'' Admin Says He’s Not Surprised Russian Intelligence Uses His Site

A joint FBI-DHS-CISA report said that the SVR, the Russian foreign intelligence service behind the SolarWinds hack, uses
SVR building
Image: Alexey Sazonov/AFP via Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

On Monday the FBI, DHS, and CISA—the U.S. government agency focused on defensive cybersecurity—published a report laying out the tools, techniques, and capabilities of the SVR, the Russian foreign intelligence service that the U.S. has blamed for the wide-spanning SolarWinds supply chain hack. That report said that the SVR makes use of a specific anonymous email service called


The administrator of has now told Motherboard that this is the first time he has heard of the SVR using his service, but that "it's hard to surprise me nowadays."

"This is the first time I've heard for sure that Russian intelligence is using, but it's not surprising, since the CIA uses it too," Vincent Canfield, the administrator of, said in a Twitter direct message. Canfield declined to provide evidence that American intelligence agencies use the service.

Do you know anything else about how intelligence services are using anonymous email services? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on, or email is an established, albeit obscure, meme email service. In 2015, Motherboard reported how Canfield said that German authorities had seized a hard drive from one of his servers after someone used the service to send a hoax bomb threat. Following the threat, all public schools in Los Angeles closed for a day. Two years later Canfield said SoundCloud removed audio of a phone call he had with the FBI concerning a bomb threat made against the Miami FBI office.


The site allows users to also create XMPP accounts, which can be used for encrypted instant messaging, and lets them sign up while using the anonymity network Tor or other proxies. Many other email services block users who sign up using a VPN, for instance. Canfield claimed the service has over a million users, including with domains that aren't listed on the site's front page. The tagline of the service is "Yeah it’s email with cocks."

Under the heading "General Tradecraft Observations," the joint FBI-DHS-CISA report says that "SVR cyber operators are capable adversaries."

"FBI investigations have revealed infrastructure used in the intrusions is frequently obtained using false identities and cryptocurrencies," it continues. "These false identities are usually supported by low reputation infrastructure including temporary e-mail accounts and temporary voice over internet protocol (VoIP) telephone numbers. While not exclusively used by SVR cyber actors, a number of SVR cyber personas use e-mail services hosted on cock[.]li or related domains." Some of's other domains include "" and "".

"Anonymous e-mail is a necessary tool enjoyed by people across the world, including governments. It's a critical building block to a free Internet and if it's not provided by independent companies like ours these state actors are likely to operate their own e-mail providers, Crypto AG style," Canfield continued, referring to a historical case where the CIA secretly ran an encryption company in Switzerland in order to intercept others' communications.

"We're proud to have worked with dozens of governments by educating them on the nature of anonymous e-mail, and while data is never handed over without legal obligation in our jurisdiction, these reports have still helped to stop thousands of bad actors and these governments have thanked us as a result," Canfield said, adding that those who have information about users violating's terms of service can contact an abuse address.'s terms of service says that users may be banned for "Conducting any activity that breaks the laws in which is governed," and "Encouraging others to break's rules or the law using"

After publication of the joint report, Kyle Ehmke, a researcher with cybersecurity firm ThreatConnect, tweeted that "it's worth noting that 4400+ domains (current and historic) have been registered using a cock[.]li address. SVR registration among those almost certainly are a small percentage."

Subscribe to our cybersecurity podcast, CYBER.