With the loss of training camps in Afghanistan, terrorists have turned to the Internet to find and train recruits. The story of one pioneer of this effort—the enigmatic “Irhabi 007”—shows how
On May 11, 2004, a link to a five-and-a-half-minute video appeared on the Web site Muntada al-Ansar al-Islami, or the Forum of the Islamic Supporters. Announced with the words SHEIKH ABU MUSAB AL-ZARQAWI SLAUGHTERS AN AMERICAN INFIDEL, the video featured the now-notorious beheading of the American contractor Nicholas Berg. Initially sent from a computer that was probably somewhere in Iraq, the video was copied onto Internet sites and within twenty-four hours had been downloaded half a million times. With the slash of a knife, al-Zarqawi had pulled off the most successful online terrorist PR campaign ever.
It was no small feat. A terrorist intent on eluding capture can’t simply walk into an Internet café in Baghdad or Fallujah and broadcast a video of his exploits to the world. Once that video is posted online and recognized for what it is, the site carrying it may get shut down by government officials, private hackers, or host servers hoping to avoid public outcry. And even if none of those things happens immediately, the site may receive so much traffic all at once that it simply crashes. Al-Zarqawi’s success was possible because he had anticipated the importance of the Internet—an increasingly important weapon in the global terrorist arsenal. Which is where “Irhabi 007” comes in.
Irhabi 007—presumed to be a man, because irhabi in Arabic means “terrorist” and refers to a single male—was first observed in 2003, on two jihadi Web sites. The sites focused on how to commit cyber-crimes, and one of them also disseminated pages of a “jihad encyclopedia”—a compendium of violence collected by al-Qaeda in Afghanistan that included detailed instructions on how to use agricultural chemicals as weapons of mass destruction. “I don’t know how old he was, or whether he was male or female, but you got the impression of a teenager,” one analyst told me. “Occasionally he used Arabic, but not much, which suggested he might be using a machine translator. He started out as a bit of a loudmouth, one of those cheerleaders who would go around cheerleading global terrorism.”
Those two sites disappeared in 2004, and Irhabi relocated to al-Ansar, the site where the Berg video was posted. In his early days there Irhabi’s skill set seemed limited. He posted links to run-of-the-mill articles in English and Arabic, and translated the English headlines into Arabic. An article about al-Qaeda’s claim of responsibility for the Madrid train bombings was punctuated with a smiley face; the downing of a U.S. helicopter in Baghdad merited the invocation “God is Great!” Irhabi’s enthusiasm, as measured by the abundance of his posts, earned him the computer-generated title of “distinguished member.”
When Irhabi first turned up on the site, a member of the forum suspected that he was accessing Web pages with his personal IP address—a rookie mistake—and warned him to stop. (Every computer on the Internet bears a numerical code, known as an Internet Protocol, or IP, that acts as an “address” for packets of data traveling to and from the host server. An IP identifies the location of a computer, and by extension its owner, just as surely as a return address on an envelope identifies the home of a sender.) Irhabi took the advice and learned fast. Within months he was dispensing advice himself: he provided security tips on how to avoid detection online; distributed anonymizing software that masks a computer’s actual IP address; and emphasized the importance of using a proxy server, which acts as an intermediary between a user and a host server, and can also be used to mask the user’s identity.
Right from the start Irhabi was determined to make himself useful. On the al-Ansar site he posted maps of Israel, Navy SEAL guides on sniper training, CIA manuals on making explosives, and other intelligence that he’d found online, especially if it concerned Iraq. American soldiers stationed in the country had begun writing blogs about their lives there and were posting photos and videos online. Irhabi wanted to mine those blogs for information about U.S. forces in the country—and he realized how effectively that information could be incorporated into the homemade videos that are the lifeblood of online jihadi forums. “I’m looking for soldier footages from within U.S. bases etc.,” he wrote in March 2004. “That’s the fish I want to catch.” (The U.S. military eventually took measures to protect some of the information.) The next month, he pointed a member toward instructions on how to make smoke bombs, and he illegally distributed software on al-Ansar that included tools for hacking, noting that the tools were “quite complex” for “Newbies.” His efforts did not go unrecognized. “The hero,” one member gushed about Irhabi in a typical post. “God salutes you.” To which Irhabi responded, “Hero? I am only half a man now.”
Soon Irhabi’s reach and reputation extended far beyond the al-Ansar community. In the fall of 2005, the Terrorism Research Center—an independent organization, based just outside Washington, D.C., in northern Virginia, whose far-flung experts provide intelligence on global security to governments and private companies—published a report on Irhabi that described him as “heavily involved in maintaining al-Qaeda’s online presence.” The TRC reported that Irhabi had posted videos of beheadings and attacks by insurgent groups in Iraq, as well as clips released by the al-Sahab foundation, considered by many analysts to be al-Qaeda’s production company. It added that Irhabi had registered one of his Web sites under the name, phone number, and address of an American lieutenant deployed in Iraq.
Irhabi was part of a new and growing terrorist vanguard. After 9/11 and the American bombing campaign in Afghanistan, al-Qaeda lost much of its infrastructure. No longer able to recruit in plain sight, its strategists recognized that the Internet could become a vast global recruiting ground—in effect, a new, borderless Afghanistan. The shift of emphasis to online activity, the TRC report asserted, gave al-Qaeda a powerful new means of exercising “command and control over its amorphous network.” And al-Qaeda also realized that in jihadi chat rooms it could find precisely what it most needed to maintain its ranks of recruits and suicide bombers: impressionable young Muslim men (and some women), many of them second-generation immigrants living in the United States and Europe.
As a central figure in this new effort, Irhabi was becoming an asset to terrorists worldwide. One cyber-terrorism consultant, the Irhabi-tracker Evan Kohlmann, went so far as to call him “the AT&T of al-Qaeda.”
As Irhabi worked to build himself up, Aaron Weisburd resolved to take him down. A computer programmer by training, with expertise in Web development, Weisburd began tracking online jihadists in 2002 from his home office in Carbondale, Illinois. When I visited him there this past year, two days before he celebrated Passover, he had hung a giant American flag from a window so that I couldn’t miss the house. He lives with his wife, three well-fed cats, and two sick dogs.
Born in New York City in 1964, Weisburd declared his own private war against al-Qaeda because he was mad—mad that Yasir Arafat had rejected the peace plan at Camp David in 2000, mad that al-Qaeda had blown up the buildings in Manhattan he grew up around, and mad because he had read that Hamas was teaching Palestinian kindergartners to hate Israelis. So he set up Internet Haganah, a site designed to put jihadists like Irhabi on the law-enforcement radar screen (haganah is the Hebrew word for “defense,” and a reference to the proto-Israeli army of the 1940s).
Weisburd is the only paid full-time member of Internet Haganah. He runs his operation from the second-floor office of his home. Surrounded by five computers, he trawls online in search of the press statements and videos that terrorists release to rally their supporters. He goes undercover, logging on to restricted forums (if he has been able to get a password) and visiting the many open sites advocating jihad. He doesn’t speak Arabic but insists the limitation doesn’t slow him down much. Though he relies on translation software at times, and on associates in Internet Haganah’s network who speak Arabic, linguistic comprehension isn’t his goal. “You’re dealing with a group of people who are very demonstrative,” he said. “They’re working to make their text look like they feel.” When he finds the terrorist press releases and videos, he works to figure out where they’re coming from. Then he either shames service providers into shutting down the sites that host them or gathers what he terms “intel” for interested parties. On Internet Haganah he maintains a blog to rally his own side, providing an outlet for people eager to contribute their time and money to the fight against terrorism. The blog has an added benefit: because Weisburd closely monitors its traffic, he can watch the jihadists watching him.
About a dozen groups in the United States, many of them founded in the wake of 9/11, monitor jihadi chat rooms. They range from the well established (like the TRC and the Search for International Terrorist Entities Institute) to the slightly out there (like the Northeast Intelligence Network) to networks run by solo mavericks like Weisburd and Evan Kohlmann (who works out of his apartment in New York City). Most of the analysts offer consulting services to governments and private clients, and some accept donations. The bigger groups employ Arabic linguists, a scarce and vital resource that can help win lucrative contracts. In a competitive field, Weisburd stands out, not only for his technical expertise but also for his combative approach. Getting Web sites shut down, as Weisburd does, strikes some of his peers as counterproductive, because it complicates surveillance.
In 2004, Weisburd posted entries on Internet Haganah taunting Irhabi that succeeded in getting under the jihadist’s skin. “That pig hacked into my machine and destroyed the site,” Irhabi vented shortly after joining al-Ansar. A member of that site who sometimes worked in tandem with Irhabi posted Weisburd’s home address, promising vengeance. “By the way, Aaron,” Irhabi wrote a month later, “the new layout of your website looks … how do i put it? … SHITTY.” Irhabi posted the street address again in June, along with a photo of Weisburd and a copy of a death threat sent to his house. “To the Jewish asshole Aaron Weisburd,” it read. “This is our donation to you, either you close the website called Internet Haganah by next week or you will [be] beheaded.” This was followed by an image of a laughing face and “p.s. … I get to keep a finger or an ear . [a] little souvenir. ahahahahha.”
The threat convinced Weisburd that he was doing something right—as did a prior al-Qaeda “denial of service” attack against Internet Haganah, an illegal technique of sending so many requests to a Web site that it crashes. After that attack Weisburd quit his day job and decided to track his tormenters full-time. “The first threat I got was from a leader of al-Qaeda,” he said. “Once you internalize a threat like that, it’s downhill. A couple of years later, Hamas described me as a ‘virus.’ I was like: Nice of you to notice, guys.”
Abu Musab al-Zarqawi’s skill at using the Internet to promote his efforts is unmatched by any of his fellow terrorists—including Osama bin Laden and other leaders of al-Qaeda. Al-Zarqawi pioneered using an online press secretary—someone who, until early this year, when he seems to have faded away, went by the name of Abu Maysara al-Iraqi. Abu Maysara’s posts were widely held to be authentic transmissions from al-Zarqawi himself. When Irhabi was first observed online, in 2003, he had no apparent connection to al-Zarqawi’s network; he was just a self-starter who applied himself to solving problems. But when Abu Maysara posted links online, Irhabi would often set up mirror links immediately after.
One technique Irhabi used to create such sites was to find vulnerabilities in the File Transfer Protocol (FTP) servers that many organizations use to move cumbersome files around. Unbeknownst to the groups paying for those servers, Irhabi would dump his files there, thus saving the jihadists money and reducing risk. In July 2004, he showed off his prowess by uploading about sixty files, including videos of bin Laden and the 9/11 hijackers, onto an FTP server at the Arkansas State Highway and Transportation Department. Then, on al-Ansar, he posted links to the files. “Hurry to download,” he warned, anticipating that the files wouldn’t stay on the site long. He was right: Laura Mansfield, an analyst then working for the Northeast Intelligence Network, in Erie, Pennsylvania, soon spotted them and had them removed. Though pulled down in less than a day, the files lasted long enough for Irhabi to make a splash in The Washington Post. Days later, an al-Ansar member thanked him for all his hard work, referring to him as the “knight of jihadi media,” to which Irhabi responded, “haha … is this the new nickname? I am only the slave of God, the son of the slave of God.” Soon, Irhabi’s online groupies began tacking “007” onto their own screen names.
In October, Irhabi’s place in the jihadi firmament was confirmed when Abu Maysara posted a video of a suicide bombing in Iraq, and Irhabi posted mirrors six minutes later. “Long live the terrorist … Irhabi 007,” Abu Maysara exulted. “By God, your existence gladden[s] me, my beloved brother.” Abu Maysara’s direct endorsement was a rarity, Kohlmann says, and greatly increased Irhabi’s visibility. “Irhabi got the attention of the important people,” he adds.
The relationship between Irhabi and al-Zarqawi seems then to have deepened, and by the spring of 2005, Irhabi was playing a central role in al-Zarqawi’s PR network. Irhabi started running a host site that Kohlmann believes contained material received directly from al-Zarqawi’s people. If that’s true—and it’s hard to prove definitively, because copies can be made within seconds—there had to be coordination behind the scenes. Kohlmann discovered what may have been evidence of that coordination when he happened upon a Web site that Irhabi was in the process of building. Irhabi had left open a directory on his server, and Kohlmann found a file that was a draft of a Web site for al-Zarqawi’s group, Al-Qaeda in the Land of the Two Rivers. The site never went live. “We know there was communication,” Kohlmann said. “We just don’t know how much.”
Finally, though, Irhabi got too smart for his own good.
In July 2005, using a credit card stolen from someone with a Paris address, Irhabi placed an order with a Web provider in Los Angeles for a domain that consisted of thirty-seven digits, all zeroes and ones. Gregor Loock, who ran the service, processed the $72.92 order and paid little attention, thinking, Maybe some geek wants a Web site in binary code. Two days later, however, Loock received a request for a domain name with a slightly different string of zeroes and ones—and this time the order was put through on a credit card in the name of a woman in Britain. Suspecting fraud, Loock rejected the order, shut down the earlier account, and started perusing the backup files he’d made of the first site.
Loock’s suspicions deepened when he saw the names on some of the ZIP files: Fallujah, Samarra, and other cities he recognized from the news about Iraq. He couldn’t read the documents, which were in Arabic, but he could watch the videos. At first they seemed like footage he’d seen on TV about the insurgency, showing American forces under enemy fire. But these videos were different. “One of these martyrs was going to someone in the middle of the night, taping a belt to himself,” Loock said. “The man seemed to approach American soldiers, who opened fire, blowing him up.” Then it dawned on Loock: these videos were from the attackers’ point of view. He proceeded to do what is known as a “reverse DNS lookup,” running a trace on the IP addresses that had been used to upload the files, which turned out to come from Saudi Arabia and the United Kingdom.
Loock went to the FBI’s Web site, which has a section for tips from the public, and filled out a form. No response. He called and spoke to an agent, who promised that another agent would be in touch. No response. He talked to his brother-in-law, who is in the Navy and forwarded the information to the CIA. No response. Eventually he contacted an agent at the Department of Homeland Security, and, as he put it, “things went pretty fast after that.” The agent visited Loock’s house with a computer specialist, and Loock handed over everything that he’d discovered: the credit-card numbers that he thought were stolen, the files, and his searches of the IP addresses.
Irhabi had slipped up the year before, too. In July 2004, in setting up a Web site to publish a threat against Italy, Irhabi had picked a service provider that added a time stamp, the identity of the registered user, and the user’s IP address whenever files were uploaded. Irhabi wasn’t using anonymizing software or a proxy server at the time, and he made the mistake of using the provider at least twice before he stopped. Meanwhile, cyber-jihadists and readers of Internet Haganah began reporting that Irhabi’s site was infected with a virus—news that prompted Aaron Weisburd and his associates to look at the pages’ source code, the programming language that tells a browser what to do. There they found two IP addresses.
Weisburd wrote a blog entry on Internet Haganah publicizing the concern, which exacerbated anxiety among the cyber-jihadists, who keep track of what analysts write about them. To prove that his computer was clean, Irhabi posted a screen shot of a virus-free run, with his IP address hastily blotted out each of the nearly two dozen times it was listed. One of Weisburd’s associates stared at the screen shot, found he could make out a number here and there, and managed to piece together a third IP address. The three addresses Weisburd now had were all different, but each turned out to be only one hop from a router in a London neighborhood known as Ealing. “Frequently, IP addresses are assigned dynamically,” Weisburd said, explaining the significance of this discovery. “If you’re Irhabi, you disconnect from the router and reconnect, and it reroutes in a way that gives you a new IP address. Irhabi was moving around on this small section of the network.” By July, the information had been sent to U.S. and British law enforcement, but to no apparent end. Eventually, in September 2005, Weisburd had had enough. “Irhabi 007 is in Ealing, England,” he announced on Internet Haganah. “Or at least that’s where the bastard was when we located him (a year and a half ago). Why nothing was done about him then—despite the fact that we had also acquired hundreds of pages from various Islamist forums where Irhabi 007 admitted to committing a broad range of computer crimes—this I cannot tell you.” But something was being done.
A month after Weisburd’s announcement, a young Swede born in Serbia-Montenegro was arrested in a Sarajevo apartment as he was preparing a suicide attack. The Bosnians called British authorities about the man and his co-conspirators, based on evidence seized during their arrest. Working off that tip, the British police converged on a basement apartment in a quiet, middle-class section of West London, just a few minutes’ walk from the Shepherd’s Bush tube stop on the Central Line—and only five stops away from Ealing. In the apartment, the police found and arrested Younis Tsouli, a twenty-two-year-old of Moroccan ancestry who lived there with his father.
Last November, New Scotland Yard announced eight charges against Tsouli based in part on what had been found on his computer: video slides about how to make a car bomb, and photos of Washington, D.C., that included an emergency van used to test chemical, radiological, biological, and nuclear material. That evidence, the indictment charged, along with more items discovered at the apartments of two other men (Waseem Mughal and Tariq al-Daour), gave rise to the “reasonable suspicion” that Tsouli was involved in “the commission, preparation or instigation of an act of terrorism”—a rocket bomb attack on an undisclosed location. Tsouli was also charged with conspiracies to commit murder, to cause an explosion, to raise money for terrorist purposes, and to obtain “property belonging to others” with stolen credit cards.
A few months earlier, New Scotland Yard had learned from the Department of Homeland Security about the two stolen credit-card numbers that had been given to Loock to set up the strange sites with names in zeroes and ones. When investigators later entered the credit-card numbers found during their West London raid into their database, the Loock numbers popped up as matches. Tsouli, they realized with excitement, might well be Irhabi 007.
In February one of the terrorist-monitoring groups, the Search for International Terrorist Entities Institute, went public with the claim that Tsouli had been “recently revealed to be the infamous ‘Irhabi 007’ himself”—a hacker whose “teachings and contributions to the jihadi Internet community reigned unparalleled until the summer of 2005.” A source close to the case has since discovered that Tsouli, who doesn’t speak Arabic fluently, was working in tandem with his alleged co-conspirators, Mughal and al-Daour, and perhaps others. The director and co-founder of SITE, Rita Katz, noted the volume of Irhabi’s posts, many of them “very time-consuming uploads,” and the numerous requests he fielded from the al-Ansar community as evidence that “he could not have been a one-man operation.”
At a preliminary hearing in May, Tsouli and his fellow suspects appeared by video link from the top-security prison in southeast London where they’re being held. Wearing a white T-shirt and jogging pants, Tsouli sat between Mughal and al-Daour, folding his arms over his chest and slouching in his chair. He showed little reaction to the procedural matters being discussed, uncrossing his arms only to muffle his laughter with his hand at something one of his companions said.
For some time yet, Tsouli will remain a distant figure, understood only dimly through the online identity he may have created. His trial has not begun, and British law strictly limits disclosures about ongoing cases. Still, whether Irhabi turns out to have been an individual—Tsouli—or a composite is less important than the legacy he has left behind.
Months after Tsouli’s arrest, a member of an English-language jihadi chat room wrote, “I was wondering if anyone knows how to find vulnerabilities on servers or hacking in general (erhabis hacking tips), can they please post in here.” He was directed to muslimhackers.com and told to send a private e-mail to the administrator for a password. Muslimhackers offers tips on how to target members of its hit list, which includes Internet Haganah and a number of sites run by Shiites. Since that time, Irhabi’s guide to the Internet has also been making the rounds in a number of popular forums; titled “The encyclopedia on hacking the crusaders’ and zionists’ Web sites, drafted by Irhabi 007,” it includes file-transfer programs and the infamous password cracker “John the Ripper,” along with its own hit list.
Online jihadists can now do serious damage—and they’re learning to stay under the radar. In the early days, before the Iraq War, the “online global jihad” amounted to a collection of chat rooms where angry members could let off steam and experiment with threatening graphics. The sites welcomed visitors, offering a painless process of registration; today they present tougher barriers to entry and place a greater emphasis on remaining anonymous and secure. There are now scores of sites, and the competition among them to become the one to watch is fierce. These sites constitute a sophisticated media machine with which terrorists like Abu Musab al-Zarqawi can shape their image, test their message, and broadcast their news swiftly and securely, often in the form of slick videos. Forum members thrive on the brutal rhetoric and are encouraged to participate in a way that enhances their sense of belonging and importance. That participation poses a threat deeper than propaganda, because it helps terrorists find and train recruits willing to strap themselves into suicide vests and blow themselves up.
The arrest of Younis Tsouli, unfortunately, represents not the end of the story but only its beginning. “Irhabi was the right man at the right time when the terrorists were in need of a robust online network,” Katz said. “Today, that network is established. What Irhabi taught the jihadi community is out there.” What Irhabi helped create—a template for his own replication online—has opened a door to a struggle that is likely to be with us for a long time. Commenting recently on that struggle, a member of a jihadi forum that Irhabi had frequented captured an essential, if figurative, truth. “By the way brothers,” he announced, “Irhabi 007 is free.”