3 June 2021

Exploring the digital jihadist underground on the Onion Router (TOR)

Miron Lakomy

Introduction
The emergence of the dark web at the beginning of the 21st century is considered to be one of the most significant developments in the history of the digital revolution. What was initially perceived as an experimental and legitimate response to the increased government control over the Internet has, in time, become a source of a broad spectrum of computer-related crimes. This was mostly caused by the fact that the Onion Router (TOR),[1] Invisible Internet Project (I2P), Freenet or—more recently—ZeroNet[2] provide users with a set of tools enabling anonymous and safe communication. The cybercriminal underground quickly realized that these technologies substantially facilitate the exchange of illicit goods, services, and content. Effectively, the dark web has become an online communication layer known not for the freedom of speech but rather for popular drug markets, firearm vendors, leaked databases, or illegal pornography.

Unique technical traits of the dark web have also attracted attention from Salafi-jihadist violent extremist organizations (VEOs) that are in constant search of new technologies allowing safer and more persistent communication with their sympathizers and members. They have experimented with this environment for more than a decade. One of the first to do so was al-Qaeda, as its affiliated message boards moved “under the surface” during the War on Terror. However, this trend has become increasingly visible since the advent of the Islamic State’s (IS) campaign, which maintained at least several services in TOR, including the infamous Isdarat. At the time, the popular Shumukh al-Islam message board was also available in this environment.[3] Moreover, recent reports suggest that terrorist organizations have also attempted to utilize the potential of the rapidly developing ZeroNet.[4]

In this context, it is quite surprising to note that the academic debate on the activities of Salafi-jihadist VEOs on the dark web is quite limited. In the last decade, only a few papers that discussed this problem were published in internationally recognized journals, and most of them were not even evidence-based. Therefore, this note aims to reinvigorate this discussion by briefly outlining the specificity of digital jihadist environments that were detectable with open-source intelligence (OSINT) tools in the Onion Router at the beginning of 2021.

In search for Salafi-jihadist propaganda on the dark web

The exploitation of the Onion Router by the Salafi-jihadist VEOs is usually perceived by academia as an essential means of propaganda dissemination,[5] but few examples prove that. Previous research shows that even at the apogee of the Islamic State’s online campaign in 2014-2015, this group was not very keen to exploit TOR on a massive scale. Aside from the aforementioned Isdarat, which was probably established in 2015 and constituted the most abundant repository of propaganda of Daesh (IS) on the dark web, there were only a few other .onion domains of the group available there.[6] At least one of them was dedicated to promoting audiovisual productions of the IS exclusively.

Another notable example of Salafi-jihadist propaganda dissemination in TOR is related to the Kavkaz Center (KC), one of the oldest and most popular Chechen extremist web pages. For a long time, this domain was engaged in proliferating releases of the Caucasus Emirate.[7] Analysis of dark web link collections (for instance, the Uncensored Hidden Wiki) shows that the KC has utilized the .onion environment for years. It also changed its addresses at least twice. However, at the beginning of 2021, all publicly available URLs of the KC proved to be inactive.

Also, the Syrian-based Hayat Tahrir al-Sham (HTS) was known for experimenting with the dark web. Its main surface website—TahrerSham (Figure 1)—has redirected users to a TOR address since at least 2020. Again, this .onion URL proved to be unavailable in 2021. Still, the evidence shows that it previously constituted a primary propaganda aggregator of the HTS, consisting of images of mujahideen, videos, and the group’s announcements.

Overall, the vast majority of digital jihadist propaganda repositories that operated on the dark web in recent years proved to be gone at the beginning of 2021. This is a surprising finding given that Salafi-jihadist VEOs’ dissemination strategies are focused on reestablishing communication channels blocked by law enforcement agencies. On the surface web, they usually reemerge in new locations almost instantly, which reminds us of a tedious whack-a-mole game.[8] Thus, a question arises: why is the same process not observable in the Onion Router? The current situation suggests that terrorist organizations largely abandoned propaganda distribution on the dark web, despite being very active on the surface and deep web.[9] Paradoxically, this activity may be the most important reason. Given the massive presence of Salafi-jihadist VEOs on the “clearnet,”[10] despite years of intensive countering violent extremism (CVE) programs, there may be simply no need to disseminate manipulative releases through TOR, which had only 8 million daily users in 2018.[11] In other words, exploitation of the more complicated and less popular dark web for this purpose makes little sense if masses of Internet users are still exposed to digital jihad elsewhere.

Figure 1. TahrerSham website that redirects visitors to the .onion domain

However, this does not mean that the Onion Router is utterly useless in facilitating access to Salafi-jihadist propaganda. On the contrary, evidence indicates that sympathizers of terrorist organizations have utilized at least some popular messaging boards and microblogs in TOR to learn about the whereabouts of some significant productions of violent extremist organizations. This trend was noticeable, for instance, on the Hidden Answers microblog that has experienced an upsurge of the followers of Daesh in 2014-2016. Their questions were usually met with adverse reactions from other users, but sometimes they were also provided with links to domains containing releases of the self-proclaimed “Caliphate” (Figure 2).

Figure 2. Inquiry related to the Islamic State’s propaganda on Hidden Answers

Facilitating terrorist activities with the dark web

The scarcity of Salafi-jihadist propaganda repositories in TOR does not mean that VEOs and their followers have not used it extensively for other purposes. To begin with, the Onion Router has served as an environment facilitating the organization of terrorist attacks. As mentioned above, it enables illicit arms trade on a massive scale. Guns can be ordered either from independent vendors (Figure 3) or through popular cryptomarkets. According to the study of Paoli et al., there were at least 18 markets that allowed gun sales in 2016. The same research identified 52 vendor accounts that were active at the time. The monthly gross revenue from these sales was estimated at $80,000. Aside from firearms, ammunition and explosives have also been sold on the dark web.[12]

Figure 3. Example of a TOR gun vendor website

Transactions are usually carried out in cryptocurrencies, namely Bitcoin (BTC) and Monero (XMR).[13] Moreover, these arms are usually shipped globally in a way that prevents their detection at the borders. On top of that, TOR is also full of weapon blueprints that can be downloaded and 3D printed, which sometimes constitutes a safer alternative for acquiring firearms necessary for terrorist attacks (Figure 4).

Figure 4. Example of a TOR website specialized in disseminating 3D gun blueprints

In this context, the ability to buy these weapons safely constitutes a significant opportunity for VEOs and their followers. There are known cases of terrorist attacks, such as the 2016 Munich shooting, in which lone wolves utilized weapons bought on the dark web.[14] Their interest in the illicit gun trade is also proven by the fact that at the beginning of 2021, at least one Salafi-jihadist gun vendor operated in TOR. This Arabic website has focused on selling arms, explosives, munitions, and even poisons, as available data shows. In order to access its closed message board, all interested users were required to register and contact its administrator via the encrypted Conversation app.

The dark web is also full of tutorials on how to organize terrorist attacks. One of the most popular terrorist instructions available there is the infamous al-Qaeda’s training manual. TOR websites also contain precise instructions on the elaboration of explosives, such as pipe bombs. This problem is especially visible in “mainstream” microblogs, which are frequently full of .onion links leading to these manuals. Their users also post “recipes” by themselves.

Moreover, Salafi-jihadist violent extremist organizations have attached great importance to raising their members’ and followers’ awareness of cybersecurity. Therefore, a significant emphasis in their dark web operations has been placed on distributing professional instructions on safe online communication and avoiding eavesdropping. There are two significant manifestations of this trend. On the one hand, the .onion pseudo domain has been utilized for years by the German-language Kybernetiq magazine, which constitutes the first professional Salafi-jihadist publication series focused on cybersecurity. It was launched in 2015 and is probably somehow affiliated with al-Qaeda in Syria.[15] It operates under three different TOR addresses, but their content is identical (Figure 5). There are several core functions of this domain. First, it is a repository of all issues of the magazine. Second, it serves as a blog for its editors. For instance, they publish articles devoted to various international events, such as the recent data leak of Chinese communist party members. Finally, they also follow, link to, and comment on the academic and media chatter that mentions Kybernetiq. Overall, the website remains one of the most valuable and professional sources of information related to maintaining cybersecurity standards among mujahidin. On the other hand, a similar website was also launched by the Islamic State’s affiliated Afaaq (Horizons) Electronic Foundation in 2018.[16] In contrast to other media offices of Daesh, this bureau is specialized only in producing professional cybersecurity instructions.[17] Thus, as expected, its .onion domain provided visitors with multilingual instructions on communicating safely on the Internet.

Figure 5. Kybernetiq’s TOR website

The Onion Router has also been utilized by wannabe jihadists who sought to get in touch with terrorist organizations. Collected evidence shows that hotspots of the TOR communication were treated as bulletin boards used by people looking for opportunities to get recruited (Figure 6). However, the efficiency of these attempts and the true motivations behind them remain unknown.

Figure 6. Example of the inquiry related to Salafi-jihadist recruitment on Hidden Answers

Finally, the Onion Router has also probably been exploited as an alternative option for funding terrorist operations by, at least, some VEOs. On the one hand, multiple scientific works and law enforcement reports indicate that terrorist organizations have utilized TOR for money laundering.[18] On the other, in 2020 and 2021, at least one .onion domain was seemingly engaged in crowdfunding the Islamic State’s activities. Its visitors were encouraged to send BTC to the advertised crypto-wallet (Figure 7). However, it should be stressed that this URL could also be operated by cybercriminals looking for an easy way to earn cryptocurrencies.

Figure 7. Islamic State’s crowdfunding website

Conclusions

To summarize, the current scale and specificity of digital jihadist activities in TOR suggest that disseminating propaganda in this environment has never been a priority for violent extremist organizations. There is simply no reason to invest time and resources in the dark web if Salafi-jihadists established a solid foothold on the surface web. Instead, however, VEOs and their followers seem to perceive the Onion Router as a facilitator of a broad spectrum of terrorist activities. The dark web offers easy access to illegal guns, explosives, ammunition, or manuals, which have already been utilized in terrorist attacks. TOR also contributes to raising Salafi-jihadist sympathizers’ awareness of cybersecurity and privacy on the Internet. Finally, the Onion Router seems to partially serve as a platform enabling terrorist activities to be funded. The true nature of these phenomena is, however, yet to be analyzed.
