
A coordinated wave of swatting attacks has disrupted college campuses across the United States at the start of the 2025 fall semester, with an online group known as “Purgatory” claiming responsibility. The group operates a paid service on Telegram, offering to place false emergency calls that draw armed law enforcement responses to schools, malls, and airports [1]. These hoaxes, which began on August 21, have targeted at least 19 institutions, causing widespread panic, lockdowns, and a significant drain on law enforcement resources [2]. The FBI has confirmed it is investigating the incidents, noting the serious risks they pose to public safety [3].
Operational Structure and Monetization
The group “Purgatory” is led by individuals using the aliases “Gores” and “tor,” who have communicated directly with journalists [1]. They operate a clear business model, monetizing fear and disruption through a tiered pricing structure. Initially, threats against schools were offered for as low as $20, though prices increased to $95 following media coverage. The group also advertised more severe threats against hospitals, businesses, and airports for up to $50, and even offered services implying real-world violence, such as “slashings” and “brickings,” for as little as $10 [1]. Gores claimed the group had earned approximately $100,000 since the spree began, though this figure could not be independently verified by journalists [1]. This monetization strategy highlights a concerning trend where disruptive acts are commoditized and sold as a service to the highest bidder.
Technical Execution and Evasion Techniques
The group’s technical methods for placing these calls are designed for maximum anonymity and evasion. According to cybersecurity expert Rob D’Ovidio of Drexel University, the actors likely use Voice over IP (VoIP) services, such as Google Voice, layered with Virtual Private Networks (VPNs) and potentially compromised accounts to obscure their true location and identity [4]. This multi-layered obfuscation makes attribution “very difficult for law enforcement.” Researchers from the Global Project Against Hate and Extremism (GPAHE) and extremism researcher Marc-André Argentino confirmed listening to the group conduct swatting calls via audio livestreams on platforms like Discord [1]. In recordings reviewed by WIRED, callers included sound effects, such as simulated shotgun blasts, to enhance the credibility of their threats and ensure a heightened emergency response.
Links to Extremist Networks and Ideology
The “Purgatory” group is suspected of being connected to “764,” a nihilistic and violent extremist subgroup within the larger “The Com” network [1]. The U.S. Department of Justice has previously described 764 as a network “seeking to destroy civilized society through the corruption and exploitation of vulnerable populations, which often include minors.” This connection is not merely speculative; federal authorities have directly linked the same network to a series of bomb scares and bogus shooting reports in early 2024. Three individuals—Owen Jarboe, Brayden Grace, and Evan Strauss—pleaded guilty this year for their roles in those earlier incidents [1]. A joint report from the Center for Internet Security (CIS) and the Institute for Strategic Dialogue (ISD) concluded it is “very likely” this swatting group was responsible for the false emergency reports, intending to “boost their reputation, attract larger audiences, and generate revenue” [3].
Impact and Institutional Response
The impact of these hoaxes extends far beyond the momentary disruption of classes. At Villanova University, students and faculty were locked down during an orientation mass, an event designed to be a welcoming celebration [1]. The emotional toll on parents was severe; Pedro Gutierrez, who had just dropped his son off at campus, experienced profound distress and guilt upon hearing the news [1]. The physical dangers are also very real. David Riedman, founder of the K-12 School Shooting Database, highlighted the risks inherent in the massive police response, which can include officers causing collisions by running red lights. In one documented instance from a previous swatting event, an officer rammed a car through a school’s locked doors [1]. Institutions like the University of Colorado Boulder have stated their police are working with “state and federal partners, including the FBI” to investigate these threats and prevent future occurrences [1].
Relevance to Security Professionals
For security professionals, the Purgatory campaign is a case study in the weaponization of communication infrastructure and the challenges of mitigating low-cost, high-impact attacks. The use of encrypted messaging apps like Telegram for command and control (C2) and recruitment, combined with easily accessible obfuscation tools like VoIP and VPNs, presents a significant challenge for traditional threat detection and attribution models. The group’s public bragging and livestreaming of attacks add a layer of psychological warfare aimed at maximizing media attention and public fear. This incident underscores the need for enhanced monitoring of threat actor communications on clearnet and darknet platforms, as well as closer collaboration between private sector threat intelligence firms and public law enforcement agencies. The successful intervention by a GPAHE researcher, who warned Bucknell University of an incoming hoax after hearing it planned on a livestream, demonstrates the potential value of proactive threat hunting in these spaces [1].
Conclusion and Future Implications
The wave of swatting attacks perpetrated by the “Purgatory” group represents a sophisticated and malicious exploitation of emergency response systems. Their use of encrypted communications, financial monetization, and technical obfuscation points to a concerning evolution of these tactics. The psychological and physical harm inflicted on thousands of students, parents, and faculty is substantial, and the drain on law enforcement resources is significant. The links to a known extremist network suggest this is not an isolated incident but potentially part of a broader campaign of societal disruption. Moving forward, a multi-faceted approach combining technical monitoring, law enforcement action, and public awareness is necessary to deter and mitigate such threats. The ongoing FBI investigation will be critical in determining the full scope of the operation and identifying those responsible [3].