Anonymous Divided: Inside the Two Warring Hacktivist Cells Fighting ISIS Online


Anonymous was running its anti-ISIS game the same way it had been for months: finding jihadists online, hitting their websites with attacks and getting their accounts taken down. Then, in June, the hacktivist group stumbled on something dark, volatile and unexpected.

By tracking and geolocating a small group of jihadists it had been keeping tabs on, Anonymous determined ISIS was planning a mass killing in Tunisia — a July 4 copycat of an attack that killed 38 tourists at a beachside hotel. Up until then, members had been stamping out the fires of jihadist propaganda and recruitment campaigns online, but this wasn't an ISIS charm offensive. It was real terrorism. 

GhostSec, the cell within Anonymous that discovered the attack, reached out to Michael Smith II, a counterterrorism adviser with a small South Carolina firm called Kronos Advisory. One member had seen him quoted in the New York Times. GhostSec gave Smith the intel, and he passed it along to those who were able to intervene. According to Smith, GhostSec and their intermediaries in the intelligence community, the attack was halted.

GhostSec got a taste of real counterterrorism — not a game of social media whack-a-mole played by rogue American vigilantes from the comfort of their homes, but something measurable in lives saved. What GhostSec did next launched its small operation to national prominence, got the attention of both Twitter and the U.S. government and created a schism in its own ranks.

GhostSec decided to go legit.

Mic/Getty Images

Setting down the masks: DigitaShadow was an Anon from the early days, an old 4chan lurker who was around for "Chanology," the organized assault on Scientology that brought Anonymous into popular consciousness and the first time Anonymous collectively waged "war" on a singular, powerful institution. 

Documents as recent as December 2014, obtained from the California State Threat Assessment Center, show DigitaShadow was on lookout by state officials, warning that he had taken down a number of municipal police websites in Berkeley and Oakland in support of protests against police violence, and was involved in doxxing a state governor. The report called DigitaShadow "disorganized," saying he had a "lack of a concrete agenda."

"I used to be a bad guy," Digita told Mic. "I'm trying to be the good guy for once."

DigitaShadow got involved with anti-jihadist hacktivism in January after the attack on French satirical newspaper Charlie Hebdo, when the Anonymous initiative called #OpISIS began. He was a member of GhostSec, a core Anonymous group dedicated to eradicating the online presence of the Islamic State group, also known as ISIS or Daesh. GhostSec worked around the clock as a small crew to hand-sift through ISIS's digital propaganda mechanism. As soon as the Americans were headed to sleep in the late hours of the night, European anons would pick up the baton.

After they helped thwart the Tunisia attack, they made an arrangement with Smith. Smith would be a sort of drop box or "funnel" for data gleaned from OpISIS that he could then feed to the appropriate law enforcement and counterterrorism forces. GhostSec became Ghost Security Group — we'll call them "the Group" — and for the next few months would slowly distance themselves from Anonymous until officially cutting all ties in November.

Ghost Security Group has two arms: The first is Ghost Security, of which Digita is the executive director. This team of 14 are technologists, hackers and translators who find ISIS domains and websites, infiltrate them, scrub them of intel and get them taken down. It's a global, 24-hour team that hasn't taken a day off this year. Members work 12-, even 16-hour days.

The other arm of the Group is CtrlSec, the social media offensive. CtrlSec is run by Mikro, a European ex-anon who runs a team of 28 volunteers, many of whom speak Arabic. They track down ISIS accounts one by one and batch them into lists. In October, Mikro complained that Twitter wasn't paying attention, but the media furor around ISIS's online presence seems to have Twitter's attention. According to Ghost Security Group, Twitter is now addressing up to 90% of reported accounts, and they've gotten 110,000 ISIS handles taken down in this way.

"We depend on mass reporting by our followers to bring Twitter's attention to the account," Mikros told Mic. The Group says they receive hundreds, sometimes thousands, of these recommendations a day, and have set up a referral page where anybody can submit the names of accounts they suspect belong to jihadists.

"Anonymous isn't just a bunch of kids. There are law enforcement officials, ex-military and even day-to-day people hiding behind the mask, all fighting with us, for one common goal: removing these terrorists from the net."

Twitter has been tight-lipped about its role in keeping jihadists off the site, and representatives declined to comment for this story, instead directing us to a portion of site policies that says, "Users may not make threats of violence or promote violence, including threatening or promoting terrorism." But according to multiple sources, Twitter and other platforms are overwhelmed by the flood of jihadists using social media to document their victories and spread well-crafted propaganda for recruitment.

A house divided: As Ghost Security Group developed a leadership structure and a relationship with the government, not everyone in the group was on board with this new, more official arrangement. When it came time to split away from Anonymous, a few members of the Group defected.

After DigitaShadow and Mikro created Ghost Security Group, two anons who go by the names Wauchula and TorReaper split off. They saw the Group as all about fame and "money," even if there is no proven arrangement for Smith or any members of the federal government to pay members of the Group. TorReaper got the original site back up and running, they took on the old name of GhostSec and rebuilt it as an Anonymous-affiliated group. It had less leadership, hierarchy and collaboration with the feds, and more familial collaboration, egalitarianism, shit-talking and the populist theater that is the Anonymous hallmark.

Mic/Getty Images

"The goal of OpISIS is to stymie the recruitment efforts ISIS," the Anonymous-affiliated TorReaper told Mic. He describes himself as a "very attractive" tall male who likes holding hands and long walks on the beach. 

"They recruit on average 20 Westerners per day to the so called caliphate under the pretense that it is their religious duty. If we can cut this number down, we can help the guys fighting the real fight."

Whether they're doing the same caliber of work as the original GhostSec did has been called into question both by sources within Twitter, who spoke with the Daily Dot, and by prominent hackers like the Jester, who have said the lists gathered by Anonymous in the past few months are virtually useless or riddled with mistakes.

But the Anonymous-affiliated GhostSec claims to be running its own tight ship, digging deep into the sites and Deep Web territories where ISIS organizes. Here, GhostSec deletes ISIS files, profiles its networks and wreaks havoc where jihadists organize online. GhostSec keeps its own reporting site for ISIS-affiliated social media accounts and websites. It claims to have moles in ISIS communities.

"Anonymous isn't just a bunch of kids," Wauchula told Mic. "Believe it or not, there are many law enforcement officials, ex-military and even day-to-day people hiding behind the mask, all fighting with us, for one common goal: removing these terrorists from the net."

Both groups have similar operations, priorities and values, and still share a common slogan: "We are the ghosts you have created." But fighting ISIS in their separate corners of the Internet proved impossible. According to the Group, Anonymous has overstayed its welcome in the fight, and is now hindering the greater operation.

"When it comes to terrorist attacks, one of the big worries is that you could take down forums and cost someone their lives. Anonymous has a habit of shooting in every direction and asking questions later."

Spy vs. spy: Getting ISIS off the Internet entirely is a noble goal, but taking down ISIS accounts and sites is like cutting the head off a hydra: New accounts and forums spring up in no time.

Instead, Ghost Security Group has "infiltrators," moles who pose as jihadists and burrow into their communities to gain their trust and glean the kind of intelligence that stopped the attack in Tunisia. In that case, leaving a site up long enough to hear whispers of ISIS schemes is a better option than just taking them down. But Anonymous' approach is to simply get those sites removed, deleted, washed away.

"When it comes to terrorist attacks, one of the big worries is that you could take down forums and cost someone their lives," DigitaShadow told Mic shortly after the attacks on Paris. "Anonymous has a habit of shooting in every direction and asking questions later."

On top of that, a lack of collaboration with U.S. intelligence means that if Anonymous and GhostSec are running the same game as the Group — creating moles within online ISIS communities — the good guys in government could end up investigating the Anonymous moles instead of the actual terrorists.

Fox News

"They can end up not just interfering with ongoing investigations, but doing things which result in important resources being diverted away from fighting the enemy toward individuals with no affiliation to Islamic State," Smith told Mic. "So if someone is posing as a supporter of the Islamic State, given the wide net the government agencies cast, it's highly likely that the accounts those individuals are using will become subjects of investigation." 

Anonymous' response is simply that skimming jihadist communities aren't as valuable as intelligence officials claim.

"The government may have arrested one or two kids, but the content being left up there may have radicalized thousands in the time it took," TorReaper told Mic. "Kids are pretty smart these days and know how to stay pretty anonymous. I would much prefer the content was off the net and not available to impressionable kids."

Flame wars: The world of anti-jihadist hacktivism is full of characters, egos, mischief-makers and dissidents. Catch them one-on-one, and members of both factions will say the fight between them is negligible and that they ultimately appreciate the other group's perspective and values.

"It is necessary to have some relationship with the government," says GhostSec's Ransacker, who describes herself as an American female with a background in criminology and counterterrorism. "After all, once we find a threat, we need to contact the authorities. That goes for both groups."

But the fight is consistently nasty in public. With every news report, public list or declaration of victory, GhostSec and Ghost Security Group will hop onto Twitter to discredit the other — the former accusing the Group of being ineffective, lying feds, and the latter accusing GhostSec of being incapable children getting in the way of the real work.

Money is a big player in the accusations. GhostSec insists Ghost Security Group is under paid contract from the federal government now that they've gone legit. Members of Ghost Security Group, as well as Smith, have said this is unequivocally false. They say the only money that sustains the Group comes from donations.

Members of GhostSec also circulated an allegedly incriminating chat from DigitaShadow claiming he was offering payment for joining Ghost Security Group, though members of both sides have conceded that it's probably Photoshopped.

Another problem for Anonymous: leaders like DigitaShadow and Mikro. Since Anonymous first rose to prominence in the late 2000s, there have always been microfactions like Chanology's marblecake and #control — smaller, organized groups that orchestrate larger operations — but the Group goes a step further. Anonymous values an anarchistic equality that abhors attention-seeking as a means to bolster ego and reputation.

The fight from both sides is petty, circular and based largely on either hearsay or minutia, picking slowly at each other and discrediting both parties in the public eye. Luckily, unlike their common enemy, their online campaigns aren't about winning hearts and minds.

Always awake: Ghost Security Group is rolling out custom software that anyone can use to report ISIS accounts and sites — which GhostSec claims is malware meant to trap Anonymous members to be sold off to the government — and CtrlSec continues to tweet out lists of accounts.

And ISIS is pushed further from Twitter, they're fleeing into encrypted channels on new message apps like Telegram. DigitaShadow told Mic that even as Telegram takes down dozens of accounts at a time, this is only a small glimpse at the surface, and that Ghost Security Group has indexed hundreds of ISIS channels where thousands may exist.

Smith trusts Ghost Security Group — because he's communicating with them, and because the intel he provides them with is useful. He compares the Group to the kinds of on-the-ground intelligence counterterrorism has always required, whether it's a schoolteacher in Yemen who hears her students idolizing jihadists, or a tribal elder who sees al-Qaida convoys passing through his territory. 

Ghost Security Group and GhostSec are those tribal elders of the Internet. To an extent, their sleepless efforts work — whether or not they're always working together.