Deanonimization of email owner

There are several ways how law enforcement agencies or hackers identify the owner of an email. As a rule, this happens by obtaining an IP address, which then helps them to identify the identity of the owner.

The IP address is not the only tool for identifying the owner of an email, modern mail services often have information about the user's phone and billing information, all this can lead to de-anonymization, as well as the contents of an electronic mailbox, which, when analyzed, can accurately indicate the owner.

Official request

Many people believe that only law enforcement officials and special services have the opportunity to send a formal request and obtain data, but this is a delusion. Frauds often skillfully disguise their requests for law enforcement agencies’ ones, fake court decisions and get information about the victims. I came across similar cases. "Copying" the judgment in the darknet is inexpensive and not every owner of the postal service is able to verify its authenticity.

This trick is unlikely to work with such giants as Google or Protonmail, but it is still worth keeping this in mind. The only recommendation in this case is to use verified postal services that have a qualified legal department.

The Protonmail service has the ability to manage data storage and almost completely disable it. I do not know that the Protonmail service was deceiving users by storing more data than is allowed in the settings, but this should not be excluded.

It often happens that in a response request postal services provide law enforcement agencies with not only information on the requested account, but also with information on other user accounts. Cyber criminals who make one account for "work" and the other for themselves often give themselves away on it. At first, they strictly separate accounts, but over time they lose their vigilance and log into these accounts from the same IP address.

Search

Sometimes to determine the identity of the owner it is enough to put an email address in the search. It doesn’t happen often, but I could not omit this method.

Request to social networks

Law enforcement agencies often check whether email is registered on social networks. Sometimes the page can tell more about the owner than is required for identification.

Account hacking

In the similar way Fly, the hacker, was deanonymized, who was remembered for buying heroin on SilkRoad and sending it to Brian Krebs, a journalist investigating hacker crimes. Previously, he informed the police about the illegal "purchasing" of drugs, apparently hoping for Brian’s arrest.

So how was the hacker deanonimized? His work mail was hacked, where reports came from spyware installed for his victims. The mail was anonymous and did not contain data indicating the owner, but one of the victims, who reports came from, was his wife. So it was possible to establish not only the identity, but also the current location of the couple. In 2014, Fly was arrested in Italy and later extradited to US authorities.

Active de-anonymization

Active de-anonymization involves sending a link or a file, the opening of which is for an attacker to get the victim's IP address. The easiest option is to send a link, when you click on it, the IP address of the person who followed it will be displayed.

However, if the victim hides their IP, for example using a VPN, this method will not work, it is necessary to use spyware or methods of deanonymizing the VPN user.

A few years ago the Hacking Team was hacked, an Italian company that develops spyware for law enforcement agencies and special services. An anonymous hacker posted 400 GB of data containing not only the company's development, but all its correspondence with customers.

One of the correspondences contained the FBI employee’s communication with a company’s technical support representative. The FBI employee was interested in the possibility of establishing the true IP address of the user, there was only the IP address of the output node of the Tor network from the information about the one.

As a result, it was decided that their identity can be identified by sending an email with an attached file containing spyware software developed by the Hacking Team. Similarly, they deanonymize email users.

To protect against the attacks any received files and links should be opened exclusively in the sandbox or in the virtual operating system. This does not provide an absolute guarantee of protection against getting the viruses, since advanced detractors are more likely to have tools to go beyond the limits of the virtual system, but this is incomparably more difficult than just infecting the victim.

Getting an IP Address from Mail Metadata

This method requires an incoming letter from the victim. Few people know that by sending an email, you send your IP address with it and the recipient can always see it.

If you have a Protonmail mailbox, then in order to receive information about the sender's IP address, select View headers in the mail management menu.

In the opened link at the very top you will have Received: from and the sender's IP address, in the case of using the web service there will be the IP address of the web service.

In other mail services or clients metadata can almost always be found in the email management menu. There will be a separated chapter of the course, as except for IP addresses there is still a lot of interesting information.

Here you are one important point: some users on the network claim that the method described above does not work, others claim that it works always and everywhere. And both are wrong. This method works when an email is sent from an email client installed on a computer or mobile device, and does not work when an email is sent from a web client, for example from https://protonmail.com. According to the statistics we have, nowadays about 30% of all emails are sent via installed on the device clients.

Protection against this method of obtaining an IP address is the use of VPN, Tor or proxy, which can be registered in many installed mail clients.