Starting in 2017, Joel Kurzynski started to make life hard for his enemies. According to his plea agreement, he targeted four people in particular — a man and a woman — with a sustained cyberstalking campaign, sending harassing spam calls at odd hours and over a thousand texts. As time went on, he got more creative, starting a dummy account with one target’s name and picture looking for “dom guys into treating me like crap.” He registered another target with with a string of weight loss programs, resulting in months of rolling emails.
The attack is a byproduct of an unfortunate fact about the online space: it’s very easy to sign up for things, and very hard to quit. Services like Scruff want more users, of course, and a rigorous identity check would make sign-up a lot harder. Attacks like this don’t happen very often, so it’s rarely easy for victims to delete the account. With so many services, it’s easy to find one your target isn’t on, and never any problem finding pictures or details to fill it out. It’s a persistent problem in modern tech, and one you can find over and over again in stalking cases.
Cyberstalking cases offer a strange window into the way online networks are built: how much pain can you cause with unlimited malice and limited technical skill? This wasn’t a case of trained Russian trolls or NSA hackers. Kurzynski was an IT professional, but nothing he did required any particular technical skill. The most sophisticated tricks seem to have been triggering password resets and making anonymous phone calls, nothing beyond the reach of the average 4chan troll. But as long as there were doppelgänger accounts, he didn’t need to. All he needed to do was start an account.
Earlier this month, Kurzynski was sentenced to two and a half years in prison, for two counts of cyberstalking. But while this individual case is finished, the weakness he exploited is still out there, and fixing it will be much harder than catching a single stalker.