The vigilantes trying to take down Islamic State online
Every evening after work, P checks her VPN connection and logs onto Twitter and Telegram to collect links of profiles and chats associated with the Islamic State (IS) group.
After carefully typing down a list of high and low-risk targets, she sends her colleagues an encrypted message on Telegram to cross-check her findings with theirs.
New MEE newsletter: Jerusalem Dispatch
Sign up to get the latest insights and analysis on Israel-Palestine, alongside Turkey Unpacked and other MEE newsletters
She is part of an independent vigilante collective called Katiba des Kuffars (KDK), or “Battalion of Infidels." The self-funded French group has been tracking the digital footprint of IS members and sympathisers since 2016.
Prompted by the 2015 Charlie Hebdo attacks in Paris, KDK members have been rummaging through social media platforms and encrypted chat services in an attempt to dismantle and survey IS presence online and prevent militant attacks.
Operating within a non-hierarchical framework, members, who use pseudonyms to protect their identities, juggle real-life responsibilities and jobs in with vigilante activities on which they can spend six hours a day.
But what motivates them to dedicate part of their lives to tracking down IS online? And how do their activities fare alongside large-scale state intelligence operations?
Guerrilla cyberwar
KDK says its members’ diverse socio-economic backgrounds, faiths, and languages are assets to their online hunts, which target channels from all over the world often administered and used by Arabic, Russian, English or French speakers.
“Our avatar will not miss prayer time and will be connected according to the time zone of the target,” another member of KDK explained to Middle East Eye.
Another prominent vigilante group, which asked to be identified as Ruth because of ongoing operations, told MEE they formed as a response to the many IS-inspired attacks in France.
“When you see a baby in the back seat of a car floating down a river, you don't stop and ponder the situation,” said L, a member of the group. “You jump in without thinking and rescue the infant.”
The two groups were initially part of a larger operation initiated by the global hacktivist collective Anonymous. Titled “#OPISIS”, the loosely knit operation dates back to 2014, when IS had a massive presence both in the digital and physical world.
But over time, groups have splintered off from Anonymous and further developed their modus operandi, often reorganising under different incarnations and changing their hunting strategy.
The Ruth member said his group stopped automatically reporting all IS-related channels they found, soon after they created their independent collective. Members came to realise that the longer an account remained active, the more they could learn about who was behind it.
By noticing patterns of behaviour, favourite words or phrases and images that could be tied to specific accounts on multiple platforms, Ruth realised its guerrilla cyberwar was more effective if turned into an intelligence-gathering operation.
Members of the group said it operates more by gathering intelligence that it sometimes hands down to security services rather than reporting the channels to service providers.
KDK, meanwhile, keeps channels of high interests under surveillance, while also focusing on reporting IS-related networks to service providers like Twitter or Telegram.
“To destroy the hive, you have to kill the queen,” said L. “If all you do is swat the worker bees, you'll never figure out where the hive is.”
Independent terrorism analyst Michael S. Smith II - who has previously collaborated with vigilante groups by helping them funnel information to security services - told MEE that he sees the strategic relevance of these independent groups.
'To destroy the hive, you have to kill the queen'
- Anti-IS vigilante
“Such groups have been very helpful to government agencies in the West, whose personnel have been tasked with identifying threats to public safety emanating from the cyber domain,” said Smith, who also teaches security at Johns Hopkins University in the US.
High-interest channels often include encrypted chat groups or accounts that can issue threats to civilians or that seem to be administered by key people from the militant group.
Channels that diffuse amateur propaganda or are administered by low-risk sympathisers are reported through a 24-hour bot system that spares the vigilantes from needing to comb through every channel.
These bots are also the fuel that keeps the hunting machine going, helping them with analysis, research and running the reporting servers without interruption.
Since the beginning of this year, KDK claims it has registered more than 3,700 Twitter profiles, out of which they automatically reported and took down 3,571. On Telegram, from the 600 channels registered, KDK took down 569 and kept nine under surveillance. On other platforms like Tam Tam, BCM or Riot, the group has found 1074 channels, kept 17 of those under surveillance and managed to take down 986.
But KDK says it has experienced great difficulties in keeping up with the digital expansion of IS.
“Jihadism, whether on the ground or in the digital world, knows no borders,” said one member.
A threat in the digital realm
At its peak, IS held territory the size of Great Britain in Iraq and Syria. To conquer that territory and rule over it, the group used social media platforms and encrypted chat services to recruit fighters, spread propaganda and coordinate attacks in Europe.
But since it lost control of all territory previously under its control in 2019, the group has left behind scattered sleeper cells on the ground and an extensive digital presence.
With most of the fighting moving from the real world to the digital realm, the conflict approach has also had to change.
For Michael Krona, an academic researching the IS media ecosystem at Malmo University in Sweden, the scattered online presence of IS makes it nearly impossible to fully clamp down on its activities.
“The IS sphere online is vast and the number of supporters and bot-systems is huge, so it will be difficult to reduce their activity this way, even if any attempt is appreciated,” the researcher, who spends hours every day monitoring IS-related channels, told MEE.
Despite past and recent efforts to push IS offline, the militant group continues to use the large data memory of chat services and popular social media platforms to disseminate propaganda, martyrdom notices, calls for new militant attacks and even instructions on how to craft bombs.
In February, shortly after the Streatham attack in the UK, official IS outlet Quraysh media used channels on a series of chat services to praise the attack and call for more.
Earlier this year, newly appointed IS spokesperson Abu Hamza al-Muhajir made his online debut by delivering a 37-minute address that was disseminated on chat services.
By weaponising online tools many use for social interactions, the online "Jihadosphere" has kept the group’s presence alive, fuelling its propaganda machine.
As a result, IS has quickly adapted to challenges faced online. Global offensive operations and intelligence-gathering organisations struggle to find an effective balance to fight the group’s interlinked communications network.
While some government agencies and institutions have collaborated with independent hunters, the vigilantes often work alone, on the sidelines of the cyberwar against the Islamic State group and without much coordination between each other or with state authorities.
“We are particularly careful not to interfere with or hinder ongoing operations on the part of institutional structure,” said one vigilante.
But at times, the groups battling IS online have felt that official state operations to tackle the militant group have hindered their own efforts.
“Open Source Jihad 1: Make a bomb in your mom’s kitchen” - such was the name, frequently used in the past, of a file shared in early February by an IS sympathiser on blockchain-based encrypted chat service BCM.
BCM was not always the platform of choice for IS supporters, but days after a November 2019 Europol operation that swept away over 5,000 Telegram channels linked to IS, the group started to reshape its robust online presence.
According to online vigilante groups that have been monitoring and hunting down such channels for years, the operation has made their work more difficult.
“The Europol event destroyed years of hard work building up trusted sock accounts that also got swept up in the destruction,” said L, the Ruth member. “It's a scattered mess for everyone, not only for the bad guys but for the good guys as well,” he added.
While it only took a couple of days for IS channels to resurge on Telegram, the ripple effects of the crackdown have prompted many IS sympathisers and members to migrate to lesser-known chat services like BCM, Tam Tam or Hoop.
Krona, the Scandinavian academic, says he has observed a change in the way IS operates online in the aftermath of the recent Europol operation.
“The result, unfortunately, made them even more active and more widespread,” Krona said.
“They were rather isolated on Telegram, but since then, they have been able to expand substantially and now have stable presence on many more apps,” he added.
Responding to an MEE request for comment, Europol press officer Claire Georges said the aim of the action was to disrupt IS online activity, not bring it down.
“It was anticipated that the shake-up of the pro-IS community in Telegram would prompt the move to other platforms,” Georges said.
She added that Europol continues to monitor the dissemination of militant propaganda online, flagging branded militant content to online service providers in a bid to help them build resilience on their own platforms.
While the operation affected how researchers and vigilante hunters conduct their activity, it also proved to make it more difficult for the militant group to coordinate.
“It seems like they are getting exhausted with being on several platforms at once,” said Amarnath Amarasingam, an assistant professor researching IS's online presence at Queen’s University in Canada.
Operation Glowing Symphony
The most recent Europol operation was far from the first carried out by state actors.
In January, the National Security Archive from George Washington University, through a freedom of information request, obtained documents that cracked open the details of the biggest cyber offensive the US government has ever acknowledged implementing.
Dubbed Operation Glowing Symphony, the 2016 undertaking was coordinated by secret joint task force ARES. Its central objective: intercept, slow down and dismantle the online IS communications architecture.
Michael Martelle, the National Security Archive researcher who got his hands on the documents, told MEE that while the operation made it slower and more expensive for Islamic State to share media at the same rate, it unveiled some key issues about the transnational cyberwar against the militant group.
“Exposure is costly in covert operations, and the loud nature of disruption versus passive surveillance means the likelihood of exposure is high,” he said.
“Some might say... that it's more prudent to remain passive collectors on adversary networks, passing intelligence to other arms of national security for action,” Martelle added.
'Militaries want to destroy and degrade while intelligence services want to collect information'
- Ralph Martins
By taking down central IS servers, cyber command operators like the ones working on Operation Glowing Symphony have been actually chipping away at the potential sources of information intelligence services and independent hunters used to garner information, Ralph Martins, CEO of US-based cybersecurity company RPM Consulting, explained.
“Militaries want to destroy and degrade while intelligence services want to collect information,” Martins said. “The constant struggle between the two often means that a victory for one is a setback - or at least a delayed victory - for the other.”
But regardless of what goes on in the world of official authorities, independent hunters like KDK have vowed to continue to put in hours of work every day to prevent the militant group from carrying out more attacks.
“We are just citizens doing whatever we can,” said P, via Telegram. “If we can save a life, we will try to.”
Middle East Eye delivers independent and unrivalled coverage and analysis of the Middle East, North Africa and beyond. To learn more about republishing this content and the associated fees, please fill out this form. More about MEE can be found here.