastly reaching GPU vulnerability in the wild unpatched (though likely the GPU exploit is not ideal as an attack vector given the tiny amounts of leakage that exploit yields). So maybe that is why he boasted about HTTPS being completely broken easily according to how he defines as “easy”, I still am not sure how he claimed and is bypassing HTTPS/SSL data in transit.

• Maybe you are right, and he has other methods making HTTPS appear broken but it is not. The reason I say this is since my MacBook was the only machine I had after he robbed me, I found out eventually that he was unable to spy and even intercept my Brave Browser incognito TOR connections (unlike my clearnet Opera, Brave, Firefox, and Safari connections). I knew this for sure eventually because he then attacked my system to specifically corrupt the TOR file used by Brave. The Brave team on Twitter/X were perplexed in how that even happened (but at the time I hadn’t gone public about the hack, so they didn’t know it was due to a hack yet). Despite the Brave team on Twitter being perplexed in not being able to reproduce the corrupted file they still helped me restore the file that enabled TOR to work in my Brave browser (as restoring the browser by uninstalling and reinstalling didn’t even work, as it didn’t repair that TOR file — it had to be manually repaired by going into the directory every time). Once I restored TOR within Brave my attacker then kept corrupting that TOR file Brave relied upon, again and again; while I kept restoring TOR on Brave again and again LMAO. As it was my then only safe way to get a backup on Mega dot io website of the evidence as well as contact key supportive contacts to hand off copies of the evidence to them and was my only way of communicating still especially retaining my access to my Twitter account communications

(which I slapped a passkey on to Twitter as well at the time preemptively the same day he took over my Google accounts which could have reset my Twitter but I beat him to it)

• in hindsight the reason I think he was originally physically positioned in [redacted] France is because there is a huge internet backbone there, so since he was targeting others not just me in deploying pervasive persistent spyware, such as French pop stars, International journalists (especially from Israel) and US journalists, and even US Senators in office and those running for US offices for the Senate & House this election cycle — he somehow has a way to monitor the traffic (especially email type traffic) to sniff out anything he wants as a flag such as “viewing” packets in transit associated to my name as a target. While he has exploits for Google to compromise their email and all that, he doesn’t have exploits for all email providers because he was frustrated and called me “clever” for moving my critical accounts over to my RiseUp of which he apparently cannot access and/or hack for whatever reason unlike Google services and even iCloud services too btw

(I don’t usually go through any French nodes, but if he has been doing that to French internet infrastructure then maybe he has zombie servers he has taken over elsewhere around the globe — and yes he has botnets too btw including an entire annoying account bot farm on Twitter that he spams people with including my account now ever since I went public about his attack on me he pointed his “s3xb0t” Twitter bot farm at my account and has been degrading my algorithm ranking ever since using that bot farm against me)
(As for the iCloud thing, get this, I set my mom up with a fresh brand new iPhone and used that iPhone to make a new iCloud account; within 3 days — without contacting anyone yet btw or logging into any accounts yet other than iCloud and the cellular carrier payment portal — of doing so he brazenly somehow found and then accessed her iCloud as the log was emailed as an alert to us of a successful log-in at the time we were both asleep (mind you Apple had already patched Pegasus by now and we got these new iPhones AFTER the Pegasus patch). Luckily I put on “advanced data protection”, plus all that was on that iCloud at that time was a backup image of a fresh new phone without any personal data. Needless to say we ended all device log-ins by revoking all, ended all sessions, redid the iCloud passphrase and phone password, factory reset everything, and again reset the phone and reset the iCloud passwords again back to back; have since NOT had another attempt or successful iCloud login occur by any intruder)

My main guess is, since he tried to look for dirt on me (and found nothing lol I am such a dork lol), he does that to most of his targets and therefore if they are in any positions of power and/or access he uses Blackmail to get them to do his bidding (since many people often have at least one thing to hold over them as a bargaining threat imho; but ha I do not and I don’t have any kids ha no one to threaten me with ha). Which was/is maybe how he has backbone internet access to international cables and processing computational power through compromised data centers and how he is able to also monitor AT&T cellular traffic as well in given geographical locations where he has targets being manipulated through Blackmail extortion.

The horrible thing was my contact list on my Google account being stolen, now he has a vast range of various key people in groups across political spectrum from stuffy regular politics to grass root politics and even US military contacts due to the connections I have through my two veteran parents of which my dad works at [redacted - military rocket manufacturing weapon facility] which should be protected given what goes on there

(because some of the phones he SIM jacked from me should have never been found other than I was too lazy to leave the geolocation of my house, yet only cellular companies and gov should have that access as I used a prepaid card to load prepaid minutes and registered it under a bogus name and address so I figured I didn’t have to leave my actual geolocation oh but apparently I should have left fml I am a homebody these days I don’t want to leave)

regarding my scheme to get back onto the internet in full capacity and log into my Google accounts again too …

I do NOT care if the exit node of a VPN or TOR knows that it is I logging into Google

(I don’t care if Google and the US gov know either, ffs my main Google is my IRL name as my email anyway LMAO)

What I care about is:

  1. the entry node need not know my REAL IP address and/or need not see I am logging into Google services (thereby also not having my account log-in info); as I cannot risk having my new network found by my attacker so he can then re-target me ruthlessly again

  2. the exit node need not be able to intercept and/or alter my log-in credentials, thereby I wish to keep data integrity intact (prevent injection, and man-in-the-middle); but I don’t care if the exit node sees that [my name] is accessing [my] Google account from a VPN and/or TOR so long as they cannot alter the data and so long as they can’t see my real IP Address

(as I don’t care if they or even my attacker knows that I am logging in, so long as I am behind multiple layers of VPNs and TOR nodes so none of them find my real IP Address as that is the worst thing to reveal to my attacker along side any real phone number of mine)

  3. I need however many layers in transit so this criminal can’t sniff my traffic to and from nodes, as he likely has something set-up to alert him upon my Google account being logged into (despite him not having access to get into it, he is watching my known Gmail accounts through the traffic email protocol somehow seen on clearnet)

(I am just guessing he would do an alert, but I haven’t found out yet if that is the case; the point is I don’t have the resources to keep finding out his capabilities as I can’t risk replacing equipment again as I am now on loaned money with $0 in savings and $0 in income currently due to his scam lies, sabotage, and attack on me)

  4. I prefer to do this at home on my Qubes in a disposable VM hopefully hardened against all things Google and Google-DNS and spyware related payload mitigation through containers and compartmentalization

(as I have to retrieve at least 1 infected LLC incorporation PDF as it is part of the evidence I should have included but couldn’t when first reporting this to iC3 FBI … but I also need that PDF to make a sanitized copy so to file reports with other places too like the FTC and IRS as he stole and misused the business EIN tax ID along with doing identity theft on me as well which was how he bypassed all the security to get into my USAA insurance account likely thinking I also banked there but I do not … and he went on to target the servers of my Credit Union though was thankfully unsuccessful as he resorted to a week long brute force attempt that was eventually shut down by the banking IT department)

  5. do I really have to take my butt to a coffee shop on a dedicated pawned laptop solely for moving my data off Google accounts he is watching but no longer has access to (last I knew as of December 22nd 2023 he still remained locked out due to me placing a passkey on it); I really can’t safely do all this from home at all even using Whonix on Qubes? Really???


That’s not as foolproof as it might seem, depending on the adversary.

For example, they might track your location from your cell phone (assuming they have hacked that) and know the IP in the coffee shop. That may allow them to identify your pawned computer, and even break in, e.g. the NSA using Intel ME.

Even if you turn off your mobile phone (and pull out the SIM too!), a government agency may still be able to track your location from cameras which are everywhere in most places.

if I was being hunted by a gov or remotely worried about a gov having such a close eye on me
I would NOT be mulling over a plan to log back into Google with my IRL name all over it.
Yet I am plotting exactly that lol!

Anyway, with that said …
You do bring up an interesting point since I still don’t know all of my attacker’s abilities nor know exactly how he found some of my burner phones. I am certain he is not gov, or at least he is not of any legitimate allied gov of the West, because if he was as said then the FIDO keypass would have not stopped gov from still accessing my Google account(s) yet it was the ONLY thing that finally stopped him as he had used that previous Google Zero Day session stealer against me.

(e.g. glimpse of the burner phone drama:
there was 1 AT&T prepaid phone that I activated on cellular network not my pawned wifi with an in-store purchased card to load minutes from and within the address field and name input online activation form I gave bogus info — it was a semi-dumb flip phone in that it wasn’t “smart” but it still had an antiquated OS with minimal app support lol not that I used any of it, as I did not — plus I did not contact anyone on it nor did I log into any previous account; what I did do eventually was I used its REAL number to sign-up on a different cellular smart phone with apps that was presumably clean too from being just as “new” to get a fresh new Google Voice VoIP then I took that Google Voice VoIP and went and got a new Signal app account but didn’t contact anyone just yet … within 24 hours of getting the semi-dumb flip phone device he SIM jacked it but how? That Google account was new and created on a new clean device that wasn’t even the real device of the number being used? Or was he watching new sign-ups to the Signal servers for my State’s area code registering? Unless he somehow was sniffing cellular traffic on the local cell towers remotely somehow — stingray is not remote — so to utilize a “geofence” of the known cell towers in my area in order to watch for new phone activation activity, as the only thing I did NOT do was leave my known physical location which he does know btw and no I can’t move to a new living spot, also I am a bit lazy about leaving my house even when I am well enough to do so lol I prefer to keep my home body privileges regardless of this ongoing cyber stalking and cyber attack drama)

while I doubt he has such capabilities to track my newest phone let alone pin point it among others if nearby devices are linked into a pawned wifi connection such as in a coffee shop … let’s say for argument sake maybe he could do that since I am unaware how far his cellular tracking capabilities go.
As far as I know he doesn’t know my newest number, and has yet to break into my newest phone. So then that leaves a so called “single use case laptop” to then correlate my phone for him to gain my new phone number by correlation among devices at said coffee shop when I use said laptop to go onto my Google which he is certainly keeping an eye on likely using his AI Python skills to automate alerts and has premade scripts ready for it to deploy against me.
Alright, but if I either don’t bring my phone
even if I did bring my phone but I keep every toggle “off” except the cellular data, then without it ever touching the machine or broadcasting a Bluetooth or Wifi ID how would anyone other than gov ever be able to use the laptop to find my phone?

I say other than gov,
while he has demonstrated breaking into IoT devices on my home network it isn’t like he has gov abilities to simultaneously monitor all city wide CCTVs and IoTs. Thus he would not be searching every coffee shop cam system all day every day.
I would like to know how you came to such a conclusion?

Like outside of gov,
does correlation from the laptop on the wifi make it possible to somehow “see” devices even if those devices are NOT on wifi or bluetooth and had never connected to said laptop?

if this is indeed possible outside of only Nation State Actors then the simple solution here would be to leave my main new phone home while I go to said coffee shop and/or dump my phone into a faraday bag (which I do have).
If so,
then I might as well leave the phone at home if I resort to using a “single use case laptop” for my Google so to backup my info from those Google accounts before eventually shutting them down as they are pretty useless now that Google is not at all secure to highly skilled criminals.

There is another possibility,
in that my vehicle has a SIM card in it and was connected to both my wifi and my 1st phone that was hacked during time of the initial hack by him. So it isn’t too far fetched that he may be tracking the location of my vehicle, but even so I could park it in a shopping center with many public wifi spots so he would have to guess where I would go to log on — granted as soon as I log into Google or if I am on long enough he could then figure out which one I am in inside of that shopping center I have chosen to log in from. Again, this is presumably why I would be using a throw away “single use case” laptop dedicated for only Google things until I migrate off of Google.
(and no I am not selling my car, but when I get $ I do plan on asking the dealership to replace the SIM with a new one)

How would he use that to obtain my new number or find my new phone, if I don’t plan on entering my new updated contact credentials into my Google?

I just can’t fathom how your scenario would truly apply since he is obviously not legitimately backed by any western gov it seems. Am I missing something I am unaware of that highly skilled organized crime elite hacker criminals have the technical ability to do?


Sorry I am no expert so I cannot give advice. And I was not suggesting you missed anything in your particular case

I was responding to @alzer89 's otherwise excellent response. That his coffee shop idea is not as simple as he may think. Though a careful version is probably your best bet (no guarantees though).

You raised some interesting points to think of though. Sorry but my opinion is that your complex solution may not be effective if you don’t clearly understand the attack vector.


Thank you for clarifying, my apologies for the attitude

Sad but true

I have more clarity on how he attacked my home network on high speed AT&T fiber, than I do of how in the world he kept finding stock Android phones on cellular networks repeatedly — even on various cellular network carriers and even through pseudo-anon account sign-ups. Like he even ended up cracking 2 of the prepaid account passwords on the prepaid AT&T cellular (though it isn’t that difficult given that AT&T prepaid portal doesn’t allow for complex passwords and their prepaid activation & login portal is such trash that it is only HTTP lol what a joke in 2020s).

So, the question remains how did he find the cellular account(s) in the first place? That is what I don’t understand, as it was a fresh new sign-up on a fresh new device that had a new ID and everything and was not even registered in my name nor linked/synced to any previous. The only constant was I had stayed home during the activation process, and he does know my exact location — physical address and all — yet he is not a local attacker he is a remote attacker, across the sea in France.

So 🤷🏻‍♀️ I am at a loss at how this was accomplished unless he has spyware on the AT&T peering-stations or something 🤷🏻‍♀️

What about a cloud based “Thin Client” with a virtual desktop infrastructure (VDI)?

I could use QubesOS as my “Fat Client” home PC laptop to then tunnel in through a local VM using a VPN and/or TOR connection to then connect remotely to a “Thin Client” hosting a VDI!

What yall think?

Ok, I’m going to put a series of questions to you. I don’t necessarily want you to post the answers here for all to see, but you do need to have a think about them yourself, because they will likely answer all your questions:

  1. Are you absolutely certain that you do not have anything in your home that is spying on you?
    a. Any software you might have installed?
    b. Any devices that you might have on your network that might be snitching on you?
    c. Any router settings that may be present that you did or did not configure, like DNS server choice, etc?
  2. Are you absolutely certain that you have changed all your passwords/login credentials?
  3. Why is hiding your WAN IP so important, especially if you’re behind a firewall on another device, and you likely haven’t got any open ports on your machine? What will it achieve, knowing that WAN IPs are often dynamically allocated and change quite frequently (unless you opted for a static WAN IP)?
  4. Why do you believe that using hardware/software/logins with never-before-seen identifiers/configuration/IP addresses would not allow you to simply log in and obtain your contacts, knowing that it’s impossible/very difficult to detect something that you’re not “looking for”, especially if you’ve never seen it before?

Again, I feel for you and your situation, but I feel that this is all easily solvable, especially if all you want to do is obtain data from a compromised account…


Absolutely certain prior to January 2024
(the attack occurred from mid-June 2023 to December 22nd 2023; of which I didn’t even notice anything until September 2023 when the 1st SIM Clone happened yet didn’t realize with 100% certainty where it was coming from nor who was doing it until October 3rd/4th 2023)

To what I currently have access to, yes
(I have always used strong passwords where allowed, and have never used the same password — except in bs throw away accounts I do have a fav quick password but that does not apply here)

I don’t have the $ to risk finding out any further how skilled he is, I underestimated him twice already — once before I realized who was behind it thinking it was just a common SIM Swap, the 2nd time thinking having a clean cellular phone on a different network under a bogus registered prepaid would be enough but it wasn’t enough to escape …

While he does not have access anymore to my Google accounts since I placed a FIDO keypass on the critical accounts, he somehow remains still “watching” the email traffic to and from them; thus would be able to know when I log in as his system likely has an alert set for when that happens. Also, he is somehow watching email traffic in general for whenever my real name (and maybe also when my LLC name) is used within an email which is crazy — though I guess with his automation skills in AI it must not be as daunting of a task as such would usually be to pull off
(but still IMHO wouldn’t that imply he has infiltrated an internet backbone server or choke point as I can’t think of any other convenient way to pull such off in a timely fashion other than being at a choke point or backbone of where bulk internet traffic flows through)

I too thought some of it was “easily solvable”, I was wrong then and I don’t have the $ to be wrong again now.

I know less about smart phone security. I’m not sure why you are sure he was cracking your passwords (though I read your story about iCloud).

I wouldn’t be surprised if NSA has the capability to access any stock smart phone given the geo-location, but I would be more skeptical about cybercriminals having such powers.


I will repeat this again

If he was gov even illegal rogue gov, it makes ZERO sense as to why he would not be able to bypass a FIDO passkey on a Google account (the passkey was the final and only thing to stop his access with his then Zero Day session stealer)

I am fairly certain FIDO passkeys are meaningless on Google when it comes to a gov, especially US gov, still accessing the accounts.

Therefore, I am certain he is not gov — at least not of any western gov which would have such privileges to abuse.

I don’t know why people keep jumping to the conclusion this guy is some gov agent, at first I thought maybe too when it started happening but after he failed to bypass the FIDO passkey I calmed down and realized this wasn’t some crazy crooked gov plot against me at all and was just a very experienced and skilled criminal Black Hat hacker who has done this before as I am not his 1st ever target

I have not read through all these. Seems to me that OP is more knowledgeable than myself about the technical part of this.

Some webpages which might be interesting to you.

Neal Rauhauser has one posting of a scammer who appears to be from overseas, but is local. They just use Overseas Servers as part of hiding.

If these guys took money from you. Then, I would guess, they are either not the government. Or if they were the government, they would have taken your money as cover for some other purpose. so what else do you know, or you are that they might be concerned with?

For myself. If the government ever heard of me. I am just obnoxious, I might want say I know something that I really know nothing about. I do not keep weapons. I do not live close to where important people are, or go near them. I do not make threats.

There was once a story of a Journalist, who found a geo-locator on his auto. This was years ago, before the easy to use Apple Pods and such. As a Journalist, he had gone to protests against Atomic Reactors, and the radioactive waste they produce.

On a scale of the government being evil. That is not much evil at all. They did not threaten him. Or harm him. Well, except one way.

He offered to give the device back to the FBI, they just had to say it was theirs. When they did not acknowledge it was theirs. He offered it for Sale on Ebay. Feds accused him of --selling -however they termed it, property of the US government. Then again. Might be the guy who wrote the story made it all up.

Unless your family is super rich like Elon Musk, Bill Gates, and who might refresh your bank accounts with huge sums of money. They are probably gone, as they do not want to be caught by some Cyber Crime division of the government who might be watching your accounts.

You did not say if you gave your complaint to -whoever the government has that investigates this type of Cyber Crime. (FBI, or ----)

If you really felt it could be the US government, you could file a FOIA request of any information that pertains to you. I would guess, could help with that. Of course, that might put you on their suspiciously weird person list. I probably would not file an FOIA.

I would also guess it is possible that those who got into your electronic devices, are not one person, but a team of hackers. They might be back after several months with a new pitch, crafted towards a person already burned.

I do recall a story about how Cell phones, can somehow have, indirectly have their cell services downgraded to earlier Networks, which had less protection against the cell phone having malware installed. Like forcing the 5G to 4G, then 3G, to 2G. Just long enough to install malware.

Only thing I can be sure of, “I am gullible.” just I am too poor for anyone to find it valuable to mess trying to empty my bank accounts. All risk, and no financial benefit to them.

I recall a quote about a Police Detective; He said, he “could be talking to a suspect. and the guy was so good, that he wanted to believe the suspect had done nothing wrong. While at the same moment he had a file in the next room with absolute proof that the guy was a crook. when he finally showed the file to suspect. The suspect would admit he had done it, and start working a new line. Like my grandma needed medical care.”

What I am saying, it is easy, even for those who are not gullible, like me, to be taken in by a confidence man, scammer. Who would not find Robert Redford in, “The Sting” to be believable?


Wanted to add:

Might OP want to comment on how their experience/knowledge intersects with SIM Swap $17,300 Loss - by Neal Rauhauser

I guess you know of this fellow’s comments on Security.

here is the TLDR cliff notes

• I know who it is
(assuming it is just him and not him plus a team)

• He was at time of the active scam and hack in a major coastal city of France
(I am pretty certain of this due to various facts)

• However, he is US born thus a US citizen

• yes he 1st scammed me for over $100K USD, prior to unleashing a relentless ongoing cyber attack against me
(no I am not rich but I think due to the CoinTracker leak the darknet must have assumed all leak data was accurate when it is actually inaccurate at the time of leak so I have never in my life had $22M USD yet at time of hack that the impression it gave due to a DeFi bug in CoinTracker)

• I repeat for another time:
he is likely NOT government

• Yes, I already filed an IC3 report through their impersonal God knows when they see it web portal

• his “AI” skillset can make him seem like a team, yet there still is a possibility that he is part of a team but he is very capable by himself too and is an “OG” hacker from as far back as the 1990s:
(For example other than his tech knowledge he knows various foreign languages too and he spoke these live in-person on Twitter Spaces and over a real non-VoIP number so like he isn’t using a translator as he is fluent enough to argue with people in these languages:

  • English
  • Spanish
  • French
  • Arabic
    possibly a couple more I am unaware of)

No offense but I did the basics and medium type stuff like what you cited here:

Did you know there are SIP exploits to port SIP numbers?
Oh yeah I didn’t know either so just like Neal in his article I thought surely moving the accounts he compromised onto a VoIP would stop it
this attacker ported my Google VoIP(s) to a French carrier.

I learned about the existence of SIP port exploits the hard way.

He has SIM and SIP exploits, so this cited source given is useless for me and provides nothing additional as you admit you are giving advice without reading what my Threat Model even is — no offense. But thanks for trying

New user but long time lurker of this forum. I’ve seen a lot of @Lace posts the last few weeks and I had to create an account.
Your stories make ZERO sense.

In one of your messages on this forum, you told that you were going to install hardware firewalls on your network, which would require some minimum knowledge to be able to set them correctly based on your super Snowden CIA based threat model, but you don’t have any capabilities on this matter since you have been asking things for weeks, even for things that are considered basics in UNIX based systems.

Your “attacker”, based on your previous messages, is able to find you with “crawlers”, but you keep doing detailed monologues about your life and how you got completely robbed by a single guy that seems to have all the digital super weapons in the world. Based on the “crawler” fact, he would already know you are here with all the details you told, wouldn’t he?

Robbed of +$100k with a “romance scam”, but still the attacker literally burns millions worth of “zero day” to track and steal things from a single random internet guy while he can get the same thing by multiple other means with no investments at all. It’s funny and all, but you have to stop this madness. You are no one of value and if you were your place would be in the shadows, not on a public forum talking about how you somehow fell in love with some random person online who was able to rip you off of your money.

If you are really into that kind of story telling, you should probably move to Dread, lot of people would love to talk about their fictional stories all day long with you.

I don’t even know why this category exists to be honest, this seems to be only about people thinking they are high targets but are in reality nobodies like everyone else on this forum.

I’ll stop my rant there. That’s sad this forum even allowed this kind of things to exist in the first place.


Sorry I am not doxxing myself from a gaslighter victim blaming me for not compromising what my attacker looks for most = my IRL name

I have left out many details that would have him pick up on this as an alt ID of mine. From the looks of it, I understand it still looks TMI; this is merely the tip of an iceberg I assure.

You either believe it or you don’t, feel free to ignore me. I don’t have time for misogynistic victim blaming. You will hear about it in the news later, how about that?