On Monday the FBI, DHS, and CISA—the U.S. government agency focused on defensive cybersecurity—published a report laying out the tools, techniques, and capabilities of the SVR, the Russian foreign intelligence service that the U.S. has blamed for the wide-spanning SolarWinds supply chain hack. That report said that the SVR makes use of a specific anonymous email service called cock.li.
The administrator of cock.li has now told Motherboard that this is the first time he has heard of the SVR using his service, but that "it's hard to surprise me nowadays."
"This is the first time I've heard for sure that Russian intelligence is using cock.li, but it's not surprising, since the CIA uses it too," Vincent Canfield, the administrator of cock.li, said in a Twitter direct message. Canfield declined to provide evidence that American intelligence agencies use the service.
Cock.li is an established, albeit obscure, meme email service. In 2015, Motherboard reported how Canfield said that German authorities had seized a hard drive from one of his servers after someone used the service to send a hoax bomb threat. Following the threat, all public schools in Los Angeles closed for a day. Two years later Canfield said SoundCloud removed audio of a phone call he had with the FBI concerning a bomb threat made against the Miami FBI office.
The site also allows users to create XMPP accounts, which can be used for encrypted instant messaging, and lets them sign up while using the anonymity network Tor or other proxies. Many other email services block users who sign up using a VPN, for instance. Canfield claimed the service has over a million users, including on domains that aren't listed on the site's front page. The tagline of the service is "Yeah it’s email with cocks."
Under the heading "General Tradecraft Observations," the joint FBI-DHS-CISA report says that "SVR cyber operators are capable adversaries."
"FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies," it continues. "These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains." Some of cock.li's other domains include "national.shitposting.agency" and "wants.dicksinmyan.us".
"Anonymous e-mail is a necessary tool enjoyed by people across the world, including governments. It's a critical building block to a free Internet and if it's not provided by independent companies like ours these state actors are likely to operate their own e-mail providers, Crypto AG style," Canfield continued, referring to a historical case where the CIA secretly ran an encryption company in Switzerland in order to intercept others' communications.
"We're proud to have worked with dozens of governments by educating them on the nature of anonymous e-mail, and while data is never handed over without legal obligation in our jurisdiction, these reports have still helped to stop thousands of bad actors and these governments have thanked us as a result," Canfield said, adding that those who have information about users violating cock.li's terms of service can contact an abuse address. Cock.li's terms of service say that users may be banned for "Conducting any activity that breaks the laws in which cock.li is governed," and "Encouraging others to break cock.li's rules or the law using cock.li."
After publication of the joint report, Kyle Ehmke, a researcher with cybersecurity firm ThreatConnect, tweeted that "it's worth noting that 4400+ domains (current and historic) have been registered using a cock[.]li address. SVR registration among those almost certainly are a small percentage."