Forwarded from: William Knowles <wk@private> http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1150494610771&call_pageid=968332188492 By SANDRO CONTENTA EUROPEAN BUREAU June 17, 2006 LONDON - On a cold night last October, police stormed a West London apartment and found Younis Tsouli at his computer, allegedly building a Web page with the title "You Bomb It." Initially, the raid seemed relatively routine, one of about 1,000 arrests made under Britain's terrorism act during the last five years. The more eye-popping evidence was allegedly found in the London-area homes of two accused co-conspirators: a DVD manual on making suicide bomb vests, a note with the heading "Welcome to Jihad," material on beheadings, a recipe for rocket fuel, and a note with the formula "hospital = attack." But as investigators sifted through computer disk information the picture that emerged was dramatic. Police had apparently stumbled on the man suspected of being the most hunted cyber-extremist in the world. Tsouli, a 22-year-old Moroccan, is being widely named as a central figure in a cyber-terrorist network that has inspired suspected homegrown extremists in Europe and North America, including the 17 people recently arrested in the Toronto area. The massive, 750 gigabytes of confiscated computer and disk information - an average DVD movie is 4.7 gigabytes - found on Tsouli's computer files is an Internet trail believed to link some of the 39 terror suspects arrested in Canada, Britain, the United States, Sweden, Denmark and Bosnia over the past eight months. A source with close knowledge of the Tsouli case has told the Toronto Star of evidence that he used the Web address Irhabi007 — the cyber-persona of the most notorious extremist hacker on the World Wide Web. "Irhabi007 was like the Godfather of cyber-terrorism for Al Qaeda," says Evan Kohlmann, an Internet terrorism consultant and determined Irhabi tracker. Since coming on the cyber-extremist scene in late 2003, Irhabi's Internet exploits have become the stuff of legend for the scores of militants reading and chatting on Al Qaeda-inspired sites. He almost single-handedly brought the hardcore network into the modern computer age, solving its most pressing propaganda challenge - how to distribute heavy multi-media files, such as videos of beheadings, to the growing ranks of jihadis. A self-starter believed to have worked mainly from his home, he hacked and linked his way to become the administrator of the password-protected forum, Muntada al-Ansar al-Islami, the main Internet mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's leader in Iraq until he was killed last week by a U.S. aerial attack. But his downfall has been as dramatic as his rise. Says Aaron Weisburd, another Irhabi tracker: "While he was at large, he was a leader, an opinion-shaper, a solver of problems, and an inspiration to his friends and associates. Now that the authorities have him and his hard disk drive, he has become a major liability." The London-area raid resulted in terrorism related charges against Tsouli, Waseem Mughal, 22, and Tariq Al-Daour, 19. Their trial is expected to begin in January. Among the items allegedly found in Tsouli's computer is a video slide film on how to make a bomb and another showing sites in Washington, D.C. The images of the American capital were reportedly filmed by two Georgia men arrested by the FBI in March and accused in U.S. court documents of having travelled to Toronto to meet "like-minded Islamists." Tsouli immigrated to London four years ago. At the time of his arrest, his father said Tsouli spoke often of the West waging a war against Islam. Bachir Tsouli, then deputy head of Morocco's tourism office in London, said his son had few friends and spent most of his time at his computer. "What can you do on the computer?" Bachir, 60, told the Daily Mail newspaper. "He hasn't been to Iraq or to training camps in Afghanistan. Tomorrow they will be saying he is a friend of Osama bin Laden." No one has accused him of that, but experts who tracked Irhabi007 believe he had links to al-Zarqawi, credited with having turned the Web into a powerful tool for global jihad. During the past two years, al-Zarqawi's followers produced scores of videos on suicide bombings, attacks against U.S. forces in Iraq, beheadings of hostages, propaganda tracts and terrorist "how to" manuals. The problem was distribution - how to post and move heavy files on the Internet without sites crashing or being shut down. Irhabi007 met the challenge. In May 2004, he helped distribute the video of al-Zarqawi's beheading of American contractor Nicholas Berg. It was quickly copied on Internet sites and downloaded half a million times within 24 hours. "He got his name on the map with the Nicholas Berg beheading video," says Ned Moran, intelligence analyst with the Virginia-based, Terrorism Research Center. Irhabi007's distribution technique became clear two months later, when he hacked into a FTP computer site used to transfer big files by the Arkansas Highway and Transportation Department. He posted 70 jihadi propaganda files on the site, including videos featuring Osama bin Laden. He then posted links to the files on the Muntada site and urged jihadis to download quickly. Arkansas authorities didn't catch on until 24 hours later. By then, the material had replicated exponentially, with those who downloaded it passing it on to others in an almost endless chain. Irhabi (the word means "terrorist" in Arabic) was using skills largely unknown in the cyber-jihadi world. And he spread them around, posting his own hacking manuals for a new generation of more computer-savvy jihadis increasingly using the Internet as a tool to recruit and plot attacks. Irhabi wannabes suddenly began appearing on chat forums, tagging 007 at the end of their Web personas. On October 2004, his status in their eyes reached heroic proportions. He provided almost immediate links to a suicide bombing video posted by Abu Maysara al-Iraqi, widely considered one of al-Zarqawi's closest aides. The initiative led Maysara to break silence for the first time and post praise for Irhabi007's work, Kohlmann says. "Bless the terrorist, Irhabi007," said the message, translated by Kohlmann, founder of globalterroralert.com. "In the name of Allah, I am pleased with your presence my beloved brother. May Allah protect you." Says Kohlmann: "It's kind of like Bruce Springsteen picking someone out in a concert and saying, `I love this guy.' That's what the effect was - people went crazy." In September 2005, a Terrorist Research Center report described Irhabi007 as "heavily involved in maintaining Al Qaeda's on-line presence." It found evidence on al-Zarqawi's Al-Ansar site listing Irhabi as its "administrator." The speed with which Irhabi posted links to videos from al-Zarqawi's Iraqi cell led observers to speculate he was getting a heads up from al-Zarqawi's people. He's suspected of stealing identities to register his websites. His http://www.irhabi007.org domain name was registered to the name, telephone number and Pennsylvania home address of a first lieutenant deployed in Iraq, according to the centre's report. He also registered a Canada-based domain name, http://www.irhaby007.ca. By the end of 2005, Irhabi007 had a whole army of cyber-terrorism trackers on his tail. Few were as persistent as Aaron Weisburd, director of Internet Haganah, dedicated to making on-line life miserable for cyber-jihadis. In 2004, Weisburd turned in Irhabi to his service provider and got him cut off. An incensed Irhabi posted Weisburd's home address in Illinois on the Internet and took part in chat-room discussions on slicing Weisburd like a salami. "I get to keep a finger or an ear," Irhabi wrote, "a little souvenir." Weisburd reported the threat to the FBI and stepped up his efforts. "I take all threats seriously," he said in an email exchange with the Toronto Star. "And like any American `good ole boy' I have more than one loaded gun nearby." In July that year, Irhabi made his first mistake, leaving his IP (Internet Protocol) address — which can be used to track a user's location - on a site he was setting up to post a threat against Italy. Weisburd examined another Irhabi Web page and found a second IP address. He then posted a message on the Haganah site warning that Irhabi's files were infected. Irhabi responded by posting a graphic to prove they were not. His IP number was blotted out, but not well enough. Weisburd's associate made it out. The three IP addresses all pointed to London's Ealing area — the place where Tsouli would be arrested 15 months later. Weisburd passed the information on to U.S. and British police but heard nothing back. In September 2005, a month before Tsouli's arrest, a frustrated Weisburd posted this message on his site: "Irhabi007 is in Ealing. Or at least that's where the bastard was when we located him (18 months ago)." Since Tsouli's arrest, Weisburd says police have asked him to resubmit the information he passed on months before. The events that led to the arrest of the presumed Irhabi began with police forcing their way into an apartment in Sarajevo on Oct. 19, arresting 18-year-old Swedish citizen Mirsad Bektasevic and Abdul Kadir Cesur, a 20-year-old Danish-born Turk. Almost 20 kilograms of explosives were in the apartment, according to the indictment filed in a Sarajevo court. A Sony VHS tape also found gives instructions on how to make a bomb. Says a voice on the tape, believed to be that of Bektasevic: "These brothers are ready to attack and, God willing, they will attack the infidels who are killing our brothers and Muslims in Iraq, Afghanistan. This weapon will be used against Europe, against those whose forces are in Iraq and Afghanistan." Their arrests sparked back-to-back raids in London and Denmark, where a total of nine men were arrested, including Tsouli. The last number dialled on his cellular phone was Bektasevic's Bosnian number three days earlier, according to the Star's source. Since then, arrests have also been made in the U.S., Canada, Britain and Sweden. Postings on the Internet by Irhabi007 stopped with Tsouli's arrest. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jun 19 2006 - 01:14:16 PDT