Anonymous is holding an open-source hacktivisit war to undermine Daesh, subvert its recruitment and troll its leaders
On the sweltering morning of June 16, 2015, Selfeddine Rezgui ran a handful of gel through his hair, then snorted a line of cocaine.
College was over and Rezgui, a 23-year-old electrical engineering student from Gaâfour, in north-west Tunisia, had the day off. He piloted a boat to the beach at Port El Kantaoui in Sousse, 145km south of the Tunisian capital. As he disembarked, Rezgui looked just like any other young local: barefoot and dressed in swimming trunks and black T-shirt. He strolled through the wash, a parasol dangling from one hand, as he made a call on his white Samsung Galaxy smartphone. Moments later he threw the phone into the sea, as if skimming a pebble.
“Go now,” Rezgui told a few locals, as he continued his stroll. Then, at 12.10pm, the young man pulled a Kalashnikov from its hiding place inside the umbrella, raised the gun and began to fire, first at a paraglider overhead, swooning in the breeze, then at the tourists bronzing on sunloungers. Reguzi first swept the beach with gunfire before entering the nearby Imperial Marhaba Hotel, where, the night before, 565 guests had slept. At times he laughed through his drug-smeared haze, which perhaps caused him to forget the crude home-made bomb tucked in a belt slung around his chest. Twenty minutes after Rezgui fired his first bullet, armed police shot him in the street. During his brief rampage, he had claimed 38 victims. Thirty-nine more lay injured. As he lay dying, Rezgui seemed to reach for the bomb’s detonator, which had tumbled from his pocket on to the ground, a few metres away from his head. More shots. Then silence.
Somewhere in the middle of America, a man who calls himself Raijin Rising was sitting in his pyjamas at his desk in his home office when he saw the first breaking news report of the attack. Raijin opened Telegram, the encrypted messaging service, and set up a new chat room titled “Tunisia”. Then he issued an invitation for colleagues to join him there. Even before the full details of Rezgui’s attack had been reported, the chat began to fill with columns of troubling links – not to news stories describing the attack, but to Twitter posts celebrating its effects.
One message in particular gave Raijin cause for alarm. “What happened in Tunisia was just the starters,” read the tweet from Abu Hussain Al Britani, nom de guerre of Junaid Hussain, a notorious young British hacker who left his home town of Birmingham in 2014 to travel to Syria and join Daesh (also referred to in the west as “ISIS”, “IS” and “ISIL”), the militant jihadi group that had claimed responsibility for Rezgui’s attack on the beach.
“I had a theory,” Raijin told WIRED recently. “Hussain’s Twitter accounts would be silent for weeks or months. Then, whenever he started tweeting again, a major attack would immediately follow. I started to believe he was sending trigger messages.” In this context, Hussain’s next tweet was even more worrying. “Today you are scared to go on holiday,” it read. “Tomorrow you will be scared to step foot outside your door.”
Raijin opened Telegram and began to type: “There’s going to be another attack in Tunisia.”
Rezgui never left his home country. This clean-shaven breakdancer, brought up in a moderate Muslim family, was instead radicalised online, specifically in the Café de la République, a Tunisian internet café where he was a regular. He is typical of many Daesh sympathisers around the world who have been turned to violence not through the words of local hate preachers, but rather inside online chat rooms: Daesh runs its own news service, employs online press officers and, in May, launched an Android app to teach children the Arabic alphabet and jihadi-related terms. It even uses hacker groups – including one that was, for a time, run by Hussain – to take down the websites of its enemies and flood the internet with images and videos of atrocities. In this way social media has become both an ideological battleground and a tool for the most effective recruitment-cum-incitement campaign of any terror group.
In recent years, the rise of terror groups that co-opt the internet as a medium for spreading hatred and ideology has been matched by an opposing army of young vigilantes. The energy of these groups has been sustained by the online outrage that follows each new attack by Daesh or al-Qaeda affiliates. Many grew up frequenting the same online communities from which Daesh plucks recruits. And, in recent months, these vigilantes have matched the organisational efforts of their Daesh counterparts.
Raijin was 19 years old when Saddam Hussein attacked Kuwait in 1990. “I was in college and we were all shitting ourselves thinking we were about to be drafted,” he says, having chosen, after a week of trust-building back and forth via email, to tell WIRED his story. “We were glued to CNN. Ever since that day I’ve been a geopolitics junkie.”
Years later, Raijin began to see news about a jihadist militant group called Daesh routinely appearing in his Twitter timeline. “There was so much information that wasn’t hitting the US news, so I started an ISIS watch list.” Shortly after that, Raijin heard about an Internet Relay Chat (IRC) channel – an invitation-only chat room – where members of Anonymous, the disparate hacktivist group, collated details of pro-Daesh Twitter accounts, then reported them to the social media company in batches. Raijin wanted to help. He began adding to the stream.
To sift through the mass of information, Raijin wrote some tools using Twitter’s API to capture the names of accounts that followed prominent Daesh members. He kept a database of pro-Daesh relationships, noting who tweeted what, when and which accounts, then shared those same tweets. After six weeks of sifting the intel, Raijin realised that the information he had gathered might be of greater use than as a mere tool for reporting Twitter accounts. “That’s when I heard about ‘IS Hunting Club’,” he says.
IS Hunting Club was one of the most prominent anti-Daesh accounts. It was run by a member of Ghost Security Group, a close-knit team of open-source intelligence gatherers. “I believe our youngest is 18 and our eldest is in his forties,” says Raijin. “We know very little about each other – it’s safer that way.”
Following Hussain’s warning about another attack, Raijin and the other 11 members of Ghost Security Group narrowed their searches to northern Tunisia, looking for signs of a follow-up. Raijin noticed the hashtag “#jerba” appearing in pro-Daesh accounts, a reference to the island of Djerba, 220km from Sousse. “The tweets didn’t feel right,” Raijin says. “So we dove in and started looking for areas of the town that might be another tourist hotspot that could make for a suitable target for another terrorist attack.”
Using Google Maps, Raijin says that the group identified Houmt El Souk, a popular market for European tourists, which had been mentioned in some tweets alongside threats, written in English, about a potential attack on a nearby synagogue. They gained access to two of the accounts (“You’d be surprised how many of accounts use ‘AllahAkhubar’ as a password,” he says), harvested their private direct messages and the IP addresses, which gave a geographical fix on the tweeters. They passed the information to Michael Smith, an adviser on terrorism to members of the US Congress, whom they’d read about online. Smith, in turn, passed the intel to the FBI.
A few days later, French media reported that four arrests had been made in Djerba in relation to a planned terror attack. Raijin and his colleagues wasted no time in claiming responsibility for the captures. They put out a statement. “Ghost Security Group detected multiple accounts on social media citing threats and co-ordinating what appeared to be an attack targeting British and Jewish tourists in Djerba, Tunisia,” it stated. “Information was forwarded to law enforcement and subsequently a total of 17 arrests were made and a terror cell… disrupted.”
Claiming glory in this way – against Smith’s advice – was risky, especially when the group had no way of knowing to what extent its information had led to the arrests. Smith, not wanting to deny Ghost Security Group its moment (or, perhaps, to discourage them from sharing further intel by doing so), showed a Newsweek journalist email correspondence in which a law- enforcement official verified that the intel had led to the arrests (something which, Smith says, resulted in a call from the FBI). It was enough to prove that hacktivists could have an effect; that their efforts could save lives. Suddenly, online vigilantes had a role model.
Five months after the beach attack in Tunisia, seven gunmen shot and killed 130 people in Paris. It was an act of vivid and appalling hatred. On November 18, five days after the spree, a video was posted to the official Anonymous YouTube channel. In it, a man wearing the group’s signature V for Vendetta mask, and with his voice distorted to conceal his identity, stated: “Hello, citizens of the world. We are Anonymous. It is time to realise that social media is a solid platform for ISIS’s communication as well as neutering their ideas of terror amongst youth. However, at the same time, social media has proved it is an advanced weapon. We must all work together and use social media to eliminate the accounts used by terrorists.”
Although vigilante outfits had been passing open-source intelligence gathered from pro-jihadi social-media accounts and forums to authorities for months (Ghost Security Group was founded on January 10, 2015, and existed in different forms and under different monikers before then), Anonymous’s message offered a rousing call to every young hacker who felt helpless when faced with harrowing news reports. “ISIS, we will hunt you and take down your sites, accounts, emails and expose you. From now on, there is no safe place for you online. You will be treated like a virus, and we are the cure,” the spokesman concluded.
A rallying hashtag – #OpParis – was created. Anonymous users set up a dedicated IRC channel filled with manuals for how anyone could get involved in taking the online fight to Daesh. As well as starter guides such as “How To Help”, these documents include tutorials for “Noob hackers”; lists of jihadi-related keywords to search for on social media; tutorials for how to report offensive material; how to mount DDoS attacks on jihadi websites in order to overwhelm them with traffic and take them offline; the names of specific people within Daesh to be on the lookout for, and even a dictionary of Arabic. There were video tutorials for “approved” members and know-your-enemy style links to Daesh’s own guides on how to improve online security and hack others.
Much of what followed was tinged with Anonymous’s brand of humour. One pro-Daesh website hosted on the dark web was replaced with a link to an online store that sold Viagra. The group declared December 11, 2015 “Troll Day” against Daesh, encouraging followers to Photoshop rubber ducks and goats into previously grotesque propaganda images, alongside the jeering hashtag #Daeshbags. Daesh, which itself has dedicated online teams around the world managing its messaging, responded in kind. “Anonymous hackers threatened in [a] new video release that they will carry out a major hack operation on the Islamic State,” the statement read. “Idiots.”
However, adventurous Anonymous members began to infiltrate Daesh social media networks and forums – but failed to alert authorities to the names of accounts they were using. In numerous cases, according to Smith, these rogue accounts became subjects of official investigation, distracting efforts away from genuine targets. In a video release, self-proclaimed members of #OpParis announced that they had alerted law enforcement to an alleged planned Daesh attack on a WWE wrestling event in Atlanta. The FBI publicly discredited the information, stating: “We do not have specific or credible information of an attack at this time.”
Misinformation soon curdled to infighting among members. Hacktivist “th3j35t3r” described the #OpParis campaign as a “comedy of errors”. On November 22, 2015, the Anonymous Twitter account joined in. “Seriously, after #OpISIS there have been too many fame whores,” one tweet stated. “It’s not about the follows or RTs. It’s about the truth. Have some integrity.”
These missteps added weight to criticisms of such well-meaning but amateur efforts. Besides – who cares about a few social-media accounts when people are being gunned down on beaches? The online vigilantes, however, knew only too well how much of an effect just one of their number could have in the terror arena. After all, Junaid Hussain, the hacker from Birmingham whom Raijin believed was triggering attacks through his Twitter messages, was a former Anon.
Hussain grew up in Birmingham but, like many of those involved in #OpParis, was raised on the internet. At the age of 15 he co-founded “TeaMp0isoN”, a hacker group with whom he operated under the moniker “TriCk”. Hussain’s activity, in his early days, was little more than digital vandalism, the hacker’s equivalent of daubing a penis on the side of a railway carriage. He first gained notoriety for publishing the name and addresses of members of LulzSec, the hacker collective renowned for breaching the security of high-value targets such as the CIA and Sony Pictures. Hussain’s crimes were serious, but tinged with the mocking irreverence of the teenage internet troll. He was jailed for six months, for example, for stealing the personal address book of former prime minister Tony Blair.
In time, Hussain’s work gained a political bent, often falling in line with pro-Palestinian causes. In 2011, for example, TeaMp0isoN claimed to have helped “clean Facebook” of more than 1,000 pages that, the group claimed, contained what it regarded to be racist or Zionist content. The operation’s targets also included British far-right groups such as the English Defence League. “I started usinghacking as my form of medium by defacing sites to raise awareness of issues around the world, and to ‘bully’ corrupt organisations and embarrass them via leaks,” he told the website Softpedia in 2012. “That is how I got into hacktivism.”
Although Hussain’s splinter group still rolled with Anonymous, a supposedly apolitical movement, he became increasingly zealous in his beliefs. Hussain was quoted inThe Daily Telegraph in 2012: “Terrorism doesn’t exist. They create the terrorism and fabricate it to demonise a certain faith.” At the time he claimed that TeaMp0isoN did not follow a particular religion or political group. After his arrest in 2012, however, he swapped the pro-Palestinian rhetoric (the avatar on his Twitter account, for example, displayed a child’s face decorated with a Palestinian flag) for a pro-Daesh stance (in his new Twitter avatar, Hussain looked down the sights of a machine gun aimed at the camera, his mouth covered with a black scarf).
Hussain arrived in Syria with his wife, Sally Jones, a former punk rocker from Kent, whom he reportedly met via Anonymous, in August 2014. “You can sit at home and playCall of Duty,” he tweeted from one of his many now-deleted accounts. “Or you can come here and respond to the real call of duty… the choice is yours.”
He became known as one of “The Beatles”, the four British jihadists nicknamed by western captives because of their British accents. As his standing grew, Hussain began to employ in the service of Daesh the skills and techniques that he’d learned as a teenage hacker working under the banner of Anonymous. In January 2015, he claimed credit for an audacious hack on the Twitter and YouTube accounts of the US Central Command, which co-ordinates strategy from the Middle East to Central Asia. On April 5, 2015, Hussain’s group, the Cyber Caliphate, seized control of a French television network for several hours in one of the highest-profile hacks of the year. These attacks mirrored those for which Anonymous was known.
The symmetry is not coincidental. “Counter-terrorism analysts have struggled, without much success, to discern some religious, economic or even psychological trend among the more than 30,000 foreign fighters who have joined the Islamic State,” says Emerson Brooking, a consultant to the New America Foundation. “What they most have in common is a sense of alienation and disempowerment in the places where they’ve grown up – a yearning for a greater purpose that they somehow find in the Syrian desert.”
This sense of alienation and disempowerment is shared by the hacktivists who now hunt Daesh. Both groups find their purpose in the equalising power of the internet. Both groups are attracted to the online fight both for and against Daesh that they are uniquely equipped to handle.
The ideological knife-edge on which many young hackers sit is no clearer demonstrated than in the circumstances surrounding Hussain’s death. On August 24, 2015 – less than two months after the foiled attack in Djerba – the US Department of Defense declared that the 21-year-old had been killed by a US drone strike outside Raqqa, Syria. “[Hussain] was involved in recruiting ISIL sympathisers in the west to carry out lone wolf-style attacks,” US Air Force Colonel Patrick Ryder told Pentagon reporters. “He had significant technical skills and expressed a strong desire to kill Americans… He no longer poses a threat.”
Two months later, a former member of Hussain’s childhood hacker group claimed to have been responsible for supplying the Department of Defense with a lead on Hussain’s location just before the strike. In a series of tweets posted in November 2015, the hacker claimed to have sent Hussain a link that, when clicked, inadvertently revealed his location. This drew the Sauron-like eye of the drone hovering in the sky above. If true, the anecdote shows how easily previously allied members of hacktivist groups can be recruited to opposing sides. If untrue, it reveals another wrinkle: in the amateur intelligence community, everyone wants to claim their place in history.
This was not their achievement,” says Mikro, regarding Ghost Security Group’s claim to have foiled the attack in Djerba. Mikro is founder of Control Sec and the man who claims to have coined the hashtag #OpISIS. “Sorry for my sharp reaction, but everyone I speak to asks about their role in that case. I am honestly a little fed up.” Mikro, who says that he is in his twenties and lives in Europe (his Telegram avatar shows, revealingly perhaps, a photograph of a dog at the wheel of a British police car), contradicts Raijin’s account of what happened in the foiling of the second Tunisian terror plot.
“It happened like this,” he says. “We got a tip from one of our sources in Tunisia who has a connection to Daesh that there was something going on. I guess they were pretty proud of the beach attack the week before, so they were starting to brag about their next move. We knew the name of the market and the fact a second attack was planned to target Jews.”
There was no searching of Twitter for the #jerba hashtag, Mikro says. Nobody guessed the password of incriminating Twitter accounts (“We did that kind of thing a while back, but the info is reachable for authorities so why waste time on it?”). Although, Mikro concedes, Control Sec and Ghost Security Group shared information “in the working environment” at the time, he also insists that all that the rival organisation did was pass his information on to Smith and the FBI.
When Ghost Security Group claimed responsibility for foiling the attack, Mikro was furious. “Working together was a bad move,” he says. “The fact that I have to sit here and sound like a big-headed idiot to get the story out there says enough, doesn’t it?” This wrangling for credit could be cleared up if the intelligence services were willing to publicly praise their informants. According to Raijin, however, this will never happen. “I don’t think any law enforcement would publicly admit they relied on information from hackers to stop a terrorist event,” he says. “It would either make them look crazy for trusting us, or embarrass them that we could find that information when they couldn’t.”
This scramble for credit reveals a contradiction at the heart of vigilante action. Young hackers often enter these groups hoping to gain prominence and glory for their successes, something to elevate their standing within a group where esteem can be measured in the primary currencies of our time, those dopamine-injecting “Likes” and “retweets”. Anonymous may benefit from anonymity, but the allure of fame and notoriety is equally powerful. Much intelligence work, however, is clandestine by design. Sources must be protected. Victories are often left unannounced so as not to reveal techniques and strategies to the enemy. Narcissists are a poor fit for intelligence services.
This lack of co-ordination between the amateurs and professionals creates deeper problems. Although police and others are generally in favour of removing harmful, jihadi-related content from the internet, unless this whitewashing work is co-ordinated, valuable intelligence can be lost. “For intelligence agencies interested in open-source-intelligence collection, the elimination of these accounts can be a source of frustration,” Emerson Brooking says. “Then, of course, there’s the issue that Anonymous has been responsible for the takedown of a large number of accounts that have absolutely nothing to do with jihadis: the websites of academics, activist and journalists. There is a significant hit-and-miss aspect to all of this.”
Twitter is adamant that it does not rely on vigilante information to monitor accounts. In a statement published last year, a company spokesperson said that the company is not using the lists generated by Anonymous, as research has found them to be “wildly inaccurate”. Another representative of a social media company, who asked for both her and her employer’s name to be withheld, was even clearer: “Tech companies ignore vigilante lists because they’re garbage,” she said.
Mikro disagrees. “That’s not even close to the truth,” he says. “Every day I see ISIS-related profiles that have been up for 12 to 16 hours. Seconds after we target them they go down.” To prove his point, he tells WIRED to watch the CtrlSec Twitter feed as he tweets out the names of jihadi Twitter accounts for his followers to report en masse. Just as he promised,
the accounts are taken offline shortly afterwards.
Maura Conway, a researcher at Dublin City University on the impact of violent online political extremism, also believes that social-media companies benefit from crowdsourced moderation. “Flagging activity has a fairly long history,” he says. “YouTube has a ‘trusted flagger’ programme, that allows agencies and individuals to fast-track the reporting and deletion of terrorist material.” Many believe, however, that Twitter, Facebook and the rest should do more, that their willingness to rely on their audience’s self-policing exacerbates the problems associated with vigilantism. Some, such as Brooking, have even suggested that social-media companies deputise and pay hacktivists who spend hours per day hunting and reporting ISIS accounts.
Whether it’s paid for or offered gratis, vigilante action is evolving. Mikro claims to work on OpISIS for 18 hours a day (he refuses to explain how he earns a living). Raijin spends much of his spare time loitering in ISIS-run Telegram message groups (“this second I am sitting in more than 100 ISIS Telegram channels writing variously in Arabic, Russian, Indonesian and English,” he tells WIRED), sifting through the messages which include links to YouTube videos on how to make bombs, or material that identifies targets in the Iraqi and Syrian armies, their faces circled in red on digital photographs. Raijin, Ghost Security Group’s technical lead, has developed tools with elaborate graphical interfaces that show, in pictorial terms, the connections that exist between individual suspects on the web, a substantial undertaking.
“We shed our ‘underground’ ways and now work within legitimate means,” he tells me. “In the old days you may have found someone DDoSing an ISIS website, or perhaps hacking into their social-media accounts or forums. In most countries, information obtained via those methods can’t be used in a legal procedure, so we needed to work above board. All the data in the world is useless if people won’t take it from you.”
Despite these efforts to professionalise their operations, it’s unlikely that any vigilante group, Anonymous or otherwise, will ever be able to work openly with intelligence agencies. “Even in the case of the best intentioned vigilantes, their co-operation with the US government could set a precedent whereby another nation such as Russia could justify its own use of organised trolls to stifle political dissidents,” Brooking says. “The world is currently united against ISIS, but future scenarios are unlikely to be this clear-cut.”
This absence of legitimacy does nothing to dampen the resolve of Mikro, who spends so many hours trying to stem the flow of propaganda. For him, the sense of community and belonging – the same traits offered by the terrorist group against which he works – is enough. “I take my inspiration from the people I do this with,” he tells me. “That is the driving power behind all this. That is enough of a pay-off.”