Three Worked the Web to Help Terrorists
British Case Reveals How Stolen Credit Card Data Bought Supplies for Operatives

By Brian Krebs
washingtonpost.com Staff Writer
Friday, July 6, 2007

The global jihad landed in Linda Spence's e-mail inbox during the summer of 2003, in the form of a message urging her to verify her eBay account information. The 35-year-old New Jersey resident clicked on the link included in the message, which took her to a counterfeit eBay site where she entered personal financial information.

Spence's information wound up in the hands of a man in Britain who investigators say was the brains behind a cell that sought to facilitate bombings in the United States, Europe and the Middle East.

Investigators say Spence's stolen data made its way via the Internet black market for stolen identities to a 21-year-old biochemistry student, Tariq al-Daour, one of three British residents who pleaded guilty this week to using the Internet to incite murder.

Much has been written about how radical Islamic groups use the Internet to distribute propaganda and recruit members. The British investigation, however, revealed a significant link between Islamic terrorist groups and cyber-crime, and experts say security officials must do more to understand and confront cyber-crime as part of any overall strategy for combating terrorism.

Investigators in the United States and Britain say the three used computer viruses and stolen credit card accounts to set up a network of communication forums and Web sites that hosted such things as tutorials on computer hacking and bomb-making, and videos of beheadings and suicide bombings in Iraq.

Authorities say one of the men, Waseem Mughal, a 24-year-old law student, was found with a computer containing a 26-minute video that included instructions in Arabic for preparing a suicide-bomb vest and a recipe for improvised explosives.

The third and perhaps best-known of the group, Moroccan-born Younes Tsouli, 23, became adept at setting up sites to host huge video files and other propaganda. Investigators said he became the de facto administrator of the online jihadist forum Muntada al-Ansar al-Islami, which once was the main Internet public relations mouthpiece of Abu Musab al-Zarqawi, the leader of al-Qaeda in Iraq who was killed last month.

The three men maintained their innocence during their trial over the past few months. This week, however, they changed their pleas to guilty. They were sentenced yesterday to prison terms ranging from 6 1/2 to 10 years.

According to documents gathered by law enforcement officials, the three men used stolen credit card numbers at hundreds of online stores to buy items that fellow jihadists might need in the field. Authorities also say the men laundered money from stolen credit card accounts through more than a dozen online gambling sites.

Two law enforcement officials involved in the investigation provided information about the British case on the condition of anonymity out of concern that speaking on the record might jeopardize current investigations.

Investigators zeroed in on the three British residents in October 2005, following a tip from Bosnian authorities who also were investigating terrorism. British authorities raided Tsouli's basement apartment in West London. He was reportedly arrested while logged on to the Web site "youbombit.r8.org" using the online identity "IRH007."

It wasn't until weeks after his arrest that U.S. and British police learned that Tsouli was the person previously known to counterterrorism officials only as "Irhabi007." As Irhabi -- "terrorist" in Arabic -- Tsouli was thought to have hacked into dozens of Web sites to host huge computer files, mostly videos of beheadings and suicide bombings recorded in Iraq. Irhabi007 also spent a great deal of time creating and disseminating tutorials on hacking and hiding identities online.

Investigators said Tsouli later began using stolen credit card numbers and identities to buy Web hosting services. According to data gathered by U.S. officials, Tsouli and his two associates used at least 72 stolen credit card accounts to register more than 180 domains at 95 different Web hosting companies in the United States and Europe.

Rita Katz, director and co-founder of the SITE Institute, which gathers information on jihadist activity by monitoring online forums, said the evidence unearthed from items seized from Tsouli's arrest revealed that he had helped to create an online network used by jihadist cells across the world to exchange information, recruit members and plan attacks.

On Tsouli's laptop, authorities said, they found a folder named "Washington" that contained short video clips of the U.S. Capitol grounds, the World Bank building, a hazardous chemical response vehicle and local fuel storage facilities. Also on the laptop were instant message chat logs and a PowerPoint presentation detailing how to build a car bomb.

On a computer seized from al-Daour's West London apartment, investigators said they found 37,000 stolen credit card numbers. Alongside each credit card record was other information, such as the account holders' addresses, dates of birth, credit balances and credit limits.

Investigators said al-Daour and his compatriots made more than $3.5 million in fraudulent charges using credit card accounts they stole via phishing scams and the distribution of Trojan horses -- computer programs embedded in innocent-looking e-mail messages or Web sites that give criminals control over infected computers.

Spence, the New Jersey woman whose information was among the data seized from the men, said thieves made $2,000 in fraudulent charges to her account, all at a business based in Portugal. "I'm just mortified to think that my stolen information had any type of connection with terrorism," Spence said.

Authorities said both al-Daour and Mughal compiled shopping lists for items that fellow jihadists might need for their battle against U.S. and allied forces in Iraq, including global positioning satellite devices, night-vision goggles, sleeping bags, telephones, survival knives and tents. Records show the men purchased other operational resources, including hundreds of prepaid cellphones, and more than 250 airline tickets using 110 different credit cards at 46 airlines and travel agencies.

Al-Daour also allegedly laundered money through online gambling sites, using accounts set up with stolen credit card numbers and victims' identities, and ran up thousand-dollar tabs at such sites as AbsolutePoker.com, BetFair.com, BetonBet.com, Canbet.com, Eurobet.com, NoblePoker.com and ParadisePoker.com. Al-Daour and other members of the group conducted 350 transactions at 43 different online wagering sites, using more than 130 compromised credit card accounts. Winnings were withdrawn and transferred to online bank accounts the men controlled.

Investigators in the United States and abroad spent hundreds of hours tracking the financial activities of the three men across thousands of merchants in more than a dozen countries. The case against them relied on evidence that they had incited others to commit terrorist acts, rather than evidence of cyber-crime. But one investigator who worked on the case said the story of how the three men funded their operations is an indicator of methods that other terrorist cells either have already adopted or are likely to.

If Tsouli helped pioneer a number of methods for the jihadist forums, jihadist groups have since moved their Internet operations further underground. Experts said most of the major forums have consolidated their operations into a small number of password-protected forums known as the Al Fajr Center.

Still, Katz said, Irhabi's legacy lives. His hacking and anonymity tutorials are widely traded on jihadist forums, and variations on Irhabi -- such as Irhabi008 and Irhabi009 -- remain some of the most popular screen names on those sites.


© 2007 The Washington Post Company