During the past few years, terrorist groups have increasingly relied on the dark web, using darknet discussion forums to plot their violent plans and crypto markets to purchase weapons that can range from a 9 mm gun to bombs. More recently, terrorist groups have built their very own darknet discussion forums and have used them for various forms of illegal activities.
A recently published research paper has introduced an innovative algorithm for identifying the trading of modern weapons, as well as relevant discussions held by terrorist groups on various darknet forums, Tor message boards, and crypto markets. The authors of the paper collected data from four darknet forums that were created by active terrorist groups. These dark web forums were Islamic Awakening, Ansar Aljihad Network, Islamic Network, and Gawaher. The study also analyzed weapons trafficking taking place on darknet marketplaces. Let’s take a look at some of the interesting data presented in this paper.
Weapons trafficking on darknet marketplaces:
Product listings associated with weapons on nine darknet marketplaces, or crypto markets, were manually collected during the period between February 2016 and February 2018. Data related to the product listing pages, i.e. sale proposals, offered prices, and vendors’ profiles, were obtained to formulate a thorough overview of weapons trafficking taking place on the dark web. Relationships between different vendors, on the same crypto market as well as on different crypto markets, were also obtained via analysis of content similarities, online digital signatures, and reviews left by customers who actually completed the purchase of a product.
The study found that weapons trafficking mainly takes place on two major darknet marketplaces. Moreover, it represents a very small percentage of the overall illicit trafficking taking place on crypto markets, especially when compared to illicit drug trading. Among all identified weapons-related product listings (n = 386), firearms represented around 25% of all sales proposals, because the share of non-lethal weapons is highly significant (approximately 46%). Based on the identified aliases, the study managed to identify 96 vendors offering to sell weapons. Some aliases were found to exist on multiple crypto markets, which suggests that some vendors may be conducting weapons trafficking on multiple platforms. This theory was further supported by comparing aliases to online evidence such as profile descriptions, PGP keys, images, and others. This approach helped the authors of the paper estimate more precisely the overall number of vendors selling weapons across different crypto markets. As per the data gathered, the bottom line is that the magnitude of weapons trafficking taking place on crypto markets is considerably limited when compared to the trafficking of other forms of illicit goods, such as drugs, malware, stolen data, etc.
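The cross-market alias matching described above can be sketched as a clustering problem. This is an added illustration, not the paper's algorithm: the record layout, the 0.6 similarity threshold, and the sample profiles are all constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample profiles (not data from the paper); field layout is an assumption:
# (market, alias, PGP key fingerprint or None, profile description)
PROFILES = [
    ("market_a", "vendor_one", "AAAA1111", "fast discreet shipping worldwide escrow accepted quality guaranteed"),
    ("market_b", "v0ne",       "AAAA1111", "new shop contact via pgp"),
    ("market_b", "vendor_two", "BBBB2222", "fast discreet shipping worldwide escrow accepted quality guaranteed always"),
    ("market_c", "Vendor_One", None,       "eu only no escrow finalize early"),
    ("market_c", "other",      "CCCC3333", "tracked parcels from uk bulk discounts"),
]

def jaccard(a, b):
    """Token-set overlap of two profile descriptions, 0.0 to 1.0."""
    ta, tb = set(re.findall(r"\w+", a.lower())), set(re.findall(r"\w+", b.lower()))
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def link_reason(p, q, threshold=0.6):
    """Return the strongest evidence tying two profiles together, or None."""
    if p[2] and p[2] == q[2]:
        return "pgp"    # same key fingerprint: strongest signal
    if p[1].lower() == q[1].lower():
        return "alias"  # same alias reused on another market
    if jaccard(p[3], q[3]) >= threshold:
        return "text"   # near-identical description: weakest, needs manual review
    return None

def cluster_vendors(profiles, threshold=0.6):
    """Union-find over pairwise links; returns (clusters, evidence)."""
    parent = list(range(len(profiles)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    evidence = []
    for i, j in combinations(range(len(profiles)), 2):
        reason = link_reason(profiles[i], profiles[j], threshold)
        if reason:
            evidence.append((profiles[i][1], profiles[j][1], reason))
            parent[find(j)] = find(i)
    groups = {}
    for i, p in enumerate(profiles):
        groups.setdefault(find(i), []).append(p[1])
    return sorted(groups.values(), key=len, reverse=True), evidence

if __name__ == "__main__":
    clusters, evidence = cluster_vendors(PROFILES)
    print(len(PROFILES), "aliases ->", len(clusters), "estimated vendors")
```

Keeping the evidence type for each link lets an analyst discount text-only matches, since profile descriptions can be copied between unrelated vendors.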
Terrorist groups’ usage of darknet forums for communications:
The study relied on data obtained from four major dark web forums created by Islamic extremists: Gawaher, Islamic Awakening, Ansar Jihad Network, and Islamic Network. The researchers also relied on machine learning to identify relevant posts. The data obtained was used to compile a complete list of onion addresses, as well as surface web domains, that are used by terrorist groups. A total of 313 relevant forum posts were identified, and they were used as a seed for “reverse expansion” in order to identify websites on the surface web. This approach led to the identification of an additional 88 websites on the surface web.
Manual checking and filtering of data was conducted, because terrorist groups usually use fake URLs and onion addresses to trick law enforcement agencies. The researchers formulated a manual filtering approach that relied on website clues and online digital traces. However, terrorist groups were found to usually use dark web forums to advertise the group’s official surface web domain, which represents the basis for its ideology and support.
The research was expanded to guarantee comprehensiveness of the analysis. With the aid of Arabic-speaking personnel, relevant keywords such as “Moujahedin,” “Crusade of Wars,” “Pegans,” etc. were used to query dark web content. These terms not only aided in broadening the search, but also yielded more relevant results. The aforementioned manual filtering rules were also used to filter out fake and irrelevant content. The final Jihad website collection included more than 100,000 webpages, including HTML pages and plain text.
The crawling of the aforementioned four dark web forums aimed at automatic collection of relevant forum posts and other forms of interesting content. It was found that terrorist groups usually post a weekly video and a webcast. It was also proven that these groups used dark web forums to carry out daily communications with their audience, mainly to recruit suicidal commandoes. Dark web forums are also used to urge their audience to conduct certain actions such as sharing videos, tweeting posts, spreading news about successful attacks, etc.
Some anti-terrorists strongly believe that terrorist groups use dark web forums as their main communication platform, especially for “terrorist newscasting,” which represents one of their most effective tactics, as it can influence a wide audience base.
Research has proven that, as terrorists use the dark web for their communications, their chances of being caught are considerably small. Previous research studies have developed computation-based systems for the collection and analysis of content related to Islamic extremism, aiming at deepening our understanding of how these terrorists build their networks and plan their violent attacks.
Researchers have also developed special spiders and botnets to crawl the dark web to obtain content related to Islamic extremism. Some of these crawlers have even been programmed to access some password-protected hidden services. The crawler is trained to obtain all forms of content on a crawled site, including HTML, DOC, PDF, PHP, links, ASP, CGI, and plain text. However, these crawlers were not very effective, mainly because these terrorists continuously use new onion addresses instead of the ones that have been identified by these crawlers. Most terrorist groups won’t use an onion address for a dark web forum for more than a few months.
This study has shown that terrorist groups, especially Islamic extremists, are increasingly relying on dark web forums to establish communications, plan their violent attacks, and recruit newcomers. Moreover, terrorists can sometimes rely on darknet marketplaces to purchase weapons that can range from guns to bombs. However, weapons trafficking on crypto markets represents a small percentage of the overall illicit trading taking place on these platforms. More research is needed to monitor and trace Islamic extremists’ activities on the dark web, which will definitely help international anti-terrorism agencies.
by: Tamer Sameeh