Loock went to the FBI’s Web site, which has a section for tips from the public, and filled out a form. No response. He called and spoke to an agent, who promised that another agent would be in touch. No response. He talked to his brother-in-law, who is in the Navy and forwarded the information to the CIA. No response. Eventually he contacted an agent at the Department of Homeland Security, and, as he put it, “things went pretty fast after that.” The agent visited Loock’s house with a computer specialist, and Loock handed over everything that he’d discovered: the credit-card numbers that he thought were stolen, the files, and his searches of the IP addresses.
Irhabi had slipped up the year before, too. In July 2004, in setting up a Web site to publish a threat against Italy, Irhabi had picked a service provider that added a time stamp, the identity of the registered user, and the user’s IP address whenever files were uploaded. Irhabi wasn’t using anonymizing software or a proxy server at the time, and he made the mistake of using the provider at least twice before he stopped. Meanwhile, cyber-jihadists and readers of Internet Haganah began reporting that Irhabi’s site was infected with a virus—news that prompted Aaron Weisburd and his associates to look at the pages’ source code, the programming language that tells a browser what to do. There they found two IP addresses.
Weisburd wrote a blog entry on Internet Haganah publicizing the concern, which exacerbated anxiety among the cyber-jihadists, who keep track of what analysts write about them. To prove that his computer was clean, Irhabi posted a screen shot of a virus-free run, with his IP address hastily blotted out each of the nearly two dozen times it was listed. One of Weisburd’s associates stared at the screen shot, found he could make out a number here and there, and managed to piece together a third IP address. The three addresses Weisburd now had were all different, but each turned out to be only one hop from a router in a London neighborhood known as Ealing. “Frequently, IP addresses are assigned dynamically,” Weisburd said, explaining the significance of this discovery. “If you’re Irhabi, you disconnect from the router and reconnect, and it reroutes in a way that gives you a new IP address. Irhabi was moving around on this small section of the network.” By July, the information had been sent to U.S. and British law enforcement, but to no apparent end. Eventually, in September 2005, Weisburd had had enough. “Irhabi 007 is in Ealing, England,” he announced on Internet Haganah. “Or at least that’s where the bastard was when we located him (a year and a half ago). Why nothing was done about him then—despite the fact that we had also acquired hundreds of pages from various Islamist forums where Irhabi 007 admitted to committing a broad range of computer crimes—this I cannot tell you.” But something was being done.
A month after Weisburd’s announcement, a young Swede born in Serbia-Montenegro was arrested in a Sarajevo apartment as he was preparing a suicide attack. The Bosnians called British authorities about the man and his co-conspirators, based on evidence seized during their arrest. Working off that tip, the British police converged on a basement apartment in a quiet, middle-class section of West London, just a few minutes’ walk from the Shepherd’s Bush tube stop on the Central Line—and only five stops away from Ealing. In the apartment, the police found and arrested Younis Tsouli, a twenty-two-year-old of Moroccan ancestry who lived there with his father.
Last November, New Scotland Yard announced eight charges against Tsouli based in part on what had been found on his computer: video slides about how to make a car bomb, and photos of Washington, D.C., that included an emergency van used to test chemical, radiological, biological, and nuclear material. That evidence, the indictment charged, along with more items discovered at the apartments of two other men (Waseem Mughal and Tariq al-Daour), gave rise to the “reasonable suspicion” that Tsouli was involved in “the commission, preparation or instigation of an act of terrorism”—a rocket bomb attack on an undisclosed location. Tsouli was also charged with conspiracies to commit murder, to cause an explosion, to raise money for terrorist purposes, and to obtain “property belonging to others” with stolen credit cards.
A few months earlier, New Scotland Yard had learned from the Department of Homeland Security about the two stolen credit-card numbers that had been given to Loock to set up the strange sites with names in zeroes and ones. When investigators later entered the credit-card numbers found during their West London raid into their database, the Loock numbers popped up as matches. Tsouli, they realized with excitement, might well be Irhabi 007.
In February one of the terrorist-monitoring groups, the Search for International Terrorist Entities Institute, went public with the claim that Tsouli had been “recently revealed to be the infamous ‘Irhabi 007’ himself—a hacker whose “teachings and contributions to the jihadi Internet community reigned unparalleled until the summer of 2005.” A source close to the case has since discovered that Tsouli, who doesn’t speak Arabic fluently, was working in tandem with his alleged co-conspirators, Mughal and al-Daour, and perhaps others. The director and co-founder of SITE, Rita Katz, noted the volume of Irhabi’s posts, many of them “very time-consuming uploads,” and the numerous requests he fielded from the al-Ansar community as evidence that “he could not have been a one-man operation.”
At a preliminary hearing in May, Tsouli and his fellow suspects appeared by video link from the top-security prison in southeast London where they’re being held. Wearing a white T-shirt and jogging pants, Tsouli sat between Mughal and al-Daour, folding his arms over his chest and slouching in his chair. He showed little reaction to the procedural matters being discussed, uncrossing his arms only to muffle his laughter with his hand at something one of his companions said.