PLAINFIELD, Ind. – A California man faces several felony charges in connection with the cyber threats that put Plainfield on edge more than a year ago—and federal authorities believe he victimized minors in at least 10 other federal districts in a “sextortion” scheme.
Buster Hernandez, 26, is charged with sexual exploitation of a child, threats to use an explosive device and threats to injure in the Plainfield case, which began with a series of threats posted on social media on Dec. 16, 2015. Federal prosecutors announced charges in the case during a news conference Monday.
Hernandez was arrested Thursday in California and had an initial hearing Friday. He’ll be moved to Indianapolis by the end of the week.
U.S. Attorney Josh Minkler said Monday that Hernandez wanted to be the “worst cyberterrorist who ever lived.”
Plainfield Community School Corporation closed school a day before winter break in response to the threats. Other threats made against The Shops at Perry Crossing and Carmike movie theater led to a closure and an evacuation.
The threats were attributed to an individual on Facebook known as “Brian Kil.” Investigators said Hernandez used the alias to make the threats, according to a 37-page federal indictment that was unsealed Monday and obtained by FOX59.
The investigation was complex, Minkler said, requiring more than 100 state and federal search warrants along with electronic surveillance, wiretapping and sophistic computer forensics techniques. Minkler said more than 200 grand jury subpoenas were issued in an effort to find the “needle in a haystack.”
Hernandez faces a minimum term of 15 years and a maximum term of 30 years if convicted, prosecutors said.
“Law enforcement has identified victims in at least 10 federal districts, maybe more,” Minkler said, directing people who may have been victimized to report it at the FBI website or call 317-595-4000, Option 2.
“Sextortion is a real crime. Individuals are looking to exploit our children. Individuals are looking to put communities in fear. Individuals are looking to shut down schools and shopping malls,” Minkler said.
“I know our youth thinks they can a picture of themselves and send it to their friends, and that goes away. But the reality is that it doesn’t. You don’t control where that image goes. Many times it ends up in bad hands. In this case, those images ended up in the hands of an individual who is a proclaimed cyberterrorist who is looking to sextort the victims,” Minkler said.
Using online accounts, Hernandez approached minors and said he had lewd or sexually explicit videos and photos, court documents said. He then asked for more and threatened to expose them unless they sent additional photos and videos. One of his targets, referred to as “Victim 1” in court documents, was a girl from Plainfield.
Hernandez had such a hold on one victim that he convinced her to go to a public forum on the case in Plainfield and report back what people said during the meeting and what law enforcement knew about the person responsible for the threats.
From Dec. 17, 2015, through Jan. 11, 2016, Hernandez opened 10 Facebook accounts in order to make threats and then disabled them, investigators said. From Jan. 11, 2016, through Jan. 27, 2016, he opened and closed 14 Facebook accounts. Hernandez opened an additional two accounts on Feb. 16, 2017.
In the federal indictment, Hernandez said he wanted to ratchet up the drama and compared the threats to a soap opera. In a series of Facebook posts, he admitted he never knew the Plainfield teen, referring to her as “unlucky” for getting hacked.
“Truth is, I lied about knowing her,” Hernandez wrote on Facebook. “I don’t know [Victim 1]. I’ve never met her. She’s just a girl who was very unlucky and had her cloud storage hacked. From there I dragged her through the mud by spreading lies and misinformation to reach my goals that really had no relation with her whatsoever. I basically used her as an access point to attack an entire town.”
Hernandez said he made it all up. His demand for an “apology” from the victim and her mother was a complete fabrication.
“From day 1, I’ve said I would turn myself in if [Victim 1] and her mother apologized to me,” court documents said, attributing Hernandez. “I made this up. There is nothing to apologize for. I needed to create some driving motivation for this soap opera. I fabricated this plot point. An ‘apology’ is something so simple to do, but I knew it would never be given,” court documents said.
Hernandez said his drive to get an apology allowed the drama to continue until after Christmas break. He also said he believed the demand for an apology would turn people against the Plainfield victim and her family. He said the strategy proved to be “highly effective.”
Investigators probed the threats for months. Their big break, however, didn’t come until June 2017. A judge authorized a technique (a Network Investigative Technique also known as a NIT) that allowed investigators to trace the IP address of Brian Kil after his interactions with a victim in Michigan.
Kil demanded videos be sent to a Dropbox. The NIT allowed investigators to locate the IP address Kil had masked after he viewed a video sent to him, leading investigators to an address in Bakersfield, Calif., where they found Hernandez.
In July, U.S. District Judge Tanya Walton Pratt authorized the interception of communications to and from the IP address. Investigators found a photograph of the killers in the 1999 shooting at Columbine High School in Colorado. That discovery was significant because Kil posted the same photograph on Tumblr when he threatened the Plainfield school district.
On July 19, 2017, cameras were installed outside the home in Bakersfield, Calif. Investigators were able to match Hernandez’s movements with web activity from the IP address. Basically, when Hernandez was inside the home, someone continued to access software that allows anonymous communication online.
Hernandez was “always present” during internet activity at the home, court documents said.
Based on that information, investigators believe Hernandez is “Brian Kil” and used the internet to cause victims to produce and distribute child pornography. They believe he’s behind threats to set off explosives at Plainfield schools and businesses unless Victim 1 provided him with more material.
Plainfield Community Corporation released a statement about the arrest, saying,
We have been notified by the U.S. Department of Justice that an arrest has been made in the cyberterrorism case known locally as #BrianKil. News of the arrest brings tremendous relief to families not just here in Plainfield, but nationwide.
While we know very little about the case or the arrest, we do know that this individual is alleged to have been involved in similar scenarios across the country; this was not isolated to Plainfield.
The months of cyberterrorism were very difficult, and yet we experienced a tremendous outpouring of support, cooperation, and assistance. Our PCSC employees worked diligently to ensure our students experienced as much normalcy as possible, while continuing to provide a safe learning environment.
Superintendent Scott Olinger stated, “Thank you to our students, who conducted themselves with dignity and respect during a very difficult time. Thank you to our parents, for your support and encouragement. And thank you to our staff. Your dedication is, quite simply, the best.”
Of course, the Town of Plainfield and the Plainfield Police Department have been great partners. With financial support shared by the Town, the PPD provided additional officers to our schools, and additional patrols around town. Their commitment to securing our schools, and our community, is second to none.
While the threats have been silent for more than a year, we remember all too well the stress that we endured. Superintendent Olinger added, “It is important to note: this does not mean that our safety and security measures will lessen. Protecting the children of Plainfield will always be our #1 priority.”
We’ve learned a great deal over the past 20 months. Cyber crimes are far more difficult to investigate and solve than television shows make it appear. But the cooperation of countless public safety agencies has resulted in an arrest, and we are incredibly grateful.
Timeline of the investigation:
Wednesday, December 16, 2015
Thursday, December 17
Friday, December 18
- FBI takes lead in investigation
- Threats made against The Shops at Perry Crossing and Carmike movie theater; mall is closed and theater is evacuated
Saturday, December 19
Sunday, December 20
- Another threat is made against The Shops at Perry Crossing, Carmike movie theater, and Walmart; businesses stay open
Saturday, January 2, 2016
Monday, January 4
Tuesday, January 5
Wednesday, January 6
Thursday, January 7
Monday, August 7, 2017