Skip to content

xnhl/fan-mail

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
encrypted
encrypted
 
 
images
images
 
 
messages
messages
 
 
twitter_fakes
twitter_fakes
 
 
README.md
README.md
 
 

Repository files navigation

Fan Mail: Amusing selections from my hate/spam mail.

An Adorable Attempt at Extortion

Introduction

"Be careful what you fish for."

  • On April 20 2022 I logged into GitHub and saw a notification that on April 18 MrXyfir had begun following my account.

    • Screenshot
  • A few days later after logging in again I noticed that MrXyfir had unfollowed me.
  • I thought nothing more of this until 19 days later on May 7 when I received an e-mail from a truly dizzying intellect.
    • Message Received:

      • For full text see: ./messages/MrXyfir.txt

      • Screenshot of e-mail
    • The first thing which struck me about the e-mail was the sender/return address: mwtheta@mwtheta.net
      • Address does not exist which reveals that the skillset of the sender includes spoofing addresses and anonymously sending e-mail.
      • Address is a variation on my main Protonmail address which likely indicates that I was targeted personally rather than being just an address in a list.
      • Recalling the recent and strange follow/unfollow of MrXyfir I checked out their GitHub page and found that one of their pinned repositories is ptorx which is owned by xyfir (which they also presumably operate).

        • Screenshots

           ptorx (GitHub) ptorx contributors (GitHub)
        • ptorx enables users to: "Send and receive mail without using your real email address", "Anonymously forward and send mail with email forwarding and aliases".
      • No other e-mail was received at this Protonmail address for months before/after this message, so it seems reasonable to believe that these events are connected.
  • Previous versions of this document show how I went down false paths searching for the likely source, but I am now quite certain that I have found the culprits.
  • I felt that it would be amusing to publicize this information in the hope that the suspects shit themselves if/when they see this and realize that they dun goofed.
  • Some information has been publicly omitted but selections are available in encrypted files included in the /encrypted directory.
    • If you would like the decryption key then e-mail me with a short message explaining your intentions: mwtheta@protonmail.com
  • I will continue gathering information and updating this document as long as strange events / attacks continue to occur.
  • Updates:
    • September 17, 2023
      • On September 11 I received two new obvious phishing e-mails.
        • Same day of previous update to this document.
        • Two days after first update of this document in nearly a year.
        • There is a high probability that they came from those who are watching this document for updates.
        • Screenshots have been added to the Attacks / E-mail section of this document.
      • I remade the screenshot for the initial message in order to show it in full.
    • October 20, 2023
      • On October 10 I received another phishing e-mail to my main Protonmail address.
        • Due to its close proximity to other attacks I chose to include it in the other/newer main section of this document, but it could be related to past attacks by MrXyfir (& comrade(s)).
        • The e-mail address is similar to those of two other phishing e-mails I have received: _@_.biglobe.ne.jp.
          • BIGLOBE is a Japanese internet service provider.
          • Recall that Koichi Matsumoto, the only other contributor to xyfir/MrXyfir's ptorx GitHub repository, is Japanese and may currently live there.

Search

Attacks / Reactions to this Document

  • Summary: Many attacks which could be easily created by someone with experience in cybersecurity, creating bots, etc. as Rinaldo and/or Eric have.
  • There have been other attacks which could be related to this document but I've decided to omit them for now.
  • I can think of other methods of attack which could be utilized with MrXyfir's skillset but I don't want to give anyone ideas.
  • GitHub
    • Many clones of all of my public repositories across three accounts since I first published this document, and many which occur soon after I have updated this repository.
    • Given the failure of other methods I'm guessing that they could attempt to claim and use my code and/or images as their own (a clear violation of copyright laws).
    • Possible connection with past unusual numbers of project clones:
      • 3+ sources consistently cloning all of my projects when I update them (I have since made most of my projects private).
      • Unusual numbers of clones which I would sometimes get on repositories like cata-list (repo made private late August / early September 2023 after having moved to another website):

        Examples:
        • February 13, 2023: 554 (4 unique sources)
        • February 9, 2023: 901 (3 unique sources)
        • January 28, 2023: 607 (2 unique sources)
        • January 24, 2023: 34,599 (4 unique sources)
        • June 6, 2022: 33,955 (5 unique sources)
        • June 2, 2022: 38,978 (4 unique sources)
        • March 25, 2022: 32,270 (4 unique sources)
        • March 19, 2022: 37,051 (4 unique sources)
  • E-mail
    • Many obvious phishing attempts, etc.
      Screenshots of some messages:
  • Twitter
    • ~50-100 bots have followed my @cata_lyze account before being reported, removed, and blocked. They seem to be most active after I post or comment.
      • Recall from information above that MrXyfir/xyfir are able and willing to create bots.
    • I have received over a dozen messages from obviously fake accounts.
      Screenshot of some messages:
    • The posts of many fake accounts contain language which appears to be Bahasa Indonesia and the women in their profile images look as if they could be Indonesian.
      • Recall that both Eric and Rinaldo are of Indonesian descent, and Eric currently lives there.
    • Several fakes have been impersonations of people I follow which would seem to suggest a targeted attack.
      • Screenshots are on an external hard drive and are not worth retrieving just for this.
      • One immediately blocked me after being publicly exposed and embarrassed.
  • Facebook
    • On September 3 2023 at 11:36 p.m. I received an e-mail from Facebook about someone trying to log in to an old and deactivated account of mine which I haven't used in at least 7 years.
      • The e-mail address used for this Facebook account is the same one that I used to sign up for this GitHub account which strongly suggests a connection.
      • This event occurred a day after I had chosen to finally make my cata-list GitHub repository private after having moved to another website a few months ago.
      • The next day there were clones (1 each) of this repository and the main xnhl repo, and there were 8 views (from 2 unique sources) of the sole repository of a newer GitHub account of mine which has also been cloned many times recently.

Gone Phishing

Introduction

I recently created a repository which contains thousands of examples of anti-white racism. Soon after this there was a significant increase in attacks / notable events and I suspect that they are related. There may also be connections with past attacks which I have omitted until now. While these could be related to the attacks by MrXyfir (& comrade(s)?) I've decided to put them in their own section.

Timeline of Events

  • October 5, 2023

    • Anti-white racism respository created.
      • I chose the title "racism" because:
        • Contrary to trendy leftist / woke / social justice warrior / black lives matter dogma anti-white racism is racism.
        • I wanted to trigger/anger/expose any woke leftists and so-called "anti-racists" who may be watching my activity.
        • I'd like anyone searching on GitHub for BLM and "anti-racist" stuff to be exposed to their hateful and ironic rhetoric.
        • Legacy / corporate media, in their ongoing attempts to destroy Elon Musk and X for opposing the woke mind virus and supporting free speech, recently ran false stories (disinformation) about increasing anti-semitism and other racism on X (formerly Twitter).
          • They have predictably chosen to completely overlook the anti-white racism which thrived on Twitter, and which still occurs frequently on X, because as they have been captured by leftist ideology they believe that White people can't experience racism and racial minorities can't possibly be racist.
          • It is quite ironic now that leftists have gone full mask-off due to recent events in Israel, and have declared support for Hamas/Palestine's barbaric attacks and attempts at "decolonization" which include eradication of Jews (and other successful races).
      • I deleted and remade the repository on the evening of October 12, 2023.
        • While pushing a new version to GitHub I encountered an error which I didn't know how to fix so I simply decided to start over.
    • GitHub project clones:
      • racism: 1
      • new portfolio: 5, 3 unique sources
  • October 6
    • GitHub project clones: racism: 5, 5 unique sources
  • October 7
    • GitHub project clones: racism: 4, 3 unique sources
  • October 9
    • LinkedIn profile view from a someone using private mode so as not to reveal their identity.

      • Screenshot (October 13)
    • Phishing attempt received via phone / text message.

      • Screenshot
      • Possible connection with many other phishing texts received in past which I will document below.
    • GitHub project clones:
      • riots: 2, 1 unique source
      • fan-mail: 2, 1 unique source
      • racism: 1
      • new portfolio: 3, 2 unique sources
  • October 10
    • Phishing attempt received at main Protonmail address.

      • Screenshot
      • The e-mail address is similar to those of two other phishing e-mails I have received : _@_.biglobe.ne.jp.
        • See Attacks/Reactions section of the first main section of this document for screenshots of other e-mail phishing attempts.
        • BIGLOBE is a Japanese internet service provider.
        • Recall that Koichi Matsumoto, the only other contributor to xyfir/MrXyfir's ptorx GitHub repository, is Japanese and may currently live there.
    • GitHub project clones:
      • racism: 3, 3 unique sources
      • xnhl: 5, 2 unique sources
      • LCn4urFq0ADxwpGPyYdCi: 2, 1 unique source
  • October 11
    • GitHub project clones: xnhl: 1
  • October 12
    • Racism repository remade ~8pm.
    • GitHub project clones:
      • riots: 1
      • new portfolio: 1
  • October 13
    • Phishing attempt received via phone / text message.

      • Screenshot
    • GitHub project clones: racism: 1
  • October 20
    • This repository was updated.
    • GitHub project clones: fan-mail
      • Before repository updated: 2, 1 unique source
      • After repository updated: 2, 2 unique sources
  • October 21
    • GitHub project clones: fan-mail: 1
    • Phishing attempt received via phone / text message.

      • Screenshot

         Full sender e-mail address not visible on screen: my-jpchaseusercenter-msgaxfxmco@careers.mn.gov
      • Full sender e-mail address not visible on screen: my-jpchaseusercenter-msgaxfxmco@careers.mn.gov
        • E-mail address suffix (careers.mn.gov) is interesting.
          • careers.mn.gov redirects to offical government website for careers in Minnesota state and its government.
          • If this e-mail address isn't faked then the sender could be someone who is part of Minnesota's government, and it would be no surprise if they were a radical leftist activist.
          • Potential BLM / antifa connections:
            • Judging from information I've seen antifa and BLM types have a significant presence in Minnesota, and they surely have supporters and infiltrators in government.
            • Minneapolis, Minnesota was one of the central places where the insane riots, looting, and destruction started after drug addict and violent career criminal George Floyd (now a saint of the far-left cult) famously died of a drug overdose (though activists and their presstitutes falsely claim that it was police brutality which killed him).

              • George Floyd autopsy report
            • BLM / antifa types who have seen my riots repository have probably been seething and eager for revenge because I shared the information which I scraped: tons of social media posts and terabytes of images / videos which document the carnage of the various riots and other insanity which occurred.
  • November 5
    • It has been two weeks since the previous update to this document and I have received no new phishing e-mails or text messages.
      • This unusual silence may reveal some things:
        • Watchers have finally accepted that their risible efforts are futile and they've made a mistake by targeting someone like me.
        • Recent additions to this document are close to revealing those who have been targeting me and the attackers are worried/afraid.
          • Possibility 1: Note in October 21 update above regarding latest phishing attempt via text message from my-jpchaseusercenter-msgaxfxmco@careers.mn.gov and its probable connection to someone working in Minnesota state government.
          • Possibility 2: Note in October 10 update above regarding several phishing e-mails from _@_.biglobe.ne.jp and their possible connection to Koichi Matsumoto who is close to xyfir/MrXyfir (Eric Digo Ritonga).
            • See first main section of this document for more information.
      • I have since made a new repository on October 28th (lehDpvE_w4T9KegAyt8wNqw) with the intention of determining whether my repositories are still being watched.
        • Success:
          • First commit: 5 clones (5 unique sources)
          • Second/third commits: 6 clones (5 unique sources) over the span of 3 days
  • November 17-22
    • Four new phishing e-mails received roughly a month after previous phishing attempt (October 21).
    • Two received November 17th, another on the 21st, and another on the 22nd.

      • Screenshots
    • Content of messages seems to be identical.
    • Translations:

      • Titles
        • 1. Identificatie vereist, het gebruik van uw Card is tijdelijk beperkt.
          • Identification required, the use of your Card is temporarily limited
        • 2. Identificatie vereist, het gebruik van uw Card is tijdelijk beperkt.
          • Identification required, the use of your Card is temporarily limited
        • 3. Het gebruik van uw Card is tijdelijk beperkt.
          • The use of your Card is temporarily limited
        • 4. Uw heeft een nieuw bericht ontvangen van card alerts
          • You have received a new message from card alerts

      • Content (see also: ./images/phishing_emails/spam_dutch_content.txt)

        Your account statement is ready.
        View the web version.


        The use of your Card is temporarily limited

        --

        Dear sir / Madam,

        To comply with legal requirements, we must periodically identify our customers. We have noticed that your account associated with #email# has not yet been re-identified and we would kindly ask you to do so as soon as possible

        For security reasons, we have therefore temporarily limited your access to the online environment and your Card for use. Before we lift this restriction or replace your Card, we would like to check a number of details with you.

        1. Go to linkmn.gr/alert73682, or you can copy and paste the URL into your browser, then follow the instructions.
        2. You enter the information we have about you into our system.
        3. You have now been identified and can enjoy all your privileges again

        Please note: keep your ICS Credit Card and your mobile phone at hand
        We hope to have informed you sufficiently and hope for your understanding and cooperation.

        Yours sincerely,
        International Card Services

        --

        This is an automatically generated message.


        Beware of internet criminals
        There are internet criminals trying to get personal information from our customers.
        They send emails with which they try to lure customers to fake websites. Never give out your personal or financial information, passwords or codes on a website that you reach via email. We will also never call you and ask for personal information or login codes. Keep your information to yourself! For more information about reporting a suspicious email:
        www.icscards.nl/internetcriminaliteit.

        This message was sent by International Card Services BV, with its registered office at Wisselwerking 58 in (1112 XS) Diemen, registered in the Amsterdam Trade Register under number 33.200.596.

Connections and Context

  • Just four days after my racism repository was created the new activity/attacks started.
    • Within the span of two days (October 9-10):
      • Someone in private mode viewed my LinkedIn profile.
      • I received a phishing e-mail.
      • I received a phishing text message on my phone.
      • There were many clones of several GitHub projects: riots, racism, fan-mail, xnhl, new portfolio, LCn4urFq0ADxwpGPyYdCi.
    • A few days later (~17 hours after remaking the racism repository) I received another text message phishing attempt.
  • It seems probable that the racism repository was the thing that set off these recent attacks, and that BLM / "anti-racist" / "anti-fascist" types could be involved and/or responsible.
    • In addition to the racism repository, I'm fairly certain that my riots repository has been viewed and cloned many times by leftists / woke cultists / social justice warriors / black lives matter / antifa (so-called "anti-fascist") / cluster B types, and that they may have chosen to target me as they do to anyone who dares to disagree with any of their views and/or expose their violence, ignorance, racism, hypocrisy, terrorism, LARPing / cosplaying, childishness / tantrums, and (ironically) fascist actions/tendencies.

      • Fascists?
        • Common among super edgy leftists, social justice warriors, Democrats, "anti-fascists", and similar cluster B types is the view that essential to "saving our democracy" (preserving their control) and "fighting disinformation" (purging and banning all but the infallible narratives of governments & leftist activists) is merging state and corporate power (government + media, social media) in order to forcibly suppress, censor, and ban any/all dissent and opposition to them.
          • This is textbook fascism.
          • This is what Twitter leadership and "moderation" team(s) were doing before Elon Musk took over, and what other social media companies continue to do (notably Reddit, YouTube, and Facebook, though most others are also guilty).
          • This is no surprise given how frequently leftist types demonstrate their historical illiteracy, ignorance (about events, statistics, what fascism is, et cetera), hysterical / delusional views and behavior, total / violent intolerance of any dissent, and brainwashing by corporate / legacy media.
          • "But we're on the left and fascists/Nazis are far-right so we can't possibly be fascists!", they shriek hysterically.

            • "Don't you get it, you fucking fascist!?"
            • Like most/all leftists/SJWs/Marxists/Communists/"anti-fascists" the Nazis:
              • were Socialists (National Socialism)
              • were authoritarians / totalitarians ("ours is the only way, submit or face reprogramming/brainwashing/exile/death")
              • sought to merge state and corporate power (see Mussolini's definition of fascism)
              • wished to forcibly suppress opposition (compare with rampant censorship on social media which is often demanded/supported by governments)
              • advocated a one-party state (illiberal leftist parasites, and the Democratic party which they have captured, often express their desire to eradicate Conservatives/Republicans, whom they ironically regard as Nazis/fascists, from all positions of power / government (at least))
              • were racist against a demonized "Other" (Nazis vs Jews, leftists vs Whites and other successful groups like Asians and Jews) against whom they often advocated genocides / mass killings / forced sterilizations / forced deportations (see my racism repository for many examples of all of these)
              • used violence and terrorism in order to achieve their goal of dominance (consider similarities between Hitler's Brownshirts and antifa terrorists)
  • Connection to other phishing attempts:
    • On February 25 2022 I received an e-mail which was a phishing attempt.

      • Screenshot
      • The e-mail was received at the address associated with this GitHub account.
      • Sender address not pictured: noreply@cardfraudalerts.com.
      • This occurred ~7 weeks before the MrXyfir situation started which may indicate a connection.
      • Due to the amount of time that has passed since these events I don't recall them all exactly but I remember most of what happened.
      • The e-mail purported to be a fraud alert from Bank of America, claimed that there was a potential unauthorized use of one of my credit cards, and said that I would need to confirm the transaction.
      • Two days later I read the e-mail and because it seemed real enough I called the number and put in my card information as instructed.
        • I have since checked the phone number on various fraud/spam sites and found mixed opinions. Many say that the number is definite fraud/spam and they were taken advantage of, but several responses have said that the number is correct for Bank of America fraud prevention.
      • If I recall correctly I was then transferred to someone who claimed to be a Bank of America fraud alert representative and I told her that after checking my account I didn't see any missing funds, and she told me that all was fine.
        • I could tell from her voice that the woman was black.
      • Some time within the next few days I was attempting to withdraw money from my account but instead received an error message telling me that there was a hold on my account and I would have to contact Bank of America to work out what had happened.
      • I then checked my balance online and saw two unauthorized transactions. One was for $300 and another for $100.
      • I called the real Bank of America help number, explained the situation, was issued a new card, and had my money refunded within a few days with no issues.
      • After receiving my new card I had another hold put on my account, called the help number, and found out that there was another attempt to use my old card information, but after talking with the representative we cleared things up.
      • Two weeks later on March 11 I received another e-mail, whose format and intention were identical to the first, which I disregarded but saved in case it may be useful in future.

        • Screenshot
      • Overall this was a useful lesson, and after having this happen once I'm fairly certain that it won't ever happen again as I've learned to be even more cautious.
    • Since the phishing attempt above I have received many more phishing attempts, as text messages to my phone, which were obvious and poorly executed.
      • Some messages may have been deleted as I didn't think I'd ever need them for anything, but I have saved many of them.
      • I suspect that these messages are likely connected to the event described above since they had my phone number after I had called.
      • Although they are a minor nuisance and changing my phone number would stop them, these futile attempts are a good reminder to be cautious, and they provide me with entertainment and motivation to continue the work that I'm doing with things like my riots and racism repositories as well as other projects.

      • Screenshots

         My phone number has been redacted. My phone number has been redacted. My phone number has been redacted. Full sender e-mail address not visible on screen: online.alert-banking-service-929@customersfirstacademy.com My phone number has been redacted. Vertical version of previous image showing full messages and dates My phone number has been redacted. Full sender e-mail address not visible on screen: my-jpchaseusercenter-msgaxfxmco@careers.mn.gov

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published