Cat collar gives away hacker

02:48, Feb 14 2013
Cat collar
RIDDLER OR CATWOMAN? A hacker who sent clues to media organisations, was identified after police found evidence attached to a cat's collar.

Security camera footage helped investigators identify a man suspected of sending online threats via remotely controlled computers, law enforcement sources said.

Yusuke Katayama, 30, of Koto Ward, Tokyo, was arrested Sunday (local time) and accused of interfering with the activities of a major Tokyo comic book show.

Police accused Katayama, who works in the technology industry, of sending a murder threat by remotely using a Nagoya firm's computer. Katayama has denied the accusations.

During the investigation, police learned from erroneous arrests of men whose computers were used to make threats, sources said.

Katayama's arrest came about four months after police mistakenly arrested four men in a string of separate incidents in which online threats were sent via virus-infected, remotely controlled computers.

Early on January 5, e-mails claiming responsibility for the online threats were sent to media organisations. They contained puzzles that, when solved, showed an image of the cat and a message that said the sender put a memory device on its collar.


Katayama was identified as a suspect after police found evidence attached to a cat's collar on Kanagawa Prefecture's Enoshima island, where security cameras were increased last year. Sources said one camera clearly captured a man putting a pink collar on a cat. Another camera captured the man riding on a motorbike, sources said, adding that investigators traced the bike to a condominium in Koto Ward, based on traffic records and other evidence.

A senior investigator of the Metropolitan Police Department, which formed an investigation task force with the Osaka, Kanagawa and Mie prefectural police, was excited when he heard the good news about the footage.

"He's finally got out of cyberspace and came into the real world. We'll surely get him now," the officer said.

Since starting an investigation on the online threat cases last autumn, the task force struggled to find a suspect because a software program enabling online anonymity, "The Onion Router" or Tor, was used to post messages and send e-mail via several servers overseas.

The task force was so confused by e-mails the perpetrator sent to claim responsibility that investigators searched a mountain early last month, only to find no evidence there.

After tracing the motorbike, police identified Katayama as a suspect on Jan. 11, six days after investigators collected the memory device from the collar of the cat, as suggested by the e-mails.

The task force identified the internet protocol (IP) address of Katayama's computer. The IP address was then cross-checked against about 9 billion logs collected from Japan and abroad as part of the investigation. The task force eventually found evidence that the computer at the Nagoya company was remotely controlled by Katayama.

The Tor program was not used when the Nagoya computer was controlled remotely.

Members of the task force were ecstatic when they discovered this, as Katayama had "made a mistake," the sources said.

Another senior investigator said the finding might have prompted the task force to raid Katayama's home "if it were before the four men had been mistakenly arrested." However, further patient investigation was carried out on Katayama.

"We can't make the same mistake of excessively relying on an IP addresses [as decisive evidence]," the officer added.

Investigators also examined the memory device found on the cat's collar, and found a source code very similar to that of the "iesys.exe" viruses used to remotely control computers in the four incidents.

Further examination led to the discovery of a program on the memory device exactly matched with the iesys.exe virus used to remotely control the computer in Nagoya.

The task force, sources said, also scrutizined Katayama's comings and goings and found he was likely using his computer about the same time the remotely controlled computers posted threats or sent e-mails claiming responsibility.

Katayama may have harboured resentment against investigators because he was arrested in 2005 in a similar threatening case,police said.

"In fact, we've come back to the basics of investigation," the senior officer said.

The task force initially planned to prosecute Katayama on suspicion of keeping a computer virus to remotely control computers in a memory device. Japanese law prohibits possession of electronic data that can enable control of electronic devices belonging to others.

But prosecutors objected to the idea.

"We can assume that people who possess counterfeit bills intend to use them," a senior prosecutor said. "But when someone is found to possess a virus, we only have to accept their word if they claim their computers have been infected, or they have the viruses for research purposes."

Following intensive discussions, the task force and prosecutors concluded Katayama should be arrested on suspicion on interfering with third-party businesses by sending an online threat.

"Just proving that the suspect had a virus did not help us get to the core of the incidents," a senior police officer said. "We only had to gather evidence [to arrest him] on suspicion of remotely controlling computers."

-Washington Post