Show Notes

Cold Open

The following presentation is not suitable for young children. Listener discretion is advised. 

Sfx: a large crowd protesting

On July 23rd, 2016, Ali Bakhtiyari felt a surge of elation as he and his fellow protesters all chanted the same thing:

Death to discrimination! Death to discrimination! Death to discrimination!

Ali had come here with five of his friends, all Hazaras like him. By all accounts, today’s protest had gone well. It began at 7 a.m., when thousands of their fellow Hazaras gathered to march to Afghanistan’s presidential palace. As they marched, they found many of the streets blocked off by trucks and cargo containers, meant to control the protesters’ route.

When they arrived at Deh Mazang Square, about two miles from the palace, riot police blocked their path. They could go no further. So, this is where they made their protest. Over the next several hours, the Hazaras made their voices heard.

Death to discrimination! Death to discrimination! Death to discrimination!

The Hazaras are one of Afghanistan’s minorities, making up about 9% of the population. They originally hailed from Mongolia, and many have Asiatic features. They’re also Shiite Muslims, in a country that’s majority Sunni.

Since 1919, the Hazaras have been the victims of persecution and genocide. Especially during the Taliban years. Things got better in 2001, when the US-led coalition invaded the country in retaliation for the September 11th terrorist attacks. The Taliban-ruled Islamic Emirate of Afghanistan became a democracy, the Islamic Republic of Afghanistan.

But life still wasn’t ideal. The Hazaras still faced discrimination, and violence against them often went unpunished.

Today’s protest was about a specific grievance. Afghanistan was one of the countries building the TUTAP energy project, which was intended to connect Afghanistan’s energy infrastructure to its central Asian neighbors: Turkmenistan, Uzbekistan, Tajikistan, and Pakistan.

TUTAP would bring more electricity to Afghanistan’s remote mountain regions. However, earlier that year the Afghani government decided to reroute TUTAP away from Bamyan province, where most Hazara live. To the Hazara, this decision would deprive their people of a vital resource. So, here they were, demanding their president do something about it.

By 2:30 p.m., the protest was over. Thousands of Hazara began to disperse as peacefully as they’d come. 

Only, not everyone in this crowd was a Hazara.

Ali Bakhtiyari and his five friends were walking past an ice cream truck, where an ice cream vendor was selling frozen treats to the sweltering crowd members.

But then, they heard a bang, and then another.

SFX: two explosions

Twin explosions tore through the crowd. Ali watched them engulf the ice cream truck, then the ice cream vendor, and then his friends. Miraculously, he was unhurt. But all his friends were killed instantly. 

Dazed, Ali and others tried to help the wounded. Some called for help—but those trucks and cargo containers Kabul police set up along the protest route now made it much more difficult for ambulances to arrive.

80 died, and 230 were wounded. It was the worst attack on the Hazara in years.

Later that day, ISIS took credit, specifically ISIS’s Afghanistan affiliate. The ISIS news agency, Amaq, confirmed that the militant group had sent two suicide bombers to attack the “Shiite gathering.”

It was yet another blow to Afghanistan’s Hazara community, but they didn’t back down. The Hazaras continued protesting under a civil disobedience movement called The Enlightenment. And the Enlightenment found an unexpected ally.

Weeks after the attack, the Twitter account for Afghanistan’s Chief Executive, Dr. Abdullah Abdullah, essentially the country’s prime minister, Tweeted a strange message:

“I prefer dangerous freedom over peaceful slavery. #enlightenment #enlightenmentmovement.”

It was an open endorsement of the Enlightenment, something Dr. Abdullah would never do—and certainly never Tweet. It was clear he’d been hacked.

As the Chief Executive’s publicity and security people tried to figure out the culprit, they soon had a suspect.

It’s not like they were hiding. Shortly after the hack, another Twitter account belonging to a group called the Ghost Squad Hackers took responsibility:  

“Afghanistan Gov Hacked by GhostSquadHackers #ChiefExecutiveOfficer Can you hear me now?”

The Chief Executive’s office had no leads on who these individuals were, but it was far from their first hack—and it wouldn’t be their last. Formerly part of the hacktivist collective Anonymous, the Ghost Squad was now one of the most active hacktivist groups in the world—and it was showing no sign of slowing down.

On this episode: hacktivism, the Islamic State, big banks, police shootings, the Syrian Civil War, terrorist attacks, and the global fight against injustice. 

I’m Keith Korneluk and you’re listening to Modem Mischief.

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of the Ghost Squad Hackers.


Act One

On November 5, 1605, British authorities caught a group of Catholic sympathizers, including a man named Guy Fawkes, who were plotting against the British government. It became known as the Gunpowder Plot. Fawkes and seven others were drawn and quartered—which does not mean they had their portraits sketched and then were put up in a nice hotel room.

408 years later, on November 5, 2013, a Tuesday, a few hundred people gathered in London’s Trafalgar Square. 

They wore Guy Fawkes masks—typically showing the pale, goateed Jacobite with his signature Sphinx-like smirk.  

They were just as opposed to government tyranny as Fawkes was. They were members and supporters of the hacktivist collective Anonymous.

They marched to Buckingham Palace and then Parliament, where they set off fireworks…

SFX: fireworks

… a not-so-subtle reference to the Gunpowder Plotters’ plan to blow up Parliament.

There were scuffles with police, but no arrests. The same was mostly true in 477 other cities around the world. Anonymous called the mass protests the “Million Mask March,” although it’s unlikely a million people participated.

The Million Mask March wasn’t Anonymous’s first public protest, but it was the biggest. It was meant to help the organization step out of the Internet and into the real world. It was also meant to be a show of strength and unity.

But if you looked closely, Anonymous was anything but unified. Ask protesters in London why they were marching, and they’d tell you it was to protest government surveillance, or a lack of job opportunities. Ask them in Johannesburg, South Africa, and they might name censorship. Ask them in Washington D.C. and they might point to corruption.

These differing points of view reflected the divisions within Anonymous itself.

That’s been the story of Anonymous since the beginning—nobody can quite agree on what it is or who it should fight.

We covered the origins of Anonymous in Episode 28, so you should definitely listen to that first. But here’s the thumbnail sketch. Anonymous emerged in the early 2000’s from a community of pranksters and shitposters who made up the online forum 4chan. In the early days, Anonymous mostly pulled Internet pranks against targets they deemed to be assholes, like the Church of Scientology or white supremacists.

But some Anonymous members felt the group should be more dedicated to fighting injustice than to trolling jerks. Inspired by the 2006 film V for Vendetta, they began wearing Guy Fawkes masks in online videos and at public protests.

Then in 2011 the Arab Spring protests broke out. Millions of people in countries like Tunisia, Egypt, and Yemen rose up to challenge the authoritarian regimes who’d ruled for decades.

One especially politically minded Anonymous member, Hector Monsegur, aka Sabu, created an elite team of hackers to assist the Arab Spring protests. He called the group LulzSec—and you can learn all about LulzSec in episode 39, about Jeremy Hammond, or in our recent bonus episode about Monsegur.

LulzSec was the first known Anonymous splinter group, but it wouldn’t be the last. The Ghost Squad Hackers would be another splinter group—but we’ll get to them in a sec.

Anonymous has no formal leadership structure, and its membership is international. Thus, different Anonymous members have different beliefs and goals—sometimes directly opposed to each other. 

Take religious discrimination. Before Anonymous, the Internet was already home to a community of pro-Muslim hacktivists. Some of these hacktivists found common cause with Anonymous and joined up, forming their own affiliated groups. 

According to these Muslim hacktivists, they were opposed to anti-Muslim bigotry. But according to their critics, their rhetoric often veered into anti-Western and anti-Semitic territory.

One of these Anonymous affiliates was called AnonGhost. It was founded in 2012 by a hacker who went by the moniker “The Mauritanian Attacker,” a nod to his home country, the West African nation of Mauritania.

In an interview, the Mauritanian Attacker explained that he was a 25-year-old college graduate who began hacking at 13. A devout Muslim, he got his start with another early Muslim hacktivist group called Team P0is0n, which was founded by the British-Pakistani hacker Junaid Hussain.

You guessed it, we did an episode about him too. Check out Modem Mischief #33. That’s the last time we’ll do this, we promise. But, man…we’ve got a pretty sweet back catalog here if I do say so myself. Okay, back to the show…

Another AnonGhost member went by the handle “Ungku,” which means “Prince” in Malaysian. Like the Mauritanian Attacker, he held what some would consider radical Islamist views. Particularly when it comes to the subject of Israel and Palestine.

The Mauritanian Attacker had good reason to bring AnonGhost into Anonymous—they were roughly in alignment on the Israel-Palestine issue. Many Anonymous members felt that the Israeli government was oppressing Palestinians in Gaza. 

On April 7th, 2013, on Yom HaShoah, or Holocaust Remembrance Day, Anonymous launched the first “OpIsrael,” a series of cyberattacks that defaced Israeli government websites. Anonymous would repeat OpIsrael every year after, and AnonGhost would enthusiastically participate.

But AnonGhost’s cozy relationship with Anonymous wouldn’t last.

The following year, 2014, fighters for the Islamic militant organization the Islamic State, or ISIS, carved out a swath of territory in Iraq and Syria the size of Tennessee. 

Some members of AnonGhost, like the Mauritanian Attacker and Ungku, became avid ISIS supporters. This is where they diverged with most of their fellow Anonymous members. After all, ISIS is what many would consider an authoritarian state. One book describes it as “a 21st century country with a 7th century philosophy.”  

Plus, there was ISIS’s habit of posting videos of its members gleefully beheading prisoners, or burning them in cages.

Many members of Anonymous began launching attacks against ISIS. So, AnonGhost and Anonymous parted ways—and soon found themselves on opposing sides. 

By 2015, the Mauritanian Attacker’s old friend, Junaid Hussain, had defected to ISIS and helped found its cyberwarfare division, the CyberCaliphate. Now he was running it. But in August 2015, an American drone strike killed Hussain.

The Mauritanian Attacker wanted to avenge his friend’s death. He convinced several members of AnonGhost to join ISIS and help run the CyberCaliphate. Their duties included both hacking enemies of ISIS, as well as protecting ISIS’s members themselves from cyberattacks.

So, that pitted them directly against Anonymous.

But what about those members of AnonGhost who didn’t support ISIS?

That brings us to the subject of our episode: The Ghost Squad Hackers.  

Yes, we know these groups have similar names: Anonymous, AnonGhost, and the Ghost Squad Hackers. It’s confusing, and it’s not any easier on us either. But if you think about it, these similar names illustrate just how anarchic and unruly this hacktivist community really is.

The most public and active member of the Ghost Squad Hackers went by the handle “s1ege”—spelled S-1-E-G-E. They would serve as the group’s administrator and spokesperson.

In an early interview, s1ege identified themselves as a career computer programmer. By day, s1ege worked in computer security as a penetration tester for various companies. S1ege also made some coin as a bug bounty hunter for social media companies, probing their code for security flaws called zero-day vulnerabilities and getting paid per find.

Yet s1ege also had a conscience, so they joined Anonymous. Then, outraged by Israel’s treatment of its Palestinian citizens, s1ege joined AnonGhost.

But s1ege was ambitious. They wanted to fight all injustice, not just that facing Muslims. As s1ege put it, “I hack to end the possibility of world war."

When the Ghost Squad Hackers split from AnonGhost in late 2015, there was no shortage of injustice to combat…like that witnessed by Gameda, an Ethiopian 17-year-old, in December 2016.

Gameda hails from the town of Shashemene, which is in the Oromia region. Oromia is home to Ethiopia’s largest ethnic group, the Oromo, who make up about 35% of the country’s population. Many are farmers.

Even though the Oromo possess a voting majority, various smaller ethnic groups have run the government and military for decades, leaving the Oromo marginalized.

In 2014, the government announced a plan to expand the capital of Addis Ababa by 1.1 million hectares, or about the size of Belgium—with much of that land coming from Oromo farmland.

It was called the Master Plan, and the Oromo opposed it from the beginning—often with deadly results.

Things came to a head on November 15, 2015, in the small town of Ginchi. There, government authorities began clearing a forest and soccer field for an investment project. Locals, including many students under age 18, protested the development by marching through the streets with their arms crossed in the shape of an “X.”

It was entirely peaceful. Even so, police opened fire on the protesters with live ammo, killing 75. Police acknowledged only 5 deaths and then accused the protesters of inciting the violence.

In response, protests broke out in 400 other cities and towns in Oromia, often led by students not even old enough for university, like Gameda.

Gameda and his fellow students were outraged, both by the Master Plan and by the Ginchi Massacre. Along with about 30 classmates, Gameda convinced his entire school to join the ongoing Oromo protests. With their teachers’ support, they made a plan.

The protests would start the following morning at 8 a.m. But when Gameda and his classmates arrived, local police were already there. They ordered the students to disperse and return to class. When the students refused, they arrested four of them.

A few hours later, they returned with federal police.

As Gameda told Human Rights Watch, the federal police officers walked into the school and immediately shot three of his classmates at point-blank range.

Police forced everyone into their classrooms at gunpoint, then removed the bodies. Gameda and his classmates waited there all morning until police arrested him and 20 of his fellow organizers.  

And that’s just one story. Across Oromo, police routinely shot protesters. Or, they arrested and tortured them. By June 2016, it’s estimated that at least 400 were killed, thousands more were injured, and tens of thousands were arrested.

Western media mostly ignored the story. But the Ghost Squad Hackers were paying attention.

In retaliation, they made their first big strike. They hacked into several Ethiopian government websites and defaced them.

A typical attack went like this. After hacking into the website for, say, the Ministry of Defense, the Ghost Squad painted a crude X over the government’s flag. Then, they uploaded bloody photos taken from real-world protests. Finally, they uploaded a graphic promoting their cause. It read:

No Master Plan
Say No To Land Grabbing!

Oromia Shall Be Free

#OromoProtest

It was meant to humiliate as much as it was to raise awareness. To further that goal, on January 26, 2016, The Ghost Squad Hackers created a Twitter account and issued their first Tweet.

The Tweet had a link to an interview s1ege gave to the hacker news website Fossbytes, taking credit for the Ethiopian website hacks. It was accompanied by a message:

This is only the beginning.

Indeed it was. The Ghost Squad Hackers had many targets—but it also had a score to settle with ISIS, and their old friend who was now running its cyberwarfare division. 

Act Two

The Ghost Squad Hackers had three primary methods to attack their targets.

The first was a good old fashioned website defacement, like the ones we just saw in Ethiopia.

Their second was the Distributed Denial of Service, or DDoS attack. They used it in their next attack, against a target much closer to home.

About two months after its inaugural Tweet, in March 2016, the Ghost Squad Twitter account issued Tweet #2. It began:

#GhostSquadHackers #OpTrump.

“OpTrump” was a reference to a recent Anonymous project in which the group declared all-out war on Donald Trump’s presidential campaign.

The Tweet continued with a message addressed to Trump himself:

Coming_Soon, we will make u regret the words u say about muslims and blacks.

Days later, a Ghost Squad member named BannedOffline launched DDoS attacks against two Trump websites, Trump.com and trumphotelcollection.com, flooding them with so many requests that the sites became inoperable.

However, in keeping with their Anonymous roots, the Ghost Squad Hackers favored neither side in the American presidential race. A few months after the Trump attack, the Ghost Squad would launch a similar attack on Hillary Clinton’s campaign website in an operation they called “OpKillary.”

This time, the group Tweeted:

Hillary Clinton you deserve to be in jail.

So there. Ghost Squad took a shit on both sides. Now that is bipartisanship. Everyone happy now?

Jill Stein 2024.

The third and final type of attack the Ghost Squad Hackers deployed was the data dump. In other words, they would breach a target’s computer system, steal as much data as they could, and then publish it.

For example, about a month after the Trump DDoS attack in March 2016, the Ghost Squad participated in that year’s OpIsrael cyberattacks, the annual assault Anonymous carries out against the Israeli government.

Ghost Squad’s participation in OpIsrael 2016 amounted to publishing the personal information of thousands of Israeli Defense Forces members.

With these three techniques, the Ghost Squad Hackers would carry out several more successful operations in their first few months of existence…

Just four months after becoming operational, the Ghost Squad took on a favorite hacktivist punching bag—the Ku Klux Klan, and specifically its janky-ass website that looked like it hadn’t been updated since the 90’s. In April 2016, the Ghost Squad easily shut down the KKK’s website with a DDoS attack.

But dunking on the KKK was child’s play for a group of veteran hackers like the Ghost Squad.

A few months later, on July 5th, 2016, the Ghost Squad, along with much of the rest of the world, was horrified to learn about the death of Alton Sterling.

Sterling was a 37-year-old African-American father of five. In July 2016, he resided at Living Waters Outreach Ministries, a transitional living center in Baton Rouge, Louisiana, where he loved to cook for his fellow residents. He previously served five years in prison for resisting arrest and fighting a police officer. But in 2016, he was living an honest life, selling CDs outside convenience stores. He was an engaging salesman who could talk to anyone.

On July 5th, two Baton Rouge police officers, Blaine Salamoni and Howie Lake, both white, responded to an anonymous tip that a man in a red shirt selling CDs outside a convenience store “waved a gun at someone.” When they arrived, they found Alton, who matched the description.

Salamoni and Lake were immediately aggressive. They told Alton to put his hands on a nearby car. When he asked what he’d done, Salamoni pulled his weapon and shouted, "Don't fucking move or I'll shoot your fucking ass, bitch." Alton complied, but when he asked what he’d done wrong a second time, the officers used a stun gun on him, then tackled him to the ground.

When searching Alton, the officers discovered a gun in his back pocket. “He’s got a gun!” one shouted. Shortly after, one of the officers shot Alton multiple times from point blank range. He was pronounced dead at the scene.

The community was outraged. The Black Lives Matter movement promoted Alton’s case, and his killing immediately became a trending topic—especially after the Justice Department declined to press charges against the officers.

Justice was needed, and the Ghost Squad Hackers were determined to do something about it.

Three months after Alton’s death, the Ghost Squad found a vulnerability in the Baton Rouge police department’s website. They replaced the homepage with an all-black background. They showed a picture of a smiling Alton, accompanied by the following message:

“Being Black is not a crime. This is for the shooting of Alton Brown. Just because he’s Black does not mean he’s a bad guy. You will pay. We are the Justice. We are the Ghost Squad Hackers. RIP Alton Sterling.”

The website defacement brought even more publicity to Alton Sterling’s cause. But it’s worth noting that the Ghost Squad Hackers’ dealings with American racism were far from consistent.

Around the same time as the Baton Rouge police department hacks, the Ghost Squad took on an unexpected target: Black Lives Matter.

The Black Lives Matter movement was formed in response to George Zimmerman’s acquittal for the shooting of Trayvon Martin in 2013. Since then, the group protested police violence and institutional racism.

One of BLM’s targets was Stone Mountain, Georgia, where you can see 400 ft. high statues depicting three “heroes” of the Confederacy: President Jefferson Davis and Generals Robert E. Lee and Thomas J. “Stonewall” Jackson.

So, think “racist Mt. Rushmore.” 

In April 2016, Black Lives Matter protesters blocked the entrance to the Confederate Memorial Carving.

But according to Ghost Squad, this protest veered into anti-white racism. Some Black Lives Matter members at Stone Mountain called for a genocide against the white race, they said. And so, the Ghost Squad launched a DDoS attack against blacklivesmatter.com.

In an interview with Ars Technica, s1ege explained that they carried out the attacks because Black Lives Matter was “fighting racism with racism” and “going about things in the wrong way.”

While Ghost Squad was attacking injustice on its own, it also found time to participate in Anonymous-wide operations.

In May 2016, Anonymous announced “OpIcarus,” a 30-day cyberattack against the world’s banks. In their video announcing the operation, Anonymous said:

Like Icarus, the powers that be have flown too close to the sun. The time has come to set the wings of their empire ablaze, and watch the system their power relies on come to a grinding halt and come crashing down around them. 

Ghost Squad agreed. In an interview with Mic.com, Ghost Squad pointed to high interest rates, foreclosures, and bank bailouts as the reasons for its assault on the banks.

In their participation with OpIcarus, Ghost Squad shut down websites for banks including: Bank of Greece, Central Bank of Cyprus, Central Bank of New Zealand, Bank of Korea, Central Bank of Kuwait, Central Bank of Myanmar, Bank of Cameroon, Main Bank of Nepal, Bank of Kathmandu, Gulf African Bank, and Bank of Scotland. Their target list had over 160 institutions.

The following month, in June 2016, Anonymous announced another project called OpSilence, this time targeting the mainstream media. The Ghost Squad eagerly participated.

On June 2nd, 2016, Ghost Squad announced that it had successfully hacked the email servers for both Fox News and CNN. It didn’t steal any sensitive information; it just inconvenienced two mainstream American news organizations for a few hours. But for a hacktivist group, that’s a win.

For the rest of 2016, the Ghost Squad Hackers attacks continued. 

In July, they hacked the Twitter account for Afghanistan’s Chief Executive Officer, which we covered at the top of this episode. They followed that up by defacing 12 Afghanistan government websites with the following message:

Hacked by Ghost Squad. Your site’s security has been compromised by #GhostSquadHackers. All your data belongs to us now. Security is just an illusion.

In October, the Ghost Squad turned its attention to yet another injustice: the Syrian Civil War, which began in 2011 when Syrian Arab Spring protesters rebelled against the government of Bashar al-Assad.

Since 2012, the Syrian city of Aleppo had been held by the Free Syrian Army and several other opposition groups. In response, the Syrian government, backed by Russia, put the city under siege, cutting off its 250,000 people from food, medicine, and fuel. Then in August, the Syrian government hit Aleppo with a chlorine gas attack—which violates international laws against the use of chemical weapons. The chlorine killed 4 and injured 60, including 40 children.

The Ghost Squad retaliated by hitting dozens of Syrian government websites with DDoS attacks, shutting them down. In the ensuing Tweet, they wrote:

#GhostSquadHackers is tired of the war crimes Bashar al-Assad is getting away with. we declare all out war on the Syrian Government #OpSyria

All of these cyberattacks—hitting Trump and Clinton’s websites; doxing members of the Israeli Defense Force; shutting down the KKK and Black Lives Matter; assaulting hundreds of banks; attacking the mainstream media; and hacking the Afghani and Syrian governments—happened within the first few months of Ghost Squad’s existence.

But throughout all of these high-profile activities, the Ghost Squad never forgot where it started, or who its enemies were. Like the CyberCaliphate, ISIS’s cyberwarfare division.

As we said, following the death of Junaid Hussain, leadership of the CyberCaliphate fell to the Mauritanian Attacker, who was also the Ghost Squad’s former leader when it was called “AnonGhost.”

Since splitting from Anonymous and joining ISIS, the Mauritanian and his cohort carried out several successful cyberattacks on behalf of the Islamic militant group, using many of the same techniques they had during the AnonGhost days.

For example…

- They doxed over 1,400 US military personnel

- They hacked top secret British government emails and published them

- They hacked a Swedish radio station and broadcast an ISIS recruitment song

- They even hacked the website for a small British energy company called SolarUK, located near Junaid Hussain’s hometown of Birmingham, defacing its website with the message: “Fear us. We are the Islamic Cyber Army.”

The Ghost Squad hadn’t forgotten about their old boss—and now, they were going to give him a taste of his own medicine. 

In July 2016, they Tweeted the following message:

We declare all out war with Islamic State Hackers and anyone who supports the Islamic State! #OpReverseCaliphate

The Ghost Squad Hackers spent months studying the Mauritanian Attacker and his CyberCaliphate cohort. Finally, in July 2016, s1ege Tweeted the name and phone number of a Mauritanian computer programmer: Moulaye Ahmed Ould Ahmed Semane.

They’d found the identity of the Mauritanian Attacker—and they’ve still never disclosed how they obtained this information.

They also doxed several other members of AnonGhost who now worked for the CyberCaliphate, like Ungku, the Malaysian. His real name was Muhammed Nazmi, and his social media was full of pro-ISIS slogans.

These doxings were a triumph for the Ghost Squad, and they no doubt brought embarrassment to ISIS and the CyberCaliphate. But the Ghost Squad’s work was far from finished. ISIS still had thousands of active members—and they were coming for America.

Act Three

The Ghost Squad Hackers Twitter account stayed mostly quiet for 2017. This was likely because they were carrying out their biggest and most ambitious operation yet—one that required secrecy.

Internally, the Ghost Squad called this project “OpDecryptISIS.” Its goal was to publicly identify as many ISIS members and sympathizers as possible, mainly by hacking their social media accounts and private chat channels.

As s1ege would explain in an interview, OpDecryptISIS was a turning point for the group. "We really do not care about attacking the U.S. elections,” he said. “They've already been hacked. We mostly hack ISIS.”

The Ghost Squad spent most of 2017 doing just that, and by December it made a disturbing discovery.

They hacked into an ISIS chatroom on the Telegram app and discovered members sharing images that appeared to promote an upcoming terrorist attack on Christmas Day in New York City.

One image showed Santa Claus delivering a box of explosives to Times Square, with the message “We meet at Christmas in New York…soon.” Another showed a car driving through the streets of New York City tinted red, with the words “Christmas Blood.”

For the Ghost Squad, it was clear something had to be done. On December 8, 2017, they Tweeted screenshots of those Christmas attack images, along with the following message:

Ghost Squads Hackers has access to dozens of islamic state telegrams and have intercepted their communications, they plan on executing a terror attack on Christmas... [Message] us for details.

It’s unknown if any law enforcement agencies or the media communicated with the Ghost Squad about what they knew. But just three days later, it was clear the US was indeed in danger.

One person who’d also seen those ISIS images was Akayed Ullah. He was a 27-year-old Bangladeshi with a thick, black, mustache-less beard. Six years earlier, he and his family immigrated to the US, where they lived in a basement apartment in Brooklyn. For income, he drove a New York City yellow taxi, and then worked as an electrician. He was a regular sight at his neighborhood mosque.

But Akayed also spent a lot of time online. He was attuned to the injustices and outrages committed against his fellow Muslims, in Gaza, in Syria, in his homeland of Bangladesh, and even right here in the USA. Every news report about an Israeli military operation killing Palestinians, or an American airstrike hurting Syrian civilians, made his blood boil.

Akayed became an ISIS supporter in 2014, and frequented chatrooms full of other ISIS sympathizers in the US. Two years later, he began researching how to build pipe bombs. And so, when ISIS members began sending those images about the New York City Christmas bombing, Akayed was inspired to do his part.

In early December, Akayed purchased black powder, a battery, wiring, nails and screws. He packed it all into a footlong metal pipe he’d found at a construction site where he did electrical work.

On December 11th, he got up before dawn. He scrawled a message in his passport for the authorities to find: “O America, die in your rage.” He slipped the passport into his pocket. Then he fixed the pipe bomb to his torso with zip-ties and Velcro. Finally, he put on a jacket and headed to his local subway stop.

SFX: subway noise 

Akayed got on the F train at the 18th street stop. His heart was pounding. He tried not to look or act suspicious, but his fellow subway riders seemed unaware he existed.

Good.

At Jay St., he switched to the A train and rode it into Manhattan to the Port Authority stop, where he got off.

Akayed followed the river of commuters until they arrived at the terminal. It was the busiest part of the station. Akayed took a deep breath, reached into his jacket, and triggered the detonator.

SFX: pipe bomb explosion

When the smoke cleared, Akayed was lying on the ground, shocked but alive. He was taken to Bellevue Hospital and treated for burns and cuts on his hands and body, all non-life-threatening. Four commuters were also injured in the attack. Then-New York governor Andrew Cuomo would describe the bomb as an “amateur, effectively low-tech device.”

But when Akayed told investigators that he carried out the attack on behalf of ISIS, the gravity of the situation became clear. And the Ghost Squad Hackers’ mission to expose ISIS became even more urgent.

Of course, the Ghost Squad Hackers’ activities involved more than ISIS. Throughout 2018 and 2019, the Ghost Squad found time to continue attacking other targets they deemed a problem. During this time, their targets included: the governments of Brazil, Russia, India, Peru, Cuba, Canada, Poland, and the website for the University of Ghent in Belgium.

S1ege and his fellow Ghost Squad members seldom explained their rationale for hacking these targets, preferring to let their hacks speak for themselves.

Finally, on February 12, 2019, the Ghost Squad was ready to go public with what it knew about ISIS. It published a trove of documents detailing the personal information of dozens of ISIS members from 14 different countries, including their full names, phone numbers, social media profiles, government identification cards, geolocation data, and even recorded videos from their smartphone cameras.

The document dump was a mosaic comprised of stories of ISIS members from all walks of life. Above all, it gave an unprecedented look at the real people who made up the extremist group.

Among those exposed was a Belgian teenager named Siraj El Moussaoui. We don’t know much about his early life, but he was inspired to support ISIS in 2016. He reached out to the organization online to attempt to join up. As far as we know, ISIS never responded. But this was enough to warrant Belgian police’s attention. When Siraj was arrested, authorities discovered that he’d saved a video on his phone explaining how best to behead someone.

Another of the exposed was Riffat Mahmood Khan. Originally from Bangladesh, he immigrated to Australia. There, he found work as a taxi driver, met his wife, and started a family. They lived in the Australian city of Auburn with their children, and her children from a previous marriage.

But according to information leaked by the Ghost Squad Hackers, Khan was a regular attendee at his local mosque, Al Noor, where friends said he became radicalized.

At some point in 2015, Khan reached out to ISIS via the Internet and joined the group. Eventually, he became the administrator of the group’s encrypted chat channels on WhatsApp and Telegram.

In September 2015, Khan flew from Australia to Turkey and then traveled into ISIS country. It was a chance to meet his colleagues face-to-face. When he returned, neighbors noticed he was angrier. He began requiring his wife to wear the niqab, a face-covering garment worn by some Muslim women.

Khan made a second trip to ISIS territory a few months later, but by then Australian authorities were on his trail. When he returned home, they greeted him at the airport and took him into custody.

The Ghost Squad Hackers document dump relayed all of this, including a video of Australian authorities raiding Khan’s home in Auburn, leading his wife and children away.

By publishing the OpDecryptISIS files, the Ghost Squad Hackers struck a humiliating blow against their longtime enemy, ISIS. But from this point forward, the Ghost Squad Hackers would face an even bigger challenge: staying relevant.

Act Four

By exposing hundreds of ISIS members, the Ghost Squad Hackers struck a decisive blow against its longtime enemy.

But without an enemy as existential as ISIS and its CyberCaliphate, the Ghost Squad Hackers struggled to find a reason to continue their fellowship.

For the rest of 2019 and into 2020, the Ghost Squad Hackers did continue to fight injustice around the world.

One of their targets was the government of India. Since 1947, the Kashmir region has fought to become independent from its more powerful neighbors, India and Pakistan. In 2019, the Indian government instituted a security lockdown and communications blackout in Kashmir.

In retaliation, the Ghost Squad Hackers defaced dozens of Indian government websites with their logo, a smiling Guy Fawkes, accompanied by the message:

Greetz to all Ghost Squad Hackers members.

Other assorted cyberattacks filled out the rest of 2020. The Ghost Squad Hackers defaced websites for the Idaho state government, various American sheriff’s departments, and even the European Space Agency—which s1ege admitted wasn’t a political statement, but just something they did for the lulz.

In the end, none of the Ghost Squad Hackers’ operations ever approached the notoriety they achieved with OpReverseCaliphate and OpReverseISIS. The group stopped Tweeting in 2020, and so did its members.

In other words, the members of the Ghost Squad Hackers disappeared into the ether, in keeping with their ghostly namesake.

Yes, it’s an anticlimax. We don’t know the real identities of any Ghost Squad Hackers, even though they pissed off dozens of governments and corporations.

And that’s probably how they prefer it.

Over and over in this series, we’ve repeated the same truth: good hackers are famous, but great hackers are anonymous.  

Unlike their patron saint Guy Fawkes, the Ghost Squad Hackers never got caught. But the world has seen no shortage of injustice since they went quiet. This leaves just one question: where is the Ghost Squad now?

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon. Just go to patreon.com/modemmischief or click the link in the show notes. You can also support us through a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka Ghosted is the Story of his Dating Life. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!