Anonymous trolls ISIS
Photo source:
Operation Troll ISIS: inside Anonymous’ war to take down Daesh

Anonymous is holding an open-source hacktivisit war to undermine Daesh, subvert its recruitment and troll its leaders.

1On the sweltering morning of June 16, 2015, Selfeddine Rezgui ran a handful of gel through his hair, then snorted a line of cocaine.

College was over and Rezgui, a 23-year-old electrical engineering student from Gaâfour, in north-west Tunisia, had the day off. He piloted a boat to the beach at Port El Kantaoui in Sousse, 145km south of the Tunisian capital. As he disembarked, Rezgui looked just like any other young local: barefoot and dressed in swimming trunks and black T-shirt. He strolled through the wash, a parasol dangling from one hand, as he made a call on his white Samsung Galaxy smartphone. Moments later he threw the phone into the sea, as if skimming a pebble.

“Go now,” Rezgui told a few locals, as he continued his stroll. Then, at 12.10pm, the young man pulled a Kalashnikov from its hiding place inside the umbrella, raised the gun and began to fire, first at a paraglider overhead, swooning in the breeze, then at the tourists bronzing on sunloungers. Reguzi first swept the beach with gunfire before entering the nearby Imperial Marhaba Hotel, where, the night before, 565 guests had slept. At times he laughed through his drug-smeared haze, which perhaps caused him to forget the crude home-made bomb tucked in a belt slung around his chest. Twenty minutes after Rezgui fired his first bullet, armed police shot him in the street. During his brief rampage, he had claimed 38 victims. Thirty-nine more lay injured. As he lay dying, Rezgui seemed to reach for the bomb’s detonator, which had tumbled from his pocket on to the ground, a few metres away from 
his head. More shots. Then silence.

Somewhere in the middle of America, a man who calls himself Raijin Rising was sitting in his pyjamas at his desk in his home office when he saw the first breaking news report of the attack. Raijin opened Telegram, the encrypted messaging service, and set up a new chat room titled “Tunisia”. Then he issued an invitation for colleagues to join him there. Even before the full details of Rezgui’s attack had been reported, the chat began to fill with columns of troubling links – not to news stories describing the attack, but to Twitter posts celebrating its effects.

One message in particular gave Raijin cause for alarm. “What happened in Tunisia was just the starters,” read the tweet from Abu Hussain Al Britani, nom de guerre of Junaid Hussain, a notorious young British hacker who left his home town of Birmingham in 2014 to travel to Syria and join Daesh (also referred to in the west as “ISIS”, “IS” and “ISIL”), the militant jihadi group that had claimed responsibility for Rezgui’s attack on the beach.

“I had a theory,” Raijin told WIRED recently. “Hussain’s Twitter accounts would be silent for weeks or months. Then, whenever he started tweeting again, a major attack would immediately follow. I started to believe he was sending trigger messages.” In this context, Hussain’s next tweet was even more worrying. “Today you are scared to go on holiday,” it read. “Tomorrow you will be scared to step foot outside your door.”

Raijin opened Telegram and began to type: “There’s going to be another attack in Tunisia.”

anonymous isis

Rezgui never left his home country. This clean-shaven breakdancer, brought up in a moderate Muslim family, was instead radicalised online, specifically in the Café de la République, a Tunisian internet café where he was a regular. He is typical of many Daesh sympathisers around the world who have been turned to violence not through the words of local hate preachers, but rather inside online chat rooms: Daesh runs its own news service, employs online press officers and, in May, launched an Android app to teach children the Arabic alphabet and jihadi-related terms. It even uses hacker groups – including one that was, for a time, run by Hussain – to take down the websites of its enemies and flood the internet with images and videos of atrocities. In this way social media has become both an ideological battleground and a tool for the most effective recruitment-cum-incitement campaign of any terror group.

In recent years, the rise of terror groups that co-opt the internet as a medium for spreading hatred and ideology has been matched by an opposing army of young vigilantes. The energy of these groups has been sustained by the online outrage that follows each new attack by Daesh or al-Qaeda affiliates. Many grew up frequenting the same online communities from which Daesh plucks recruits. And, in recent months, these vigilantes have matched the organisational efforts of their Daesh counterparts.

Raijin was 19 years old when Saddam Hussein attacked Kuwait in 1990. “I was in college and we were all shitting ourselves thinking we were about to be drafted,” he says, having chosen, after a week of trust-building back and forth via email, to tell WIRED his story. “We were glued to CNN. Ever since that day I’ve been a geopolitics junkie.”

Years later, Raijin began to see news about a jihadist militant group called Daesh routinely appearing in his Twitter timeline. “There was so much information that wasn’t hitting the US news, so I started an ISIS watch list.” Shortly after that, Raijin heard about an Internet Relay Chat (IRC) channel – an invitation-only chat room – where members of Anonymous, the disparate hacktivist group, collated details of pro-Daesh Twitter accounts, then reported them to the social media company in batches. Raijin wanted to help. He began adding to the stream.

To sift through the mass of information, Raijin wrote some tools using Twitter’s API to capture the names of accounts that followed prominent Daesh members. He kept a database of pro-Daesh relationships, noting who tweeted what, when and which accounts, then shared those same tweets. After six weeks of sifting the intel, Raijin realised that the information he had gathered might be of greater use than as a mere tool for reporting Twitter accounts. “That’s when I heard about ‘IS Hunting Club’,” he says.

IS Hunting Club was one of the most prominent anti-Daesh accounts. It was run by a member of Ghost Security Group, a close-knit team of open-source intelligence gatherers. “I believe our youngest is 18 and our eldest is in his forties,” says Raijin. “We know very little about each other – it’s safer that way.”

anonymous isis troll

Following Hussain’s warning about another attack, Raijin and the other 11 members of Ghost Security Group narrowed their searches to northern Tunisia, looking for signs of a follow-up. Raijin noticed the hashtag “#jerba” appearing in pro-Daesh accounts, a reference to the island of Djerba, 220km from Sousse. “The tweets didn’t feel right,” Raijin says. “So we dove in and started looking for areas of the town that might be another tourist hotspot that could make for a suitable target for another terrorist attack.”

Using Google Maps, Raijin says that the group identified Houmt El Souk, a popular market for European tourists, which had been mentioned in some tweets alongside threats, written in English, about a potential attack on a nearby synagogue. They gained access to two of the accounts (“You’d be surprised how many of accounts use ‘AllahAkhubar’ as a password,” he says), harvested their private direct messages and the IP addresses, which gave a geographical fix on the tweeters. They passed the information to Michael Smith, an adviser on terrorism to members of the US Congress, whom they’d read about online. Smith, in turn, passed the intel to the FBI.

A few days later, French media reported that four arrests had been made in Djerba in relation to a planned terror attack. Raijin and his colleagues wasted no time in claiming responsibility for the captures. They put out a statement. “Ghost Security Group detected multiple accounts on social media citing threats and co-ordinating what appeared to be an attack targeting British and Jewish tourists in Djerba, Tunisia,” it stated. “Information was forwarded to law enforcement and subsequently a total of 17 arrests 
were made and a terror cell… disrupted.”

Claiming glory in this way – against Smith’s advice – was risky, especially when the group had no way of knowing to what extent its information had led to the arrests. Smith, not wanting to deny Ghost Security Group its moment (or, perhaps, to discourage them from sharing further intel by doing so), showed a Newsweek journalist email correspondence in which a law-
enforcement official verified that the intel had led to the arrests (something which, Smith says, resulted in a call from the FBI). It was enough to prove that hacktivists could have an effect; that their efforts could save lives. Suddenly, online vigilantes had a role model.

” I believe our youngest is 18 and our eldest is in his forties. We know very little about each other – it’s safer that way”
Raijin Rising, IS Hunting Group

Read more on Source