The team at CYFIRMA began hunting for activities related to the banned organization, Islamic State. We attempted to gain access to the group, or at least to determine whether it was still possible to connect with individuals who espoused the Islamic State’s ideology, or to find some hidden platform being utilized by terror organizations. To our surprise, we were able to connect with one of the suspicious users operating a Telegram channel with Islamic State’s ideology. As our investigation progressed, we also discovered that the Telegram channel is associated with a private RocketChat server, exclusively used by ISIS. Furthermore, we uncovered a donation program being run through a Telegram channel.
The research team collated Telegram channels and groups that were coaxing users to join their Telegram channels in which atrocities against Muslims, prisoners, and refugees in the Al Hol Camp in Syria were being discussed. Several Telegram channels discussed Islam and acts against Muslims. Occasionally, these channels shared posts of the Telegram channel that directly operated with the IS ideology. During the investigation, the team observed one such post being shared by a pro-Islamic Telegram channel.
The Telegram channel “WhispersOfTheForgotten”, occasionally shared by pro-Islamic Telegram channels, specializes in sharing radicalization content and also operates on a RocketChat server named TechHaven (an exclusive platform employed by ISIS). The RocketChat platform hosts many other ISIS groups, active and inactive, from different regions around the globe. The existence of the group on the RocketChat server proved that the Telegram channel “WhispersOfTheForgotten” is run by users with ISIS ideology.
The channel “WhispersOfTheForgotten” on Telegram also runs a parallel donation drive. The suspicious channel shares contact details that other Telegram users can use to reach out and discuss donations they would like to offer. The team initiated engagement to find out more about their intentions and the real reason behind their donation program.
‘Whispers of the Forgotten’ on Telegram and RocketChat Server
Below are screengrabs of “Whispers of the Forgotten” on TechHaven, the private RocketChat server hosting a variety of global ISIS-related channels, and on Telegram.
Private RocketChat server hosting various ISIS channels belonging to different regions, including Whispers of The Forgotten.
Telegram channel of Whispers of the Forgotten posting about the new channel.
‘Letters from Inside’: This channel broadcasts atrocities alleged to have occurred to women and children living in the Al Hol/Al Hawl camp in Syria. The channel also raises funds for specific individuals from the camp who have medical or survival needs. However, the channel has been found to reshare content from the ISIS-linked “WhispersOfTheForgotten”.
‘The travelers’: This Telegram channel discusses tenets of Islam with its subscribers, as well as the alleged atrocities against Muslims in Syria. It has also reshared content from WhispersOfTheForgotten.
The team initiated communication with an admin from WhispersOfTheForgotten, who was running a donation drive to secure money through cryptocurrency.
The screenshots below show a Telegram handle ‘Donations UndergroundPrisoners’ with a bio containing a username for the WhispersOfTheForgotten Telegram channel. Later on, the user asked us to chat on another handle and enabled Telegram’s secret chat feature, which restricts users from grabbing screenshots.
The following screenshots are from our engagement with “Backup Star War”, and they demonstrate the malicious intentions of the donation drive. The suspicious account is collecting funds to help prisoners, and potentially also Jihadists outside prison. (Please note that the captures are not perfect, as the chat was extremely time-limited and the messages were deleted by the user after reading.)
During our engagement, we obtained their Bitcoin wallet addresses (the suspect transfers funds to other wallets, maintaining empty balances in the donation-receiving wallets, and uses only a single wallet address before generating a new one). Notably, they have received over $80,000 across two distinct Bitcoin wallets. Given that we only obtained two wallet addresses, it is likely that additional wallets are being used to receive and disperse the funds they have acquired.
1. 3EXvTSx8RsVZMguBUJKdQS51V3Z3CCH56g
2. 1M8i6bdcYaBL1bkY8DGFQTPd7FtX3f2Mym
The widespread availability of messenger platforms such as Telegram and of decentralized RocketChat servers grants terrorist organizations the ability to establish communication hubs and connect with individuals who share their ideologies, radicalizing them from afar. Recent investigations have uncovered two Bitcoin wallet addresses linked to suspects who potentially funnel funds toward possible terrorist activities. The convergence of cryptocurrency and secure platforms like Telegram enables terrorist groups to operate stealthily, evading detection by law enforcement agencies and complicating efforts to track their illicit activities. Without comprehensive solutions implemented by law enforcement agencies or governments, these terror cells will continue leveraging various cyber infrastructures for their gain.
The team’s investigation has shed light on a hidden threat emerging from the depths of the internet, often overlooked by the cyber community. The ease with which terrorists can access communication platforms to connect with like-minded individuals presents a significant internet security challenge. Despite this, it is still unclear how money is being circulated and precisely where it is being utilized. However, this investigation has shown that funds are being used directly and indirectly for terrorist activities. The revelation of funds being obtained via Telegram donations, relatively unhindered, is particularly concerning and warrants international concern and cooperation in tackling it.