In 2004, Weisburd posted entries on Internet Haganah taunting Irhabi that succeeded in getting under the jihadist’s skin. “That pig hacked into my machine and destroyed the site,” Irhabi vented shortly after joining al-Ansar. A member of that site who sometimes worked in tandem with Irhabi posted Weisburd’s home address, promising vengeance. “By the way, Aaron,” Irhabi wrote a month later, “the new layout of your website looks … how do i put it? … SHITTY.” Irhabi posted the street address again in June, along with a photo of Weisburd and a copy of a death threat sent to his house. “To the Jewish asshole Aaron Weisburd,” it read. “This is our donation to you, either you close the website called Internet Haganah by next week or you will [be] beheaded.” This was followed by an image of a laughing face and “p.s. … I get to keep a finger or an ear . [a] little souvenir. ahahahahha.”
The threat convinced Weisburd that he was doing something right—as did a prior al-Qaeda “denial of service” attack against Internet Haganah, an illegal technique of sending so many requests to a Web site that it crashes. After that attack Weisburd quit his day job and decided to track his tormenters full-time. “The first threat I got was from a leader of al-Qaeda,” he said. “Once you internalize a threat like that, it’s downhill. A couple of years later, Hamas described me as a ‘virus.’ I was like: Nice of you to notice, guys.”
Abu Musab al-Zarqawi’s skill at using the Internet to promote his efforts is unmatched by any of his fellow terrorists—including Osama bin Laden and other leaders of al-Qaeda. Al-Zarqawi pioneered using an online press secretary—someone who, until early this year, when he seems to have faded away, went by the name of Abu Maysara al-Iraqi. Abu Maysara’s posts were widely held to be authentic transmissions from al-Zarqawi himself. When Irhabi was first observed online, in 2003, he had no apparent connection to al-Zarqawi’s network; he was just a self-starter who applied himself to solving problems. But when Abu Maysara posted links online, Irhabi would often set up mirror links immediately after.
One technique Irhabi used to create such sites was to find vulnerabilities in the File Transfer Protocol (FTP) servers that many organizations use to move cumbersome files around. Unbeknownst to the groups paying for those servers, Irhabi would dump his files there, thus saving the jihadists money and reducing risk. In July 2004, he showed off his prowess by uploading about sixty files, including videos of bin Laden and the 9/11 hijackers, onto an FTP server at the Arkansas State Highway and Transportation Department. Then, on al-Ansar, he posted links to the files. “Hurry to download,” he warned, anticipating that the files wouldn’t stay on the site long. He was right: Laura Mansfield, an analyst then working for the Northeast Intelligence Network, in Erie, Pennsylvania, soon spotted them and had them removed. Though pulled down in less than a day, the files lasted long enough for Irhabi to make a splash in The Washington Post. Days later, an al-Ansar member thanked him for all his hard work, referring to him as the “knight of jihadi media,” to which Irhabi responded, “haha … is this the new nickname? I am only the slave of God, the son of the slave of God.” Soon, Irhabi’s online groupies began tacking “007” onto their own screen names.
In October, Irhabi’s place in the jihadi firmament was confirmed when Abu Maysara posted a video of a suicide bombing in Iraq, and Irhabi posted mirrors six minutes later. “Long live the terrorist … Irhabi 007,” Abu Maysara exulted. “By God, your existence gladden[s] me, my beloved brother.” Abu Maysara’s direct endorsement was a rarity, Kohlmann says, and greatly increased Irhabi’s visibility. “Irhabi got the attention of the important people,” he adds.
The relationship between Irhabi and al-Zarqawi seems then to have deepened, and by the spring of 2005, Irhabi was playing a central role in al-Zarqawi’s PR network. Irhabi started running a host site that Kohlmann believes contained material received directly from al-Zarqawi’s people. If that’s true—and it’s hard to prove definitively, because copies can be made within seconds—there had to be coordination behind the scenes. Kohlmann discovered what may have been evidence of that coordination when he happened upon a Web site that Irhabi was in the process of building. Irhabi had left open a directory on his server, and Kohlmann found a file that was a draft of a Web site for al-Zarqawi’s group, Al-Qaeda in the Land of the Two Rivers. The site never went live. “We know there was communication,” Kohlmann said. “We just don’t know how much.”
Finally, though, Irhabi got too smart for his own good.
In July 2005, using a credit card stolen from someone with a Paris address, Irhabi placed an order with a Web provider in Los Angeles for a domain that consisted of thirty-seven digits, all zeroes and ones. Gregor Loock, who ran the service, processed the $72.92 order and paid little attention, thinking, Maybe some geek wants a Web site in binary code. Two days later, however, Loock received a request for a domain name with a slightly different string of zeroes and ones—and this time the order was put through on a credit card in the name of a woman in Britain. Suspecting fraud, Loock rejected the order, shut down the earlier account, and started perusing the backup files he’d made of the first site.
Loock’s suspicions deepened when he saw the names on some of the ZIP files: Fallujah, Samarra, and other cities he recognized from the news about Iraq. He couldn’t read the documents, which were in Arabic, but he could watch the videos. At first they seemed like footage he’d seen on TV about the insurgency, showing American forces under enemy fire. But these videos were different. “One of these martyrs was going to someone in the middle of the night, taping a belt to himself,” Loock said. “The man seemed to approach American soldiers, who opened fire, blowing him up.” Then it dawned on Loock: these videos were from the attackers’ point of view. He proceeded to do what is known as a “reverse DNS lookup,” running a trace on the IP addresses that had been used to upload the files, which turned out to come from Saudi Arabia and the United Kingdom.