Hacktivists claim ISIS terrorists linked to Paris attacks had bitcoin funding

Anti-ISIS hackers claimed to have detected indicators of an impending attack on Paris, as well as bitcoin funding used by ISIS militants, including a wallet with over $3 million.

During Dateline coverage after the terrorist attacks on Paris, Lester Holt asked, "Does this change the game in terms of intelligence?"

Andrea Mitchell replied, "It does," before discussing how intelligence missed any type of communication regarding the coordinated attacks. She added, "There's such good surveillance on cellphones and there's such good communications ability by the intelligence gathering in Europe, especially in France, especially in Great Britain and in the United States. So they may have been communicating via social media or through codes. And that's the kind of thing that is very concerning to U.S. intelligence."

After the Charlie Hebdo massacre, France passed an "intrusive" surveillance bill, granting the government the power "to wiretap communications, install secret surveillance cameras and sweep up metadata." That didn't stop the horrific attacks on Paris, aka "Paris' 9/11," and more ubiquitous and invasive surveillance is not the answer. Matthew Williams, a researcher of computational criminology at Cardiff University in Wales, told Mic that "picking out singular acts of crime or terror from an indiscriminate pile of civilian noise is all but impossible."

Ghost Security Group detected indicators of attack on Paris

Even with all the surveillance, intelligence groups again missed indicators of a credible terrorist attack. Yet in an interview with NewsBTC, a member of the hacktivist group "Ghost Security Group" claims it "did detect several indicators of an attack impending and are currently in the process of collecting valuable evidence for United States government officials."

ISIS and bitcoin funding

DW (Deutsche Welle) previously reported that the Islamic State is experimenting with currency, specifically gold and bitcoin. One bitcoin wallet received around $23 million in a month; anti-ISIS hackers from GhostSec followed a chain of transactions to another wallet with over $3 million in bitcoins.

Ghost Security Group confirmed to NewsBTC that ISIS is "extensively using bitcoin for funding their operations" and that the group has "managed to uncover several bitcoin addresses used by them." Furthermore, bitcoin is "their prime form of cryptocurrency." No evidence was given, such as the bitcoin wallet address, as the hackers "cannot go into more detail at the moment on current investigations."

GhostSec Background

GhostSec (Ghost Security), a hacktivist group which is an offshoot of Anonymous, has been attacking thousands of ISIS social media accounts and public websites since early this year. The group is not alone; in February, Anonymous and the Redcult Team called ISIS a virus that it planned to cure during Operation ISIS (#OpISIS).

A GhostSec spokesperson claimed that ISIS, ironically, has been using Google and Amazon Web Services to avoid U.S. and international intelligence agencies and to shield itself and its websites from being hacked by Ghost Security Group; the latter has been credited with stopping terrorist attacks. DigitaShadow, executive director of the Ghost Security Group, told IBTimes UK that the group discovered terrorist threats against Tunisia in July, and also uncovered evidence that foiled a terrorist attack in New York on July 4. The hacktivist group has also been credited with discovering and reporting other credible extremist threats.

GhostSec keeps a running tally of Twitter IDs reported, server IPs reported to host extremist content, Facebook, Tumblr, YouTube, and other common sites, as well as "uncommon sites" that have been reported as being dedicated to extremist causes and "could/should be targeted and brought down." It also has a way to submit potential terrorism-related content and other tools. The hacking group has targeted and bypassed CloudFlare "to determine the actual website that they need to attack to takedown the actual website."

Ghost Security Group

Ghost Security reportedly formed earlier this year after the terrorist attacks against Charlie Hebdo offices in Paris. Earlier this month, Ghost Security Group split from "Ghost Security."

"Ghost Security Group is a counter terrorism network that combats extremism on the digital front lines of today utilizing the internet and social media as a weapon. Our cyber operations consist of collecting actionable threat data, advanced analytics, offensive strategies, surveillance and providing situational awareness through relentless cyber terrain vigilance."

The newly formed Ghost Security Group (GSG) said it "needed to address some misapprehensions concerning our group. Much of that stemmed from our uses of menacing graphics which resemble logos used by illicit cyber networks. Perceptions matter and all of that was undermining our abilities to cultivate relationships with officials who now recognize our capabilities to add value to counter terrorism initiatives."

The new group has a new website that has a more corporate-like appearance, while Ghost Security uses the older .org website. Ghost Security Group added:

"The group's new trademarked look discards the hoodies and Guy Fawkes masks so often associated with publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites in favor of pristine, white graphics devoid of any reference to illegal activities. Part of the transition has included discarding their old brand and website, www.GhostSec.org, which are now used by former group members who have a different philosophy and approach to combating ISIS online."

Ghost Security Group has 12 core members, some of whom work "16 hours a day … and 7 days a week nonstop" to identify surface-level and hidden Deep Web sites that are suspected to be related to the Islamic State; the group receives tips from volunteers and part-time helpers. Foreign Policy reported the group receives 500 tips every day.

Data-mining, identity stitching, email monitoring, predictive analysis, social media surveillance, terrorism financing and social engineering are but some of the things listed among GSG's counter surveillance capabilities. Some members of the small group of terrorist hunters have "ex-military or cybersecurity backgrounds."

GSG said it "monitors over 200 known violent extremist websites for actionable threat data and analysis;" it has "identified and terminated over 100,000 extremist social media accounts that were used primarily for recruitment purposes and transmission of threats against life and property."

It is GSG that claims to have detected indicators of the attack on France. Can you believe that? Michael Smith, co-founder of Kronos Advisory and an advisor to U.S. Congress, forwards about 90% of GhostSec's leads to the FBI. Even retired Gen. David Petraeus, formerly head of the CIA, told Foreign Policy, "[Smith] has shared with me some of the open source data he has provided to various U.S. agency officials, and I can see how that data would be of considerable value to those engaged in counter-terrorism initiatives."

Regarding ISIS and bitcoin funding, one unnamed GSG hacker said, "Most of the Bitcoin funding sites utilized by the Islamic State are on the deep web and we have managed to uncover several and successfully shut them down in order to limit the funding extremists receive through the use of cryptocurrencies."

The feds claim encryption is a terrorist's tool, so hopefully the horrible attacks on Paris won't add fuel to their encryption-is-evil claims. In the same way that all encryption is not bad, bitcoin is not used exclusively by terrorists; hopefully the ISIS-bitcoin-funding issue won't take a twist and lead to the bashing of cryptocurrencies or a push for more surveillance laws.

If you like the idea of cyber vigilantes going after ISIS instead of the government, and if you want to help stop ISIS and other extremist groups, GSG said to report "suspicious activities." Tips go through a "rigorous review process before a website is cleared for termination." Every potential "target is reviewed by five members – often including a native Arabic speaker – and ranked by level of threat."

When "asked if their destruction of Islamic State websites sets a bad precedent for freedom of speech online," GSG's @DigitaShadow answered: "No. Free speech isn't murder."

Copyright © 2015 IDG Communications, Inc.
