By Brian Krebs
washingtonpost.com Staff Writer
Thursday, July 5, 2007 2:34 PM
The global jihad landed in Linda Spence's e-mail inbox during the summer of 2003, in the form of a message urging her to verify her eBay account information. The 35-year-old New Jersey resident clicked on the link included in the message, which took her to a counterfeit eBay site where she unwittingly entered in personal financial information.
Ultimately, Spence's information wound up in the hands of a young man in the United Kingdom who investigators said was the brains behind a terrorist cell that sought to facilitate deadly bombing attacks against targets in the United States, Europe and the Middle East.
Investigators say Spence's stolen data made its way via the Internet black market for stolen identities to 21-year-old biochemistry student Tariq al-Daour, one of three U.K. residents who pleaded guilty this week to a terrorism charge of using the Internet to incite murder.
Much has been written about radical Islamic groups' use of the Internet to propagandize and recruit new members. The U.K. investigation, however, revealed a significant link between Islamic terrorist groups and cyber crime, and experts say security officials must do more to understand and confront cyber crime as part of any overall strategy for combatting terrorism.
Investigators in the United States and Britain say the trio used computer viruses and stolen credit card accounts to set up a network of communication forums and Web sites that hosted everything from tutorials on computer hacking and bomb-making to videos of beheadings and suicide bombing attacks in Iraq.
"In a sense, these guys were operating an online dating service for al-Qaeda," said Evan Kohlmann, a counterterrorism expert who runs GlobalTerrorAlert.com. "They were among a very small group of individuals who had successfully made the leap from ad hoc terror cell to something close to al-Qaeda simply by using the Internet."
Authorities said another member of the trio, 24-year-old law student Waseem Mughal, was found with a computer containing a 26-minute video in Arabic featuring instructions on preparing a suicide bomb vest, along with a recipe for improvised explosives.
The third and perhaps most well-known member of the group, Moroccan-born Younes Tsouli, 23, grew adept at setting up sites to host massive video files and other propaganda. Investigators said he eventually became the de facto administrator of the online jihadist forum Muntada al-Ansar al-Islami, at one time the main Internet public relations mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's former leader in Iraq.
The trio maintained their innocence throughout most of their trial over the past few months. This past week, however, all three changed their pleas to guilty. The men were sentenced Thursday to prison terms ranging from six-and-one-half to ten years.
"These three men, by their own admission, were encouraging others to become terrorists and murder innocent people," said Peter Clarke, head of Scotland Yard's Counter Terrorism Command. "This is the first successful prosecution for inciting murder using the Internet, showing yet again that terrorist networks are spanning the globe."
According to documents obtained by washingtonpost.com, the three men used stolen credit card numbers to make purchases at hundreds of online stores, armed with shopping lists of items that fellow jihadists might need in the field. Authorities also say the men laundered funds from stolen credit card accounts through more than a dozen online gambling Web sites.
washingtonpost.com received information about the U.K. case from two law enforcement officials involved in the investigation; both requested anonymity out of concern that speaking on the record might jeopardize ongoing investigations.
Following the Trail
Investigators zeroed in on the three U.K. residents in October 2005, following a tip from Bosnian authorities. Officials there had just arrested Mirsad Bektasevic, a 19-year-old Swedish national of Bosnian origin, and Abdul Cesur, a 21-year-old Danish man of Turkish heritage, as the two were preparing for a bomb attack on European soil. Bektasevic and Cesur were found in possession of nearly 44 pounds of plastic explosives. Also included among their possessions was a video of the two men in ski masks armed with improvised explosive devices.
Such a cache, if armed properly, would have had the potential to inflict massive casualties in a coordinated suicide bombing. In the July 2005 attacks against London's transport system that killed 52 people and injured more than 700, each of the four suicide bombers carried just 10 pounds of explosives concealed in backpacks.
The video seized by Bosnian police was a message from Bektasevic and Cesur meant to be seen after the two had conducted their attack. In it, they said they planned to attack sites in Europe to punish nations that had aided in the invasions of Afghanistan and Iraq. The two were later convicted of plotting to blow up an unidentified European target and sentenced to more than 13 years in prison.
Police were able to draw a connection between the Bosnian duo and the U.K trio because Bektasevic had saved one of the men's phone numbers on his cell phone.
Later that month, British authorities raided Tsouli's basement apartment in West London. Tsouli was reportedly arrested while logged on to the Web site "youbombit.r8.org" using the online identity "IRH007."
It wasn't until weeks after his arrest that U.S. and U.K. police learned that Tsouli was the individual who until then was known to counterterrorism officials only as "Irhabi007." As Irhabi -- literally "terrorist" in Arabic -- Tsouli was thought to have hacked into dozens of Web sites. He then used the sites to host huge computer files, mostly videos of beheadings and suicide bombings filmed in Iraq. Irhabi007 also spent a great deal of time creating and disseminating tutorials on hacking and hiding one's identity online.
Investigators say Tsouli later began using stolen credit card numbers and identities to buy Web hosting services. According to data gathered by U.S. officials, Tsouli and his two associates used at least 72 stolen credit card accounts to register more than 180 Web site domains at 95 different Web hosting companies in the United States and Europe.
Rita Katz, director and co-founder of the SITE Institute, which gathers intelligence on jihadist activity by monitoring dozens of online forums, said the evidence unearthed from items seized from Tsouli's arrest revealed that he had helped to create an online network used by jihadist cells across the globe to exchange information, recruit members and plan attacks.
On Tsouli's laptop, authorities said they found a folder named "Washington" that contained short, video clips of the U.S. Capitol grounds, the World Bank building, a hazardous chemical response vehicle, and fuel tank storage facilities in the Washington metropolitan region. Also on the laptop were instant message chat logs and a PowerPoint presentation detailing how to construct a car bomb.
Five months later, U.S. investigators would arrest two men in the Atlanta area for allegedly working with Tsouli and others to produce the videos discovered on the laptop. In June 2006, Canadian authorities arrested 17 people and charged them with attempting to blow up targets in Canada. Katz, whose institute has worked with investigators in this and other Internet-related terrorism cases, said the two Americans and the members of the Canadian group had all communicated with one another on a jihadist Internet message board.
Masters of Cyber Crime
If Tsouli was the ideological leader of the group, al-Daour was the financier and logistics coordinator. On one computer seized from al-Daour's West London apartment, investigators say they found some 37,000 stolen credit card numbers. Alongside each credit card record was other information on the ID theft victims, such as the account holder's address, date of birth, credit balances and limits.
All told, investigators said al-Daour and his compatriots made more than $3.5 million in fraudulent charges using credit card accounts they stole via online phishing scams and the distribution of Trojan horses -- computer programs embedded in innocent-looking e-mail messages or Web sites that give criminals control over infected computers.
Authorities said both al-Daour and Mughal compiled shopping lists for items that fellow jihadists might need for their battle against the American and allied forces in Iraq, including global positioning satellite (GPS) devices, night-vision goggles, sleeping bags, telephones, survival knives and tents. Records show the men had purchased other operational resources, including hundreds of prepaid cell phones, and more than 250 airline tickets using 110 different credit cards at 46 airlines and travel agencies.
Al-Daour also allegedly laundered money through online gambling sites -- using accounts set up with stolen credit card numbers and victims' identities -- running up thousand-dollar tabs at sites like AbsolutePoker.com, BetFair.com, BetonBet.com, Canbet.com, Eurobet.com, NoblePoker.com and ParadisePoker.com, among others. All told, al-Daour and other members of the group conducted 350 transactions at 43 different online wagering sites, using more than 130 compromised credit card accounts. It didn't matter if they lost money on their wagering. Winnings were withdrawn and transferred to online bank accounts the men controlled.
Investigators in the United States and abroad spent hundreds of hours tracking the trio's financial activities across thousands of merchants in more than a dozen countries. But many of the details in this story about how the three U.K. residents financed their operation were never presented in court.
In May, the magistrate overseeing the trial, Justice Peter Openshaw, interrupted the proceedings with a statement that observers said stunned prosecutors for the Crown. "The trouble is I don't understand the language. I don't really understand what a Web site is."
Ultimately, the three men were convicted on the strength of evidence showing they had incited others to commit terrorist acts, rather than any evidence of cyber crimes. But one investigator who worked on the case said the story of how the three men funded their operations needed to be told because it serves as an indicator of methods other start-up terror cells either have already adopted or are likely to latch onto going forward.
"There is no law enforcement agency in the world that, if this wasn't a terrorism financing case, would follow up on this," one investigator said. "They just don't have the resources."
The Counter-Terrorism Challenge
Kohlmann said Irhabi and his alleged compatriots beginning in 2003 laid the groundwork for the Internet strategy that al-Qaeda and like-minded organizations would adopt over the next few years.
"Many Muslim men, a number of whom are living in the U.S. and the Middle East, see themselves at war with society and aspire to be part of a larger group," Kohlmann said. "It seems far-fetched that someone living in London who has never been to Iraq could suddenly become a key player, but Irahbi did. The power of the Internet means that people who don't ordinarily fit the terrorist profile can now be part and parcel of it."
Aaron Weisburd, who directs Internet Haganah, a Web forum dedicated to tracking pro-terrorist Web sites online, said cyber crime and credit card fraud have been a steady subplot underlying most of the terrorist-related sites he's tracked online since 2002.
In a recent analysis, Weisburd examined a number of Internet sites residing on a Web server also used to host a jihadist site. Weisburd said he found numerous counterfeit online banking sites, the sort typically set up by scam artists to steal personal and financial data from consumers.
"In short, the terrorist Web site was the most legitimate site on the server," Weisburd said. "In an age when people sign themselves up for the cause and make a good faith effort to try and kill people, credit card fraud and identity theft is a crime [terrorist sympathizers] can get into from the privacy of their own home. Pretty much wherever there are jihadists active online, you will also find guys engaged in online fraud."
Weisburd said credit card fraud and the cyber crime methods that facilitate it are ideally suited for upstart terror cells seeking funding. The Carbondale, Ill.-based activist said he also sees a great deal of overlap in membership between the Arabic-language online hacking forums and those of the online jihadist community.
"If they don't know how to get started in online fraud, these guys can find all kinds of support from people who will gladly teach them how to do it."
If Tsouli helped to pioneer a number of methods for the jihadist forums, jihadist groups have since moved their Internet operations further underground. Experts said most of the major forums have since consolidated their operations into small number of password-protected forums known as the Al Fajr Center.
"By keeping the number of primary source jihadist Web sites small, online ideologues and leaders of various jihadist groups can provide a seamless way to authenticate their communications, allowing forum participants to instantly tell the difference between official and fake communiques posted to the forums," Katz said.
Still, Katz said, Irhabi's legacy lives on. His hacking and anonymity tutorials are widely traded on jihadist forums, and variations on "Irhabi" -- such as Irhabi008 and Irhabi009 -- remain some of the most popular screen names on those sites.
Groups that monitor jihadist Web sites and chat rooms say most operate almost entirely using infrastructure and commercial services based in the United States. While some anti-terror groups advocate an aggressive dismantling of U.S. based jihadist networks, others say U.S. intelligence services need to do more to infiltrate and learn from them.
"We need to better understand who the primary actors are on these sites and chat rooms, as well as the nexus between where these people are in the cyber and physical world," said Frank J. Cillufo, director of the Homeland Security Policy Institute at The George Washington University. "Sure, people will say and do things in the cyber environment that they probably wouldn't do face-to-face, but the question is when does it morph from talk into action? We need to better understand the trigger points that move these participants from sympathizer to activist to indiscriminate violence."
In testimony submitted in February at a hearing in the House Armed Services Committee, the SITE Institute presented several recent case studies where jihadist forum participants or administrators transitioned from online activists to combatants fighting U.S. coalition force in Iraq and Afghanistan.
"U.S. authorities must continue to study the Internet as a vital battleground in the war on terror and undertake further efforts to combat jihadists on this front," Katz said. "Delving efficiently into the online world of jihadists will be one significant step in the war on terror."