Orchestrated Harassment and IP Cloning by 121.88 and Foster4502





IP Impersonation Case 1 – Macro Operator Switches to User’s IP (121.88 → 58.140)

Deliberate IP Switching and Coordinated Harassment with Foster4502


Summary


On July 1, 2025, at 16:08:33 KST, IP 121.88 — previously identified as a likely macro operator — posted a manipulation thread on the DCInside board. In response, a user (the report author) left a comment: "I pray for you, but justice must be served." Just four minutes later, a semi-anonymous user (foster4502) replied with emotionally charged and targeted attacks.


Notably, foster4502 attempted to link the author to a fringe religious group (via "Lee Man-hee" references), echoing a tactic often used in previous macros. This aggressive framing, combined with keyword alignment, strongly suggests that foster4502 is either working with or is the same actor as 121.88.


At 16:35:24, 121.88 changed its IP to 58.140, the same IP previously used by the author, implying attempted impersonation; this is the second time that IP has been impersonated. This IP switch occurred during the active conversation, suggesting deliberate provocation and obfuscation. Moreover, both 121.88 and 58.140 have been confirmed in earlier macro captures using identical filenames, further proving linkage.


Foster4502 was also involved in the earlier macro wave that began around 10:00 AM the same day.



Key Findings


1. 121.88 is a central macro actor that manipulates public perception using IP spoofing and scripted messaging.

2. 121.88 switched to 58.140 mid-thread — a known impersonation tactic — while the conversation was ongoing.

3. foster4502 exhibits macro-like behavior and is likely part of the same network, possibly the same operator.

4. Shared keywords and files among 121.88, 58.140, and foster4502 confirm intentional coordination.



Attachments and Evidence


A) Original post by 121.88: [Archive](https://archive.md/ir7kd) | Screenshot






B) IP switch to 58.140 (post deleted): [Archive](https://archive.md/8dRuX) | Post No.: 2166325







C) foster4502’s aggressive replies with macro keywords







D) Remaining macro posts from July 1 containing similar language, within the 10,000-post search range








E) Matching macro and foster4502 content (keywords, tone)









F) Continued posting by 58.140 using same patterns










G) Both IPs (58.140 and 121.88) appear in macro operations


  * [Archive](https://archive.md/7GSEH) | Additional screenshots included










> This case strongly suggests that 121.88 is operating under multiple IPs and pseudonyms, conducting psychological manipulation through macro-level online framing. Further cases (EV07-02 to EV07-05) will continue to analyze additional patterns.


H) Coordinated opinion-rigging surge beginning at 10:00 AM on July 1, 2025, following mass deletion of macro manipulation posts (featuring 121.88 and foster4502)

URL : https://m.dcinside.com/board/uspolitics/2164615?page=1&s_pos=-2177687&s_type=subject_m&serval=Foster



IP Impersonation Case 2 – Additional Incident Timeline: Targeted IP Harassment & Phishing Attempt (July 1, 2025)

Immediately after the IP spoofing incident, a new escalation occurred.


Summary

① 20:04:33 KST – A post targeting the user’s real IP (58.140) was uploaded under a new fixed nickname, "투어" (Tour):


- Post Number: 2167488

- DCInside URL: https://m.dcinside.com/board/uspolitics/2167488

- Archive: https://archive.md/nqDg1



② This nickname had no prior posting history on the gallery and used mocking language ("깝치지 마", roughly "stop acting up").

Following this, a malicious script snippet resembling a phishing attempt using navigator.geolocation was posted—suggesting an attempt to capture the viewer's location:

```javascript
<script>
if (navigator.geolocation) {
  navigator.geolocation.getCurrentPosition(
    function(position) {
      const lat = position.coords.latitude;
      const lon = position.coords.longitude;
      document.getElementById("location").innerText =
```


③ In response, the user created a record post at 21:00 KST, documenting the phishing and harassment:

- URL: https://gall.dcinside.com/mgallery/board/view/?id=uspolitics&no=2168001

- Archive: https://archive.md/CQNYk




④ Around 21:20–21:30 KST, the attacker edited the original post, changing its content to "윤어게인" ("Yoon Again"), effectively hiding the earlier attack.
Archive of altered post: https://archive.md/ujQGO


⑤ Around 22:00 KST, the post (2167488) was deleted.


⑥ Post 2167489 (posted just after the original attack post) was archived at 13:10:10 UTC (22:10 KST):
https://archive.md/AuwlG

This timestamp proves deletion timing, reinforcing the intent to erase evidence after the phishing attempt.
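
One way a moderator or reader could triage the snippet quoted in step ②, as an added example that is not part of the original report: the function below (`scanPost` and the sample names are hypothetical) flags Geolocation API calls in a post body and records whether the markup was stored escaped, whether the paste is cut off, and whether the visible code writes to the page or makes a network call. The first sample is the fragment exactly as quoted above; the other two inputs are constructed.

```javascript
// Added example (not from the original post): flag Geolocation API use in a post body.
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)(<\/script\s*>|$)/gi;
const GEO_CALL = /navigator\s*\.\s*geolocation\s*\.\s*(getCurrentPosition|watchPosition)\s*\(/g;

// Boards usually store markup entity-escaped; decode so both forms are inspected.
function decodeEntities(s) {
  return s.replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
          .replace(/&quot;/gi, '"').replace(/&amp;/gi, '&');
}

function scanPost(body) {
  const renderedAsText = /&lt;\s*script/i.test(body); // escaped: shown, never executed
  const findings = [];
  for (const m of decodeEntities(body).matchAll(SCRIPT_BLOCK)) {
    const code = m[1];
    const calls = [...code.matchAll(GEO_CALL)].map((c) => c[1]);
    if (calls.length === 0) continue;
    findings.push({
      calls,
      truncated: m[2] === '', // no closing script tag: the paste was cut off
      writesToPage: /\.(innerText|innerHTML|textContent)\s*=/.test(code),
      sendsOut: /\b(fetch|XMLHttpRequest|sendBeacon)\b/.test(code),
    });
  }
  return { flagged: findings.length > 0, renderedAsText, findings };
}

// The fragment quoted in this report, exactly as far as it is visible.
const SAMPLE_FROM_PAGE = [
  '<script>',
  'if (navigator.geolocation) {',
  '  navigator.geolocation.getCurrentPosition(',
  '    function(position) {',
  '      const lat = position.coords.latitude;',
  '      const lon = position.coords.longitude;',
  '      document.getElementById("location").innerText =',
].join('\n');

// Constructed inputs: the same fragment entity-escaped, and an ordinary comment.
const SAMPLE_ESCAPED = SAMPLE_FROM_PAGE.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const SAMPLE_BENIGN = 'I pray for you, but justice must be served.';

for (const [name, body] of Object.entries({ SAMPLE_FROM_PAGE, SAMPLE_ESCAPED, SAMPLE_BENIGN })) {
  console.log(name, JSON.stringify(scanPost(body)));
}
```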






Notably, there is no record of any post created using IP 58.140 prior to 8:04:33 PM (KST) on July 1, 2025 — the moment when the first doxxing post targeting the user appeared.


- This strongly suggests that the attacker maliciously copied the user’s actual IP (58.140) and began exploiting it for manipulation starting from that moment.

Although IP 58.140 is the actual IP address of the victim, it was deliberately cloned and used to create two doxxing posts.

- Moreover, evidence shows that hundreds of macro-generated posts were also uploaded using the same IP, indicating automated propaganda distribution.

- In addition, the same attacker deployed a phishing script disguised as a geolocation tool, attempting to intimidate and psychologically pressure the user.

- Altogether, these events provide strong evidence that the entity using 58.140 is not only impersonating real users, but is also a central operator in the macro-level information manipulation network.



Original post URL: https://gall.dcinside.com/mgallery/board/view/?id=uspolitics&no=2166999
Original post archive: https://archive.md/R5egc



A particularly noteworthy incident is that 121.88, suspected to be the main entity behind the manipulation, has no posts made under 58.140 prior to June 4. After June 24, following a post that targeted the manipulation, 121.88 began actively posting and spreading such content.

June 4: Prior to this date, no posts were made under 58.140.
Link: https://gall.dcinside.com/mgallery/board/view/?id=uspolitics&no=1968827


June 24, 01:18:13: After targeting the manipulation, 121.88 began posting.