Cyber group 'Purgatory' tied to AI‑enhanced swatting spree at U.S. universities, experts warn law enforcement must adapt
Between Aug. 21 and Aug. 25, fake active‑shooter calls using AI‑generated background sounds forced lockdowns at at least 10 campuses; investigators and cybersecurity specialists call for faster, more technical responses.
A cybercriminal group known as "Purgatory" has been linked to a series of AI‑enhanced swatting calls that triggered lockdowns at at least 10 U.S. universities between Aug. 21 and Aug. 25, according to cybersecurity researchers and law enforcement statements. Experts said the calls — which included AI‑generated screams and simulated gunfire heard during calls to dispatchers — underscore how quickly threat actors are adopting generative audio tools and how law enforcement must update responses to keep pace.
The incidents began Aug. 21 with reported active‑shooter calls at the University of Tennessee at Chattanooga and Villanova University, prompting armed responses and sending students and families into panic during orientation events, officials said. Additional calls were reported Aug. 24 at the University of South Carolina and the University of North Carolina at Chapel Hill. Six more swatting calls on Aug. 25 targeted campuses including Iowa State University, Kansas State University, the University of Maine and the University of Arkansas, where officers searched buildings and students barricaded themselves in classrooms and offices.
Researchers at the Center for Internet Security and the Institute for Strategic Dialogue said the group uses AI tools to synthesize background noises such as screaming and gunfire while on calls to emergency dispatchers. The actors also rely on technical measures to obscure origins, including virtual private networks and Google Voice numbers, and reportedly monitor radio traffic from responding agencies to adjust their messages in real time.
"AI is being used to simulate gunfire in the background. The swatter is monitoring the radio traffic of the responding agencies and tweaking their calls accordingly," said John Cohen, executive director for the Countering Hybrid Threats Program at the Center for Internet Security and a former Department of Homeland Security official. He cautioned that the fast adoption of online tools by criminal and foreign‑linked actors demands an equally rapid evolution of investigative techniques. "Criminals and threat actors are evolving their tactics at internet speed. Unfortunately, law enforcement is still operating in dialogue," Cohen said.
At the University of Arkansas, Assistant Police Chief Matt Mills described the Aug. 25 call that reported an active shooter in Mullins Library. Mills said the call included audible gunfire near the end, prompting a multi‑agency response. "Over the next couple of hours, we received over 300 calls on our non‑emergency lines and 38 911 calls from varying parties," Mills said. Officers cleared seven campus buildings before determining the report was a hoax. He said no one was injured but expressed frustration at the scale of resources deployed.
Analysts said Purgatory organizes primarily on Telegram and Discord and is an offshoot of a broader network known as "The Com," which has been associated with swatting, sextortion and distribution of child sexual abuse material. The FBI issued an alert about "The Com" in late July. Some members of Purgatory have prior indictments. The Department of Justice in May charged three individuals — identified in court filings as Evan Strauss, 26, and two 18‑year‑olds, Owen Jarboe and Brayden Grace — for a 2023–24 swatting campaign that targeted residences, a high school, a casino and an airport; the younger defendants later pleaded guilty.
Reporting and court records indicate that Purgatory has monetized swatting, sometimes taking payment to place hoax calls and at other times carrying out attacks to recruit new participants and gain notoriety. Industry reporting has suggested fees for commissioning school swattings have risen amid media attention, from about $20 previously to roughly $95 in recent transactions. A person using the name "Gores" told WIRED in an interview that the spree would continue for two months; an unidentified group leader claimed earnings of $100,000 since the campaign began, according to reporting.
The FBI said it is investigating the university swatting incidents and that the agency is "seeing an increase in swatting events across the country, and we take potential hoax threats very seriously because it puts innocent people at risk," according to a statement to The New York Times. Local and state law enforcement agencies are also conducting inquiries at targeted campuses.
Experts and officials warned that swatting can be violent and sometimes fatal. "They’re not just irritating. The intent may be, in some cases, to harass the recipients or cause a disruption — but they can be highly dangerous because there are instances where, when the swatting call comes in, the law enforcement organization is going to respond like it’s an actual emergency," Cohen said.
Beyond arrests and prosecutions, cybersecurity specialists urged law enforcement and emergency dispatch centers to develop technical measures to detect likely hoax calls in real time and to incorporate intelligence on how adversaries use internet tools. That could include improved tracing of VoIP and anonymizing services, closer coordination with telecommunications providers, and training dispatchers to recognize indicators of synthetic audio, the analysts said.
University officials have varied in their public descriptions of the incidents, but administrators at affected campuses reported that students, faculty and families experienced fear and disruption. In several cases schools issued shelter‑in‑place orders, canceled classes and activated emergency notification systems while law enforcement cleared buildings.
Investigations into the false reports are ongoing. Authorities said they are reviewing call data and coordinating across jurisdictions to determine who placed and who paid for the calls. The incidents have prompted renewed calls from cybersecurity and law enforcement leaders for resources and technical capabilities to match the pace at which malicious actors adopt new AI tools.
The swatting spree at the universities highlights an intersection of generative AI, organized cybercrime and traditional public‑safety systems. As threat actors continue to weaponize synthesized audio and anonymizing services, officials and analysts said, adapting investigative and emergency response practices will be central to reducing risk and protecting campuses and communities.