Earlier this year, a string of bomb threats targeted more than 100 Jewish centers, causing daily chaos for local organizations and raising new concerns about anti-Semitic violence in the US. The spree came to an end when police arrested 19-year-old Israeli citizen Michael Kadar in connection with the threats, overcoming various anonymity measures to trace the calls. But new evidence suggests Kadar may have been making the calls on behalf of a third party, as part of a larger bomb-threat-for-hire business operating on the dark web.

In a recently unsealed search warrant (first surfaced by researcher Seamus Hughes), police sought access to Kadar’s AlphaBay accounts, where he appears to have operated the business. A public description of the service was found by investigators in a text file on Kadar’s computer, and is reproduced in the warrant. The post includes detailed pricing info for threats, an option to include a false name as part of the email, and even a refund offer if classes are not canceled as a result of the threat.

The same text was also found by investigators on AlphaBay, posted by a user called “DarkNetLegend” on February 8th. ProPublica’s tracker records as many as 65 bomb threats against Jewish centers made before the 8th, although the majority of the threats were made in February and March.

Kadar’s text description refers only to emailed threats to schools, although subsequent files also made reference to a calling service. Evidence from Kadar’s Google Voice account indicates his threats went beyond just Jewish centers, including bomb threat calls to a middle school in Florida and a United Airlines flight departing from Orlando.

The timing of the filing indicates it occurred independent from the investigation that took down AlphaBay in July. The warrant application naming Kadar was filed on April 6th, two weeks after Israeli police raided Kadar’s home, but three months before the AlphaBay takedown. The application remained sealed until last week.

In many ways, Kadar’s business raises more questions than it answers. Investigators located Kadar by tracing the Google Voice numbers used in the attacks, but there’s still no indication of who may have hired him to target Jewish centers in the first place. If the transactions were made using AlphaBay’s standard anonymity features, there may be no way to trace it back to the client who ordered the calls. If a similar service emerges on the remaining dark web marketplaces, there would be little to stop that client from relaunching the campaign.