Information Sharing Following College Active Shooter Reports

In August 2025, as students were heading back to college campuses, a wave of active shooter swatting calls brought fear and confusion to the start of the school year, as reported bymultiplenewsoutlets, including one university where studentssprinted out of their classroom after receiving a warning text message.

These calls resulted in lockdowns, panic, and significant disruptions to campus operations.

Read on to learn how the Multi-State Information Sharing and Analysis Center^® (MS-ISAC^®) supported public safety and awareness in response to these calls.

Panic and Disruptions at Multiple U.S. Universities

Analysts assessed with high confidence in an Emerging Incident Report (EIR) released on August 27, 2025, that the swatting group “Purgatory” very likely made false emergency reports targeting at least 10 U.S. universities between August 21 and 25, 2025.

• Attribution: On August 21, 2025, a member of the Com-affiliated swatting group Purgatory placed calls to emergency services during swatting incidents at universities in Tennessee and Pennsylvania, according to analysts’ review of online materials. On August 25, 2025, analysts reviewed separate material indicating Purgatory members were very likely responsible for eight additional swatting calls targeting universities across the United States between August 24 and 25, 2025.
• Tactics, Techniques, and Procedures (TTPs): During the false emergency reports, Purgatory member(s) often claimed an active shooter was present at a campus library, with several calls also featuring gunshot sounds.
• Background: The Com is a loose network of online threat actors who conduct swatting and cybercriminal activities while also engaging in sextortion and online child sexual abuse material (CSAM) distribution. Purgatory was a prominent swatting group affiliated with the Com network. While Purgatory is no longer active and has not been since late 2025, analysts have observed Purgatory members participating in other, similar Com-affiliated swatting groups.
• Outcome: In all cases summarized above, the campuses were quickly cleared by law enforcement, and no threat was identified. However, nearly all the incidents reportedly led to lockdowns, panic, and significant disruptions to campus operations.

"A Serious Crime that Can Have Deadly Consequences"

According to the FBI, swatting is "a serious crime that can have deadly consequences due to confusion on the part of victims and responding officials, and that also diverts limited public safety resources from valid emergencies."

Here's how the active shooter calls unfolded at the affected universities:

• The first set of observed swatting calls targeted University of Tennessee at Chattanooga (UTC) and Villanova University. At approximately 12:30 P.M. ET on August 21, 2025, the Hamilton County 911 Emergency Communications District received an emergency call reporting an active shooter in the UTC library, with dispatch operators noting, “Two gunshots fired during the call.” Approximately one hour later, the school announced law enforcement found no evidence of a threat.
• Around 4:30 P.M. ET on August 21, 2025, Delaware County’s Department of Emergency Services received a call reporting an active shooter on Villanova’s campus, which was followed by several additional calls with “gunshot-like” sounds in the background. Later that day, Villanova University’s president announced the reports of an active shooter on campus were a “cruel hoax.”
• On August 24, 2025, Purgatory member(s) made calls to the non-emergency lines of police departments near University of South Carolina (USC) and the University of North Carolina at Chapel Hill (UNC), according to analysts’ review of online materials. Media reports indicated callers used the same script as the previous calls, including claims of an active shooter in the library and gunshot sounds in the background.
• Analysts assessed with high confidence Purgatory member(s) very likely placed swatting calls to six additional universities on August 25, 2025. Media additionally reported swattings at two additional universities on the same day that also matched the observed tactics from the previous calls.
• Purgatory member(s) used a Voice over Internet Protocol (VoIP) telephone service to place the swatting calls, according to analysts’ review of online materials. Past analytic research indicates members of “swatting-for-hire” groups often purchase compromised VoIP accounts for this purpose, generally only accessing the accounts via Virtual Private Networks (VPNs) to conceal their IP address and identity.

Critical and Timely Information Sharing with Law Enforcement

The MS-ISAC shared critical and timely information with members in an EIR posted to the CIS Portal.

• Rapid response: In several instances, analysts observed the calls firsthand and were able to inform law enforcement of the potential imminent swatting threats.
• Business continuity: In response to rapid information sharing and proactive outreach to law enforcement, an entertainment company was able to successfully manage the situation without needing to evacuate its public locations.
• Outlook: At the time, analysts assessed with moderate confidence Purgatory and other Com-affiliated swatting groups would likely adopt similar tactics to swat academic institutions coinciding with the beginning of the academic year.
• Recommendations: The MS-ISAC provided recommendations to mitigate the risks associated with swatting and similar threats. Recommendations included:
  • Creating and implementing swatting and bomb threat protocols
  • Developing comprehensive communication procedures for exigent circumstances
  • Taking steps to limit the online availability of sensitive information
  • Incorporating cybersecurity best practices

Why It Matters

On April 30, 2026, the U.S. Department of Justice (DOJ) announced charges against an unidentified self-identified member of the Purgatory cybercriminal swatting group for participating in the August 2025 campaign targeting universities.

"Recently, swatting calls have become an increasingly common crime. Swatting calls waste valuable resources for local police departments and first responders who are responsible for responding to the calls believing there is an actual and immediate threat," the DOJ announcement said.

This incident shows how MS-ISAC offers rapid response information on emerging multidimensional threats, informing members of potential safety risks and insight on how to mitigate those risks. Without the MS-ISAC:

• Schools would be left without critical information and needed mitigation measures.
• Law enforcement would have less insight into the TTPs of swatting groups.
• Communities could face panic, fear, and a diversion of public safety resources.

Ready to stay informed of emerging multidimensional threats?