someone wearing an anonymous mask

Ghost Security has been flooded with tips following the Paris attacks.

You’ve heard about Anonymous declaring “war on ISIS.” But the group who’s really battling the Islamic State in the wake of Friday night’s attacks on Paris isn’t using Guy Fawkes masks, and they’ve been fighting for more than a year already.

Ghost Security, an online hacktivist collective that works against ISIS’s online presence, describes its members as “international volunteer counterterrorism operatives.” Since the Nov. 13 Paris attacks that left at least 129 people dead and hundreds of other injured, GhostSec has received a flood of thousands of new tips about potential ISIS operatives. 

Now the real work has started.

“Things are crazy right now. Our site is blowing up with tips, and our group is proactively looking for current threats.”

“Soon after the attacks, our site was getting close to 300 unique visits per minute,” a Ghost Security operative who goes by the username GhostSecPl told the Daily Dot via Twitter direct message. “Things are crazy right now. Our site is blowing up with tips, and our group is proactively looking for current threats.”

Unlike some Anonymous efforts, like a recent operation that failed to deliver on its promise of outing more than 1,000 members of the Ku Klux Klan, GhostSec gets results. The group is credited with providing information that led to law enforcement disrupting a plot to recreate the Sousse beach massacre in Tunisia that left 38 British tourists dead, according to Michael Smith, COO of Kronos Advisory. A private defense contractor, Kronos often serves as a middleman between law enforcement and Ghost Security, whose members prefer to keep at arms length from police.

“[Ghost Security] have developed very rich knowledge of the Islamic State’s online activities, with focus on its social networks,” Smith told the Daily Dot in a phone interview. “They’ve been very instrumental in helping authorities identify communications about offline activities like recruitments, in some instances actual attack plots, and they’ve been especially useful in terms of things that are more difficult-to-monitor communications platforms like Telegram messenger.”

As a rule, the GhostSec team members intentionally disassociate themselves from Anonymous so that they can cooperate with law enforcement, according to GhostSecPl. Some of its members have, however, identified as Anonymous in the past. 

“I would say in the region of 30 percent of the sites reported are genuine extremist activity and less than 10 percent are ISIS.”

Ghost Security works by collecting suspected ISIS Twitter accounts and infiltrating supposed ISIS websites. From there, they report all of the information to Kronos, whose analysts forward the information to law-enforcement agencies like the FBI. Ghost Security uses Kronos as a buffer, allowing them to maintain their anonymity and refrain from interacting with law enforcement directly. The attacks in Paris, however, have called for a different approach. GhostSecPl said the group has been reporting “sensitive tips” directly to police.

“I would say in the region of 30 percent of the sites reported are genuine extremist activity and less than 10 percent are ISIS,” GhostSecPl said. “The numbers are much higher for Twitter handles reported—these can be as high as 70 percent accurate.”

The group’s intensified efforts have also resulted in a number of large-scale, distributed denial-of-service (DDoS) attacks on their website, where Ghost Security keeps an archive of all of the reported data, following the attacks in Paris.

“We get [DDoS attacks] daily and cannot count them effectively,” GhostSecPL said. “The attacks on the site are a mix of layer 7 dos attacks (which make up most of them) or people trying to run repeated SQL injection or XSS attacks on us,” GhostSecPL added, referencing some common but damaging technical attacks on Web properties.

Ghost Security has been working to fight ISIS online for almost a year. Since its inception, the group says, it has reported over 1,000 domains and 10,000 Twitter accounts.  

The FBI did not respond to a request for comment. 

Illustration by Max Fleishman

William Turton

William Turton

Once named one of Forbes’ 20 Under 20 and hired as a staff writer for the Daily Dot when he was still a senior in high school, William Turton is a rising tech reporter focusing on information security, hacking culture, and politics. Since leaving the Daily Dot in April 2016, his work has appeared on Gizmodo, the Outline, and Vice News Tonight on HBO.

Layer 8
Paris attacks spark renewed fight against encryption
Surveillance defenders are seizing the tragedy to push for new spy powers.
From Our VICE Partners