A Closer Look At Hacktivists Thwarting Terrorist Attacks

Hollywood and headlines are largely responsible for what we know about hackers. Also, factor in the unfortunate experiences of system administrators that have had the displeasure of cleaning up the damage they cause, and incident response teams trying to prepare for the next attack.


It’s no wonder why terms like “hacker” consequently accompany terms such as “criminal” and “threat.”


Assuming we have all had run-ins with scammers and have dealt with our fair share of malware, none of these actions taken by the majority speak for every hacker. Though we oftentimes rely on other terms such as “black hat” and “white hat” to simplify our understanding of who the good guys are, most people who possess the skillset and knowledge of hacking are abandoning this black and white identification system.


Take for example the DC comic vigilante Batman. Depending on who is driving the narrative, Batman is not a “white hat.” Rather, he is described as the “Dark Knight.” He is a criminal who takes the law into his own hands, but for good reasons.


He could be thought of as an archetypical “hacktivist” of sorts. Law enforcement is overwhelmed, and he has all the tools and technology at his disposal to help make the world a safer place. If the law enforcement had the opportunity, they have the right to arrest Batman. Until that day comes, they loosely tolerate him, because he backs the blue.



Cyber Vigilantes Who Thwarted Terrorist Attacks


Meet GhostSec. The group isn’t your typical hacktivists. This is something more, an evolution from the common caste of cyber activists who only seem limited to launching distributed denial of service (DDoS) attacks and defacing websites to make their statement known.


On the contrary, this is the group of cyber vigilantes who foiled terrorist attacks planned by a suspected Islamic State (ISIS) cell that targeted New York and Tunisia.


The group didn’t stop there. They went on to identify and expose one of ISIS’s funding mechanisms in the form of a bitcoin (BTC) address worth $3 million, at the time of its discovery.


To compound their war on ISIS, the hackers infiltrated ISIS message boards, launched attacks against websites belonging to ISIS and the Taliban, exposed their supporters and the identities of the propaganda pushers over social media - and this isn’t even the icing on the cake.


Terrorist groups have been put on notice. Its members allegedly receive at least 500 tips a day concerning suspected terrorist activities. The presence of GhostSec across the internet has helped to dismantle the online operations of radical jihadists.



Hackers Join The Fight Against Terrorism


Governments and counter-terrorism agencies have powerful tools at their disposal, but aren’t omniscient and consequently cannot reach every nook and cranny of the web. When faced with bureaucratic red tape which can slow progress with the threat of violence ticking like a time bomb, this hacker group has arisen to prominence in the war on terror and has made it their mission to disrupt and dismantle terrorist organizations.


“We’ve been hacktivists and fighting for what we believe in, especially fighting for the rights, for the people, and giving a voice to the voiceless, corruption in general, even if it’s corporate corruption, privacy invasion, things like that. It doesn’t have to be a country’s government being corrupt. Terrorism. [We fight for] a lot of things, whatever we believe is considered a threat that we can act somehow in our way,”

said Sebastian Dante Alexander, one of the group’s founders, using a voice modulator over an encrypted messenger channel.


Alexander, who also goes by the alias GhostSec420, started his journey into hacking back in 2013. It was during that time that he began wandering a lot deeper into a social media platform called Galaxy2.


There, he met a hacker known as gHost3301, whose Open Source Intelligence (OSINT) prowess and cryptography knowledge would come to inspire Alexander into pursuing a life of hacktivism, which, in turn, altered the trajectory of his life.


Soon after this fated encounter, Alexander and gHost3301 joined forces and would eventually come to found the group GhostSec and set their sights on ISIS, after the 2015 attacks on the French satirical weekly newspaper Charlie Hebdo, which was carried out by two French radical Muslim extremists that left twelve people killed and eleven injured.


The massacre left Alexander altered in a profound way. “Personally, it made me realize the even larger threats in the world [...] [and] opened my eyes to a whole new field as well OSINT,” he said and further added:


“And it hurt me to know about the people who got harmed from terrorist organizations and 'threats' in general. We decided to step in and support any way we can, doing what we enjoy at the same time.”

He wanted to help prevent future attacks. He took what he learned from gHost3301 and cultivated it into Operation: ISIS (OPISIS), which is an online operation in intelligence gathering and cyber-sabotage against ISIS and other terror cell groups.


“Intel gathering became our specialty,” he explained. “Even today, we are constantly gathering intel on any of the ‘threats’ that we recognize. Though OSINT isn’t our most prominent field now, it still holds a special place for us and we constantly continue with threat intelligence as a whole.”

They began attacking Twitter accounts associated with the ISIS Caliphate and defacing ISIS and Taliban websites. In one instance, they defaced an ISIS website and replaced the content with ironic Prozac ads, in addition to uploading offensive media, which they did for the lulz, a corrupted form for “laugh out loud.”


According to Alexander, these kinds of post-exploit tactics are used to demoralize their targets, which also sends a strong message that ISIS and the Taliban are no longer in control of these accounts.


“For example, ISIS, they realized, social media isn’t the best place to be. And we also stopped a bunch of recruiting from happening. So besides our 'lulzy' approach, we have done damage as well. It’s funny, but at the same time we definitely did damage.”

He went on, describing how GhostSec eventually evolved its tactical approach when targeting terrorist cells. “I remember [gHost3301] mentioning something about ‘taking down these accounts doesn’t actually help the people trying to find info and intel with it.’ So instead of just taking down accounts, we started watching the accounts, getting into group chats, infiltrating their group as much as possible,” he said and continued:


“When we take down accounts we also prevent recruiting. So besides just taking down accounts and defacing websites, we also put charity stuff on it. We are also watching every move we can watch. We were in group chats, many more.”

Furthermore, Alexander explained how GhostSec’s counter-terrorism operations progressed more effectively by carefully studying the accounts owned by ISIS or their affiliates, which, in turn, helped the group understand the unique way terror cells communicate with each other.


“For example, if a location is on one of these ISIS accounts, it's called a 'Beacon.' For example, if it says 'London' on the location for the Twitter handle. Normally, when people see that, they think, 'Ok, that’s where an attack is going to happen,' and that was our initial thought as well, back then," said Alexander.


“Over time, we realized it was called a 'Beacon' for where they are recruiting. If you messaged this guy, you knew this area, and you’re recruiting in this area. So we took things our way, instead of just taking down accounts and defacing websites,”

he explained.


“Gathering all the accounts was pretty tough, especially accounts that were still up. Once we did find them, we hoped it would stay up long enough so we could gather intel off of it. At one point we actually did gather enough intel to stop an attack, the attack in Tunisia. So finding intel has been our special approach to Operation: ISIS, and our approach to threat intelligence as a whole is unique compared to others,” Alexander shared.


By furnishing actionable results to law enforcement, government agencies were able to validate the information reported to them by the hacker group and thwart terrorist attacks, an unprecedented feat.


An article by

Jesse McGraw


Reporting was contributed by

London C. Edwards


Edited by

Ana Alexandre


Like this content? Subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!

532 views1 comment