CAUGHT IN THE ACT OF DECEPTION
and manipulation


If you would like to see the records of the various tools (traceroutes, NMAP, geolocation tool), click here.


The NCCG leadership was caught in the act while pretending over the internet that they were a "satanist".


Between November 9 and November 12, 2006, it was shown that former cult member, Derek R., had for years been the victim of an internet sham where NCCG cultists would contact him over the internet and even telephone, pretending to be "satanists".


Throughout the years of his cult involvement, Derek had been in a very stressful online relationship with someone claiming the name "Kati." This person was claiming to be a "satanist" who was trapped in a "coven". Derek explained:

...I cried for her and prayed for her (and other "coven members") every night...

..
.I had to spend every last second with Kati trying to help her. It was vital because S.F.F. was apparently trying to take her back to England. Apparently, I "failed" and blamed myself the entire time for my supposed "failure".

...After "the girls" went away for several months, supposedly as returnees to Satanism, it was night after night of constant crying and praying and worrying about Kati and the rest of "the girls". Occasionally they (primarily Kati) would PM me, but it was only once or twice every few months, followed by "a phone call" and then further silence.


After he left the NCCG cult, Derek began to receive internet Instant Messages from "Kati" again. I noted that the writing style was identical to some cult communication I had seen, and also that the messages also contained references to a "satanist" who was already known to have been faked by NCCG cultists.

On that Thursday, to identify Kati's real location in the world, we sent an email to her last known email address. This email contained a link to a brand-new, unpublished image on a webserver that was logging all webhits made to that image.

Within one minute of sending the email, the web image scored a hit. The web log was:

213.66.1.199 - - [09/Nov/2006:11:55:55 -0600] "GET /photo003.jpg HTTP/1.1" 200 4936 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

We now had "Kati"'s IP address. This IP address was owned by Swedish ISP Telia, and its traceroutes and geolocation took it directly to the cult's region of Sweden.

To verify that this was indeed the NCCG cult's internet IP address, Derek sent two Instant Messages containing a different unique link to two cult members who were known to be at the cult's compound in Sweden at the time (Jannicke L. and Sharon Harvey). Three minutes later, the web hit came back, plus 3 more.


213.66.1.199 - - [09/Nov/2006:15:12:45 -0600] "GET /articles/lawrevisited.htm HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
213.66.1.199 - - [09/Nov/2006:15:12:51 -0600] "GET / HTTP/1.1" 403 5044 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
213.66.1.199 - - [09/Nov/2006:15:12:51 -0600] "GET /icons/apache_pb2.gif HTTP/1.1" 200 2414 "http://www.setapartplace.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
213.66.1.199 - - [09/Nov/2006:15:12:51 -0600] "GET /icons/powered_by_rh.png HTTP/1.1" 200 1213 "http://www.setapartplace.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


So, now we knew that "Satanist Kati" was reading her email from the NCCG cult compound.

When we tested the IP address to see what sort of device was connecting to the internet, it was reported to be a LevelOne WBR-3406TX Wireless Broadband router.


Testing was repeated, this time using both email and Instant Messager software, and the outcome was the same.

On Friday, an email was composed from Derek to "Kati" that contained an HTML embedded image. This meant that instead of the mail recipient needing to click the link to generate the web hit, the mail client would load it automatically. He also sent "Kati" an Instant Messager message with another link to the webserver.

On Saturday, The NCCG cult's new IP address was seen to be 81.229.105.239. This was determined by packet sniffing the Instant Messager sessions with two cult members who were at the compound (Jannicke L. and Sharon Harvey).

One of the packets to Jannicke:

13:39:11.379986 IP xxx.xxx.xxx.xxx.3508 > 81.229.105.239.32972: . ack 53 win 65483
        0x0000:  0013 4947 7ba6 000c 6ea3 d933 0800 4500  ..IG{...n..3..E.
        0x0010:  0028 059f 4000 8006 77b0 c0a8 0104 51e5  .(..@...w.....Q.
        0x0020:  69ef 0db4 80cc d5fe d84d db65 c40e 5010  i........M.e..P.
        0x0030:  ffcb 7d9b 0000                           ..}...

One of the packets to Sharon:

13:44:19.549988 IP xxx.xxx.xxx.xxx.3564 > 81.229.105.239.17862: . ack 546 win 64990
        0x0000:  0013 4947 7ba6 000c 6ea3 d933 0800 4500  ..IG{...n..3..E.
        0x0010:  0028 0a64 4000 8006 72eb c0a8 0104 51e5  .(.d@...r.....Q.
        0x0020:  69ef 0dec 45c6 1a3b 2fe2 560d 857e 5010  i...E..;/.V..~P.
        0x0030:  fdde 7d9b 0000                           ..}...


The new IP address being used by cult members Jannicke and Sharon, 81.229.105.239, was once again owned by Swedish provider Telia, and the traceroutes and geolocation went to the cult's region in Sweden.

We tested the IP address to check what kind of device was using it. Like Thursday's result, the new IP address was reported as being used by a LevelOne WBR-3406TX Wireless Broadband router

On Sunday, the web hits from the messages sent to "Kati" on back on Friday came through, using the IP address seen from the cult on the day before. The logs from the emailed hits were:

81.229.105.239 - - [12/Nov/2006:06:53:42 -0600] "GET /sig1.jpg HTTP/1.1" 200 631 "http://us.f569.mail.yahoo.com/ym/ShowLetter?MsgId=8871_98756_697_1603_379_0_5_-1_0&Idx=0&YY=92491&y5beta=yes&y5beta=yes&inc=25&order=down&sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.229.105.239 - - [12/Nov/2006:06:57:35 -0600] "GET /sig1.jpg HTTP/1.1" 304 - "http://us.f368.mail.yahoo.com/ym/ShowLetter?MsgId=172_4806044_455474_1655_1017_0_63185_2387_3086667384&Idx=1&YY=24816&y5beta=yes&y5beta=yes&inc=25&order=down&sort=date&pos=0&view=&head=&box=Inbox" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

7 minutes later, the web hit came in from the Instant Messager link sent to "Kati":

81.229.105.239 - - [12/Nov/2006:07:04:42 -0600] "GET /nofalseprophets.jpg HTTP/1.1" 200 12868 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

We tested the IP address again to see what sort of device it was. It was the same, a LevelOne WBR-3406TX Wireless Broadband router.

If you would like to see the records of the various tools (traceroutes, NMAP, geolocation tool), click here.