Group that sent email threats to schools in County Carlow may have slipped up

THE PEOPLE behind the shooting threats sent to 20 Carlow primary schools last Wednesday may have made one fatal mistake: they used a Gmail account, and Google never forgets.

Michele Neylon, CEO and co-founder of Carlow-based web hosting and domain registration company Blacknight, told The Nationalist that while tracing the sender of the threatening emails that plunged the county into chaos on 27 May could take time, it is far from impossible.

“It might take the gardaí three months, six months or longer to get that data, but they will get it,” Mr Neylon said.

An Garda Síochána had confirmed that the email, which threatened mass shootings and was sent to 20 of the county’s 42 primary schools just after 7am on Wednesday 27 May, was routed through another country and sent from a Gmail account, with the sender’s real location masked using a VPN (virtual private network), a technology that disguises internet traffic.

But Mr Neylon said the use of a VPN may ultimately prove to be an insufficient precaution. “The smarter-than-average Joe might use a VPN, but if they used a Gmail address and logged into that account at some point using their home IP and think ‘oh, well, I didn’t use my home IP the day I sent those emails’ ‒ well, it could be the case that they did six months ago, so Gmail still has that in the logs.” 

In other words, even if the sender was careful on the day the emails were sent, a single previous login to the same Gmail account from an unmasked home internet connection could be enough to catch them.

Gardaí can formally request that data from Google through established legal channels. The investigation has also taken on an international dimension. The Garda Special Detective Unit, which investigates threats to the state, is understood to be involved and is in contact with agencies in the United States of America, through which the email’s IP address is believed to have been routed.

Mr Neylon was unequivocal in characterising what happened. “It’s a form of cyber-terrorism,” he said, adding that the disruption caused in terms of schools closed, parents left scrambling and garda resources stretched constituted significant economic damage as well as societal harm.

“There would also be significant economic damage associated with it … massive disruption. There’s a whole litany of things which would push it into a higher realm in terms of the pecking order of crimes.” 

Despite the severity of the impact, Mr Neylon said the technical barrier to launching such an attack was remarkably low. “It’s been quite easy to do something like this for a long time. This is nothing new,” he said, noting that tools to anonymise internet activity are widely available and require little technical expertise to use.

He also stressed that the weapons photograph included in the email, which caused widespread alarm among parents, was found to be a stock image. “If anybody was to do a quick reverse image look-up on Google, they would have found it. But the problem is that if you are a parent of a child, you’re not going to be looking at it from a computer forensics perspective. Most people are going to go ‘oh my God, this is a threat to my children’.” 

This has been confirmed elsewhere ‒ the image has been traced to a YouTube video posted six years ago and a Spotify track from 2021.

As to who sent the emails and why, Mr Neylon offered two broad possibilities: an immature opportunist seeking notoriety or a more calculating actor using Carlow as a test case.

Garda sources have suggested one line of inquiry is that the emails were sent by a group that deliberately targets institutions to generate a large-scale policing response, a phenomenon seen in similar incidents in Lithuania, Estonia, Latvia and Slovakia in recent years.

Mr Neylon described the less sophisticated end of this spectrum as “script kiddies” or individuals with limited hacking skills who just do this for kicks. “They’re not particularly evolved in terms of hacking and all that, but it’s more that they’re doing things for fun.” 

The chances of being caught, he said, depend entirely on how carefully the sender covered their tracks. “If they were very, very clever, it becomes hard to trace them. If they were just kind of smarter than the average Joe but not that brilliant, they’ll get caught.”